Dave Johansen
2013-May-15 16:22 UTC
[CentOS] Best configuration for encrypted software RAID 1?
I'm setting up a computer with CentOS 6.4 and a mirrored software RAID. I would like it to be encrypted so I was wondering what the best configuration is. The only info I could find is http://lists.centos.org/pipermail/centos-docs/2008-October/001912.html but it appears to be a bit old and the info on the wiki ( http://wiki.centos.org/HowTos/EncryptTmpSwapHome ) doesn't seem to address RAIDs.

My main question is will it be better to encrypt the RAID itself or the two partitions used by the RAID? Any other things I should be aware of?

Thanks,
Dave
On 05/15/2013 12:22 PM, Dave Johansen wrote:
> I'm setting up a computer with CentOS 6.4 and a mirrored software
> RAID. I would like it to be encrypted so I was wondering what the best
> configuration is. The only info I could find is
> http://lists.centos.org/pipermail/centos-docs/2008-October/001912.html
> but it appears to be a bit old and the info on the wiki (
> http://wiki.centos.org/HowTos/EncryptTmpSwapHome ) doesn't seem to
> address RAIDs.
>
> My main question is will it be better to encrypt the RAID itself or
> the two partitions used by the RAID? Any other things I should be
> aware of?
>
> Thanks,
> Dave

This depends on your use-case. Personally, I want my servers to be able to boot headless, so I leave /boot, <swap> and / unencrypted, RAID or not. Then I encrypt the LV (or partition) I am going to put data I care about on.

I don't think there is any benefit to encrypting the partitions behind the MD device as it won't be able to form until you decrypt the devices. I'd keep crypt on the resulting /dev/mdX, at the lowest.

Again, it depends on your use-case.

--
Digimer
Papers and Projects: https://alteeve.ca/w/
What if the cure for cancer is trapped in the mind of a person without access to education?
Markus Falb
2013-May-21 19:53 UTC
[CentOS] Best configuration for encrypted software RAID 1?
On 15.Mai.2013, at 18:22, Dave Johansen wrote:
> My main question is will it be better to encrypt the RAID itself or
> the two partitions used by the RAID?

encrypt data once and let md mirror the encrypted stuff or let md mirror and encrypt data twice, once per raid member. Encryption is CPU hungry. Performance wise the winner seems clear.

--
Markus
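The layout both replies favour (one LUKS container on the assembled /dev/mdX, so data is encrypted once and md mirrors the ciphertext), as an added example that is not part of the thread. The device names `/dev/md0`, `/dev/sda2`, `/dev/sdb2` and the mapping name `secure_data` are assumptions; the script only prints the commands unless `RUN=1` is set.

```shell
#!/bin/sh
# Added example: LUKS on top of an md RAID 1 array.
# All device and mapping names below are assumptions for illustration.
# Every command here destroys existing data on its target, so the default
# is a dry run that prints the plan. Set RUN=1 (as root) to execute it.

run() {
    if [ "${RUN:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# build_stack MD_DEVICE MEMBER_A MEMBER_B MAPPING_NAME
build_stack() {
    md=$1; part_a=$2; part_b=$3; name=$4

    # 1. Mirror the two raw (unencrypted) partitions. md can assemble at
    #    boot without a passphrase because its members are plain devices.
    run mdadm --create "$md" --level=1 --raid-devices=2 "$part_a" "$part_b"

    # 2. Create a single LUKS container on the array. Each write is
    #    encrypted once and md copies the ciphertext to both members.
    run cryptsetup luksFormat "$md"

    # 3. Unlock it (luksOpen is the older spelling of
    #    "cryptsetup open --type luks").
    run cryptsetup luksOpen "$md" "$name"

    # 4. Put the filesystem on the decrypted mapping, never on $md itself.
    run mkfs.ext4 "/dev/mapper/$name"
}

# Print (or, with RUN=1, execute) the plan for the assumed devices.
build_stack /dev/md0 /dev/sda2 /dev/sdb2 secure_data
```

The reverse order (LUKS on each member partition, md on the two mappings) would need two `luksFormat`/`luksOpen` pairs and both unlocked before the array can assemble.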