os linux
Disk
→ Encrypted raid 1
→ Create a raid with mdadm
fdisk /dev/sda
fdisk /dev/sdc
mdadm -E /dev/sd[a-c]
mdadm -E /dev/sda1
mdadm -E /dev/sdc1
mdadm --create /dev/md0 --level=mirror --raid-devices=2 /dev/sda1 /dev/sdc1
cat /proc/mdstat
mkdir /mnt/2TO
mkfs.ext4 /dev/md0
mount /dev/md0 /mnt/2TO
→ Encrypt with luks
mdadm --detail /dev/md0
shred --verbose --random-source=/dev/urandom --iterations=3 /dev/md0
cryptsetup -y -v luksFormat /dev/md0
cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/md0
man cryptsetup
gparted
modprobe dm-crypt
cryptsetup --cipher=aes-xts-plain --verify-passphrase --key-size=512 luksFormat /dev/md0
cryptsetup luksOpen /dev/md0 cryptdisk
mkfs.ext4 /dev/mapper/cryptdisk
mount -t ext4 /dev/mapper/cryptdisk /mnt
mount -t ext4 /dev/mapper/cryptdisk /mnt/2TO
→ Configure startup
This makes the system ask for the passphrase at startup. Set the UUID of the LUKS device (listed under /dev/disk/by-uuid/) in:
/etc/crypttab
→ Open on another computer
mdadm --assemble /dev/md0 /dev/sda1 /dev/sdc1
apt install cryptsetup
cryptsetup luksOpen /dev/md0 cryptdisk
mount /dev/mapper/cryptdisk /mnt/cryptdisk
→ Adding a luks key
In order to skip the password prompt at boot (a security issue, since the key file is stored unencrypted) one can create a key file and provide its path in crypttab.
see details https://linuxconfig.org/how-to-use-a-file-as-a-luks-device-key
cryptsetup luksDump /dev/md0 # just summarize luks info
dd if=/dev/urandom of=/cryptdisk-key bs=512 count=8 # create a key
cryptsetup luksAddKey /dev/md0 /cryptdisk-key # adds a new password with the key
Now you can specify /cryptdisk-key as the key in /etc/crypttab.
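Added example, not part of these notes: a small POSIX sh script covering both the "Configure startup" and the "Adding a luks key" steps. It creates the key file with root-only permissions, checks those permissions before the file is referenced from crypttab, and prints the /etc/crypttab and /etc/fstab lines for the cryptdisk mapping. The mapping name, mount point and key path come from the notes above; the UUID printed in the demo is a placeholder, replace it with the output of `blkid -s UUID -o value /dev/md0`.

```sh
#!/bin/sh
# Added example (not from the original notes): create a LUKS key file with
# restrictive permissions, check it, and emit the /etc/crypttab and /etc/fstab
# lines that point the "cryptdisk" mapping at it. The UUID used in the demo
# at the bottom is a constructed placeholder.
set -eu

# Create a 4096-byte random key file (same size as the dd command in the notes)
# that only its owner can read (mode 0400). umask is changed in a subshell so
# the caller's umask is untouched.
make_keyfile() {
    keyfile=$1
    (umask 077 && dd if=/dev/urandom of="$keyfile" bs=512 count=8 status=none)
    chmod 0400 "$keyfile"
}

# Return 0 if the key file exists as a regular file and is not group/world
# readable; print the reason and return 1 otherwise. Run this before putting
# the path into crypttab.
check_keyfile() {
    keyfile=$1
    [ -f "$keyfile" ] || { echo "missing: $keyfile"; return 1; }
    mode=$(stat -c %a "$keyfile")
    case $mode in
        400|600) return 0 ;;
        *) echo "unsafe mode $mode on $keyfile"; return 1 ;;
    esac
}

# /etc/crypttab line: <name> <device> <key> <options>.
# Pass "none" as the key to be prompted for the passphrase at boot instead.
crypttab_line() {
    printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

# /etc/fstab line mounting the opened mapping at the given mount point.
fstab_line() {
    printf '/dev/mapper/%s %s ext4 defaults 0 2\n' "$1" "$2"
}

# Stand-alone demo: a temporary file stands in for /cryptdisk-key so this runs
# without root or a real /dev/md0.
demo_key=$(mktemp)
make_keyfile "$demo_key"
check_keyfile "$demo_key"
echo "--- /etc/crypttab"
crypttab_line cryptdisk PLACEHOLDER-UUID /cryptdisk-key
echo "--- /etc/fstab"
fstab_line cryptdisk /mnt/2TO
rm -f "$demo_key"
```

After changing /etc/crypttab on Debian, run `update-initramfs -u` so the boot-time setup picks up the new entry. Mode 0400 on an unencrypted root filesystem only keeps the key from other local users; anyone who can read the root disk offline can still open the array, which is the trade-off the notes flag above.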
→ Scheduled resync
A resync checks the md array and repairs disks that are out of sync. On Debian this runs on the night of the first Sunday of each month:
root@natus:/home/natus# cat /etc/cron.d/mdadm
# By default, run at 00:57 on every Sunday, but do nothing unless the day of
# the month is less than or equal to 7. Thus, only run on the first Sunday of
# each month. crontab(5) sucks, unfortunately, in this regard; therefore this
# hack (see #380425).
57 0 * * 0 root if [ -x /usr/share/mdadm/checkarray ] && [ $(date +\%d) -le 7 ]; then /usr/share/mdadm/checkarray --cron --all --idle --quiet; fi
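Added example, not from the notes above: two POSIX sh functions that read /proc/mdstat (the file shown in the "Create a raid" step) and list arrays that are degraded or still resyncing, plus a helper that reads the mismatch counter the scheduled check leaves behind. The /proc/mdstat text embedded in the script is constructed for the demo; the live paths /proc/mdstat and /sys/block/<md>/md/mismatch_cnt are standard Linux md interfaces.

```sh
#!/bin/sh
# Added example (not from the original notes): quick health checks on md
# arrays, usable after the monthly checkarray run or at any time.
set -eu

# Print "<array> <state>" for every array whose member state string
# ([UU], [U_], ...) contains an underscore, i.e. a missing or failed member.
# Reads mdstat-formatted text from stdin.
mdstat_degraded() {
    awk '
        /^md[0-9]+ :/ { name = $1 }
        name != "" && match($0, /\[[U_]+\]/) {
            state = substr($0, RSTART, RLENGTH)
            if (index(state, "_") > 0) print name, state
        }
    '
}

# Print "<array> <operation> = <percent>" for arrays with a check, resync,
# recovery or reshape in progress. Reads mdstat-formatted text from stdin.
mdstat_in_progress() {
    awk '
        /^md[0-9]+ :/ { name = $1 }
        name != "" && match($0, /(resync|check|recovery|reshape) *= *[0-9.]+%/) {
            print name, substr($0, RSTART, RLENGTH)
        }
    '
}

# After a check, the kernel stores the number of blocks on which the mirrors
# disagreed here; anything other than 0 on a RAID 1 deserves a closer look.
mismatch_count() {
    cat "/sys/block/$1/md/mismatch_cnt"
}

# Constructed sample: md0 has lost a member and is rebuilding, md1 is healthy.
SAMPLE_MDSTAT=$(cat <<'EOF'
Personalities : [raid1]
md0 : active raid1 sdc1[1] sda1[0]
      1953382464 blocks super 1.2 [2/1] [U_]
      [=>...................]  recovery =  8.4% (164288/1953382464) finish=0.3min speed=82144K/sec

md1 : active raid1 sdd1[1] sdb1[0]
      976630464 blocks super 1.2 [2/2] [UU]

unused devices: <none>
EOF
)

# Stand-alone run: report on the sample, then on the live system if present.
echo "degraded arrays (sample):"
printf '%s\n' "$SAMPLE_MDSTAT" | mdstat_degraded
echo "in-progress operations (sample):"
printf '%s\n' "$SAMPLE_MDSTAT" | mdstat_in_progress
if [ -r /proc/mdstat ]; then
    echo "degraded arrays (live):"
    mdstat_degraded < /proc/mdstat
    if [ -r /sys/block/md0/md/mismatch_cnt ]; then
        echo "md0 mismatch_cnt: $(mismatch_count md0)"
    fi
fi
```

Running `mdstat_degraded < /proc/mdstat` from the same cron schedule, and mailing any output, gives a notification path that does not depend on reading the kernel log by hand.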