Set Up A Fully Encrypted Raid1 LVM System

Author: Stephan Jau
Revision: v1.0
Last Change: November 30 2008

Introduction

For this Howto I use Debian Lenny (still testing and not "stable") for the simple reason that, contrary to Debian Etch and/or Ubuntu 8.04/8.10, its install routine sets up the initrd correctly, so you can set up encrypted swap and also an encrypted RAID1 LVM during install. This Howto will be heavy on screenshots again; a lot of them are repetitive, as I set up multiple partitions at once.

Basically, I will set up the system so that (a) everything [except for /boot] is encrypted, (b) everything is on a RAID1, and (c) the data partition is on an LVM so that it can be easily expanded.

Notice: The sizes used for this Howto are just examples; please consider carefully how you want to size your partitions! I set up a real server using 500 MB for /boot, 2 GB for swap, 10 GB for / and the rest for /data (which also holds the data of the home folder, the /etc folder, the MySQL databases and the webroot).

The reason for RAID1 is that I wanted to set up the system in such a way that if one disk fails, the system can still be "set up" quickly and without special knowledge. The only thing one has to know is which of the drives to disconnect before booting the machine.
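Goals (a) and (b) above can be checked on the finished system from the block-device tree. The following is an added example, not part of the original Howto: it walks the JSON printed by `lsblk --json -o NAME,TYPE,MOUNTPOINT` and reports every mount that is not on a RAID1 or, apart from /boot, not on an encrypted layer. The sample tree, the device and volume names, and the `audit` helper are constructed for illustration.

```python
import json

# Constructed sample of `lsblk --json -o NAME,TYPE,MOUNTPOINT` for one disk of
# the layout described above (device and volume names are assumptions).
SAMPLE = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": null, "children": [
      {"name": "md0", "type": "raid1", "mountpoint": "/boot"}]},
    {"name": "sda2", "type": "part", "mountpoint": null, "children": [
      {"name": "md1", "type": "raid1", "mountpoint": null, "children": [
        {"name": "md1_crypt", "type": "crypt", "mountpoint": "[SWAP]"}]}]},
    {"name": "sda3", "type": "part", "mountpoint": null, "children": [
      {"name": "md2", "type": "raid1", "mountpoint": null, "children": [
        {"name": "md2_crypt", "type": "crypt", "mountpoint": "/"}]}]},
    {"name": "sda4", "type": "part", "mountpoint": null, "children": [
      {"name": "md3", "type": "raid1", "mountpoint": null, "children": [
        {"name": "md3_crypt", "type": "crypt", "mountpoint": null, "children": [
          {"name": "vg0-data", "type": "lvm", "mountpoint": "/data"}]}]}]}
  ]}
]}
"""

def audit(lsblk_json, plaintext_ok=("/boot",)):
    """Return (mountpoint, problem) pairs for mounts that break goal (a) or (b)."""
    findings = []

    def walk(node, layers):
        # layers holds the device types from the disk down to this node
        layers = layers + [node["type"]]
        mnt = node.get("mountpoint")
        if mnt:
            if "raid1" not in layers:
                findings.append((mnt, "not on raid1"))
            if "crypt" not in layers and mnt not in plaintext_ok:
                findings.append((mnt, "not encrypted"))
        for child in node.get("children", []):
            walk(child, layers)

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, [])
    return findings

if __name__ == "__main__":
    for mnt, problem in audit(SAMPLE) or [("all mounts", "ok")]:
        print(f"{mnt}: {problem}")
```

The check only looks for a `raid1` and a `crypt` layer somewhere beneath each mount, so it accepts either ordering of encryption and LVM.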

 

Installing the system (with one drive)

Step 1: Getting to the partitioner

So, once you reach the partitioner, select manual partitioning:

As I have a completely new harddisk (or rather virtual harddisk) I have to select it first:

Then to create an empty partition list:

And we'll return at the previous screen, this time with an empty partition list.

 

Step 2: Creating the BOOT partition

Select the FREE SPACE to create a new partition:

Now we select to create a new partition on the harddisk:

I make it 256MB; that should be sufficient for a few kernels. Make it larger if you want to keep more kernels on it.

In this Howto I make all the partitions primary, so you should be well aware of the size and its implications.

I set it at the beginning. You could also set it at the end... IMHO it doesn't matter much.

At the partition properties select "Use as":

And now select it to be a raid:

As this is the boot partition, it needs to be bootable. Change the corresponding property:

Now you are done here:

 

Step 3: Creating the SWAP Partition

Once again back at the partition overview, select the FREE SPACE to create a new partition:

Now we select to create a new partition on the harddisk:

In this Howto I make it 1024MB. The general rule of thumb is 1-2x the size of your RAM. Note that a 32-bit system can't simply use more than 4GB of RAM, while a 64-bit system can (although there are also ways on 32-bit).

Again, make it a primary partition:

I set it at the beginning. You could also set it at the end... IMHO it doesn't matter much.

At the partition properties select "Use as":

And now select it to be a raid:

Now you are done here:

Comments

From: Anonymous at: 2008-12-11 12:18:19

Isn't the order wrong?

1. 2 RAID (/boot and 1 for LVM)

2. LVM

3. encryption on LVM partitions

From: schrapp at: 2008-12-22 23:27:14

just today i set up a new server in a similar way. i did 2 things differently:

 1) install the second drive right away and add it to the raid during debian setup with partman. that way you don't have to add it manually later on.

 2) create just 2 raids. one for /boot and one that takes up the rest of the space. create a crypto device on top of that, that takes all of the available space as well. then add the resulting crypto mapper to a logical volume group and create your logical volumes with mount points (/, /home, /tmp, /var, ...). that way, you only have one encrypted device (therefore only one password). when using LVM imho there is no reason to create more than one underlying partition, unless you're adding a new physical device to an existing setup.

From: at: 2009-01-23 08:54:34

There are many ways to make a setup. I did think about it quite some time, did research on what file systems to use where... did consider whether to use encryption-->lvm or lvm-->encryption.

After careful consideration I just came to the conclusion that I prefer this setup more. I do want to have independent root and only the actual data on the lvm. Hence I chose that approach.

There's no right/wrong here. Just think of the consequences of your choices and what suits you the most.

From: ruipedroca at: 2009-03-08 14:51:29

Hi,

 I think your guide is great, good job!

Just a note: in the beginning of this guide you say Ubuntu 8.04 and 8.10 wouldn't do the job, but at least the alternate 8.04.1 Desktop CD does, because I've already tried it (both RAID1 and encryption, but not at the same time in the same OS installation) and it works.
However, you must perform some after installation steps (install GRUB boot-loader on second drive and update startup script to detect a failed drive).
I've followed this guide:
https://help.ubuntu.com/community/Installation/SoftwareRAID 

I'd like to thank you for the screenshots, that make your guide a breeze to follow! :)

From: Richard Williams at: 2010-03-19 15:35:41

I've just built a new Linux (Debian Lenny) server using a motherboard with hardware RAID.  Trouble is, it only has Windows RAID drivers, so I've had to use a software RAID.  I couldn't have done so easily without this article.

From: Shnifti at: 2011-12-26 16:36:57

I did both ways: creating raid right in the debian installer partman and also the other with adding second drive to a degraded raid after installation. (using debian squeeze)

So my setup is like

(I have md0 as a raid 5, doesn't matter for now)

 /dev/md1 for /boot as ext2

/dev/md2  > crypt > vg_debian > lv_root, lv_home, lv_var > filesystems (ext4/xfs)

In both ways I am getting the frequent kernel message:

bio too big device /dev/md2 (248 > 240)

I have no clue what that might mean. Google doesn't show up so many results. But after reading through some lists I am quite afraid of facing data corruption.

I am using a compact flash card 8g on IDE port and a usb drive 8gb. Anyways they differ in size so I set up system with the USB drive (smaller) and later copied the partition table to the sd card. Maybe the problem is resulting from there.

Somebody might have an idea? What can I do? Is this kind of setup even practical, like everything nested (raid, crypt, lvm)?

best regards! Ben

From: tuxware at: 2014-09-29 15:10:53

Could you please post your /etc/fstab and your grub menu.lst? Would be a great help as I am having trouble booting my new raid system.