From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from mail.saout.de ([127.0.0.1]) by localhost (mail.saout.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yn2iiCZmUQ0N for ; Tue, 12 Jul 2011 13:32:42 +0200 (CEST)
Received: from mail-gw0-f50.google.com (mail-gw0-f50.google.com [74.125.83.50]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by mail.saout.de (Postfix) with ESMTPS for ; Tue, 12 Jul 2011 13:32:41 +0200 (CEST)
Received: by gwj16 with SMTP id 16so2254330gwj.37 for ; Tue, 12 Jul 2011 04:32:39 -0700 (PDT)
Message-ID: <4E1C30D4.9010503@gmail.com>
Date: Tue, 12 Jul 2011 07:32:36 -0400
From: =?ISO-8859-1?Q?Jorge_F=E1bregas?=
MIME-Version: 1.0
References: <20110711230312.9833b94d.ldarby@tuffmail.com>
In-Reply-To: <20110711230312.9833b94d.ldarby@tuffmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [dm-crypt] Encrypted Raid1 or Raid 1 of encrypted devices?
To: dm-crypt@saout.de

On 07/11/2011 06:03 PM, Laurence Darby wrote:
> Is there a recommended way to do this?

Hello Laurence,

That's an interesting question: encrypted raid1 or raid1 of encrypted disks? That also could be phrased as "dm-crypt on top of dm-raid" or "dm-raid on top of dm-crypt"? I must admit I would have never thought about a "raid1 of encrypted disks" (seems awkward) but apparently it works.

I'm new here (and to disk encryption at all) but here are my two cents:

# Performance

I guess from the point of view of performance (CPU-wise), an "encrypted RAID1" would be better as you would be only encrypting once and DM-raid will take care of copying those bits as they are to the 2nd disk. I suggest you do some tests (copying a large amount of data to the encrypted disk) and measure it.

# Management

There's no doubt that an encrypted raid1 is much better (many fewer commands: you just need to format once, luksOpen once, luksClose once, one backup of the header).

# Reliability

I'm not sure about this part. Let's see what others have to say regarding this.

Regards,
Jorge
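
The two layouts compared in this message, written out as setup command sequences. This is an added example, not part of the original message or of the dm-crypt project; it only prints the commands, and the device paths, the `/dev/md0` array name, the mapper names and the header backup file names are placeholder assumptions.

```bash
#!/usr/bin/env bash
# Added example: prints (does not execute) the setup commands for each layout.
# All device, mapper and file names are placeholders chosen for illustration.

# Layout A: dm-crypt on top of RAID1. One LUKS container lives on /dev/md0,
# so there is one format, one open and one header backup.
plan_crypt_on_raid() {
    local d1=$1 d2=$2
    echo "mdadm --create /dev/md0 --level=1 --raid-devices=2 $d1 $d2"
    echo "cryptsetup luksFormat /dev/md0"
    echo "cryptsetup luksOpen /dev/md0 secure"
    echo "cryptsetup luksHeaderBackup /dev/md0 --header-backup-file md0.luks-header"
    echo "mkfs.ext4 /dev/mapper/secure"
}

# Layout B: RAID1 on top of two dm-crypt devices. Each disk carries its own
# LUKS container, so every cryptsetup step is repeated per disk.
plan_raid_on_crypt() {
    local i=0 d
    for d in "$@"; do
        echo "cryptsetup luksFormat $d"
        echo "cryptsetup luksOpen $d crypt$i"
        echo "cryptsetup luksHeaderBackup $d --header-backup-file crypt$i.luks-header"
        i=$((i + 1))
    done
    echo "mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/mapper/crypt0 /dev/mapper/crypt1"
    echo "mkfs.ext4 /dev/md0"
}

# Count occurrences of one cryptsetup action in a plan read from stdin.
count_action() {
    grep -c "^cryptsetup $1 " || true
}

for layout in plan_crypt_on_raid plan_raid_on_crypt; do
    echo "== $layout =="
    "$layout" /dev/sdX1 /dev/sdY1
    echo "luksFormat steps: $("$layout" /dev/sdX1 /dev/sdY1 | count_action luksFormat)"
done
```

In layout B each disk has its own LUKS header, so a header backup is needed per disk, and both containers must be opened before the array can be assembled.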