From: Milan Broz <mbroz@redhat.com>
To: "Jorge Fábregas" <jorge.fabregas@gmail.com>
Cc: dm-crypt@saout.de
Subject: Re: [dm-crypt] Encrypted Raid1 or Raid 1 of encrypted devices?
Date: Tue, 12 Jul 2011 14:10:03 +0200
Message-ID: <4E1C399B.8020401@redhat.com>
In-Reply-To: <4E1C30D4.9010503@gmail.com>

On 07/12/2011 01:32 PM, Jorge Fábregas wrote:
> That's an interesting question: encrypted raid1 or raid1 of encrypted
> disks? That also could be phrased as "dm-crypt on top of dm-raid" or
> "dm-raid on top of dm-crypt"?
>
> I must admit I would have never thought about a "raid1 of encrypted
> disks" (seems awkward) but apparently it works. I'm new here (and to
> disk encryption at all) but here are my two cents:

Technically both work.

> # Performance
> I guess from the point of view of performance (CPU-wise), an "encrypted
> RAID1" would be better as you would be only encrypting once and DM-raid
> will take care of copying those bits as they are to the 2nd disk. I
> suggest you do some tests (copying a large amount of data to the encrypted
> disk) and measure it.

This depends on the kernel version and whether the system is SMP/multi-CPU.
For <2.6.38 you may get better performance for raid over crypt,
for newer kernels it will be different.
(I am not saying better because there are still performance issues
with crypt over MD RAID. It depends on the I/O pattern and whether I/O is
issued from different CPUs or not. For example, dd can be slower but a
threaded fs test can have much better performance.)

> # Management
> There's no doubt that an encrypted raid1 is much better (far fewer
> commands: you just need to format once, luksOpen once, luksClose once,
> one backup of the header).

Yes, I would suggest crypt over MD always too.

> # Reliability
> I'm not sure about this part. Let's see what others have to say
> regarding this.

IMHO both solutions are similar here. Some errors are propagated,
hw failure (RAM, disk) would have a similar effect.
RAID is not a backup. You should back up the LUKS header and data anyway.

Milan