All of lore.kernel.org
 help / color / mirror / Atom feed
* [dm-crypt] Encrypted Btrfs RAID1
@ 2013-09-11 18:13 ax487
  2013-09-11 18:24 ` Arno Wagner
  0 siblings, 1 reply; 4+ messages in thread
From: ax487 @ 2013-09-11 18:13 UTC (permalink / raw)
  To: dm-crypt@saout.de

Hello all,

I have been using LUKS for quite some time now to encrypt block devices.
Up to now I have always used the setup RAID1 -> Encryption -> LVM2 ->
filesystems.
Now however I want to create an encrypted Btrfs RAID1. The problem is
that a RAID based on Btrfs is not based on block devices. What I would
need is to encrypt two different partitions and then use their decrypted
counterparts as basis for the RAID. The problem is that I really don't
want to add my pass phrase multiple times and I don't like key files. I
realize that the 'reuse key' problem is a long standing issue:

https://bbs.archlinux.org/viewtopic.php?id=117152
https://bugzilla.redhat.com/show_bug.cgi?id=446567
https://www.martineve.com/2012/11/02/luks-encrypting-multiple-partitions-on-debianubuntu-with-a-single-passphrase/

However I did not find a solution anywhere.
Could you tell me how to setup my system to make things work the way I
intend to?

Regards,
ax487

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [dm-crypt] Encrypted Btrfs RAID1
  2013-09-11 18:13 [dm-crypt] Encrypted Btrfs RAID1 ax487
@ 2013-09-11 18:24 ` Arno Wagner
  2013-09-11 20:39   ` ax487
  0 siblings, 1 reply; 4+ messages in thread
From: Arno Wagner @ 2013-09-11 18:24 UTC (permalink / raw)
  To: dm-crypt

On Wed, Sep 11, 2013 at 08:13:12PM +0200, ax487 wrote:
> Hello all,
> 
> I have been using LUKS for quite some time now to encrypt block devices.
> Up to now I have always used the setup RAID1 -> Encryption -> LVM2 ->
> filesystems.
> Now however I want to create an encrypted Btrfs RAID1. The problem is
> that a RAID based on Btrfs is not based on block devices. What I would
> need is to encrypt two different partitions and then use their decrypted
> counterparts as basis for the RAID. The problem is that I really don't
> want to add my pass phrase multiple times and I don't like key files. I
> realize that the 'reuse key' problem is a long standing issue:
> 
> https://bbs.archlinux.org/viewtopic.php?id=117152
> https://bugzilla.redhat.com/show_bug.cgi?id=446567
> https://www.martineve.com/2012/11/02/luks-encrypting-multiple-partitions-on-debianubuntu-with-a-single-passphrase/
> 
> However I did not find a solution anywhere.
> Could you tell me how to setup my system to make things work the way I
> intend to?

Easy answer: Don't use Btrfs as long as it is not finished (i.e.
does not implement encryption). If these people think they can 
integrate multiple storage layers, they should at least have the
most common in there and that does include encryption.

More complicated answer: There is no pre-packaged solution.
You could do different things, e.g. make one parition LUKS
and the other plain dm-crypt with a key derived somehow from 
the LUKS master key.

Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult.  --Tony Hoare

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [dm-crypt] Encrypted Btrfs RAID1
  2013-09-11 18:24 ` Arno Wagner
@ 2013-09-11 20:39   ` ax487
  2013-09-11 23:19     ` Arno Wagner
  0 siblings, 1 reply; 4+ messages in thread
From: ax487 @ 2013-09-11 20:39 UTC (permalink / raw)
  To: dm-crypt@saout.de

On 11.09.2013 20:24, Arno Wagner wrote:
> On Wed, Sep 11, 2013 at 08:13:12PM +0200, ax487 wrote:
>> Hello all,
>>
>> I have been using LUKS for quite some time now to encrypt block devices.
>> Up to now I have always used the setup RAID1 -> Encryption -> LVM2 ->
>> filesystems.
>> Now however I want to create an encrypted Btrfs RAID1. The problem is
>> that a RAID based on Btrfs is not based on block devices. What I would
>> need is to encrypt two different partitions and then use their decrypted
>> counterparts as basis for the RAID. The problem is that I really don't
>> want to add my pass phrase multiple times and I don't like key files. I
>> realize that the 'reuse key' problem is a long standing issue:
>>
>> https://bbs.archlinux.org/viewtopic.php?id=117152
>> https://bugzilla.redhat.com/show_bug.cgi?id=446567
>> https://www.martineve.com/2012/11/02/luks-encrypting-multiple-partitions-on-debianubuntu-with-a-single-passphrase/
>>
>> However I did not find a solution anywhere.
>> Could you tell me how to setup my system to make things work the way I
>> intend to?
> 
> Easy answer: Don't use Btrfs as long as it is not finished (i.e.
> does not implement encryption). If these people think they can 
> integrate multiple storage layers, they should at least have the
> most common in there and that does include encryption.

Well, I think that Btrfs is ready for a production system. The
filesystem-based approach to a RAID1 offers some advantages, as does
Btrfs in general. Also, as I have pointed out, people seem to want
reusable keys as a feature. If Btrfs becomes the new standard filesystem
on linux there will probably be some more requests. I might be wrong,
but I assumed that reusable keys would be a feature not too difficult to
implement, most certainly much less difficult than for the Btrfs
developers to implement disk encryption from scratch.

> 
> More complicated answer: There is no pre-packaged solution.
> You could do different things, e.g. make one parition LUKS
> and the other plain dm-crypt with a key derived somehow from 
> the LUKS master key.

I don't know how much you know about what a RAID1 is, but that approach
pretty much defeats the entire purpose of it...

> 
> Arno
> 

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [dm-crypt] Encrypted Btrfs RAID1
  2013-09-11 20:39   ` ax487
@ 2013-09-11 23:19     ` Arno Wagner
  0 siblings, 0 replies; 4+ messages in thread
From: Arno Wagner @ 2013-09-11 23:19 UTC (permalink / raw)
  To: dm-crypt

On Wed, Sep 11, 2013 at 10:39:13PM +0200, ax487 wrote:
> On 11.09.2013 20:24, Arno Wagner wrote:
> > On Wed, Sep 11, 2013 at 08:13:12PM +0200, ax487 wrote:
> >> Hello all,
> >>
> >> I have been using LUKS for quite some time now to encrypt block devices.
> >> Up to now I have always used the setup RAID1 -> Encryption -> LVM2 ->
> >> filesystems.
> >> Now however I want to create an encrypted Btrfs RAID1. The problem is
> >> that a RAID based on Btrfs is not based on block devices. What I would
> >> need is to encrypt two different partitions and then use their decrypted
> >> counterparts as basis for the RAID. The problem is that I really don't
> >> want to add my pass phrase multiple times and I don't like key files. I
> >> realize that the 'reuse key' problem is a long standing issue:
> >>
> >> https://bbs.archlinux.org/viewtopic.php?id=117152
> >> https://bugzilla.redhat.com/show_bug.cgi?id=446567
> >> https://www.martineve.com/2012/11/02/luks-encrypting-multiple-partitions-on-debianubuntu-with-a-single-passphrase/
> >>
> >> However I did not find a solution anywhere.
> >> Could you tell me how to setup my system to make things work the way I
> >> intend to?
> > 
> > Easy answer: Don't use Btrfs as long as it is not finished (i.e.
> > does not implement encryption). If these people think they can 
> > integrate multiple storage layers, they should at least have the
> > most common in there and that does include encryption.
> 
> Well, I think that Btrfs is ready for a production system. 

Then why are you complaining about its missing features?

> The
> filesystem-based approach to a RAID1 offers some advantages, as does
> Btrfs in general. Also, as I have pointed out, people seem to want
> reusable keys as a feature. If Btrfs becomes the new standard filesystem
> on linux there will probably be some more requests. I might be wrong,
> but I assumed that reusable keys would be a feature not too difficult to
> implement, most certainly much less difficult than for the Btrfs
> developers to implement disk encryption from scratch.
> 
> > 
> > More complicated answer: There is no pre-packaged solution.
> > You could do different things, e.g. make one parition LUKS
> > and the other plain dm-crypt with a key derived somehow from 
> > the LUKS master key.
> 
> I don't know how much you know about what a RAID1 is, but that approach
> pretty much defeats the entire purpose of it...

I very much know what RAID1 is, I just assume you are not 
stupid enough to run a LUKS partition without header backup....

True, if you lose the disk on start-up, then the RAID1 will
not come up, but if you lose it while running, you get
the standard RAID1 redundancy.

Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult.  --Tony Hoare

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2013-09-11 23:19 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-09-11 18:13 [dm-crypt] Encrypted Btrfs RAID1 ax487
2013-09-11 18:24 ` Arno Wagner
2013-09-11 20:39   ` ax487
2013-09-11 23:19     ` Arno Wagner

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.