From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.saout.de ([127.0.0.1]) by localhost (mail.saout.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Icpmy2lKLM6B for ; Wed, 11 Sep 2013 22:39:14 +0200 (CEST) Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mail.saout.de (Postfix) with ESMTPS for ; Wed, 11 Sep 2013 22:39:14 +0200 (CEST) Received: from [192.168.1.210] ([92.225.108.206]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0M2FhY-1WBXfy0RQC-00s7Xb for ; Wed, 11 Sep 2013 22:39:14 +0200 Message-ID: <5230D4F1.2080901@gmx.de> Date: Wed, 11 Sep 2013 22:39:13 +0200 From: ax487 MIME-Version: 1.0 References: <5230B2B8.9060604@gmx.de> <20130911182411.GA29506@tansi.org> In-Reply-To: <20130911182411.GA29506@tansi.org> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Subject: Re: [dm-crypt] Encrypted Btrfs RAID1 List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: "dm-crypt@saout.de" On 11.09.2013 20:24, Arno Wagner wrote: > On Wed, Sep 11, 2013 at 08:13:12PM +0200, ax487 wrote: >> Hello all, >> >> I have been using LUKS for quite some time now to encrypt block devices. >> Up to now I have always used the setup RAID1 -> Encryption -> LVM2 -> >> filesystems. >> Now however I want to create an encrypted Btrfs RAID1. The problem is >> that a RAID based on Btrfs is not based on block devices. What I would >> need is to encrypt two different partitions and then use their decrypted >> counterparts as basis for the RAID. The problem is that I really don't >> want to add my pass phrase multiple times and I don't like key files. I >> realize that the 'reuse key' problem is a long standing issue: >> >> https://bbs.archlinux.org/viewtopic.php?id=117152 >> https://bugzilla.redhat.com/show_bug.cgi?id=446567 >> https://www.martineve.com/2012/11/02/luks-encrypting-multiple-partitions-on-debianubuntu-with-a-single-passphrase/ >> >> However I did not find a solution anywhere. >> Could you tell me how to setup my system to make things work the way I >> intend to? > > Easy answer: Don't use Btrfs as long as it is not finished (i.e. > does not implement encryption). If these people think they can > integrate multiple storage layers, they should at least have the > most common in there and that does include encryption. Well, I think that Btrfs is ready for a production system. The filesystem-based approach to a RAID1 offers some advantages, as does Btrfs in general. Also, as I have pointed out, people seem to want reusable keys as a feature. If Btrfs becomes the new standard filesystem on linux there will probably be some more requests. I might be wrong, but I assumed that reusable keys would be a feature not too difficult to implement, most certainly much less difficult than for the Btrfs developers to implement disk encryption from scratch. > > More complicated answer: There is no pre-packaged solution. > You could do different things, e.g. make one parition LUKS > and the other plain dm-crypt with a key derived somehow from > the LUKS master key. I don't know how much you know about what a RAID1 is, but that approach pretty much defeats the entire purpose of it... > > Arno >