Re: [dm-crypt] dm-crypt alignment + ssd + raid

["Thomas Bächler" <thomas@archlinux.org>]

[-- Attachment #1: Type: text/plain, Size: 2638 bytes --]

Am 01.06.2010 16:34, schrieb Philippe Cerfon:
> I have to scenarios:
> A) Sofware RAID6, multiple partitions each to be encrypted. (Using the
> kernel md for the software RAID)
> B) Single SSD disk, multiple partitions each to be encrypted.
> 
> 
> Regarding A:
> 1) What is generally the best way to do this? I mean how to stack the
> different levels of md/RAID, [LVM] (if used at all), dm-crypt.
> I'd say one has about this:
> (physical disk[s]) --> (MD/RAID6) --> (dm-crypt) --> ([LVM] if used at
> all) --> filesystem
> 
> Or is another order "better"?
> I think having MD/RAID at the bottom makes sense (instead of dm-crypt
> at the bottom), at this should make recovery easier, right?
> I'm not sure whether I need LVM at all, but I think it makes only
> sense to have it on top of dm-crypt in order to use to use it to
> enlarge volumes.
> I guess one cannot enlarge a LUKS "filesystem", even if the an
> unterlying LVM volume would be enlarged?

I have used both scenarios in the past. The LUKS volume does not know
its payload size, so it will use the maximum space available.

In the scenario LVM->dm-crypt: Once you enlarge the underlying LV, you
can either 'cryptsetup resize' or 'cryptsetup luksClose && cryptsetup
luksOpen' for the volume to get the new size. The former does not even
require unmounting the file system.

The scenario dm-crypt->LVM is easier, as there is no extra layer between
the LV and filesystem.

Combined with a file system that can do online resizing (like ext3 on
newer kernels, or ext4), you can enlarge the file system transparently,
without any downtime. Shrinking is obviously more complicated.

These days, I use LVM on top of dm-crypt. However, a LUKS volume
encrypted with aes-xts-plain should not be bigger than 1TB for security
reasons (I read that here, don't know the exact reason), so this might
be unsuitable for your needs.

> 2) I guess at any of the levels from above, one can partition the
> exported block device, right?
> So e.g. partition the physical disks that each has one big sdX1, and
> create the RAID on it _OR_ create the RAID directly on the disk
> withoug partitioning.

I wouldn't rely on partitions, LVM is way more flexible. (Having /boot
on LVM might not work and require a small partition, depending on the
bootloader)


Sorry, but I am not familiar with the alignment questions you posted,
although I think with 2.6.33 and up-to-date userspace, all alignments
should be correct automatically without any specific interaction from
your end. Someone else will probably give a definitive answer on that.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 262 bytes --]