* [dm-crypt] Encrypted Raid 1 Btrfs on *Single Drive*
@ 2014-03-14 11:09 Jorge Fábregas
2014-03-14 12:00 ` .. ink ..
0 siblings, 1 reply; 3+ messages in thread
From: Jorge Fábregas @ 2014-03-14 11:09 UTC (permalink / raw)
To: dm-crypt
Hi everyone,

I plan to use BTRFS on an external drive. I want to use its RAID 1
capabilities (yes, I know RAID 1 on a single drive doesn't make sense
but I want to take advantage of BTRFS's data & metadata checksumming to
help with bitrot). The thing is, I want to use LUKS with it.

I'm not sure about the proper stacking here. I just did a test with this:

# cryptsetup luksFormat /dev/sdc (my external drive)
# cryptsetup luksOpen /dev/sdc vault
# fdisk /dev/mapper/vault
...and created two partitions of equal size
...afterwards I got /dev/mapper/vault1 & vault2
# mkfs.btrfs -d raid1 -m raid1 /dev/mapper/vault1 /dev/mapper/vault2
# mount /dev/mapper/vault1 /mnt

...and everything works as expected. For btrfs you just need to mount
one of the RAID members and it automatically takes care of the rest.

Now, when I wanted to undo everything, and after unmounting /mnt, I
couldn't simply just use luksClose. I got the following error:

device-mapper: remove ioctl on vault failed: Device or resource busy

I tried luksClose with vault1 & vault2 before attempting to close vault
but couldn't. I had to:

# dmsetup remove vault1
# dmsetup remove vault2
# dmsetup remove vault

Then the devices disappeared from /dev/mapper. Now when I want to mount
my external drive again I have to add another step once I open the LUKS
device:

# kpartx -a /dev/mapper/vault
...so it can create /dev/mapper/vault1 & vault2 so I can use either one
to mount the btrfs raid 1.

Is this the correct method: create the two partitions on the LUKS
device so I can use BTRFS RAID 1? I thought about the other way:

1) create two partitions on raw device
2) format those two partitions with LUKS
3) unlock those two devices and give them to BTRFS...

...but then I'll have two LUKS devices to maintain etc.

Any comments will be appreciated.

Thanks!
Jorge
* Re: [dm-crypt] Encrypted Raid 1 Btrfs on *Single Drive*
From: .. ink .. @ 2014-03-14 12:00 UTC (permalink / raw)
To: Jorge Fábregas; +Cc: dm-crypt@saout.de
On Fri, Mar 14, 2014 at 7:09 AM, Jorge Fábregas <jorge.fabregas@gmail.com> wrote:

> # cryptsetup luksFormat /dev/sdc (my external drive)
>
> # cryptsetup luksOpen /dev/sdc vault
>
> # fdisk /dev/mapper/vault
> ...and created two partitions of equal size
> ...afterwards I got /dev/mapper/vault1 & vault2

I think somehow, the kpartx step was done here and this is evident by the
existence of /dev/mapper/vault1 & vault2

> I tried luksClose with vault1 & vault2 before attempting to close vault
> but couldn't. I had to:
>
> # dmsetup remove vault1
> # dmsetup remove vault2
> # dmsetup remove vault

I think here, you should have done:

kpartx -d /dev/mapper/vault
cryptsetup luksClose vault

> Then the devices disappeared from /dev/mapper. Now when I want to mount
> my external drive again I have to add another step once I open the LUKS
> device:
>
> # kpartx -a /dev/mapper/vault
> ...so it can create /dev/mapper/vault1 & vault2 so I can use either one
> to mount the btrfs raid 1.

This much seems to be expected.

> Is this the correct method: create the two partitions on the LUKS
> device so I can use BTRFS RAID 1? I thought about the other way:

The "standard way" is to create an LVM volume in the encrypted
container. This is how most distributions implement "full disk
encryption" with LUKS.

With an LVM volume, you can simulate partitions by creating volume
groups/logical volumes.
* Re: [dm-crypt] Encrypted Raid 1 Btrfs on *Single Drive*
From: Jorge Fábregas @ 2014-03-15 11:07 UTC (permalink / raw)
To: dm-crypt
On 03/14/2014 08:00 AM, .. ink .. wrote:
> I think somehow, the kpartx step was done here and this is evident by the
> existence of /dev/mapper/vault1 & vault2

Hi,

No, I didn't run kpartx at this step. I did run "partprobe" after fdisk
here in Fedora 20. Maybe one of them creates the partition device files.

> I think here, you should have done:
> kpartx -d /dev/mapper/vault
> cryptsetup luksClose vault

There you go. Thanks for this. That worked nicely. I'll add this to my
steps.

> The "standard way" is to create an LVM volume in the encrypted
> container. This is how most distributions implement "full disk
> encryption" with LUKS.
>
> With an LVM volume, you can simulate partitions by creating volume
> groups/logical volumes.

In my scenario, running btrfs over LVM seems overkill since BTRFS
already has built-in volume management.

Thanks!
Jorge
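
Added example, not part of the original thread: the "Device or resource busy" error comes from vault1 and vault2 being device-mapper mappings stacked on vault, and a mapping that still has holders cannot be removed. The script below reads the holders from sysfs and prints the close sequence suggested in the reply; the function names and the SYSFS_BLOCK override are assumptions made for this example.

```sh
#!/bin/sh
# Added example: find what holds a dm-crypt mapping open and print the
# close sequence from the thread. Function names are illustrative.
# SYSFS_BLOCK is overridable so the logic can be tried on a constructed tree.
SYSFS_BLOCK="${SYSFS_BLOCK:-/sys/block}"

# Map a mapping name (e.g. "vault") to its kernel node (e.g. "dm-0").
dm_node_for() {
    for f in "$SYSFS_BLOCK"/dm-*/dm/name; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" = "$1" ]; then
            basename "$(dirname "$(dirname "$f")")"
            return 0
        fi
    done
    return 1
}

# Print names in removal order: holders (recursively) first, the node last.
# The ( ) body runs in a subshell so recursion does not clobber variables.
teardown_order() (
    node=$1
    for h in "$SYSFS_BLOCK/$node"/holders/*; do
        [ -e "$h" ] || continue          # unmatched glob: no holders
        teardown_order "$(basename "$h")"
    done
    # Non-dm holders have no dm/name; fall back to the kernel node name.
    cat "$SYSFS_BLOCK/$node/dm/name" 2>/dev/null || echo "$node"
)

# Print (not run) the commands to close a LUKS mapping. A mounted filesystem
# is not listed under holders/, so unmount before using this.
close_plan() {
    name=$1
    node=$(dm_node_for "$name") || { echo "no mapping named $name" >&2; return 1; }
    holders=$(teardown_order "$node" | sed '$d')   # drop the mapping itself
    if [ -n "$holders" ]; then
        echo "kpartx -d /dev/mapper/$name"         # removes vault1, vault2, ...
    fi
    echo "cryptsetup luksClose $name"
}

if [ $# -gt 0 ]; then close_plan "$1"; fi
```

Run as root with the mapping name as the only argument (for example `vault`) after unmounting the filesystem; it only prints the commands.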