LUKS + BTRFS + RAID1
I'd like to use BTRFS RAID1 with dm_crypt on a microserver. The hard part that I don't understand many things about how filesystems and LUKS work. Let's say we have 2 partitions on a drive and we do a whole drive encryption. Does that mean that both partitions will be encrypted and without knowing the key I won't be able to tell what filesystems they have? If so, then I don't understand how it is possible to have an unencrypted boot partition (necessary to load dm_crypt) on such drives or how btrfs raid1 will work if I encrypt both drives and they don't know from each other until both of them are decrypted? On the other hand if dm_crypt uses the btrfs partitions to store the data encrypted for example in a huge file, then wouldn't the btrfs scrub work on this huge file only and wouldn't a single uncorrectable error kill the whole content of the disks?
filesystem encryption raid luks btrfs
asked Jan 5 '18 at 16:44
inf3rnoinf3rno
1881111
add a comment |
I'd like to use BTRFS RAID1 with dm_crypt on a microserver. The hard part that I don't understand many things about how filesystems and LUKS work. Let's say we have 2 partitions on a drive and we do a whole drive encryption. Does that mean that both partitions will be encrypted and without knowing the key I won't be able to tell what filesystems they have? If so, then I don't understand how it is possible to have an unencrypted boot partition (necessary to load dm_crypt) on such drives or how btrfs raid1 will work if I encrypt both drives and they don't know from each other until both of them are decrypted? On the other hand if dm_crypt uses the btrfs partitions to store the data encrypted for example in a huge file, then wouldn't the btrfs scrub work on this huge file only and wouldn't a single uncorrectable error kill the whole content of the disks?
filesystem encryption raid luks btrfs
asked Jan 5 '18 at 16:44
inf3rnoinf3rno
1881111
add a comment |
I'd like to use BTRFS RAID1 with dm_crypt on a microserver. The hard part that I don't understand many things about how filesystems and LUKS work. Let's say we have 2 partitions on a drive and we do a whole drive encryption. Does that mean that both partitions will be encrypted and without knowing the key I won't be able to tell what filesystems they have? If so, then I don't understand how it is possible to have an unencrypted boot partition (necessary to load dm_crypt) on such drives or how btrfs raid1 will work if I encrypt both drives and they don't know from each other until both of them are decrypted? On the other hand if dm_crypt uses the btrfs partitions to store the data encrypted for example in a huge file, then wouldn't the btrfs scrub work on this huge file only and wouldn't a single uncorrectable error kill the whole content of the disks?
filesystem encryption raid luks btrfs
asked Jan 5 '18 at 16:44
inf3rnoinf3rno
1881111
I'd like to use BTRFS RAID1 with dm_crypt on a microserver. The hard part that I don't understand many things about how filesystems and LUKS work. Let's say we have 2 partitions on a drive and we do a whole drive encryption. Does that mean that both partitions will be encrypted and without knowing the key I won't be able to tell what filesystems they have? If so, then I don't understand how it is possible to have an unencrypted boot partition (necessary to load dm_crypt) on such drives or how btrfs raid1 will work if I encrypt both drives and they don't know from each other until both of them are decrypted? On the other hand if dm_crypt uses the btrfs partitions to store the data encrypted for example in a huge file, then wouldn't the btrfs scrub work on this huge file only and wouldn't a single uncorrectable error kill the whole content of the disks?
filesystem encryption raid luks btrfs
filesystem encryption raid luks btrfs
asked Jan 5 '18 at 16:44
inf3rnoinf3rno
1881111
asked Jan 5 '18 at 16:44
inf3rnoinf3rno
1881111
asked Jan 5 '18 at 16:44
inf3rnoinf3rno
1881111
asked Jan 5 '18 at 16:44
inf3rnoinf3rno
1881111
asked Jan 5 '18 at 16:44
inf3rnoinf3rno
1881111
1881111
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
Does that mean that both partitions will be encrypted and without
knowing the key I won't be able to tell what filesystems they have?
Yes, both partitions will be encrypted as LUKS partitions. You will be able to tell they are LUKS encrypted partitions. Without the key (and/or passphrase), you will not be able to tell what is inside the partition.
If so, then I don't understand how it is possible to have an
unencrypted boot partition ...
Either (a) the boot partition is a separate [and unencrypted] partition, or (b) the boot loader [GRUB?] asks for the passphrase and knows how to decrypt and mount the boot parition. (I typically use an unencrypted boot partition with Ubuntu. I once saw an encrypted boot partition on an installation of Manjaro Linux.)
The main problem with this setup that since raid1 will be on the upper
level, both hdds/ssds will be encrypted differently, which means
performance penalty and a lot of unnecessary encryption.
I've heard the overhead of disk encryption is negligible. I have never had a problem with it. But then I have never measured the performance impact, and I do not need high speed disk IO on my system.
In any case, you will only pay the cost for multiple encryption when writing data. When reading, only one copy of the data will need to be read.
I use LUKS + ZFS + RAID1, but only for /home. I use ext4 for /, and ext2 for /boot.
(Note that if you have N>2 disks, BTRFS's "RAID1" mode is not really RAID1, as BTRFS will only create 2 copies of your data, not N copies as required by RAID1. In other words, BTRFS "RAID1" with N>2 disks gives you more storage space, not more redundancy.)
answered Aug 23 '18 at 22:05
mpbmpb
41839
add a comment |
I read some texts in the topic. According to them the partitioning and formatting are separate processes, so I don't have to give the file system type by partitioning a block device (ssd/hdd/virtual?). The dm-crypt can convert an unencrypted block device to an encrypted one by encrypting each block (or sector?) individually and the btrfs can live on that encrypted block device.
Note: dmcrypt + btrfs needs 4+ kernel to work properly; 3.2- kernels have compatibility and security issues, 4.0- kernels have performance issues.
The main problem with this setup that since raid1 will be on the upper level, both hdds/ssds will be encrypted differently, which means performance penalty and a lot of unnecessary encryption. According to other texts/answers I read there is no way to do this now. People are working on btrfs encryption, but there is nothing stable yet. Currently the stacked approach with ecryptfs - the btrfs FAQ mentions - is a lot slower than dm-crypt, so that wouldn't be a good solution either. Another option is using zfs, which has encryption support, but afaik. it consumes a lot of memory compared to btrfs.
update (Jan, 2019):
I checked zfs too, it has a nice native encryption and you can encrypt the swap partition too, so I think that is the way to go. It has some drawbacks too, it uses more memory and it isn't as straightforward to add a new disk as with btrfs.
answered Jan 15 '18 at 16:22
inf3rnoinf3rno
1881111
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "89"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f992672%2fluks-btrfs-raid1%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
Does that mean that both partitions will be encrypted and without
knowing the key I won't be able to tell what filesystems they have?
Yes, both partitions will be encrypted as LUKS partitions. You will be able to tell they are LUKS encrypted partitions. Without the key (and/or passphrase), you will not be able to tell what is inside the partition.
If so, then I don't understand how it is possible to have an
unencrypted boot partition ...
Either (a) the boot partition is a separate [and unencrypted] partition, or (b) the boot loader [GRUB?] asks for the passphrase and knows how to decrypt and mount the boot parition. (I typically use an unencrypted boot partition with Ubuntu. I once saw an encrypted boot partition on an installation of Manjaro Linux.)
The main problem with this setup that since raid1 will be on the upper
level, both hdds/ssds will be encrypted differently, which means
performance penalty and a lot of unnecessary encryption.
I've heard the overhead of disk encryption is negligible. I have never had a problem with it. But then I have never measured the performance impact, and I do not need high speed disk IO on my system.
In any case, you will only pay the cost for multiple encryption when writing data. When reading, only one copy of the data will need to be read.
I use LUKS + ZFS + RAID1, but only for /home. I use ext4 for /, and ext2 for /boot.
(Note that if you have N>2 disks, BTRFS's "RAID1" mode is not really RAID1, as BTRFS will only create 2 copies of your data, not N copies as required by RAID1. In other words, BTRFS "RAID1" with N>2 disks gives you more storage space, not more redundancy.)
answered Aug 23 '18 at 22:05
mpbmpb
41839
add a comment |
Does that mean that both partitions will be encrypted and without
knowing the key I won't be able to tell what filesystems they have?
Yes, both partitions will be encrypted as LUKS partitions. You will be able to tell they are LUKS encrypted partitions. Without the key (and/or passphrase), you will not be able to tell what is inside the partition.
If so, then I don't understand how it is possible to have an
unencrypted boot partition ...
Either (a) the boot partition is a separate [and unencrypted] partition, or (b) the boot loader [GRUB?] asks for the passphrase and knows how to decrypt and mount the boot parition. (I typically use an unencrypted boot partition with Ubuntu. I once saw an encrypted boot partition on an installation of Manjaro Linux.)
The main problem with this setup that since raid1 will be on the upper
level, both hdds/ssds will be encrypted differently, which means
performance penalty and a lot of unnecessary encryption.
I've heard the overhead of disk encryption is negligible. I have never had a problem with it. But then I have never measured the performance impact, and I do not need high speed disk IO on my system.
In any case, you will only pay the cost for multiple encryption when writing data. When reading, only one copy of the data will need to be read.
I use LUKS + ZFS + RAID1, but only for /home. I use ext4 for /, and ext2 for /boot.
(Note that if you have N>2 disks, BTRFS's "RAID1" mode is not really RAID1, as BTRFS will only create 2 copies of your data, not N copies as required by RAID1. In other words, BTRFS "RAID1" with N>2 disks gives you more storage space, not more redundancy.)
answered Aug 23 '18 at 22:05
mpbmpb
41839
add a comment |
Does that mean that both partitions will be encrypted and without
knowing the key I won't be able to tell what filesystems they have?
Yes, both partitions will be encrypted as LUKS partitions. You will be able to tell they are LUKS encrypted partitions. Without the key (and/or passphrase), you will not be able to tell what is inside the partition.
If so, then I don't understand how it is possible to have an
unencrypted boot partition ...
Either (a) the boot partition is a separate [and unencrypted] partition, or (b) the boot loader [GRUB?] asks for the passphrase and knows how to decrypt and mount the boot parition. (I typically use an unencrypted boot partition with Ubuntu. I once saw an encrypted boot partition on an installation of Manjaro Linux.)
The main problem with this setup that since raid1 will be on the upper
level, both hdds/ssds will be encrypted differently, which means
performance penalty and a lot of unnecessary encryption.
I've heard the overhead of disk encryption is negligible. I have never had a problem with it. But then I have never measured the performance impact, and I do not need high speed disk IO on my system.
In any case, you will only pay the cost for multiple encryption when writing data. When reading, only one copy of the data will need to be read.
I use LUKS + ZFS + RAID1, but only for /home. I use ext4 for /, and ext2 for /boot.
(Note that if you have N>2 disks, BTRFS's "RAID1" mode is not really RAID1, as BTRFS will only create 2 copies of your data, not N copies as required by RAID1. In other words, BTRFS "RAID1" with N>2 disks gives you more storage space, not more redundancy.)
answered Aug 23 '18 at 22:05
mpbmpb
41839
Does that mean that both partitions will be encrypted and without
knowing the key I won't be able to tell what filesystems they have?
Yes, both partitions will be encrypted as LUKS partitions. You will be able to tell they are LUKS encrypted partitions. Without the key (and/or passphrase), you will not be able to tell what is inside the partition.
If so, then I don't understand how it is possible to have an
unencrypted boot partition ...
Either (a) the boot partition is a separate [and unencrypted] partition, or (b) the boot loader [GRUB?] asks for the passphrase and knows how to decrypt and mount the boot parition. (I typically use an unencrypted boot partition with Ubuntu. I once saw an encrypted boot partition on an installation of Manjaro Linux.)
The main problem with this setup that since raid1 will be on the upper
level, both hdds/ssds will be encrypted differently, which means
performance penalty and a lot of unnecessary encryption.
I've heard the overhead of disk encryption is negligible. I have never had a problem with it. But then I have never measured the performance impact, and I do not need high speed disk IO on my system.
In any case, you will only pay the cost for multiple encryption when writing data. When reading, only one copy of the data will need to be read.
I use LUKS + ZFS + RAID1, but only for /home. I use ext4 for /, and ext2 for /boot.
(Note that if you have N>2 disks, BTRFS's "RAID1" mode is not really RAID1, as BTRFS will only create 2 copies of your data, not N copies as required by RAID1. In other words, BTRFS "RAID1" with N>2 disks gives you more storage space, not more redundancy.)
answered Aug 23 '18 at 22:05
mpbmpb
41839
answered Aug 23 '18 at 22:05
mpbmpb
41839
answered Aug 23 '18 at 22:05
mpbmpb
41839
answered Aug 23 '18 at 22:05
mpbmpb
41839
41839
add a comment |
add a comment |
I read some texts in the topic. According to them the partitioning and formatting are separate processes, so I don't have to give the file system type by partitioning a block device (ssd/hdd/virtual?). The dm-crypt can convert an unencrypted block device to an encrypted one by encrypting each block (or sector?) individually and the btrfs can live on that encrypted block device.
Note: dmcrypt + btrfs needs 4+ kernel to work properly; 3.2- kernels have compatibility and security issues, 4.0- kernels have performance issues.
The main problem with this setup that since raid1 will be on the upper level, both hdds/ssds will be encrypted differently, which means performance penalty and a lot of unnecessary encryption. According to other texts/answers I read there is no way to do this now. People are working on btrfs encryption, but there is nothing stable yet. Currently the stacked approach with ecryptfs - the btrfs FAQ mentions - is a lot slower than dm-crypt, so that wouldn't be a good solution either. Another option is using zfs, which has encryption support, but afaik. it consumes a lot of memory compared to btrfs.
update (Jan, 2019):
I checked zfs too, it has a nice native encryption and you can encrypt the swap partition too, so I think that is the way to go. It has some drawbacks too, it uses more memory and it isn't as straightforward to add a new disk as with btrfs.
answered Jan 15 '18 at 16:22
inf3rnoinf3rno
1881111
add a comment |
I read some texts in the topic. According to them the partitioning and formatting are separate processes, so I don't have to give the file system type by partitioning a block device (ssd/hdd/virtual?). The dm-crypt can convert an unencrypted block device to an encrypted one by encrypting each block (or sector?) individually and the btrfs can live on that encrypted block device.
Note: dmcrypt + btrfs needs 4+ kernel to work properly; 3.2- kernels have compatibility and security issues, 4.0- kernels have performance issues.
The main problem with this setup that since raid1 will be on the upper level, both hdds/ssds will be encrypted differently, which means performance penalty and a lot of unnecessary encryption. According to other texts/answers I read there is no way to do this now. People are working on btrfs encryption, but there is nothing stable yet. Currently the stacked approach with ecryptfs - the btrfs FAQ mentions - is a lot slower than dm-crypt, so that wouldn't be a good solution either. Another option is using zfs, which has encryption support, but afaik. it consumes a lot of memory compared to btrfs.
update (Jan, 2019):
I checked zfs too, it has a nice native encryption and you can encrypt the swap partition too, so I think that is the way to go. It has some drawbacks too, it uses more memory and it isn't as straightforward to add a new disk as with btrfs.
answered Jan 15 '18 at 16:22
inf3rnoinf3rno
1881111
add a comment |
I read some texts in the topic. According to them the partitioning and formatting are separate processes, so I don't have to give the file system type by partitioning a block device (ssd/hdd/virtual?). The dm-crypt can convert an unencrypted block device to an encrypted one by encrypting each block (or sector?) individually and the btrfs can live on that encrypted block device.
Note: dmcrypt + btrfs needs 4+ kernel to work properly; 3.2- kernels have compatibility and security issues, 4.0- kernels have performance issues.
The main problem with this setup that since raid1 will be on the upper level, both hdds/ssds will be encrypted differently, which means performance penalty and a lot of unnecessary encryption. According to other texts/answers I read there is no way to do this now. People are working on btrfs encryption, but there is nothing stable yet. Currently the stacked approach with ecryptfs - the btrfs FAQ mentions - is a lot slower than dm-crypt, so that wouldn't be a good solution either. Another option is using zfs, which has encryption support, but afaik. it consumes a lot of memory compared to btrfs.
update (Jan, 2019):
I checked zfs too, it has a nice native encryption and you can encrypt the swap partition too, so I think that is the way to go. It has some drawbacks too, it uses more memory and it isn't as straightforward to add a new disk as with btrfs.
answered Jan 15 '18 at 16:22
inf3rnoinf3rno
1881111
I read some texts in the topic. According to them the partitioning and formatting are separate processes, so I don't have to give the file system type by partitioning a block device (ssd/hdd/virtual?). The dm-crypt can convert an unencrypted block device to an encrypted one by encrypting each block (or sector?) individually and the btrfs can live on that encrypted block device.
Note: dmcrypt + btrfs needs 4+ kernel to work properly; 3.2- kernels have compatibility and security issues, 4.0- kernels have performance issues.
The main problem with this setup that since raid1 will be on the upper level, both hdds/ssds will be encrypted differently, which means performance penalty and a lot of unnecessary encryption. According to other texts/answers I read there is no way to do this now. People are working on btrfs encryption, but there is nothing stable yet. Currently the stacked approach with ecryptfs - the btrfs FAQ mentions - is a lot slower than dm-crypt, so that wouldn't be a good solution either. Another option is using zfs, which has encryption support, but afaik. it consumes a lot of memory compared to btrfs.
update (Jan, 2019):
I checked zfs too, it has a nice native encryption and you can encrypt the swap partition too, so I think that is the way to go. It has some drawbacks too, it uses more memory and it isn't as straightforward to add a new disk as with btrfs.
answered Jan 15 '18 at 16:22
inf3rnoinf3rno
1881111
edited Feb 2 at 18:06
answered Jan 15 '18 at 16:22
inf3rnoinf3rno
1881111
answered Jan 15 '18 at 16:22
inf3rnoinf3rno
1881111
answered Jan 15 '18 at 16:22
inf3rnoinf3rno
1881111
1881111
add a comment |
add a comment |
Thanks for contributing an answer to Ask Ubuntu!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f992672%2fluks-btrfs-raid1%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
