Gentoo Forums
Encrypting a RAID1

Phr33d0m
n00b

Joined: 21 Jul 2011
Posts: 21

Posted: Fri Apr 27, 2012 9:43 am

Hi guys, I've been googling a little about this and didn't find a good answer.
I want to create a hardware RAID1 with two disks and later encrypt this RAID with (maybe) TrueCrypt.
The problem comes, what will happen if one of the hard drives fails? Will everything regenerate just fine if I just replace the broken hdd (no need to re-do encryption or anything similar)?

I'd appreciate any tips from experienced users on how to make this even more successful.
For example, for maximum security, which of these would you recommend I choose:

Code:
Hash algorithm:
1) RIPEMD-160
2) SHA-1
3) Whirlpool

Encryption algorithm:
1) AES
2) Blowfish
3) CAST5
4) Serpent
5) Triple DES
6) Twofish
7) AES-Twofish
8) AES-Twofish-Serpent
9) Serpent-AES
10) Serpent-Twofish-AES
11) Twofish-Serpent


Thanks in advance.

eccerr0r
Watchman

Joined: 01 Jul 2004
Posts: 7236
Location: almost Mile High in the USA

Posted: Fri Apr 27, 2012 2:00 pm

Currently I have a loopback dmcrypt on my software/md raid5... If one of my raid5 disks dies, the loopback dmcrypt will persist (it's just a regular file...)

I don't see why it wouldn't be protected from failure if a disk fails... Just make sure it's layered correctly. If you create the raid on top of encrypted volumes then I'm not quite sure what it would do... in theory this should work too.

Are you looking for plausible deniability or just safety? Mine was more for data safety than anything else...
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?

Phr33d0m
n00b

Joined: 21 Jul 2011
Posts: 21

Posted: Sat Apr 28, 2012 7:32 am

Hello, as this is a hardware RAID1 - the encryption layer will always be on top of the RAID, so my question was whether I have to rebuild the encryption layer if I had to replace one of the hdds?

eccerr0r wrote:
Are you looking for plausible deniability or just safety?

What I need here is both. That's why I need a high level encryption. And as this data will have external backups, that's why I'm using just basic mirroring (RAID1) instead of RAID5 (also for economic reasons).

SlashBeast
Moderator

Joined: 23 May 2006
Posts: 2843

Posted: Sat Apr 28, 2012 10:26 am

If you create dmcrypt over raid1 (say md1), after a disk failure you just add a new disk to the array and the data is copied. No need to re-create encrypted storage. Also I would suggest not to touch truecrypt on linux at all. I am using dmcrypt with aes-xts-plain64 on an lvm array.
_________________
BitBucket -- better-initramfs

eccerr0r
Watchman

Joined: 01 Jul 2004
Posts: 7236
Location: almost Mile High in the USA

Posted: Sat Apr 28, 2012 12:35 pm

I would have to say for plausible deniability do not run dmcrypt over raid1 or other RAID. Redundant random data is not really random.

Phr33d0m
n00b

Joined: 21 Jul 2011
Posts: 21

Posted: Wed May 02, 2012 1:17 pm

SlashBeast wrote:
If you create dmcrypt over raid1 (say md1), after a disk failure you just add a new disk to the array and the data is copied. No need to re-create encrypted storage. Also I would suggest not to touch truecrypt on linux at all. I am using dmcrypt with aes-xts-plain64 on an lvm array.

I guess it wouldn't be mdX but sdX, as with a hardware RAID it will be like a normal hdd to the system, am I correct?
Also, why do you NOT recommend truecrypt on linux? Any personal experience? I've heard very good things about it exactly on linux. Some details on why I shouldn't use it would be nice.

eccerr0r wrote:
I would have to say for plausible deniability do not run dmcrypt over raid1 or other RAID. Redundant random data is not really random.

If you don't recommend dmcrypt, what do you recommend? Truecrypt? The above comment (SlashBeast's) recommends NOT to use truecrypt. Are there any other (good/better) tools to do what I want?

eccerr0r
Watchman

Joined: 01 Jul 2004
Posts: 7236
Location: almost Mile High in the USA

Posted: Wed May 02, 2012 2:17 pm

Actually I should have clarified, *any* FDE over RAID if you want plausible deniability. I think you're better off with a backup system that encrypts both disks differently (using different keys but can use the same password to protect the keys).

broken_chaos
Guru

Joined: 18 Jan 2006
Posts: 370
Location: Ontario, Canada

Posted: Wed May 02, 2012 7:16 pm

eccerr0r wrote:
I would have to say for plausible deniability do not run dmcrypt over raid1 or other RAID. Redundant random data is not really random.

Unless I'm mistaken (which is quite possible), actual random data would generally be duplicated on a RAID1 array too. Though, with dm-crypt plausible deniability really isn't an option or goal -- LUKS has headers that say exactly what parts are encrypted, how they're encrypted, and is incapable of steganography.

I'm not entirely sure how you're going to achieve plausible deniability when you're backing it all up, though.

eccerr0r
Watchman

Joined: 01 Jul 2004
Posts: 7236
Location: almost Mile High in the USA

Posted: Thu May 03, 2012 12:16 am

I looked at my dmcrypt container, it looks very random, and doesn't appear to have any header information.
What I'm concerned about is that if you raid1 the dmcrypt container, you'll end up with two drives with the exact same content. People will wonder why there's two copies of the same random data... thus losing plausible deniability.

If you had two different disks with different keys they'd look different and random to each other, then you can still maintain plausible deniability.

Yes, that's why it seems a bit odd to either back up or RAID encrypted information...

Phr33d0m
n00b

Joined: 21 Jul 2011
Posts: 21

Posted: Thu May 03, 2012 9:36 am

eccerr0r wrote:
People will wonder why there's two copies of the same random data... thus losing plausible deniability.

If you had two different disks with different keys they'd look different and random to each other, then you can still maintain plausible deniability.

Yes, that's why it seems a bit odd to either back up or RAID encrypted information...

Thank you very much, now I understand what you all meant with that I'd lose plausible deniability with a RAID1.

I want to explain, this is NOT a problem for me. I just want to:
* PROTECT my data with the RAID1 (I know backups are an option too, but I'd rather prefer the RAID)
* SECURE my data with the encryption (for more "securing" I was going to use a hidden partition inside, so in the outer partition I'd put non-important data, and in the hidden partition I'd put my important data; in that case even if someone gets to my data and sees that on both hdds there's the same "random data" and asks me about my pass, I'd give them the pass to the non-important data)

Is this the correct approach?
No one answered anything about my question why shouldn't I use truecrypt? I think it's a good and easy-to-use software for what I need.

Thanks in advance.

Veldrin
Veteran

Joined: 27 Jul 2004
Posts: 1945
Location: Zurich, Switzerland

Posted: Thu May 03, 2012 11:38 am

Then you are doing it wrong.
Quote:
* PROTECT my data with the RAID1 (I know backups are an option too, but I'd rather prefer the RAID)

RAID1 (or any RAID level for that matter) is no substitute for a backup. If you delete a file by accident on a RAID1 array, it is gone. If you have a backup, then you have at least some (old) copy of it.

Quote:
No one answered anything about my question why shouldn't I use truecrypt? I think it's a good and easy-to-use software for what I need.

It just feels wrong. I use it too, inside a GUI for some less important data, but the FDE is handled in my case by LUKS, in which I trust.

just my .02$
V.
_________________
read the portage output!
If my answer is too concise, ask for an explanation.

broken_chaos
Guru

Joined: 18 Jan 2006
Posts: 370
Location: Ontario, Canada

Posted: Thu May 03, 2012 6:00 pm

eccerr0r wrote:
I looked at my dmcrypt container, it looks very random, and doesn't appear to have any header information.

If you're using LUKS, it definitely does. Run `cryptsetup luksDump <device>` on your encrypted block device, and it'll spit out stuff like the version, cipher, mode, hash, information about the key slots, etc.

eccerr0r
Watchman

Joined: 01 Jul 2004
Posts: 7236
Location: almost Mile High in the USA

Posted: Thu May 03, 2012 11:17 pm

No I'm not using LUKS... just using it in plain mode, mostly because of legacy. I tried using dmcrypt before LUKS, but it looks like LUKS is probably more of what I should use...

For plain mode, I've botched typing my password a few times, it will still map... as garbage, leading me to believe that it itself does not know the correct password unless the decrypted data looks like an ext2 filesystem...

broken_chaos
Guru

Joined: 18 Jan 2006
Posts: 370
Location: Ontario, Canada

Posted: Fri May 04, 2012 4:17 pm

eccerr0r wrote:
For plain mode, I've botched typing my password a few times, it will still map... as garbage, leading me to believe that it itself does not know the correct password unless the decrypted data looks like an ext2 filesystem...

Ah, yeah, plain mode is apparently indistinguishable from random. But dm-crypt doesn't do steganography -- so anyone looking at the drive (unless it happens to be an old drive you keep with the rest of your spare parts -- arguably a pretty effective way of hiding data) will pretty immediately assume it's encrypted and beat you with a $4 wrench until you tell them the password.
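
Added example (not part of the thread and not any poster's code): the difference discussed in the posts above between a LUKS volume, whose header states version, cipher, mode and hash, and plain-mode dm-crypt, which has no header and looks like random data. The byte strings are constructed samples, `classify` and `entropy_bits_per_byte` are this example's own names, and the field layout assumed is the start of the LUKS1 on-disk header.

```python
import hashlib
import math
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"
# Start of the LUKS1 on-disk header, big-endian: magic, version, cipher name,
# cipher mode, hash spec, payload offset (in sectors), master key length (bytes).
LUKS1_FMT = ">6sH32s32s32sII"


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy estimate; uniformly random data approaches 8.0."""
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in counts if c)


def _text(raw: bytes) -> str:
    """Decode a NUL-padded ASCII header field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def classify(head: bytes) -> dict:
    """Classify the first 4 KiB of a block device or image file."""
    if head[:6] == LUKS_MAGIC and len(head) >= 8:
        info = {"kind": "luks", "version": struct.unpack_from(">H", head, 6)[0]}
        if info["version"] == 1 and len(head) >= struct.calcsize(LUKS1_FMT):
            _, _, name, mode, hash_spec, offset, key_len = struct.unpack_from(LUKS1_FMT, head)
            info.update(cipher=_text(name), mode=_text(mode), hash=_text(hash_spec),
                        payload_offset=offset, key_bits=key_len * 8)
        return info
    entropy = entropy_bits_per_byte(head)
    # No header: plain dm-crypt and a disk filled from /dev/urandom both land here.
    kind = "headerless-high-entropy" if entropy > 7.9 else "headerless-low-entropy"
    return {"kind": kind, "entropy": round(entropy, 2)}


# Constructed samples (not taken from any real device).
SAMPLE_LUKS1 = struct.pack(LUKS1_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha1", 4096, 64)
SAMPLE_RANDOM = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
SAMPLE_ZEROED = bytes(4096)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as dev:
            print(path, classify(dev.read(4096)))
```

The 7.9 threshold is tuned for a 4 KiB read; shorter reads give a lower estimate even for random data.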

RazielFMX
l33t

Joined: 23 Apr 2005
Posts: 835
Location: NY, USA

Posted: Fri May 04, 2012 6:46 pm

broken_chaos wrote:
eccerr0r wrote:
For plain mode, I've botched typing my password a few times, it will still map... as garbage, leading me to believe that it itself does not know the correct password unless the decrypted data looks like an ext2 filesystem...

Ah, yeah, plain mode is apparently indistinguishable from random. But dm-crypt doesn't do steganography -- so anyone looking at the drive (unless it happens to be an old drive you keep with the rest of your spare parts -- arguably a pretty effective way of hiding data) will pretty immediately assume it's encrypted and beat you with a $4 wrench until you tell them the password.


http://xkcd.com/538/

eccerr0r
Watchman

Joined: 01 Jul 2004
Posts: 7236
Location: almost Mile High in the USA

Posted: Sat May 05, 2012 3:45 pm

For government security, sure, waterboarding may even be cheaper...

One would just hope that if hardware gets lost, people won't know who owned the hardware and won't be curious enough to try to decrypt the contents because they wouldn't know what it contains...

Next time I'll cat /dev/urandom to my hard drives before I put them in storage with the rest of my encrypted hard drives... :D

All times are GMT