btrfs raid1 with luks encryption

[duxsco]

Hi.
I wish to have the following setup:

Code: Select all

/dev/sda1: mdadm ___
                    \
                     |---> /dev/md0 (raid1) -> ext4 -> /boot
/dev/sdb1: mdadm ___/


/dev/sda2: mdadm ___
                    \
                     |---> /dev/md1 (raid1) -> luks -> swap
/dev/sdb2: mdadm ___/

/dev/sda3: luks ---> /dev/mapper/root   ---> btrfs raid 1 parition  ___
                                                                       \
                                                                        |---> btrfs raid1 ---> /
/dev/sdb3: luks ---> /dev/mapper/root2 ---> btrfs raid 1 partition  ___/

I couldn't find a way to specify two or more encrypted root partitions in "/etc/default/grub" with "crypt_root=" in order to get a password prompt for each of them upon boot or unlock them with a keyfile. Arch Linux supports this with minor changes to two files (https://wiki.archlinux.org/index.php/Dm ... partitions). Is there a way to realise this on Gentoo Linux? I want to use the btrfs raid functionality in order to cope with badblocks. Afaik, btrfs handles them better than mdadm.

Best regards,
onndsd

[frostschutz]

Using LUKS below RAID means encrypting everything twice.

[duxsco]

I have AES-NI and fault tolerance is more important for me than some loss of performance. If one block has gone bad, btrfs recovers by using the healthy block from the other hard drive upon read time. Afaik, mdadm doesn't store checksums on data and metadata like btrfs does (https://btrfs.wiki.kernel.org/index.php ... rfs_use.3F).

[trubicoid]

any news with this particular setup onndsd?
I think the easiest solution would be a custom script in initrd, which decrypts the two partitions.

[astroe]

I have a simpler setup, with just encrypted drives, no RAID. I have dmcrypt added to the boot runlevel. In /etc/conf.d/dmcrypt I specified which drive maps to which logical name and it asks for all the passwords during booting.

[duxsco]

I couldn't find a solution. If you have both a SSD and HDD, you can use the SSD hardware encryption and LUKS on HDD. Then, mirror boot, root etc. over both drives. Unfortunately, btrfs doesn't support the "--write-mostly" option, known from mdadm. Or, you patch the bootup files like astroe.

[davidm]

I couldn't find a way to specify two or more encrypted root partitions in "/etc/default/grub" with "crypt_root=" in order to get a password prompt for each of them upon boot or unlock them with a keyfile.

I know this is an old post but I know usually with grub I just specified one of the drives and then it figured out the rest. This was unencrypted. When I moved to LUKS in encryption I actually used a separate boot along with a separate / partition which was on ext4 (new hdd) so I can't say I have experience exactly with that however (with systemd) when I booted it would prompt me for the passwords to the other drives when I tried to mount the separate btrfs volume. Of course this happened beyond GRUB, probably because of the contents of my /etc/fstab and perhaps /etc/crypttab

I think anyone trying this is probably going to have to bite the bullet and do a separate /boot partition although you could probably encrypt that with LUKS as I believe grub2 can handle that -- only on one disk though and not over multiple volumes with LUKS.

Alternately before giving up you might try specifying one of the drives in the LUKS btrfs array to see if it can automatically figure it out based on that. I take it something like crypt_root=/dev/sda,/dev/sdb,dev/sdc won't work? You might try asking one of the Grub2 developers or perhaps doing a feature request if this is really unimplemented.

Hopefully this helps someone searching.

[rini17]

I have similar setup (btrfs raid1 on LUKS devices with separate unencrypted /boot on ext4). Every boot I am currently mounting the encrypted devices by hand in initramfs shell (I drop into busybox shell, run cryptsetup luksOpen + btrfs dev scan, then resume normal startup). If you configure genkernel to include busybox, btrfs and luks support, all needed tools to do so will get installed there.

I have looked into genkernel initramfs scripts so that above can be done automatically but fixing these is not trivial, as the functions use global variables like CRYPT_ROOT They can't simply be called multiple times with multiple devices.

[E14n]

I have posted a patch[1] for genkernel that allows its initramfs to load multiple luks encrypted volumes on boot. This will allow you to use btrfs raid on luks encrypted block devices. The patch uses the crypt_roots command line flag to mark the devices.

1. https://bugs.gentoo.org/694778