# Is is wise to encrypt a raid 5 system?

## FizzyWidget

I see that a lot of people have done this, but i was of the thought that if you did this and a drive dies how can it rebuild it? Is this a fallacy? Can you boot into Gentoo give luks the pass and use mdadm to rebuild?

----------

## Goverp

I've neither tried nor done this, but I don't think there should be any problem.

There are two ways you could do it:

RAID 5 in clear, then create an encrypted partition on top.  If you lose a disk, then RAID should rebuild it, and that's all in clear, and the rebuilt disk image will include all the data needed for the crypto to continue working.  In this case, from the crypto point of view, RAID is invisible.

RAID 5 built from encrypted partitions.  I don't know if this is actually possible, and it sounds horrible, but it should still work.  If you lose a disk, RAID will rebuild it using the decrypted data from the other disks, and your crypto will encrypt it on the replacement.  In this case, from the RAID point of view, the crypto should be invisible. The main problem is not RAID rebuilding the disk.  The point of RAID 5 is to provide continuous operation despite losing a drive.  If you do lose one, the array continues to work, and you could, and probably should, make a backup before doing anything more.  The even if your crypto fouls up adding a new drive, you can start over.  RAID is not an aid to data integrity or a backup solution, it provides continuous availability and/or performance.

----------

## FizzyWidget

Yes most of the ways i have seen to do this seem to go with the option of making the raid (dev/md0) then using luks to encrypt /dev/md0 and mounting it as /dev/mapper/name, and then formatting /dev/mapper/name, if a disk does fail then i suppose you could boot with a replacement in there and get mdadm to rebuild the degraded raid.

Was hoping someone here might have some experience with it, don't mind trying it out myself as i have backups of all the information, its more of a time thing

----------

## frostschutz

The rebuild process is the same regardless of encryption or no encryption. In other words it's no problem whatsoever.

While you can build Software RAID from encrypted partitions, it'll most likely be slower than putting the encryption on top of the RAID. Also more difficult to handle.

----------

## FizzyWidget

cool, so its best to make the raid 5 first then luks it afterwards?

----------

## dE_logics

Last time I had a look at this, I had been warned specifically about it.

----------

## FizzyWidget

in what way? did yo go ahead with it, decide not to?

----------

## frostschutz

 *Dark Foo wrote:*   

> cool, so its best to make the raid 5 first then luks it afterwards?

 

That's how it's usually done, yes.

 *dE_logics wrote:*   

> Last time I had a look at this, I had been warned specifically about it.

 

Well, there are at least 2 warnings to give.

1) RAID is not a Backup. If your data is important, you should think about backups first, and RAID later.

2) Encryption can cause complete, irrecoverable data loss, if you lock yourself out. (and back to 1) make backups).

However technically it works just the way it's supposed to. As always, you just have to know what you are doing.

----------

## FizzyWidget

 *frostschutz wrote:*   

>  *Dark Foo wrote:*   cool, so its best to make the raid 5 first then luks it afterwards? 
> 
> That's how it's usually done, yes.
> 
>  *dE_logics wrote:*   Last time I had a look at this, I had been warned specifically about it. 
> ...

 

well i have 2 raid 5 systems, a laptop which will store some things, an imac which will have the docs and stuff on, and a 1TB external drive, think that should have me covered  :Smile: 

To your last sentence, i might be boned on that one   :Wink: 

----------

## Goverp

IMHO the one that really matters is the 1Tb external drive.  Do you (a) keep it off-site, (b) encrypt it?

----------

## FizzyWidget

 *Goverp wrote:*   

> IMHO the one that really matters is the 1Tb external drive.  Do you (a) keep it off-site, (b) encrypt it?

 

The external only has password protection atm as i need to be able to use it on all four pcs, i am hoping to format it as xfs and encrypt it once i have all 3 systems linux, as for it being off site , no, it hides in another room in the house, or in the loft.

It's a pain trying to find a file system/encryption that will work on windows/Linux and Mac - truecrypt seems hit or miss, sometimes it will work on linux some times on mac

----------

## FizzyWidget

Ok so just so i have it right, as i am writing all this down in a little html file for future reference

```
fdisk /dev/sdb/c/d

mdadm --create /dev/md0 --verbose --chunk=64 --level=raid5 --raid-devices=3 /dev/sd[bcd]1 - wait for it to build raid

cryptsetup -y -c aes-cbc-essiv:sha256 -s 256 luksFormat /dev/md0

cryptsetup luksOpen /dev/md0 storage

mkfs.xfs /dev/mapper/storage

mount /dev/mapper/storage /storage

fill the the drive with goodies
```

That look right?

----------

## dewhite

 *Dark Foo wrote:*   

> Ok so just so i have it right, as i am writing all this down in a little html file for future reference
> 
> ```
> fdisk /dev/sdb/c/d
> 
> ...

 

Those are basically the steps I took - yes.  Just keep in mind that it's recommended to fill the disks with random data before you start so as to wipe out any old unencrypted data, and to make it more difficult to see which parts of the disk(s) are filled with newly encrypted data.  a la:

```
dd if=/dev/urandom of=/dev/path/to/your/devices
```

(If you want to see the progress of dd, use kill to signal it to report the amount of data copied by entering:

```
kill -USR1 PID
```

Where PID is the process id in use by DD.

----------

## frostschutz

 *dewhite wrote:*   

> 
> 
> ```
> dd if=/dev/urandom of=/dev/path/to/your/devices
> ```
> ...

 

/dev/urandom takes a hundred years to complete. single pass shred with pseudo random numbers is faster...

----------

## FizzyWidget

dban on 3 pass was fast also

----------

