Encrypted SnapRAID

If you have read my previous SnapRAID tutorial, you will see that I’m a big fan of it for home storage. I wanted to set up a SnapRAID volume made up of encrypted hard drives. We will accomplish this using dm-crypt + LUKS. The following is how I did it.

This example is going to be made up of a three-disk SnapRAID array plus one parity disk. In this example, they are disks /dev/sd[bcde]. First, let’s install the tools to create encrypted filesystems and to work with our disks.

Next, let’s enable the modules to make the encrypted filesystems work.

With encrypted disks, it’s a good idea to start with clean verified disks. Here’s a way to zero your disk(s).

WARNING! POTENTIAL DATA LOSS AHEAD WARNING!

This will overwrite data on /dev/sd[bcde] irrevocably.

Next, let’s add a partition to each disk.

Next, let’s make a backup of this partition table and copy it to the other disks.

Then, let’s encrypt these partitions using AES-XTS, the most secure mode of full disk encryption.

Answer the questions like this

Next, let’s unlock the encrypted partitions to add a filesystem to them. The names at the end represent how the disks will be mapped to /dev/mapper (i.e. disk(1,2) or parity1).

Now that they are unlocked, adding a filesystem is easy.

This encryption is nice, but I don’t want to enter a password for each of my disks every time I boot once my / partition is unlocked, so I’ll unlock them automatically at startup. To accomplish this, we will use a keyfile. Here I’m creating a keyfile (this is a 4096-bit key).

Let’s make this file only readable by root.

Next, let’s add this key as an unlocking method for each partition.

Next, let’s make a mount point for each of these disks.

To make these auto unlock, we need to make /etc/crypttab entries for each disk. They should be based off the crypto_LUKS partitions. To find their UUIDs, try this…

It should output something like this.

Next, use those UUIDs to create the /etc/crypttab file. It should look something like this. Those names at the beginning again create the entries that map to /dev/mapper.

Finally, update your initramfs.

Now the disks will automatically unlock at startup, but I also want them to automount, so create /etc/fstab entries for each. They should be in this format and based off the UUID of the /dev/mapper entries. To find them quickly, try this.

Now create /etc/fstab entries for each of the ext4 partitions using the UUIDs from above.

They should be in this format.

Reboot and ensure your disks automount. Once you have this working, you can follow along with the rest of my previous SnapRAID tutorial.
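
The /etc/crypttab and /etc/fstab steps above use two different sets of UUIDs: the crypto_LUKS partition UUIDs for crypttab and the ext4 UUIDs of the /dev/mapper entries for fstab. The following is an added example, not the commands from the original post, that derives both sets of lines from blkid output. The keyfile path, the /mnt mount points, the fstab options, the partition-to-name mapping and every UUID in the sample are assumptions made for illustration.

```shell
# Added example: derive /etc/crypttab and /etc/fstab lines from blkid output.
# Assumed, not from the page: key file path, /mnt/<name> mount points,
# fstab options, and which partition maps to which /dev/mapper name.
KEYFILE="/root/snapraid.key"   # hypothetical path
# Constructed blkid output; every UUID below is made up.
SAMPLE_BLKID='/dev/sda2: UUID="00000000-0000-4000-8000-00000000000a" TYPE="crypto_LUKS"
/dev/sdb1: UUID="11111111-1111-4111-8111-111111111111" TYPE="crypto_LUKS"
/dev/sdc1: UUID="22222222-2222-4222-8222-222222222222" TYPE="crypto_LUKS"
/dev/sdd1: UUID="33333333-3333-4333-8333-333333333333" TYPE="crypto_LUKS"
/dev/sde1: UUID="44444444-4444-4444-8444-444444444444" TYPE="crypto_LUKS"
/dev/mapper/root: UUID="00000000-0000-4000-8000-00000000000b" TYPE="ext4"
/dev/mapper/disk1: UUID="aaaaaaaa-1111-4111-8111-111111111111" TYPE="ext4"
/dev/mapper/disk2: UUID="bbbbbbbb-2222-4222-8222-222222222222" TYPE="ext4"
/dev/mapper/disk3: UUID="cccccccc-3333-4333-8333-333333333333" TYPE="ext4"
/dev/mapper/parity1: UUID="dddddddd-4444-4444-8444-444444444444" TYPE="ext4"'

# Print "device uuid" for each stdin line whose TYPE equals $1.
uuids_of_type() {
  awk -v want="$1" '{
    dev = $1; sub(/:$/, "", dev); uuid = ""; type = ""
    for (i = 2; i <= NF; i++) {
      if ($i ~ /^UUID="/) { uuid = $i; gsub(/^UUID="|"$/, "", uuid) }
      if ($i ~ /^TYPE="/) { type = $i; gsub(/^TYPE="|"$/, "", type) }
    }
    if (type == want && uuid != "") print dev, uuid
  }'
}

# crypttab uses the UUID of the LUKS container (the raw partition).
crypttab_lines() {
  uuids_of_type crypto_LUKS | while read -r dev uuid; do
    case "$dev" in
      /dev/sdb1) name=disk1 ;; /dev/sdc1) name=disk2 ;;
      /dev/sdd1) name=disk3 ;; /dev/sde1) name=parity1 ;;
      *) continue ;;   # not part of the array, e.g. the LUKS root
    esac
    printf '%s UUID=%s %s luks\n' "$name" "$uuid" "$KEYFILE"
  done
}

# fstab uses the UUID of the ext4 filesystem inside the opened mapping.
fstab_lines() {
  uuids_of_type ext4 | while read -r dev uuid; do
    name=${dev#/dev/mapper/}
    case "$name" in disk[0-9]*|parity[0-9]*) ;; *) continue ;; esac
    printf 'UUID=%s /mnt/%s ext4 defaults 0 2\n' "$uuid" "$name"
  done
}

printf '%s\n' "$SAMPLE_BLKID" | crypttab_lines
printf '%s\n' "$SAMPLE_BLKID" | fstab_lines
```

On a real system, pipe the output of blkid into the two functions and compare the result with your files before rebooting; a crypttab line carrying an ext4 UUID, or an fstab line carrying a crypto_LUKS UUID, leaves that disk locked or unmounted at boot.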

Zack

4 Responses

  1. srnoob says:

    Firstly, thanks for the great articles!

    I’m planning to use this method to set up an encrypted snapraid using an i7 920, which unfortunately doesn’t have AES-NI.

    Will a snapraid set up using this method be decrypted (/encrypted?) using multiple threads on the machine, or only one?

    • Zack says:

      Using this method, the disks are automatically encrypted/decrypted at boot up. After that, SnapRAID would be working with unencrypted disks, so it should perform just fine. I’d suggest testing it out on a small data set and see how it goes.
