Edit: Turns out that what I’m trying to do (mount a luks encrypted raid after start up) only needs the device mapping for the raid drive and not a file-system object.

So I luks encrypted the raid and call a script to open the vault and mount it when I need to.


In my system config file I added a raid drive like so:

(mapped-devices (list (mapped-device
                       (source (uuid "205e5caa-694f-4457-a2a1-8affa3536e75"))
                       (target "guix")
                       (type luks-device-mapping))

                      (mapped-device
                       (source (list "/dev/sdb1" "/dev/sdc1"))
                       (target "/dev/md0")
                       (type raid-device-mapping))))

(file-systems (cons* (file-system
                      (mount-point "/")
                      (device "/dev/mapper/guix")
                      (type "ext4")
                      (dependencies (list (list-ref mapped-devices 0))))

                     (file-system
                      (mount-point "/mnt/nas")
                      (device "/dev/md0")
                      (type "ext4")
                      (mount? #f)
                      (dependencies (list (list-ref mapped-devices 1))))
                     %base-file-systems)))

I’d now like to luks encrypt the raid drive but I’m not sure how to go about doing it. Do I simply make another mapped-device object, specifying the raid drive uuid and “/dev/md0” as the target:

(mapped-device
 (source (uuid {raid uuid}))
 (target "/dev/md0")
 (type luks-device-mapping))

and then pass that as a dependency to the raid file system object?

Thanks

2 points

You sure you want to use LUKS? It has a specific format that can be probed for almost like a known plain text.

2 points

I’m not opposed to using something other than luks, it’s just what I’m familiar with. Is there some other better approach you could recommend?

1 point

https://devicetests.com/secure-luks-encryption Had to Google that. If you want to brute force your way into a modern like setup, you either need a weak password or a very powerful computer and time/money… or do you mean something else?

1 point

I mean that any attack gets easier when you know that, after it’s decrypted, there are the bytes A, B and C at the locations X, Y and Z. It helps with brute force as well as hybrid attacks to find the master key.

LUKS does have exactly those specific bytes at specific locations PLUS it has a marker that basically says “I am in this format and encrypted with this algorithm”.

0 points

Interesting. But is that issue not mitigated by using a good passphrase? Been using luks as default for years. Any better option for full disk encryption on Linux?
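
To make the header marker discussed in this thread concrete, here is an added example (not code from any of the posters) that reads the plaintext fields of a LUKS header, following the LUKS1 on-disk layout, the same kind of information `cryptsetup luksDump` reports. The sample header is constructed for the demo and contains no real key material; the function names are illustrative.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"      # 6-byte marker at offset 0 of the device
SLOT_ACTIVE = 0x00AC71F3          # LUKS1 value marking an enabled key slot

def _text(raw):
    """Decode a NUL-padded ASCII header field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")

def probe_luks(header):
    """Return the plaintext metadata of a LUKS header, or None if no magic."""
    if len(header) < 208 or header[:6] != LUKS_MAGIC:
        return None
    version = struct.unpack(">H", header[6:8])[0]
    info = {"version": version, "uuid": _text(header[168:208])}
    if version != 1 or len(header) < 592:
        return info               # LUKS2 keeps cipher details in a JSON area
    info.update(
        cipher=_text(header[8:40]),
        mode=_text(header[40:72]),
        hash=_text(header[72:104]),
        key_bytes=struct.unpack(">I", header[108:112])[0],
        mk_iterations=struct.unpack(">I", header[164:168])[0],
    )
    slots = []
    for i in range(8):            # 8 key slots of 48 bytes, starting at 208
        active, iterations = struct.unpack_from(">II", header, 208 + 48 * i)
        if active == SLOT_ACTIVE:
            slots.append((i, iterations))
    info["active_slots"] = slots  # (slot index, PBKDF2 iteration count)
    return info

def build_sample_luks1():
    """Constructed LUKS1 header for the demo (all key material is zero)."""
    hdr = bytearray(592)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    for off, val in ((8, b"aes"), (40, b"xts-plain64"), (72, b"sha256")):
        hdr[off:off + len(val)] = val
    struct.pack_into(">II", hdr, 104, 4096, 64)   # payload offset, key bytes
    struct.pack_into(">I", hdr, 164, 150000)      # master-key digest iterations
    uuid = b"00000000-0000-0000-0000-000000000000"
    hdr[168:168 + len(uuid)] = uuid
    struct.pack_into(">II", hdr, 208, SLOT_ACTIVE, 2000000)
    return bytes(hdr)

if __name__ == "__main__":
    print(probe_luks(build_sample_luks1()))
    print(probe_luks(bytes(592)))                 # no magic -> None
```

The cipher, key size and per-slot KDF iteration counts are readable without the passphrase, which is why the passphrase strength and KDF cost raised in the replies above are what an offline guesser has to overcome.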


Guix

!guix@lemmy.ml


Guix is an advanced distribution of the GNU operating system developed by the GNU Project
