Cryptsetup for DNS-320L


mathieu causse

May 19, 2015, 12:45:57 PM5/19/15
to al...@googlegroups.com
Hello everyone,

First of all thank you guys for the tremendous work you have made with Alt-F. Everything is clear and straightforward, the initial configuration was a piece of cake ;).

I've created a raid1 in /dev/md0 with each of the 2 disks /dev/sda and /dev/sdb being ext4 formatted.

What I'd like now is to encrypt the device md0. I've installed the Alt-F package 'cryptsetup'. If I go to Disk->Encryption I have 2 issues here. First, I cannot select md0, only sda1 [0.5GB], sda2, sdb1 [0.5GB] or sdb2. Second issue: I need to use a password file; I'd rather use a passphrase.

I have tried to connect to my box through ssh, but if I launch the encryption of /dev/md0

> cryptsetup -c aes-cbc-essiv:sha256 -y -s 128 luksFormat /dev/md0


I get


WARNING!

========

This will overwrite data on /dev/md0 irrevocably.


Are you sure? (Type uppercase yes): YES

Enter LUKS passphrase: 

Verify passphrase: 

Cannot format device /dev/md0 which is still in use.


Can someone tell me what I am missing?


Cheers,


Mathieu

João Cardoso

May 19, 2015, 3:12:33 PM5/19/15
to al...@googlegroups.com, causse....@gmail.com


On Tuesday, 19 May 2015 17:45:57 UTC+1, mathieu causse wrote:
Hello everyone,

First of all thank you guys for the tremendous work you have made with Alt-F. Everything is clear and straightforward, the initial configuration was a piece of cake ;).

I've created a raid1 in /dev/md0 with each of the 2 disks /dev/sda and /dev/sdb being ext4 formatted.

Then you made it the wrong way: first you should create the RAID device, then put a filesystem on it. A RAID device uses some space from the underlying physical device; the same happens with a filesystem. When you create the RAID over an existing filesystem, some space will be used by the RAID, and the filesystem/fsck will eventually complain because it thinks there is more space than the RAID will supply.
The exception to the above is when you already have data on the filesystem and want to create the RAID over it. In this case you should slightly shrink the filesystem, create the RAID and then enlarge the filesystem. This is only possible for RAID with metadata version 0.9 or 1.0, which uses space near the device end, which the filesystem is not likely to use (unless it's full of data). 'fsck' is more demanding, and might give you a "short read" or similar error/warning -- because fsck will attempt to read the disk past the RAID device end -- after all, the filesystem was created when there was more space available.

 ----------------------------------------------------------
|                         PARTITION                        |
 ----------------------------------------------------------
|                                                   | RAID |
 ----------------------------------------------------------
|                         FILESYSTEM                | RAID |
 ----------------------------------------------------------



What I'd like now is to encrypt the device md0. I've installed the Alt-F package 'cryptsetup'. If I go to Disk->Encryption I have 2 issues here. First, I cannot select md0, only sda1 [0.5GB], sda2, sdb1 [0.5GB] or sdb2.

Yes, that is expected. Cryptsetup, RAID and LVM can only be used (using the webUI) over physical devices. In theory you can encrypt a device over RAID over LVM, or any combination of the above: encrypt a physical device, RAID it, LVM it, or whatever. But Alt-F follows the "Keep It Simple" principle :-) And crypto is slow enough without the extra RAID layer.

There is a reported "issue" regarding this subject.
 
Second issue: I need to use a password file; I'd rather use a passphrase.

That could be possible, but requires attended powerup. I don't think it's very safe to do using the webUI.
 

I have tried to connect to my box through ssh, but if I launch the encryption of /dev/md0

> cryptsetup -c aes-cbc-essiv:sha256 -y -s 128 luksFormat /dev/md0


I get


WARNING!

========

This will overwrite data on /dev/md0 irrevocably.


Are you sure? (Type uppercase yes): YES

Enter LUKS passphrase: 

Verify passphrase: 

Cannot format device /dev/md0 which is still in use.


You have to unmount the filesystem first. That's *one* of the complications of having chains of devices and filesystems... and don't forget that you have to create a filesystem over the encrypted device (and lose all your data). With cryptsetup you are encrypting the disk, not the filesystem nor the files on the filesystem -- that's another way of doing things.

-The procedure is to first create a device over a physical device (say partitioning the disk, not really necessary, just good practice)
-create another device over the created device above (say crypto or RAID or LVM it)
--create another device over the created device above (again crypto or RAID or LVM it, excluding the previous device)
---create another device over the created device above (again crypto or RAID or LVM it, excluding the previous device)
-create a filesystem over the last created device.

Managing the above is no easy chore; you need a log-book to keep a record, just in case you forget what you have done (and you lose your setup scripts).

mathieu causse

May 21, 2015, 2:44:49 PM5/21/15
to al...@googlegroups.com
Thank you Joao, there's a ton of information in your response, now I need to digest it...

mathieu causse

Sep 26, 2015, 12:59:20 PM9/26/15
to Alt-F
One more point for those interested in encrypting their NAS: you can find a nice tutorial at


2 questions though, in /var/log/systemerror.log I have that message:
  • No cryptsetup support found for partition type "crypt_LUKS" in "md1"
Actually that is true, I have installed cryptsetup in md0, which is not encrypted; how could I use cryptsetup to decrypt md1 if I had installed it into md1? Can this message be safely ignored?

My last concern consists of unmounting the encrypted volume backup in /mnt. The umount command doesn't work; I obtain that message:

[root@hardos]# cryptsetup remove backup

Device backup is busy.


Cheers,

Mathieu

João Cardoso

Sep 27, 2015, 11:45:43 AM9/27/15
to Alt-F


On Saturday, 26 September 2015 17:59:20 UTC+1, mathieu causse wrote:
One more point for those interested in encrypting their NAS: you can find a nice tutorial at


2 questions though, in /var/log/systemerror.log I have that message:
  • No cryptsetup support found for partition type "crypt_LUKS" in "md1"

That message is generated when kernel-modules is not yet available for starting the recently discovered crypto partition.
 
Actually that is true, I have installed cryptsetup in md0

You mean that Alt-F packages are installed in md0? If Alt-F kernel-modules package is installed in md0 and md0 is mounted, then the above message does not make sense. Except if...

What is the order of device mounting? md0 does not necessarily become available before md1; it all depends on the devices they are built from. RAIDs are assembled when disk partitions are discovered, so if md1 is made up from sda2 and md0 from sda3, as sda2 appears before sda3, then md1 appears before md0, and no kernel-modules are yet available.

Watch  /var/log/hot*.log files to confirm that.
 
which is not encrypted; how could I use cryptsetup to decrypt md1 if I had installed it into md1?
Can this message be safely ignored?

Yes. After the system has "settled", then kernel-modules is available and you can start cryptsetup.
 

My last concern consists of unmounting the encrypted volume backup in /mnt. The umount command doesn't work; I obtain that message:

[root@hardos]# cryptsetup remove backup

Device backup is busy.


You have to first *unmount* the filesystem built on the device. And you can only unmount it when no processes are accessing it.

So on start: device discovery (sda2, sda3, ...) -> RAID assembly (md0, md1, ...) and/or CRYPTO starting (over sdaX or mdX) -> filesystem mounting -> processes using it.
On stop, the reverse order has to be used.
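Added example, not code from the thread or from Alt-F: a small POSIX shell script that follows the order João gives in his first reply (device -> crypto -> filesystem, and unmount before luksFormat) and in his last reply (start: RAID -> crypto -> mount -> processes; stop in reverse), for the case of a LUKS volume on a RAID device. The device /dev/md1, the mapping name backup and the mount point /mnt/backup are assumptions taken from the later posts and can be overridden with PART, NAME and MNT; the cipher and key size are the ones from Mathieu's command line. With DRYRUN=1 it only prints the commands, which is how the sequence can be reviewed before a disk is touched; the mount-table check reads /proc/mounts unless MOUNTS points at another file.

```shell
#!/bin/sh
# Added example (not Alt-F code): build, open and tear down a
# RAID-device -> LUKS -> filesystem stack in the order the thread describes.
# Device names are assumptions for illustration; override them in the
# environment, e.g.  PART=/dev/sda2 NAME=vault MNT=/mnt/vault ./stack.sh up
#
# DRYRUN=1 prints each command instead of running it, so the sequence can be
# reviewed before anything irrevocable happens to a disk.

PART="${PART:-/dev/md1}"            # assumption: RAID device to put LUKS on
NAME="${NAME:-backup}"              # dm-crypt mapping -> /dev/mapper/backup
MNT="${MNT:-/mnt/backup}"           # mount point of the filesystem on top
MOUNTS="${MOUNTS:-/proc/mounts}"    # mount table; overridable for offline checks

run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# True if $1 (a device node or a mount point) appears in the mount table.
# luksFormat refuses a device that is in use, and umount must precede
# luksClose, so both directions consult this before acting.
is_mounted() {
    awk -v d="$1" '$1 == d || $2 == d { f = 1 } END { exit f ? 0 : 1 }' "$MOUNTS"
}

# First time only (destructive): write the LUKS header, then a fresh filesystem.
# Start order: RAID assembled -> LUKS format/open -> mkfs -> mount.
stack_up() {
    if is_mounted "$PART"; then
        echo "$PART is mounted: unmount it first (luksFormat reports 'still in use')" >&2
        return 1
    fi
    # Cipher/key size as in the thread; recent cryptsetup defaults to aes-xts-plain64.
    run cryptsetup -y -c aes-cbc-essiv:sha256 -s 128 luksFormat "$PART"
    run cryptsetup luksOpen "$PART" "$NAME"      # prompts for the passphrase
    run mkfs.ext4 /dev/mapper/"$NAME"
    run mkdir -p "$MNT"
    run mount /dev/mapper/"$NAME" "$MNT"
}

# Every later boot, after the system has settled and kernel-modules are
# available: no luksFormat, no mkfs, just open and mount.
stack_open() {
    run cryptsetup luksOpen "$PART" "$NAME"
    run mount /dev/mapper/"$NAME" "$MNT"
}

# Stop order is the reverse: stop the processes -> umount -> luksClose
# (-> mdadm --stop only if the RAID itself has to go away).
stack_down() {
    if is_mounted "$MNT"; then
        if ! run umount "$MNT"; then
            echo "umount $MNT failed; processes still using it:" >&2
            run fuser -m "$MNT" >&2 || true   # assumption: the box's fuser supports -m
            return 1
        fi
    fi
    run cryptsetup luksClose "$NAME"
}

case "${1:-}" in
    up)   stack_up ;;
    open) stack_open ;;
    down) stack_down ;;
    "")   ;;                                  # no argument: only define the functions
    *)    echo "usage: $0 up|open|down" >&2; exit 2 ;;
esac
```

stack_up is the one-time, destructive step and refuses to run while the device is mounted, which is the "still in use" error from the first post. stack_open is what to run on later boots once kernel-modules have loaded; luksOpen prompts for the passphrase on the console, so it is an attended step unless a --key-file is supplied, which is the trade-off João mentions for the webUI. stack_down goes the other way and, if umount fails, lists the processes holding the mount with fuser so the reason the mapping is "busy" is visible before retrying luksClose.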