RAID1 on luks 还是 luks on RAID1

系统安装、升级讨论
版面规则
我们都知道新人的确很菜,也喜欢抱怨,并且带有浓厚的Windows习惯,但既然在这里询问,我们就应该有责任帮助他们解决问题,而不是直接泼冷水、简单的否定或发表对解决问题没有任何帮助的帖子。乐于分享,以人为本,这正是Ubuntu的精神所在。
回复
zhangjint5
帖子: 304
注册时间: 2011-01-02 12:31

RAID1 on luks 还是 luks on RAID1

#1

帖子 zhangjint5 » 2018-02-22 13:28

公司的敏感数据,需要加密和做RAID1

问题来了,最底层的分区是先做RAID1,还是先luks加密呢,那种比较科学?
poloshiao
论坛版主
帖子: 18279
注册时间: 2009-08-04 16:33

Re: RAID1 on luks 还是 luks on RAID1

#2

帖子 poloshiao » 2018-02-22 15:55

luks on RAID1

https://gitlab.com/cryptsetup/cryptsetu ... ns#2-setup
Frequently Asked Questions
2. Setup
2.2 LUKS on partitions or raw disks?
(3) Encrypted RAID: Create your RAID from partitions and/or full devices. Put LUKS on top of the RAID device, just if it were an ordinary block device.
2.8 Encryption on top of RAID or the other way round?

提醒
注意 superblock format 的版本選擇問題
使用 關鍵字 superblock format 搜尋上述文章
參閱
https://raid.wiki.kernel.org/index.php/Superblock
Superblock
https://raid.wiki.kernel.org/index.php/ ... ck_formats
RAID superblock formats
zhangjint5
帖子: 304
注册时间: 2011-01-02 12:31

Re: RAID1 on luks 还是 luks on RAID1

#3

帖子 zhangjint5 » 2018-02-23 14:27

Encryption on top of RAID or the other way round?


Unless you have special needs, place encryption between RAID and
filesystem, i.e. encryption on top of RAID. You can do it the other
way round, but you have to be aware that you then need to give the
passphrase for each individual disk and RAID autodetection will not
work anymore. Therefore it is better to encrypt the RAID device,
e.g. /dev/dm0 .

This means that the typical layering looks like this:

Filesystem <- top
|
Encryption
|
RAID
|
Raw partitions
|
Raw disks <- bottom
The big advantage is that you can manage the RAID container just like
any RAID container, it does not care that what is in it is encrypted.
知道该怎么做了!

谢谢
回复