Full Disk Encryption with GRUB 2 + LUKS + LVM + SWRAID on Debian Jessie
In January I started setting up a home server/NAS based on FreeBSD on a HP Microserver. Read about my setup in part 1 and part 2.
While I generally like the idea (BSD license, complete base system in one repo) and community behind FreeBSD, I have the feeling that the project is missing some manpower. VIMAGE is still experimental and in combination with PF it will crash every night (because of a Cron job). There seems to be a bug that IPSec tunnels bypass the firewall. There is no AMD support in bhyve yet (it’s scheduled for October 2014 with the 10.1 release), so I cannot run any virtual machines on my home server.
So my concerns about manpower and the fact that I cannot run any virtual machines yet lead me back to Debian Linux.
The Plan
Because with Debian I can use KVM and run multiple virtual machines, I’ll set up a minimalistic, fully encrypted base system with Debian. All services the NAS will supply will run in virtual machines that run Ubuntu, Debian or FreeBSD.
The Setup
Before we finally talk about the setup, I’d like to give attribution to the blog posts that I based this guide on:
- State of the art Debian/wheezy deployments with GRUB and LVM/SW-RAID/Crypto
- archlinux: dm-crypt/Device encryption
Hardware
I have four disks in my HP MicroServer:
- Disk 1: Operating System - 3.5’ 250GB 7200RPM HDD
- Disk 2: Operating System - 2.5’ 200GB 7200RPM HDD
- Disk 3: Data - 3.5’ 4TB NAS HDD
- Disk 4: Data - 3.5’ 4TB NAS HDD
The first two disks will hold the base operating system and maybe the virtual machine operating system images. The data disks will be for data only.
The storage system layers will look like this:
| Filesystem (eg. ext4) |
| LVM |
| LUKS Crypto |
| Linux Software RAID 1 |
| Physical Hard Disk |
Above the physical block layer, we’ll put a Linux software RAID. The first RAID 1 will span disks 1 and 2 and a second RAID 1 will span the data disks (disks 3 and 4).
And on top of the software RAID will be the encryption layer. Why not the other way round? Because otherwise we would have two crypto devices instead of one, and the CPU would have to encrypt/decrypt any write/read operation twice.
This thread on the dm-crypt list discusses the two options.
Software
We are going to use grml, a Debian-based rescue/admin live distribution, to install the system.
So after downloading grml and booting the live CD, let’s start with becoming root:
Initialize the disks with random data
We will start writing random data to the two operating system disks.
This may take a very long time, depending on how big your disks are.
Partitioning the OS disks
Copy the the partition table from the first disk to the second:
Set new UUIDs on /dev/sdb:
RAID Mirror Setup
LUKS Crypto Setup
We use aes-xts as XTS works especially well for encrypting filesystems.
The keysize of 512 is actually 256, because XTS splits the key in half.
Because we use sha512 instead of sha1, we need to increase the time for the hash iterations.
Also, we have to use /dev/random instead of /dev/urandom, as urandom does not stop giving data if entropy gets low.
Now let’s open the crypto device:
LVM Setup
Let’s create a physical volume and a volume group:
Now the logical volumes. Be sure to ajust the sizes of the volumes to fit your system:
Create the file systems
Preparing for installation
Installation
Finishing the installation
Let’s get into our new installation:
Edit /etc/fstab to look like:
Edit /etc/crypttab to look like:
Prepare for reboot
Reboot
comments powered by Disqus