Full Disk Encryption with GRUB 2 + LUKS + LVM + SWRAID on Debian Jessie
12 Dec 2014
In January I started setting up a home server/NAS based on FreeBSD on a HP Microserver. Read about my setup in part 1 and part 2.
While I generally like the idea (BSD license, complete base system in one repo) and community behind FreeBSD, I have the feeling that the project is missing some manpower. VIMAGE is still experimental and in combination with PF it will crash every night (because of a Cron job). There seems to be a bug that IPSec tunnels bypass the firewall.
There is no AMD support in bhyve yet (it’s scheduled for October 2014 with the 10.1 release), so I cannot run any virtual machines on my home server.
So my concerns about manpower and the fact that I cannot run any virtual machines yet lead me back to Debian Linux.
Because with Debian I can use KVM and run multiple virtual machines, I’ll set up a minimalistic, fully encrypted base system with Debian. All services the NAS will supply will run in virtual machines that run Ubuntu, Debian or FreeBSD.
Before we finally talk about the setup, I’d like to give attribution to the blog posts that I based this guide on:
The first two disks will hold the base operating system and maybe the virtual machine operating system images.
The data disks will be for data only.
The storage system layers will look like this:
| Filesystem (eg. ext4) |
| LVM |
| LUKS Crypto |
| Linux Software RAID 1 |
| Physical Hard Disk |
Above the physical block layer, we’ll put a Linux software RAID. The first RAID 1 will span disks 1 and 2 and a second RAID 1 will span the data disks (disks 3 and 4).
And on top of the software RAID will be the encryption layer. Why not the other way round? Because otherwise we would have two crypto devices instead of one, and the CPU would have to encrypt/decrypt any write/read operation twice.
This thread on the dm-crypt list discusses the two options.
We are going to use grml, a Debian-based rescue/admin live distribution, to install the system.
So after downloading grml and booting the live CD, let’s start with becoming root:
Initialize the disks with random data
We will start writing random data to the two operating system disks.
This may take a very long time, depending on how big your disks are.
Partitioning the OS disks
Copy the the partition table from the first disk to the second:
Set new UUIDs on /dev/sdb:
RAID Mirror Setup
LUKS Crypto Setup
We use aes-xts as XTS works especially well for encrypting filesystems.
The keysize of 512 is actually 256, because XTS splits the key in half.
Because we use sha512 instead of sha1, we need to increase the time for the hash iterations.
Also, we have to use /dev/random instead of /dev/urandom, as urandom does not stop giving data if entropy gets low.
Now let’s open the crypto device:
Let’s create a physical volume and a volume group:
Now the logical volumes. Be sure to ajust the sizes of the volumes to fit your system: