Debian, Grub2, Software mirroring, encrypted filesystem
Hopefully the title says it all: I have two disks in my machine that I want mirrored using mdadm. On top of that mirror I want an encrypted volume, with my regular root filesystem on top of that. And I'd like to be able to boot my system too.
It took some messing around, so I just thought I'd note here what I ended up with. I'm not sure what I've got is optimal, but it Works For Me.
Partitions
Here is the partition table structure I ended up with:
sda:
  sda1  boot loader
  sda2  EXT2 filesystem: /boot
  sda3  swap
  sda4  EXT4 filesystem: /

sdb:
  sdb1  boot loader
  sdb2  EXT2 filesystem: /boot
  sdb3  swap
  sdb4  EXT4 filesystem: /
Volumes
And I wanted to end up with some volumes that looked like this:
EXT2 filesystem /boot
  Mirrored volume
    sda2
    sdb2

Swap
  Mirrored volume
    sda3
    sdb3

EXT4 filesystem /
  Cryptographic volume
    Mirrored volume
      sda4
      sdb4
The procedure
I set up my disks by booting off the Debian rescue CD, although I'm sure SystemRescueCd would do everything I needed.
Partitioning the disks
For each disk (/dev/sda and /dev/sdb):
parted /dev/sdN
# add a GPT partition table
mklabel gpt
# Each mkpart below gives the answers to parted's prompts in order:
# partition name, filesystem type, start, end (parted's default units, MB)
# Create a small leading partition to give Grub somewhere to write
# its boot loader.
mkpart grub ext2 1 20
# A mirrored but unencrypted boot volume
mkpart boot ext2 22 1044
# Swap space
mkpart swap linux-swap 1046 5142
# The root filesystem (the rest of the disk)
mkpart main ext3 5144 -1
# Make the first grub partition into a boot partition
toggle 1 bios_grub
Create the mirror devices
mdadm \
--create \
--level=1 \
--metadata=0.90 \
--chunk=4 \
--raid-devices=2 \
/dev/md2 /dev/sda2 /dev/sdb2
mdadm \
--create \
--level=1 \
--metadata=0.90 \
--chunk=4 \
--raid-devices=2 \
/dev/md3 /dev/sda3 /dev/sdb3
mdadm \
--create \
--level=1 \
--metadata=0.90 \
--chunk=4 \
--raid-devices=2 \
/dev/md4 /dev/sda4 /dev/sdb4
Create filesystems
Put a filesystem on the boot device:
mkfs.ext2 /dev/md2
tune2fs -r0 -i0 /dev/md2
Set up the swap space
mkswap /dev/md3
Put the encryption layer on the root filesystem
cryptsetup luksFormat -c aes-cbc-essiv:sha256 -s 256 /dev/md4
and format it:
cryptsetup luksOpen /dev/md4 newroot
mkfs.ext4 /dev/mapper/newroot
tune2fs -i0 -r0 /dev/mapper/newroot
Finishing touches
I had a pre-existing installation of Debian, so at this point I mounted my new filesystems from the rescue CD and copied everything over:
mkdir -p /mnt/newroot
mount /dev/mapper/newroot /mnt/newroot
mkdir /mnt/newroot/{boot,dev,proc,sys}
# bind-mount dev, proc and sys so the chroot below can run update-initramfs and grub-install
for dir in dev proc sys; do
mount --bind /$dir /mnt/newroot/$dir
done
mount /dev/md2 /mnt/newroot/boot
cp -av /other/mounted/installation/* /mnt/newroot
If you didn't already have an installation, you could probably use debootstrap at this point.
Finally, setting it up to boot, I switched to my new root filesystem using chroot:
chroot /mnt/newroot
Then:

Edited /etc/fstab to reference /dev/mapper/newroot for root and /dev/md3 for swap.

Regenerated /etc/mdadm/mdadm.conf:
mdadm --detail --scan > /etc/mdadm/mdadm.conf

Created an /etc/crypttab:
newroot /dev/md4 none luks

Updated the initrd to reflect all of these changes (so it decrypts the root filesystem on boot):
update-initramfs -u

Reinstalled grub on both disks:
# Generate a new grub config that should hopefully load the
# right modules for software mirroring and the GPT partition
# table (raid, mdraid, part_gpt)
grub-mkconfig > /boot/grub/grub.cfg
grub-install /dev/sda
grub-install /dev/sdb
Then dropped out of my chroot shell, unmounted everything, rebooted and put my fingers in my ears. And it booted! Phew.
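A pre-reboot consistency check for the fstab, crypttab and mdadm.conf edits above, added here as an example and not part of the original post: it confirms that every /dev/mapper name in fstab has a crypttab entry of the same name and that every mirror those files rely on has an ARRAY line in mdadm.conf, which is what has to line up for the initramfs to unlock and find the root filesystem. The demo function writes constructed sample files matching this post's layout (placeholder UUIDs) into a temporary directory.

```shell
#!/bin/sh
# Pre-reboot consistency check for the three files edited in the chroot.
# Usage: check_boot_config /etc/fstab /etc/crypttab /etc/mdadm/mdadm.conf
# Returns 0 when every /dev/mapper/NAME in fstab has a crypttab entry NAME and
# every md device used directly or as a crypttab source has an ARRAY line.

# Does mdadm.conf ($2) declare the md device $1?  mdadm --detail --scan emits
# lines of the form: ARRAY /dev/md4 metadata=0.90 UUID=...
md_declared() {
  grep -Eq "^ARRAY[[:space:]]+$1([[:space:]]|\$)" "$2" && return 0
  echo "$1 is used by the boot configuration but has no ARRAY line in $2"
  return 1
}

check_boot_config() {
  fstab=$1 crypttab=$2 mdconf=$3 rc=0
  # The first column of every non-comment fstab line is a device fstab expects
  for dev in $(awk '!/^[[:space:]]*#/ && NF >= 2 { print $1 }' "$fstab"); do
    case $dev in
      /dev/mapper/*)
        name=${dev#/dev/mapper/}
        # crypttab columns: NAME SOURCE KEYFILE OPTIONS; pick the source device
        src=$(awk -v n="$name" '!/^[[:space:]]*#/ && $1 == n { print $2 }' "$crypttab")
        if [ -z "$src" ]; then
          echo "fstab uses $dev but crypttab has no entry named $name"; rc=1
        elif ! md_declared "$src" "$mdconf"; then
          rc=1
        fi ;;
      /dev/md*)
        md_declared "$dev" "$mdconf" || rc=1 ;;
    esac
  done
  return "$rc"
}

# Constructed sample files matching this post's layout (placeholder UUIDs).
demo() {
  d=$(mktemp -d) || return 1
  printf '%s\n' '/dev/mapper/newroot / ext4 errors=remount-ro 0 1' \
    '/dev/md2 /boot ext2 defaults 0 2' '/dev/md3 none swap sw 0 0' > "$d/fstab"
  printf '%s\n' 'newroot /dev/md4 none luks' > "$d/crypttab"
  printf 'ARRAY /dev/md%s metadata=0.90 UUID=PLACEHOLDER\n' 2 3 4 > "$d/mdadm.conf"
  if check_boot_config "$d/fstab" "$d/crypttab" "$d/mdadm.conf"; then
    echo "fstab, crypttab and mdadm.conf agree"
  fi
  rm -rf "$d"
}

demo
```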