https://raid.wiki.kernel.org/index.php/RAID_setup
https://wiki.archlinux.org/index.php/RAID
Layout
Partitioning
Create a partition of the same size and of type Non-FS (Id=da) on every disk. It's important to create identical partitions on every disk to avoid future problems if a disk has to be replaced and the RAID has to be resynced. Fdisk output of the RAID members after partitioning:
Device     Boot  Start  End         Blocks     Id  System
/dev/sda1        2048   1953525167  976761560  da  Non-FS data
/dev/sdb1        2048   1953525167  976761560  da  Non-FS data
/dev/sdc1        2048   1953525167  976761560  da  Non-FS data
/dev/sdd1        2048   1953525167  976761560  da  Non-FS data
/dev/sde1        2048   1953525167  976761560  da  Non-FS data
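The identical-partition requirement above is easy to get wrong by a few sectors on a replacement disk. The following check is an added example, not part of the original post: it reads `fdisk -l` style output (the constructed samples mirror the table above) and fails unless every member partition has the same Start, End, Blocks and Id. The function name and sample data are mine.

```shell
#!/bin/sh
# Added check (not from the original post): verify that the RAID member
# partitions listed by "fdisk -l" all share the same Start, End, Blocks and Id,
# so a replacement disk partitioned the same way will resync cleanly.
# Reads fdisk output on stdin; returns 0 if all members match, 1 otherwise.
check_identical_partitions() {
    awk '
        $1 ~ /^\/dev\// {
            # A bootable partition has "*" in column 2; skip it so the
            # geometry columns line up with non-bootable rows.
            o = ($2 == "*") ? 1 : 0
            key = $(2+o) " " $(3+o) " " $(4+o) " " $(5+o)
            if (!(key in seen)) { seen[key] = 1; layouts++ }
            members++
        }
        END {
            if (members == 0) {
                print "no partition rows found" > "/dev/stderr"; exit 1
            }
            if (layouts > 1) {
                print layouts " different layouts across " members " partitions" > "/dev/stderr"; exit 1
            }
        }'
}

# Constructed sample in the format of the fdisk output above: all members identical.
SAMPLE_OK='Device Boot Start End Blocks Id System
/dev/sda1 2048 1953525167 976761560 da Non-FS data
/dev/sdb1 2048 1953525167 976761560 da Non-FS data
/dev/sdc1 2048 1953525167 976761560 da Non-FS data'

# Constructed sample where one disk was partitioned slightly smaller.
SAMPLE_BAD='Device Boot Start End Blocks Id System
/dev/sda1 2048 1953525167 976761560 da Non-FS data
/dev/sdb1 2048 1953523711 976760832 da Non-FS data'

# Stand-alone demo; in real use pipe in: fdisk -l /dev/sd[abcde] | check_identical_partitions
printf '%s\n' "$SAMPLE_OK" | check_identical_partitions && echo "layouts identical"
printf '%s\n' "$SAMPLE_BAD" | check_identical_partitions || echo "layouts differ"
```

Run it against the real disks before `mdadm --create`, and again after partitioning a replacement disk.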
Create the RAID
mdadm --create --verbose --level=5 --metadata=1.2 --raid-devices=4 /dev/md0 /dev/sd[abcd]1 \
--spare-devices=1 /dev/sde1
The RAID should now start syncing. You can check the progress with
watch cat /proc/mdstat
If for some reason the sync doesn't start automatically, you can force it with the following command
mdadm --readwrite /dev/mdX
Where /dev/mdX is your RAID device, for example /dev/md0.
Depending on your RAID size this process will take a couple of hours.
Save the RAID configuration
mdadm --detail --scan >> /etc/mdadm/mdadm.conf
Encrypt RAID
Create the LUKS container on the RAID device /dev/md0. I used aes-xts-plain64; there are others such as aes-cbc-essiv (the default at the time of this writing). Which cipher is better depends on many factors and is out of the scope of this post.
cryptsetup luksFormat --cipher aes-xts-plain64 --hash sha512 /dev/md0
This requires typing a confirmation in upper case to go on, and then entering the desired passphrase.
Open the new LUKS container:
cryptsetup luksOpen /dev/md0 crypt-raid
This will create a new link under /dev/mapper named crypt-raid. To show the cryptsetup details of the encrypted device:
cryptsetup luksDump /dev/md0
This shows, among other data, the cipher used, the key hash and the used key slots.
Create File System
Before you can mount the encrypted RAID device you have to create a file system on it. In this case I will go with ext4:
mkfs.ext4 /dev/mapper/crypt-raid
Mount Device
Before the crypt device can be mounted it has to be unlocked:
cryptsetup luksOpen /dev/md0 crypt-raid
This maps the crypt device under /dev/mapper/crypt-raid
mount /dev/mapper/crypt-raid [mount point]
On Boot Mount
In order to get the encrypted device unlocked and mounted on boot, it has to be added to both the /etc/crypttab and the /etc/fstab files as follows:
/etc/crypttab:
crypt-raid /dev/md0 none luks
/etc/fstab:
/dev/mapper/crypt-raid /mnt/raid ext4 defaults 0 0
This will block the boot process until you provide the required passphrase, which can be a problem if you are running a headless server. One solution is to provide a key file on an external USB stick; another is to use only the fstab entry (no crypttab entry) with the noauto option and unlock and mount the device manually via ssh.