Linux Format forums

Re: half encrypted raid 5

JoeyC — Mon Sep 05, 2011 12:14 pm

Author: JoeyC

Posted: Mon Sep 05, 2011 12:14 pm

Yes.. that more or less settles it. I wrongly assumed that you cannot reconstruct data from 2 of the 4 disks, but if a file is small enough then that fails. Also, half the mail is readable, should it be on the array.

Hm..

J

Re: half encrypted raid 5

nelz — Mon Sep 05, 2011 11:14 am

Author: nelz

Posted: Mon Sep 05, 2011 11:14 am

JoeyC wrote:

But, again, the question is: how secure is 2/4 encryption?

Not very if your sensitive data falls on the unencrypted disks. Bear in mind that things like password files are small and often fit in a single disk block. So you have a 50% chance of the whole file being unencrypted.

If your data is important enough to encrypt, it is important enough to encrypt securely.

Re: half encrypted raid 5

JoeyC — Mon Sep 05, 2011 10:18 am

Author: JoeyC

Posted: Mon Sep 05, 2011 10:18 am

Yep, valid points.. My current setup suffers from encryption, but it's and auld yoke, from a time way back when they used weird spelling.

The new one is going to be this atom (without aes extention) on this Jetway board with 4GB memory in it.
I think I'll just play with it a bit, see what it does. I'll see what the difference is between 2/4 and 4/4 encryption, as you suggested.
Also, I'm planning to encrypt the data disks, not the disk containing the os (which will be an SSD, budget permitting).

But, again, the question is: how secure is 2/4 encryption?

J

Re: half encrypted raid 5

nelz — Mon Sep 05, 2011 9:26 am

Author: nelz

Posted: Mon Sep 05, 2011 9:26 am

So you're building a RAID on top of three block devices, two of which are encrypted and one is a disk device? That sounds both horrible and pointless. Even if there were a performance hit when using encryption (which there isn't usually, any half decent processor can handle the encryption far faster than the disk and transfer the data without breaking sweat) you are still doing 2/3 of the encryption work.

If you really want to reduce the encryption load, put LVM on top of an unencrypted RAId5 then only encrypt the filesystems that contain sensitive data - usually /var on a server. There is no point in encrypting the likes of /usr, which only contains publicly available files.

Re: half encrypted raid 5

JoeyC — Mon Sep 05, 2011 9:03 am

Author: JoeyC

Posted: Mon Sep 05, 2011 9:03 am

The question is not 'can you do it', I'm doing it. No reason why you couldn't use the block device created by cryptsetup in a raid array.

The question is, how (in)secure is it?

J

Re: half encrypted raid 5

Dutch_Master — Sun Sep 04, 2011 11:48 pm

Author: Dutch_Master

Posted: Sun Sep 04, 2011 11:48 pm

Not gonna happen: it's either encrypt all or nothing. That's part of the RAID5 setup I'm afraid. But if you use 4 disks instead, try a RAID1+0, on which the RAID1 is clear but the RAID0 encrypted.

(in a RAID, forget about individual disks, they are addressed with their RAID device, mdX)

half encrypted raid 5

JoeyC — Sun Sep 04, 2011 10:22 pm

Author: JoeyC

Posted: Sun Sep 04, 2011 10:22 pm

All,

I'm building a home LAMP server with a raid5 array (using mdadm) for my data. I want my data to be encrypted so that it can only be accessed if you know the password. Encryption (md-crypt) is going to slow down stuff, as is raid 5.

But here's a thought. What if I only encrypt 2 disks and use the resulting two /dev/mapper/whatever block devices in the array next to, say, 2 'normal' partitions? Only half of the data needs to be encrypted which should give me some speed benefit and the data cannot be reconstructed by mdadm without knowing the passwords.

But how insecure is this? I'm thinking, if anyone nicks the server and sells it on to some nerd like me with too much time (and more brains), is he going to be able to recover some files?

For arguments sake, not that the data is all that important (except to me).

Any thoughts?

J