Soft RAID 1 on Ubuntu 12.04 with GPT disks
==========================================

.. highlight:: bash

prerequisites::

    apt-get --yes install gdisk mdadm lvm2 cryptsetup

Create Partitions
-----------------

We will use one partition per device with maximum size.

create partitions::

    wajig install gdisk
    gdisk /dev/sdc
    # create a new empty GUID partition table (GPT)
    o
    y
    w
    y
    # add a new partition (type: Linux RAID)
    gdisk /dev/sdc
    n
    # press Enter to accept the defaults for partition number, first and last sector
    fd00
    w
    y

check::

    gdisk -l /dev/sdc

same for /dev/sdd.

find partition uuids::

    ls -la /dev/disk/by-partuuid/

Setup RAID1
-----------

setup raid1::

    mdadm --create --verbose /dev/md0 --level=1 --raid-devices=2 /dev/sdc1 /dev/sdd1
    y

fetch the UUID for the new raid::

    mdadm --detail /dev/md0

add to config at ``/etc/mdadm/mdadm.conf`` for automatic assembly on boot (http://wiki.ubuntuusers.de/Software-RAID#mdadm-conf-aktualisieren)::

    ARRAY /dev/md0 metadata=1.2 name=locutus:0 UUID=25f29ab9:89f6e9e7:19f083c1:bc9b2d06

watch raid (md) logging::

    watch cat /proc/mdstat

I usually wait for the whole resync to finish (8 hours, 3TB).

Encrypt RAID device
-------------------

::

    cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random --verify-passphrase luksFormat /dev/md0
    # uppercase YES
    # check
    cryptsetup luksDump /dev/md0
    # test
    cryptsetup luksOpen /dev/md0 crypt0
    ls /dev/mapper/crypt0

Setup LVM
---------

http://www.gagme.com/greg/linux/raid-lvm.php

- physical extent size limitations do not apply to LVM2 (see manpage)
- ~65000 extents per LV
- 256MB physical extent size (12TB storage: 12000000MB / 65000 ~ 182 MB)

::

    pvcreate /dev/mapper/crypt0
    pvdisplay
    vgcreate raid /dev/mapper/crypt0
    vgdisplay
    # full size of raid
    lvcreate --name storage --extents 100%VG raid
    lvdisplay

Format File System And Mount
----------------------------

::

    mkfs.ext3 -L storage /dev/raid/storage
    mkdir /media/storage
    mount /dev/raid/storage /media/storage
    cd /media/storage/
    df .

give ownership to self::

    chown -R `id -u`:`id -g` /media/storage/

Extend
------

Follow steps up to `Encrypt RAID device`_ which results in a new block device ``/dev/mapper/crypt1``.

Unmount::

    umount /media/storage

LVM::

    pvcreate /dev/mapper/crypt1
    vgdisplay
    # VG Name is still "raid"
    vgextend raid /dev/mapper/crypt1
    lvdisplay
    # LV Name is /dev/raid/storage
    # also check "LV Size"
    # extend to 100% of volume group size
    lvextend -l 100%VG /dev/raid/storage
    lvdisplay
    # check "LV Size" again

Ext3 FS::

    # size information (Block count, Block size)
    tune2fs -l /dev/raid/storage
    # run fsck
    e2fsck -f /dev/raid/storage
    # print the estimated minimum size of the file system (sanity check)
    resize2fs -P /dev/raid/storage
    # DO IT!
    resize2fs /dev/raid/storage

Open after Reboot
-----------------

See :download:`open_storage.sh`::

    ./open_storage.sh

Open multiple devices with one keyfile
--------------------------------------

To avoid typing a passphrase once per device, put a keyfile into an encrypted container file. Mount the container before unlocking the devices and unmount it afterwards.

First, create a file to hold encrypted data::

    # tried 1M and 2M
    dd if=/dev/zero of=crypt_keyfile bs=4M count=1
    losetup /dev/loop0 crypt_keyfile
    # fill with random data
    badblocks -s -w -t random -v /dev/loop0
    # prompts for uppercase YES and password twice
    cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random --verify-passphrase luksFormat /dev/loop0

Open the encrypted file, make a file system and mount it::

    # this will prompt for password
    cryptsetup luksOpen /dev/loop0 crypt_keyfile
    mkfs.ext3 /dev/mapper/crypt_keyfile
    e2fsck -f /dev/mapper/crypt_keyfile
    mkdir -p /tmp/crypt_keyfile
    mount /dev/mapper/crypt_keyfile /tmp/crypt_keyfile

Now create a keyfile containing some random data [1]_::

    # master key size in bytes ("MK bits" / 8)
    keyfile_size_in_bytes=$(( $(cryptsetup luksDump /dev/md0 | grep 'MK bits' | awk '{ print $NF }') / 8 ))
    echo $keyfile_size_in_bytes
    # note: dd's "b" suffix means 512-byte blocks, so the resulting file is
    # keyfile_size_in_bytes * 512 bytes long
    dd if=/dev/zero of=/tmp/crypt_keyfile/keyfile bs=${keyfile_size_in_bytes}b count=1
    # badblocks only writes a test pattern; /dev/urandom is the usual source
    # for key material
    badblocks -s -w -t random -v /tmp/crypt_keyfile/keyfile
    head -c 500 /tmp/crypt_keyfile/keyfile

Add::

    # all of them will ask for their pass phrases
    cryptsetup luksAddKey /dev/md0 /tmp/crypt_keyfile/keyfile
    cryptsetup luksAddKey /dev/md1 /tmp/crypt_keyfile/keyfile

Unmount keyfile::

    umount /tmp/crypt_keyfile
    cryptsetup luksClose crypt_keyfile
    losetup -d /dev/loop0

To mount keyfile again::

    losetup /dev/loop0 crypt_keyfile
    cryptsetup luksOpen /dev/loop0 crypt_keyfile
    mount /dev/mapper/crypt_keyfile /tmp/crypt_keyfile

Updated decrypt script: :download:`decrypt.sh`.

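The unlock sequence from "Open after Reboot" and the keyfile steps above, combined into one script. This is an added example, not the ``open_storage.sh`` or ``decrypt.sh`` offered for download. It reuses the device, mapping and mount names from this page; the ``run`` wrapper, the ``plan``/``run`` modes and the read-only mount of the key container are assumptions of the example.

```sh
#!/bin/sh
# Added example, not the page's decrypt.sh. Paths and names are the ones used
# in the steps above; run() and the plan/run modes are this example's own.
CONTAINER=crypt_keyfile            # LUKS-formatted file holding the keyfile
LOOP=/dev/loop0
KEYMAP=crypt_keyfile               # /dev/mapper name of the opened container
KEYDIR=/tmp/crypt_keyfile
DEVICES="/dev/md0:crypt0 /dev/md1:crypt1"   # device:mapping pairs

# Every privileged command goes through run(), so "plan" can print the exact
# sequence for review before anything is executed as root.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

open_keyfile() {
    run losetup "$LOOP" "$CONTAINER" &&
    run cryptsetup luksOpen "$LOOP" "$KEYMAP" &&    # the only passphrase prompt
    run mkdir -p "$KEYDIR" &&
    run mount -o ro "/dev/mapper/$KEYMAP" "$KEYDIR" # key is only read: mount ro
}

# Best-effort teardown in reverse order; steps that were never reached just fail.
close_keyfile() {
    run umount "$KEYDIR" || true
    run cryptsetup luksClose "$KEYMAP" || true
    run losetup -d "$LOOP" || true
}

unlock_all() {
    status=0
    if open_keyfile; then
        for pair in $DEVICES; do
            run cryptsetup luksOpen --key-file "$KEYDIR/keyfile" \
                "${pair%%:*}" "${pair##*:}" || status=1
        done
    else
        status=1
    fi
    close_keyfile                  # always: the key must not stay mounted
    [ "$status" -eq 0 ] || return 1
    run vgchange -ay raid &&       # activate the volume group on crypt0/crypt1
    run mount /dev/raid/storage /media/storage
}

case "${1:-}" in
    plan) DRY_RUN=1; unlock_all ;;
    run)  unlock_all ;;
    *)    echo "usage: $0 plan|run" ;;
esac
```

The key container is closed before LVM is touched and also when a device fails to open, so the keyfile is never left mounted.
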
Share
-----

::

    wajig install samba

::

    adduser --home /media/storage --shell /bin/false --no-create-home --disabled-login --gecos 'windows share account' storage
    passwd storage
    # make samba aware of new user
    smbpasswd -a storage
    vim /etc/samba/smb.conf
    chown -R storage:storage /media/storage

::

    [global]
        workgroup = WORKGROUP
        server string = %h
        dns proxy = no
        log file = /var/log/samba/log.%m
        max log size = 1000
        syslog = 0
        panic action = /usr/share/samba/panic-action %d
        encrypt passwords = true
        passdb backend = tdbsam
        obey pam restrictions = yes
        unix password sync = yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        pam password change = yes
        map to guest = bad user
        usershare allow guests = yes

    [storage]
        comment = storage
        path = /media/storage
        browsable = yes
        guest ok = yes
        valid users = storage
        writable = yes

restart Samba::

    service smbd restart

Troubleshooting
---------------

md127 http://ubuntuforums.org/showthread.php?p=10907831#post10907831::

    # check /etc/mdadm/mdadm.conf
    update-initramfs -u

.. [1] This could also be a keyfile with a string or a picture; see https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Keyfiles