Soft Raid 1 on Ubuntu 12.04 with GPT disks

prerequisites:

apt-get --yes install gdisk mdadm lvm2 cryptsetup

Create Partitions

We will use one partition per device with maximum size.

create partitions:

wajig install gdisk
gdisk /dev/sdc
# create a new empty GUID partition table (GPT)
o
y
w
y
# add a new partition (type: Linux RAID)
gdisk /dev/sdc
n
<ENTER>
<ENTER>
<ENTER>
fd00
w
y
<ENTER>

check:

gdisk -l /dev/sdc

same for /dev/sdd.

find partition uuids:

ls -la /dev/disk/by-partuuid/

Setup RAID1

setup raid1:

mdadm --create --verbose /dev/md0 --level=1 --raid-devices=2 /dev/sdc1 /dev/sdd1
y

fetch the UUID for the new raid:

mdadm --detail /dev/md0

add to config at /etc/mdadm/mdadm.conf for automatic assembly on boot (http://wiki.ubuntuusers.de/Software-RAID#mdadm-conf-aktualisieren):

ARRAY /dev/md0 metadata=1.2 name=locutus:0 UUID=25f29ab9:89f6e9e7:19f083c1:bc9b2d06

watch raid (md) logging:

watch cat /proc/mdstat

I usually wait for the whole resync to finish (8 hours, 3TB).

Encrypt RAID device

cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random --verify-passphrase luksFormat /dev/md0
# uppercase YES
# check
cryptsetup luksDump /dev/md0
# test
cryptsetup luksOpen /dev/md0 crypt0
ls /dev/mapper/crypt0

Setup LVM

http://www.gagme.com/greg/linux/raid-lvm.php

  • physical extent size limitations do not apply to LVM2 (see manpage)
    • ~65000 extents per LV
    • 256MB physical extent size (12TB storage: 12000000MB / 65000 ~ 182 MB)

pvcreate /dev/mapper/crypt0
pvdisplay
vgcreate raid /dev/mapper/crypt0
vgdisplay
# full size of raid
lvcreate --name storage --extents 100%VG raid
lvdisplay

Format File System And Mount

mkfs.ext3 -L storage /dev/raid/storage
mkdir /media/storage
mount /dev/raid/storage /media/storage
cd /media/storage/
df .

give ownership to self:

chown -R `id -u`:`id -g` /media/storage/

Extend

Follow steps up to Encrypt RAID device which results in a new block device /dev/mapper/crypt1.

Unmount:

umount /media/storage

LVM:

pvcreate /dev/mapper/crypt1
vgdisplay  # VG Name is still "raid"
vgextend raid /dev/mapper/crypt1
lvdisplay  # LV Name is /dev/raid/storage
           # also check "LV Size"
# extend to 100% of volume group size
lvextend -l 100%VG /dev/raid/storage
lvdisplay  # check "LV Size" again

Ext3 FS:

# size information (Block count, Block size)
tune2fs -l /dev/raid/storage
# run fsck
e2fsck -f /dev/raid/storage
# check max possible size
resize2fs -P /dev/raid/storage
# DO IT!
resize2fs /dev/raid/storage

Open after Reboot

See open_storage.sh:

./open_storage.sh

Open multiple devices with one keyfile

I don't want to type the passphrase several times. Instead, put a keyfile inside a small encrypted container file: mount it before unlocking the RAID devices and unmount it afterwards.

First, create a file to hold encrypted data:

# tried 1M and 2M
dd if=/dev/zero of=crypt_keyfile bs=4M count=1
losetup /dev/loop0 crypt_keyfile
badblocks -s -w -t random -v /dev/loop0  # random data
# prompts for uppercase YES and password twice
cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random --verify-passphrase luksFormat /dev/loop0

Open the encrypted file, make a file system and mount it:

# this will prompt for password
cryptsetup luksOpen /dev/loop0 crypt_keyfile
mkfs.ext3 /dev/mapper/crypt_keyfile
e2fsck -f /dev/mapper/crypt_keyfile
mkdir -p /tmp/crypt_keyfile
mount /dev/mapper/crypt_keyfile /tmp/crypt_keyfile

Now create a keyfile containing some random data [1]:

# LUKS1 luksDump reports the master key length as "MK bits"; divide by 8 for bytes
keyfile_size_in_bytes=$(( $(cryptsetup luksDump /dev/md0 | grep 'MK bits' | awk '{ print $NF }') / 8 ))
echo $keyfile_size_in_bytes
# note: dd's "b" suffix means 512-byte blocks, so the file is 512 times keyfile_size_in_bytes,
# not keyfile_size_in_bytes bytes; cryptsetup uses the whole file as the key, so the larger file is fine
dd if=/dev/zero of=/tmp/crypt_keyfile/keyfile bs=${keyfile_size_in_bytes}b count=1
badblocks -s -w -t random -v /tmp/crypt_keyfile/keyfile  # overwrite the zeros with random data
head -c 500 /tmp/crypt_keyfile/keyfile  # eyeball that it is no longer zeros

Add:

# all of them will ask for their pass phrases
cryptsetup luksAddKey /dev/md0 /tmp/crypt_keyfile/keyfile
cryptsetup luksAddKey /dev/md1 /tmp/crypt_keyfile/keyfile

Umount keyfile:

umount /tmp/crypt_keyfile
cryptsetup luksClose crypt_keyfile
losetup -d /dev/loop0

To mount keyfile again:

losetup /dev/loop0 crypt_keyfile
cryptsetup luksOpen /dev/loop0 crypt_keyfile
mount /dev/mapper/crypt_keyfile /tmp/crypt_keyfile

Updated decrypt script: decrypt.sh.
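An added example of what such a decrypt script can look like; this is not the page's decrypt.sh or open_storage.sh. It chains the steps above: mount the keyfile container, unlock every array with the keyfile, close the container again, then activate the volume group and mount the file system. Assumed names: the container image at /root/crypt_keyfile, arrays /dev/md0 and /dev/md1 mapped to crypt0 and crypt1, VG "raid", LV "storage".

```shell
#!/bin/sh
# Unlock LUKS-on-md arrays with a keyfile kept in an encrypted container.
# Paths below are assumptions for this example, override via environment.
set -eu

KEYFILE_IMG=${KEYFILE_IMG:-/root/crypt_keyfile}   # container created with dd + luksFormat
LOOP_DEV=${LOOP_DEV:-/dev/loop0}
KEYFILE_MNT=/tmp/crypt_keyfile
KEYFILE="$KEYFILE_MNT/keyfile"
MD_DEVS=${MD_DEVS:-"/dev/md0 /dev/md1"}
VG=${VG:-raid}
MOUNTPOINT=${MOUNTPOINT:-/media/storage}

# Map /dev/mdN to the mapper name used above (md0 -> crypt0, md1 -> crypt1).
crypt_name() {
    printf 'crypt%s\n' "${1#/dev/md}"
}

# Master-key size in bytes, read from `cryptsetup luksDump` output on stdin
# (LUKS1 prints a "MK bits:" line); same calculation as the keyfile step above.
mk_bytes_from_dump() {
    awk '/MK bits/ { print $NF / 8 }'
}

open_keyfile() {
    losetup "$LOOP_DEV" "$KEYFILE_IMG"
    cryptsetup luksOpen "$LOOP_DEV" crypt_keyfile   # the only passphrase prompt
    mkdir -p "$KEYFILE_MNT"
    mount -o ro /dev/mapper/crypt_keyfile "$KEYFILE_MNT"
}

close_keyfile() {
    umount "$KEYFILE_MNT"
    cryptsetup luksClose crypt_keyfile
    losetup -d "$LOOP_DEV"
}

unlock_arrays() {
    for md in $MD_DEVS; do
        cryptsetup luksOpen --key-file "$KEYFILE" "$md" "$(crypt_name "$md")"
    done
}

# Only act when called as "decrypt.sh open"; loading the file alone does nothing.
if [ "${1:-}" = open ]; then
    open_keyfile
    trap close_keyfile EXIT      # container is closed even if an unlock fails
    unlock_arrays
    vgchange -ay "$VG"           # LVM sees the PVs once the crypt devices exist
    mount "/dev/$VG/storage" "$MOUNTPOINT"
fi
```

Run as root with `./decrypt.sh open`; the keyfile container stays open only for the duration of the unlock loop.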

Share

wajig install samba
adduser --home /media/storage --shell /bin/false --no-create-home --disabled-login --gecos 'windows share account' storage
passwd storage
# make samba aware of new user
smbpasswd -a storage
vim /etc/samba/smb.conf
chown -R storage:storage /media/storage

/etc/samba/smb.conf:

[global]
workgroup = WORKGROUP
server string = %h
dns proxy = no

log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d

encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user

usershare allow guests = yes

[storage]
comment = storage
path = /media/storage
browsable = yes
guest ok = yes
valid users = storage
writable = yes

restart Samba:

service smbd restart

Troubleshooting

Array shows up as md127 after reboot (http://ubuntuforums.org/showthread.php?p=10907831#post10907831):

# check /etc/mdadm/mdadm.conf
update-initramfs -u

[1] This could also be a keyfile with a string or a picture; see https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Keyfiles