
Encrypted RAID Howto

Mandrake 10.2

Copyright 2005, Aerospace Software Ltd, GPL.


Scope

This guide explains how to install Mandrake Linux on two disk drives, configured as a RAID 1 array.

RAID level 1 means a mirrored pair of disks. This provides protection against mechanical failure. Hopefully, only one drive will fail at a time. To provide some electrical separation between the disks, and so reduce the probability that a failing drive damages the other, put them on different controllers - don't plug them into the same cable. I have seen one case where one disk failed, causing the other on the same cable to get corrupted, so don't do that.


Diskdrake

Start the Mandrake installation and select Custom Disk Partitioning. That will run the diskdrake wizard.

You should have two disk drives of approximately the same size. These will show up in two tabs hda and hdc. If you see hda and hdb, then they are on the same controller - don't do that - it is slower and dangerous.

Note: Diskdrake can also do other types of RAID, but this guide describes RAID1, which provides protection against hardware failure.

Select the tab of the smaller drive and see exactly how big it is. Let's assume that it is 60GB. Everyone has his favourite way to partition a drive, but to make a RAID system, you must have at least the following partitions:

  • /boot
  • /
  • swap
  • /home

It is a good idea to also have a /tmp and a /var partition. You'll see why later.

The /boot partition must be the first partition. I always try to put the swap partition in the middle of the disk, since from an average seek time point of view, it is best to avoid the edges. With multi platter disks, you don't know where the real 'middle' is, but you do know where two of the edges are, so avoid them - that is the best you can do.

Now divvy it up: 1GB for /boot, 10GB for /, 1GB for swap and the rest for /home. Write the numbers down, in order.

Select the disk hda, select the type as Linux RAID and make the size 1GB, then click Add to RAID for RAID device 0. Rinse and repeat with the leftover piece to make the block sizes defined above, each time selecting a new RAID device - the numbers will auto increment, 1, 2 and 3.

You will notice that a new tab was created, called RAID.

Now repeat the process with disk hdc and when you click Add to RAID, select the corresponding RAID devices on the other disk, 0..3.

The final step is to select the new RAID tab - which now acts like a virtual disk drive - and select the mount points and file systems. Name the mount points as defined: /boot, /, swap and /home. Swap is created by selecting the file system type of Swap. Select a fast journaled file system for each virtual partition, e.g. ReiserFS, JFS or XFS. (Don't use Ext3 - it is slow. Ext3 is only good as an upgrade for Ext2, if you don't want to reformat a disk that already has data on it. Don't use Ext3 on a fresh system).

There is an exception of course - DON'T use Reiser or XFS on an encrypted partition. Rather use Ext3 with encryption.

If the one disk is larger than the other, then it will have some space left over. Don't waste it - define a partition called /spare or something like that and select ReiserFS as file system. It may be handy one day, for non-critical data, for example storing ISO CDROM images, or downloaded stuff.

That's it! You are now the proud owner of a RAID 1 system and can carry on with the installation as normal.
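Once the installed system is running, the layout can be checked from /proc/mdstat. The following is an added example, not part of the original guide: a shell function (check_mirrors is a name chosen here) that flags any array that is not RAID 1, has lost a member, or has both halves on the same IDE cable, run here on a constructed sample.

```shell
#!/bin/sh
# check_mirrors: read /proc/mdstat-format text on stdin, print one finding per
# line, and return non-zero if any array is not a healthy, cable-split RAID 1.
check_mirrors() {
    awk '
    /^md[0-9]+ :/ {
        name = $1; level = "none"; split("", seen)
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^(raid[0-9]+|linear)$/) level = $i
            else if ($i ~ /^hd[a-z][0-9]*\[/) {
                # hda/hdb share the primary IDE cable, hdc/hdd the secondary
                ch = int((index("abcdefghijklmnopqrstuvwxyz", substr($i, 3, 1)) - 1) / 2)
                if (ch in seen) { print name ": " seen[ch] " and " $i " share a cable"; bad = 1 }
                seen[ch] = $i
            }
        }
        if (level != "raid1") { print name ": level " level ", expected raid1"; bad = 1 }
        next
    }
    # status line, e.g. "1052160 blocks [2/2] [UU]"; "_" marks a missing member
    name != "" && / blocks / {
        if ($NF ~ /_/) { print name ": degraded " $NF; bad = 1 }
        name = ""
    }
    END { exit bad + 0 }'
}

# Constructed sample: md0 is laid out correctly, md1 pairs hda with hdb,
# and md2 is running on one disk only.
check_mirrors <<'EOF' || echo "fix the findings above before trusting the mirror"
Personalities : [raid1]
md2 : active raid1 hda6[0]
      1052160 blocks [2/1] [U_]
md1 : active raid1 hdb5[1] hda5[0]
      10241280 blocks [2/2] [UU]
md0 : active raid1 hdc1[1] hda1[0]
      1052160 blocks [2/2] [UU]
unused devices: <none>
EOF
```

On a live system, run it as: check_mirrors < /proc/mdstat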


Encrypted File Systems

NOTE: The Cryptoloop system has a known exploit and development of this system has been halted. New Linux systems use dm-crypt instead. However, this system is still a whole lot better than nothing and Mandriva 2007 still uses it. Ensure that you use a very long passphrase of at least 20 characters to protect against the exploit.

If this is a server or a notebook machine, then I recommend that you encrypt the /home and /swap partitions. It is easy to reset the root password of a machine, if you have physical access to it - boot into single user mode and do 'passwd'. However, if the /home partition is encrypted and you ensured that all important data is in fact saved there and not scattered in /var as database programs like to do, then your data remains unreadable.

Many programs scribble stuff in the /tmp area. Therefore, it is also a good idea to encrypt the /tmp partition and make soft links from /usr/tmp and /var/tmp to /tmp.

Use Ext3 on encrypted partitions. A single bit error on an encrypted system causes large blocks of data to become unreadable. With Ext3, there is a chance that some data will still be OK, but with Reiser or XFS, you will lose the whole partition when anything goes wrong with the hardware.

One important question is how much an encrypted file system will slow the machine down. I performed a test doing a kernel compile on a machine with an encrypted swap partition. The before and after slowdown was about 2%. Therefore I think it would usually be safe to ignore the slowdown issue, as it is quite insignificant. However, you can recover the speed loss simply by turning the Last Accessed Time Stamp off, by ticking the 'noatime' checkbox. Noatime will speed things up by about 3%.

You cannot encrypt the /boot, /, /usr or /var directories and you don't need to anyway since Mandriva Linux and all the GNU programs are not secret.

You have to encrypt the /swap partition, else it could leak plain text data, which would make any other encryption moot. Even if you don't use an encrypted /home partition, you may still want to use loopback encryption on other folders, so it is a good idea to always encrypt /swap.

When you select the mount point and file system, click the Options button and select the 'Encryption' check box, then enter a long passphrase of more than 20 characters and select your AES key length - 2048 bits is recommended. You don't need to enter a passphrase for the /swap partition, since it gets its key from /dev/random and is different every time you start up.

At system startup, it will prompt for the passphrase to mount the /home directory. This prompt has a timeout, to allow a headless machine to get going. You would then have to log in via SSH and mount the encrypted partition manually.

Encrypting /tmp is similar to encrypting /swap, but diskdrake doesn't make it easy. You need to do it manually. Once the system is working, edit file /etc/rc.d/rc.sysinit and change the following:

# create encrypted randomized /tmp
# this is NOT in fstab, so won't be mounted any other way
losetup -e AES256 -H random /dev/loop2 /dev/hda9
mke2fs /dev/loop2
mount -t ext2 /dev/loop2 /tmp
# sticky bit (1777) so users cannot delete or replace each other's files
chmod 1777 /tmp

# no need to do cleanups anymore!
# Clean up various /tmp bits
#rm -f /tmp/.X*-lock /tmp/.lock.* /tmp/.gdm_socket /tmp/.s.PGSQL.*
#rm -rf /tmp/.X*-unix /tmp/.ICE-unix /tmp/.font-unix /tmp/hsperfdata_* \
#       /tmp/kde-* /tmp/ksocket-* /tmp/mc-* /tmp/mcop-* /tmp/orbit-*  \
#       /tmp/scrollkeeper-*  /tmp/ssh-*
# Make ICE directory
mkdir -m 1777 -p /tmp/.ICE-unix >/dev/null 2>&1
chown root:root /tmp/.ICE-unix
[ -n "$SELINUX" ] && restorecon /tmp/.ICE-unix >/dev/null 2>&1

Then edit file /etc/fstab and comment out the /tmp entry. If you now reboot, the /tmp partition will be encrypted with a random key, same as the /swap partition. It is also a good idea to clean /tmp out first, before rebooting.

To ensure that all temporary areas point to /tmp, remove /usr/tmp and /var/tmp and create symlinks instead:

rmdir /usr/tmp
ln -s /tmp /usr/tmp
rmdir /var/tmp
ln -s /tmp /var/tmp

BTW, when you reboot, press 'Esc', so you can see the password prompt!
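
A check to run after the reboot, added here as an example and not part of the original guide: audit_scratch (a name chosen here) confirms that /tmp comes from a loop device, that /etc/fstab no longer mounts the plain partition, and that /usr/tmp and /var/tmp are links to /tmp. It assumes encrypted swap also appears in /proc/swaps as a /dev/loopN device; the demo tree and all device names other than /dev/loop2 and /dev/hda9 are constructed.

```shell
#!/bin/sh
# audit_scratch ROOT: check the scratch-space setup under ROOT ("" = live system).
# Prints one finding per line; returns non-zero if anything is left exposed.
audit_scratch() {
    root=$1; bad=0
    # /tmp must be mounted from a loop device (the losetup mapping), not a raw partition
    src=$(awk '$2 == "/tmp" { s = $1 } END { print s }' "$root/proc/mounts")
    case $src in
        /dev/loop*) ;;
        "") echo "/tmp is not a separate mount"; bad=1 ;;
        *)  echo "/tmp is mounted from $src, not a loop device"; bad=1 ;;
    esac
    # an uncommented /tmp line in fstab would mount the plain partition again
    if awk '$1 !~ /^#/ && $2 == "/tmp" { f = 1 } END { exit !f }' "$root/etc/fstab"; then
        echo "/etc/fstab still has an active /tmp entry"; bad=1
    fi
    # assumption: encrypted swap shows up as /dev/loopN in /proc/swaps
    for dev in $(awk 'NR > 1 && $1 !~ /^\/dev\/loop/ { print $1 }' "$root/proc/swaps"); do
        echo "swap on $dev is not loop-backed"; bad=1
    done
    # /usr/tmp and /var/tmp must be symlinks to /tmp
    for d in usr/tmp var/tmp; do
        if [ "$(readlink "$root/$d")" != /tmp ]; then
            echo "/$d is not a symlink to /tmp"; bad=1
        fi
    done
    return $bad
}

# Constructed demo tree: fstab was not edited and /var/tmp is still a directory.
demo=$(mktemp -d)
mkdir -p "$demo/proc" "$demo/etc" "$demo/usr" "$demo/var/tmp"
ln -s /tmp "$demo/usr/tmp"
printf '%s\n' '/dev/md1 / ext3 rw 0 0' '/dev/loop2 /tmp ext2 rw 0 0' > "$demo/proc/mounts"
printf '%s\n' '/dev/md1 / ext3 defaults 1 1' '/dev/hda9 /tmp ext3 defaults 1 2' > "$demo/etc/fstab"
printf '%s\n' 'Filename Type Size Used Priority' '/dev/loop6 partition 1052248 0 -1' > "$demo/proc/swaps"
audit_scratch "$demo" || echo "scratch space is not fully protected"
rm -rf "$demo"
```

On the real machine, call it with an empty argument: audit_scratch ""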


Errata

The 2006 version of Mandriva has a problem with Diskdrake and it cannot upgrade from previous versions. Diskdrake works if you create the RAID from scratch, which means that you'll lose all data on the disk array. Here is a workaround that I found on the Mandriva site, but I have not tried it:

at beginning of install,
- press ctrl-alt-f2
- rm /sbin
- mkdir /sbin
- cd /tmp/stage2/sbin
- for i in *; do ln -s /tmp/stage2/sbin/$i /sbin/$i; done
- rm /sbin/dmraid 

Have Fun!

Herman



Copyright © 2005-2008, Aerospace Software Ltd., GPL.