Linux Format forums

half encrypted raid 5

 
JoeyC



Joined: Thu Jul 21, 2005 11:57 am
Posts: 57

Posted: Sun Sep 04, 2011 10:22 pm    Post subject: half encrypted raid 5

All,

I'm building a home LAMP server with a raid5 array (using mdadm) for my data. I want my data to be encrypted so that it can only be accessed if you know the password. Encryption (dm-crypt) is going to slow down stuff, as is raid 5.

But here's a thought. What if I only encrypt 2 disks and use the resulting two /dev/mapper/whatever block devices in the array next to, say, 2 'normal' partitions? Only half of the data needs to be encrypted which should give me some speed benefit and the data cannot be reconstructed by mdadm without knowing the passwords.

But how insecure is this? I'm thinking, if anyone nicks the server and sells it on to some nerd like me with too much time (and more brains), is he going to be able to recover some files?

For argument's sake, not that the data is all that important (except to me).

Any thoughts?

J
_________________
[VGVtcHVzIEZ1Z2l0]
Dutch_Master
LXF regular


Joined: Tue Mar 27, 2007 2:49 am
Posts: 2430

Posted: Sun Sep 04, 2011 11:48 pm

Not gonna happen: it's either encrypt all or nothing. That's part of the RAID5 setup I'm afraid. But if you use 4 disks instead, try a RAID1+0, on which the RAID1 is clear but the RAID0 encrypted.

(in a RAID, forget about individual disks, they are addressed with their RAID device, mdX)
JoeyC



Joined: Thu Jul 21, 2005 11:57 am
Posts: 57

Posted: Mon Sep 05, 2011 9:03 am

The question is not 'can you do it', I'm doing it. No reason why you couldn't use the block device created by cryptsetup in a raid array.

The question is, how (in)secure is it?

J
_________________
[VGVtcHVzIEZ1Z2l0]
nelz
Site admin


Joined: Mon Apr 04, 2005 12:52 pm
Posts: 8449
Location: Warrington, UK

Posted: Mon Sep 05, 2011 9:26 am

So you're building a RAID on top of three block devices, two of which are encrypted and one is a disk device? That sounds both horrible and pointless. Even if there were a performance hit when using encryption (which there isn't usually, any half decent processor can handle the encryption far faster than the disk and transfer the data without breaking sweat) you are still doing 2/3 of the encryption work.

If you really want to reduce the encryption load, put LVM on top of an unencrypted RAID5 then only encrypt the filesystems that contain sensitive data - usually /var on a server. There is no point in encrypting the likes of /usr, which only contains publicly available files.
_________________
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)
JoeyC



Joined: Thu Jul 21, 2005 11:57 am
Posts: 57

Posted: Mon Sep 05, 2011 10:18 am

Yep, valid points.. My current setup suffers from encryption, but it's an auld yoke, from a time way back when they used weird spelling.

The new one is going to be this Atom (without AES extension) on this Jetway board with 4GB memory in it.
I think I'll just play with it a bit, see what it does. I'll see what the difference is between 2/4 and 4/4 encryption, as you suggested.
Also, I'm planning to encrypt the data disks, not the disk containing the os (which will be an SSD, budget permitting).

But, again, the question is: how secure is 2/4 encryption?

J
_________________
[VGVtcHVzIEZ1Z2l0]
nelz
Site admin


Joined: Mon Apr 04, 2005 12:52 pm
Posts: 8449
Location: Warrington, UK

Posted: Mon Sep 05, 2011 11:14 am

JoeyC wrote:
But, again, the question is: how secure is 2/4 encryption?


Not very if your sensitive data falls on the unencrypted disks. Bear in mind that things like password files are small and often fit in a single disk block. So you have a 50% chance of the whole file being unencrypted.

If your data is important enough to encrypt, it is important enough to encrypt securely.
_________________
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)
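
The chunk placement behind the answer above can be modelled directly. This is an added example, not part of any post in the thread: it assumes a 4-member md RAID5 in the left-symmetric layout (mdadm's default), a 512 KiB chunk size, and members 2 and 3 as the unencrypted ones. It ignores filesystem placement and treats a file as one contiguous byte range of the array.

```python
# Added illustration: models md RAID5 "left-symmetric" data chunk placement.
# Chunk size, member count and member roles are constructed assumptions.

CHUNK = 512 * 1024      # assumed chunk size in bytes
N_DISKS = 4             # array members 0..3
PLAINTEXT = {2, 3}      # assumed: members 0 and 1 sit on dm-crypt, 2 and 3 are raw


def locate(chunk_no, n=N_DISKS):
    """Return (stripe, member) holding logical data chunk `chunk_no`."""
    data_disks = n - 1
    stripe, idx = divmod(chunk_no, data_disks)
    parity = data_disks - (stripe % n)      # parity member rotates each stripe
    return stripe, (parity + 1 + idx) % n   # data follows the parity member


def exposed_bytes(offset, length, plaintext=PLAINTEXT):
    """Bytes of array range [offset, offset+length) stored on raw members."""
    readable = 0
    pos, end = offset, offset + length
    while pos < end:
        chunk_no = pos // CHUNK
        take = min(end, (chunk_no + 1) * CHUNK) - pos
        if locate(chunk_no)[1] in plaintext:
            readable += take
        pos += take
    return readable


def fully_exposed_fraction(file_len, chunks=1200, plaintext=PLAINTEXT):
    """Share of chunk-aligned placements where the whole file is on raw members."""
    hits = sum(
        exposed_bytes(c * CHUNK, file_len, plaintext) == file_len
        for c in range(chunks)
    )
    return hits / chunks


if __name__ == "__main__":
    for c in range(6):
        print("chunk %d -> stripe %d, member %d" % ((c,) + locate(c)))
    # A file smaller than one chunk is either fully readable or fully encrypted.
    print("4 KiB file fully readable:", fully_exposed_fraction(4096))
    # A large file always leaks the chunks that land on raw members.
    size = 8 * 2**20
    print("8 MiB file, readable share:", exposed_bytes(0, size) / size)
```

Parity chunks on the raw members are not counted here; they only help an attacker when every other chunk of that stripe is readable too.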
JoeyC



Joined: Thu Jul 21, 2005 11:57 am
Posts: 57

Posted: Mon Sep 05, 2011 12:14 pm

Yes.. that more or less settles it. I wrongly assumed that you cannot reconstruct data from 2 of the 4 disks, but if a file is small enough then that fails. Also, half the mail is readable, should it be on the array.

Hm..

J
_________________
[VGVtcHVzIEZ1Z2l0]
All times are GMT

Copyright 2011 Future Publishing, all rights reserved.