@abtrout
Last active March 4, 2024 20:16
Encrypted RAID1

Encrypted RAID1 array

This document describes how to build an encrypted RAID1 array from two devices. It was pieced together from the Arch Linux and Debian wikis.

Disks

I have 2x1TB drives that I want to put in a RAID1 array so that data is duplicated on both devices for redundancy.

The drives are already partitioned.

root@localhost:~# fdisk -l /dev/sdb /dev/sdc
Disk /dev/sdb: 931.53 GiB, 1000204886016 bytes, 1953525168 sectors
Disk model: WDC WD10EZEX-08W
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: dos
Disk identifier: 0x7c60bb0b

Device     Boot Start        End    Sectors   Size Id Type
/dev/sdb1        2048 1953525167 1953523120 931.5G 83 Linux


Disk /dev/sdc: 931.53 GiB, 1000204886016 bytes, 1953525168 sectors
Disk model: WDC WD10EZEX-08W
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: dos
Disk identifier: 0xceeb7513

Device     Boot Start        End    Sectors   Size Id Type
/dev/sdc1        2048 1953525167 1953523120 931.5G 83 Linux

RAID

Using mdadm, we can create a new RAID array from both of these partitions.

root@localhost:~# mdadm --zero-superblock /dev/sdb /dev/sdc
root@localhost:~# mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sdb1 /dev/sdc1
root@localhost:~# mkfs.ext4 /dev/md0

Encryption

Then we can use cryptsetup to create an encrypted volume on the RAID array at /dev/md0.

root@localhost:~# cryptsetup luksFormat /dev/md0
WARNING: Device /dev/md0 already contains a 'crypto_LUKS' superblock signature.

WARNING!
========
This will overwrite data on /dev/md0 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/md0: 
Verify passphrase: 
root@localhost:~# cryptsetup luksDump /dev/md0
LUKS header information
Version:       	2
Epoch:         	3
Metadata area: 	16384 [bytes]
Keyslots area: 	16744448 [bytes]
UUID:          	0c297174-7f29-4c2a-b52c-34acb967607a
Label:         	(no label)
Subsystem:     	(no subsystem)
Flags:       	(no flags)

Data segments:
  0: crypt
	offset: 16777216 [bytes]
	length: (whole device)
	cipher: aes-xts-plain64
	sector: 512 [bytes]

Keyslots:
  0: luks2
	Key:        512 bits
	Priority:   normal
	Cipher:     aes-xts-plain64
	Cipher key: 512 bits
	PBKDF:      argon2i
	Time cost:  4
	Memory:     1048576
	Threads:    4
	Salt:       d8 98 a1 47 ac 8e 0f b8 20 28 67 b5 3c e6 81 4b 
	            53 51 9f 2f 78 6e 5d 1b 7f 61 15 2e 66 cd 47 db 
	AF stripes: 4000
	AF hash:    sha256
	Area offset:32768 [bytes]
	Area length:258048 [bytes]
	Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
	Hash:       sha256
	Iterations: 195629
	Salt:       e8 be 9f 53 65 48 76 51 2b 30 e1 35 5a 79 9b 04 
	            22 68 13 5d ce 89 77 9d 53 83 27 86 d2 c1 d4 09 
	Digest:     ab 9e 03 50 f0 a4 fc 63 6f c7 1b 87 23 e4 b7 ab 
	            a4 61 4f ca d1 f5 a1 78 17 e7 e8 42 4a 75 7f dd 

Note that the (default) cipher is aes-xts-plain64.
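
To check a header like the one dumped above against a policy, the following added example (not part of the original gist) parses luksDump text and reports anything out of policy. The policy values and the names luks_audit, sample_dump_page and sample_dump_weak are assumptions made for this example.

```bash
# Added example: audit `cryptsetup luksDump` text against a local policy.
# Policy values (LUKS2, aes-xts-plain64, >=512-bit key, Argon2) are assumptions.
# Live use, as root:  cryptsetup luksDump /dev/md0 | luks_audit

luks_audit() {
  awk '
    function fail(msg) { print "FAIL " msg; bad = 1 }
    /^Version:/ { version = $2 }
    # Unindented section headers; "Keyslots area:" must not match "Keyslots:".
    /^(Data segments|Keyslots|Tokens|Digests):/ { section = $0; sub(/:.*/, "", section); next }
    # "  0: luks2" opens a numbered entry in the current section.
    /^[ \t]+[0-9]+: / { slot = $1; sub(/:/, "", slot); if (section == "Keyslots") nslots++; next }
    section == "Data segments" && $1 == "cipher:" { cipher = $2 }
    section == "Keyslots" && $1 == "Key:" && $2 + 0 < 512 { fail("keyslot " slot " key is " $2 " bits") }
    # Only keyslot PBKDFs are checked: the pbkdf2 entry under Digests is not a keyslot KDF.
    section == "Keyslots" && $1 == "PBKDF:" && $2 !~ /^argon2(i|id)$/ { fail("keyslot " slot " PBKDF is " $2) }
    END {
      if (version + 0 != 2) fail("LUKS version is " version)
      if (cipher != "aes-xts-plain64") fail("data cipher is " cipher)
      if (nslots == 0) fail("no keyslots found")
      if (!bad) print "OK version=" version " cipher=" cipher " keyslots=" nslots
      exit bad + 0
    }'
}

# Abridged from the luksDump transcript above (tabs replaced by spaces).
sample_dump_page() { cat <<'EOF'
Version:        2
Keyslots area:  16744448 [bytes]
Data segments:
  0: crypt
    cipher: aes-xts-plain64
Keyslots:
  0: luks2
    Key:        512 bits
    PBKDF:      argon2i
Digests:
  0: pbkdf2
    Hash:       sha256
EOF
}

# Constructed sample: a second keyslot with a 256-bit key and PBKDF2.
sample_dump_weak() {
  sample_dump_page | awk '{ print } /PBKDF: +argon2i/ {
    print "  1: luks2"; print "    Key:        256 bits"; print "    PBKDF:      pbkdf2" }'
}
```

The function exits non-zero when any check fails, so it can gate a provisioning script.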

To use the device, we must open a mapping. In the lsblk output, note the raid1 and crypt block devices stacked under both partitions.

root@localhost:~# cryptsetup open /dev/md0 stuff
Enter passphrase for /dev/md0: 
root@localhost:~# lsblk -p /dev/sdb /dev/sdc
NAME                    MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
/dev/sdb                  8:16   0 931.5G  0 disk  
└─/dev/sdb1               8:17   0 931.5G  0 part  
  └─/dev/md0              9:0    0 931.4G  0 raid1 
    └─/dev/mapper/stuff 253:0    0 931.4G  0 crypt 
/dev/sdc                  8:32   0 931.5G  0 disk  
└─/dev/sdc1               8:33   0 931.5G  0 part  
  └─/dev/md0              9:0    0 931.4G  0 raid1 
    └─/dev/mapper/stuff 253:0    0 931.4G  0 crypt 

Finally we can make and mount our filesystem.

root@localhost:~# mkfs.ext4 /dev/mapper/stuff
mke2fs 1.45.5 (07-Jan-2020)
Creating filesystem with 244153264 4k blocks and 61038592 inodes
Filesystem UUID: 395ab6dd-2a35-483c-bf3a-47d55fda33e9
Superblock backups stored on blocks: 
	32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 
	4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968, 
	102400000, 214990848

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (262144 blocks): done
Writing superblocks and filesystem accounting information: done     

root@localhost:~# mount /dev/mapper/stuff /mnt/stuff
root@localhost:~# ls -a /mnt/stuff
.  ..  lost+found