Ubuntu – Software RAID, LVM, and Encryption Setup Questions

Tags: encryption, lvm, raid10, software-raid, Ubuntu

I have 4 hard drives, each with two partitions on them: 10.1GB for swap and 990.1GB for the rest.

I took this and set up two MD devices with RAID10, one for the set of 4 swap partitions and one for the set of 4 other partitions.

I set the 20.2GB Software RAID device as my swap and moved on to LVM.

This is as far as this guide takes me using software RAID. I would now like to set up LVM and encryption on it.

I created a new volume and logical volume; size 1.5TB. I encrypted the volume and set the remaining 1.4TB within the encrypted volume as the root (f ext4 /).

Here are my questions:

Should I set up a separate Volume / Logical Volume for the 20.2GB Software RAID device being used as a swap area?

Should I encrypt this volume as well if I'm encrypting the ext4 / area?

Finish partitioning and write changes to disk gives an error of:

You have selected the root file system
to be stored on an encrypted
partition. This feature requires a
separate /boot partition on which the
kernel and initrd can be stored.

you should go back and setup a /boot
partition.

Where does this /boot partition need to be setup? (Should each drive have an extra partition for this before setting up RAID?)

How much space does it need?

Should it be part of LVM?

Should it be encrypted?

Best Answer

/boot needs to not be encrypted, otherwise the boot loader (unless I'm behind the times and one of them supports encrypted volumes) will not be able to read the kernel and initrd. It does not need to be encrypted as it should never contain anything other than the kernel, the initrd, and perhaps a few other support files.

If the device that is your LVM PV is encrypted, then /boot will need to be elsewhere: probably a separate RAID volume. If the device used as the PV is not encrypted (instead you encrypted the LV that is to be /) then /boot could be in the LVM except for the GRUB-can't-boot-off-all-RAID-types issue (see below).

Historically /boot had to be near the start of the disk, but modern boot loaders generally remove this requirement. A few hundred Mb should be perfectly sufficient, but with such large drives being standard these days there will be no harm in making it bigger just in case unless you are constrained by trying to fit into a very small device (say, a small SD card in a Pi or similar) as might be the case for an embedded system.

Most boot loaders do not support booting off RAID, or if they do they only support booting off RAID1 (where every drive has a copy of all the data) "by accident", so create the small partition on all the drives and use a RAID1 array over them. This way /boot is readable as long as at least one drive is in a working state. Make sure the boot loader installs into the MBR of all four drives on install, otherwise if your BIOS boots off another (due to the first being offline for instance) you will have to mess around getting the loader's MBR onto the other drive(s) at that point rather than it already being there.

Update: As per Nick's comment below, modern boot loaders can deal directly with some forms of encrypted volumes, so depending on your target setup there are now fewer things to worry about.
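
A way to check an installed system against the layout this answer recommends (unencrypted /boot, on RAID1, with a copy on every drive), as an added example that is not part of the original answer. It assumes the device tree comes from `lsblk --json -o NAME,TYPE,MOUNTPOINT`; the device names and the sample tree are constructed for illustration.

```python
import json

# Constructed sample in the shape of `lsblk --json -o NAME,TYPE,MOUNTPOINT`,
# trimmed to two of the four drives. sdb's /boot partition was left out of md0.
SAMPLE = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": null, "children": [
      {"name": "md0", "type": "raid1", "mountpoint": "/boot"}]},
    {"name": "sda2", "type": "part", "mountpoint": null, "children": [
      {"name": "md1", "type": "raid10", "mountpoint": null, "children": [
        {"name": "md1_crypt", "type": "crypt", "mountpoint": null, "children": [
          {"name": "vg0-root", "type": "lvm", "mountpoint": "/"}]}]}]}]},
  {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
    {"name": "sdb2", "type": "part", "mountpoint": null, "children": [
      {"name": "md1", "type": "raid10", "mountpoint": null, "children": [
        {"name": "md1_crypt", "type": "crypt", "mountpoint": null, "children": [
          {"name": "vg0-root", "type": "lvm", "mountpoint": "/"}]}]}]}]}
]}
""")

def paths_to(node, mountpoint, chain=()):
    """Yield every chain of devices (disk first) that ends at `mountpoint`."""
    chain = chain + (node,)
    if node.get("mountpoint") == mountpoint:
        yield chain
    for child in node.get("children", []):
        yield from paths_to(child, mountpoint, chain)

def check_boot_layout(tree):
    """Return a list of problems with how /boot is placed; empty means OK."""
    disks = [d for d in tree["blockdevices"] if d["type"] == "disk"]
    problems, holding = [], set()
    for disk in disks:
        for chain in paths_to(disk, "/boot"):
            holding.add(disk["name"])
            types = [n["type"] for n in chain]
            if "crypt" in types:
                problems.append(f"/boot on {disk['name']} sits under an encrypted device")
            for t in types:
                if t.startswith("raid") and t != "raid1":
                    problems.append(f"/boot on {disk['name']} is on {t}, not raid1")
    if not holding:
        problems.append("no separate /boot mount found")
    for disk in disks:
        if holding and disk["name"] not in holding:
            problems.append(f"{disk['name']} holds no copy of /boot")
    return problems
```

On the constructed sample, `check_boot_layout(SAMPLE)` reports that sdb holds no copy of /boot, which is the single-drive-failure case the answer warns about. It does not check that boot loader code is present in each drive's MBR.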