I currently have a storage server with the following config.

Multiple raid6 volumes (mdadm) -> aggregated into a lvm volume group -> lvm volumes -> encrypted with luks1 -> (no partitioning) xfs file systems mounted and used by the os

I have the following criteria: I want to keep software raid (mdadm) with multiple raid sets, xfs, and lvm. I don’t mind using 2fa, but I don’t want to just store my secret keys on a dongle attached to my PC because that seems to defeat the point of encryption at rest.

My questions:

  1. Is there a better way to encrypt my data at rest?

  2. Is there a better layer at which to apply the encryption?

I’m mostly unhappy with luks1 over a whole lvm volume and looking for alternatives.

Thank you everyone for these great responses! I’ll be looking into these ideas :)

  • constantokra · 10 months ago

    I was a bit surprised at it as well, but it doesn’t for me running Debian headless. If I reboot after a kernel update it’ll try to boot into the new kernel and fail waiting for the initramfs, but it’ll boot just fine into the previous kernel. Once I update the initramfs it works fine.

    If you know what resources you used to set it up, I’d be curious to take a look and see if I missed something.

    • ShortN0te@lemmy.ml · 10 months ago

      Steps are basically not more than this (I can’t find the original blog I followed, but this is the small write-up I made years ago):

      • install dropbear
      • update config to your liking
      • copy public ssh keys over
      • run update-initramfs -u (has to be rerun on config change)
      • done (for the server part)

      For some reason I install busybox too in the personal write-up. But I do not think it is necessary.

      • constantokra · 10 months ago

        That’s basically the same as my writeup from when I did it. Except I also had a -k all on update-initramfs. Not sure about the switches, so I’ll look into them. Thanks.