Lars Ellenberg wrote:
(...)
>>> you could also use dm-crypt on top of drbd,
>>> instead of below it? I guess that would be the easiest way.
>> Indeed, but not in this setup.
>> Here, the whole disk is encrypted, but only a part of it is replicated
>> with DRBD.
>> Of course I could partition the disk into parts encrypted separately,
>> but then it's harder to maintain.
>
> btw.
> there probably is a (policy?) reason that the whole disk is encrypted.

Yes, one machine is placed in a (possibly insecure) rented datacentre.

Starting a machine located in a possibly insecure place, in a secure way, is another thing of course.

> if you have drbd above the decryption layer,
> then drbd replicates _cleartext_,
> which probably was not intended to leave the machine.
> if you have however the drbd below,
> it is all crypted traffic again,
> because drbd then never ever sees cleartext.

The whole transmission is using VPN, so no problem here.

--
Tomasz Chmielewski
http://wpkg.org
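The point Lars and Tomasz are discussing is which bytes cross the replication link depending on whether dm-crypt sits above or below DRBD, and why a VPN changes the picture. The following is an added toy model written for this thread, not code from the thread, from DRBD or from dm-crypt: a `CryptLayer` stands in for dm-crypt (a per-sector HMAC keystream XOR, illustrative only), a `ReplicationLayer` stands in for DRBD, and `Link.wire` records what a network observer would see. Layer names, keys, the 16-byte sector size and the sample payload are all constructed for the example.

```python
"""Toy model of stacking a dm-crypt-like layer and a DRBD-like replication
layer in either order, to show what crosses the replication link.
Added example; not code from the thread or from DRBD/dm-crypt."""
import hashlib
import hmac

SECTOR = 16  # toy sector size; real dm-crypt/DRBD work in 512-byte or larger sectors
PLAINTEXT = b"customer-record!"  # constructed 16-byte sample payload


def keystream_xor(key, sector, data):
    """Toy per-sector stream: XOR with HMAC-SHA256(key, sector number).
    Illustrative only; it is not a real disk or transport cipher mode."""
    ks = hmac.new(key, sector.to_bytes(8, "big"), hashlib.sha256).digest()[:SECTOR]
    return bytes(a ^ b for a, b in zip(data, ks))


class Disk:
    """Physical disk stand-in: sector number -> bytes."""
    def __init__(self):
        self.sectors = {}

    def write(self, sector, data):
        self.sectors[sector] = bytes(data)

    def read(self, sector):
        return self.sectors.get(sector, b"\x00" * SECTOR)


class CryptLayer:
    """dm-crypt stand-in: encrypts on write, decrypts on read, passes to `lower`."""
    def __init__(self, lower, key):
        self.lower, self.key = lower, key

    def write(self, sector, data):
        self.lower.write(sector, keystream_xor(self.key, sector, data))

    def read(self, sector):
        return keystream_xor(self.key, sector, self.lower.read(sector))


class Link:
    """Replication link to the peer. `wire` records exactly what a network
    observer sees. transport_key=None means no VPN; otherwise the payload is
    wrapped in transport encryption before it is put on the wire."""
    def __init__(self, peer_lower, transport_key=None):
        self.peer_lower, self.transport_key, self.wire = peer_lower, transport_key, []

    def send(self, sector, data):
        on_wire = data if self.transport_key is None else keystream_xor(self.transport_key, sector, data)
        self.wire.append(bytes(on_wire))
        self.peer_lower.write(sector, data)  # the peer's VPN endpoint has unwrapped it again


class ReplicationLayer:
    """DRBD stand-in: every write goes to the local lower device and over the link."""
    def __init__(self, lower, link):
        self.lower, self.link = lower, link

    def write(self, sector, data):
        self.lower.write(sector, data)
        self.link.send(sector, data)

    def read(self, sector):
        return self.lower.read(sector)


def replicate(order, use_vpn=False):
    """Build one of the two stacks, write PLAINTEXT to sector 7, and return
    (what the wire carried, what the peer node reads back after decryption)."""
    local_disk, peer_disk = Disk(), Disk()
    vpn_key = b"vpn-transport-key" if use_vpn else None  # constructed key
    if order == "crypt-above-drbd":
        # fs -> dm-crypt -> drbd -> disk: DRBD only ever sees ciphertext, so both
        # nodes must hold the same disk key to read the replicated sectors.
        key = b"shared-disk-key"  # constructed key
        link = Link(peer_disk, vpn_key)
        top = CryptLayer(ReplicationLayer(local_disk, link), key)
        peer_view = CryptLayer(peer_disk, key)
    elif order == "drbd-above-crypt":
        # fs -> drbd -> dm-crypt -> disk: DRBD replicates cleartext; each node
        # encrypts with its own dm-crypt key underneath (the setup in the thread).
        peer_crypt = CryptLayer(peer_disk, b"peer-disk-key")
        link = Link(peer_crypt, vpn_key)
        top = ReplicationLayer(CryptLayer(local_disk, b"local-disk-key"), link)
        peer_view = peer_crypt
    else:
        raise ValueError(order)
    top.write(7, PLAINTEXT)
    return link.wire, peer_view.read(7)


def cleartext_on_wire(order, use_vpn=False):
    """True if the replication traffic exposes the plaintext sector as written."""
    wire, _ = replicate(order, use_vpn)
    return any(PLAINTEXT in chunk for chunk in wire)


if __name__ == "__main__":
    for order in ("drbd-above-crypt", "crypt-above-drbd"):
        for vpn in (False, True):
            print(f"{order:17s} vpn={vpn!s:5s} cleartext on wire: {cleartext_on_wire(order, vpn)}")
```

Running it shows the two consequences of the ordering: with DRBD above dm-crypt the link carries the cleartext sector unless a VPN wraps it, and the two nodes may use independent disk keys; with dm-crypt above DRBD the link only ever carries ciphertext, but both nodes must share the disk key to read what was replicated.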