hello,

On 10/06/2011 12:24 AM, Bill Asher wrote:
> Today I did a little test to see if I could configure DRBD on encrypted LVs and what I found is it didn't work for me... Because the servers are located in a colo, security for the servers is the main reasoning.
> All seems to go good until I tell DRBD to mirror filerA logical volume (/dev/vg/data) to filerB LV (/dev/vg/data). I then received errors on the console like this, over and over:
>
> "Block drbd0: open("/dev/vg/data") failed with -16"
>
> I then rebooted to Ubuntu CD to look at the LVs and.. they were all gone. The only thing the partitioner sees is the two partitions I created, one for /boot the other for logical volumes, but all my lvm tables were gone. I was able to repeat this issue on both my filers.
>
> So my question is..
>
> a) can this even be done, encrypting the filesystem then configuring DRBD
> b) if encryption can be done, is my approach wrong?
>
> Thank you in advance for your time.

... if you want to encrypt a _blockdevice_ and one possible solution is:

* encrypt a complete partition/disk with dm-crypt/LUKS/cryptsetup
* use this encrypted dm device as pv for your vg(s)
* create a lv per DRBD device

after every reboot you need to activate the encrypted partition using cryptsetup and e.g. your passphrase and you have to do a vgscan/vgchange prior to the activation of DRBD.

and if you own a recent Intel cpu supporting AES-NI in combination with a recent kernel like 2.6.39 which supports multiple encryption pipes and the aesni_intel driver, then you get a damn fast and secure replicated storage ;-)

Regards,
Andreas

--
Need help with DRBD?
http://www.hastexo.com/now
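
The reboot-time ordering described in the reply above (open the LUKS container, vgscan/vgchange, then DRBD), as an added example that is not part of the original message. The device `/dev/sda2`, the mapping name `crypt_pv` and the DRBD resource `r0` are assumptions; the VG name `vg` follows the `/dev/vg/data` path in the thread.

```sh
#!/bin/sh
# Added example: activation order after a reboot for DRBD on an LV inside LUKS.
# Assumed names (not from the thread): /dev/sda2, mapping "crypt_pv", resource "r0".
LUKS_DEV=${LUKS_DEV:-/dev/sda2}
MAP_NAME=${MAP_NAME:-crypt_pv}
VG_NAME=${VG_NAME:-vg}           # VG of /dev/vg/data from the thread
DRBD_RES=${DRBD_RES:-r0}
DRY_RUN=${DRY_RUN:-1}            # 1 = print the commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Succeeds if the flags line of a cpuinfo file lists "aes" (AES-NI available).
has_aesni() {
    grep -E '^flags[[:space:]]*:' "${1:-/proc/cpuinfo}" | grep -qw aes
}

# Reads `pvs --noheadings -o pv_name,vg_name` output on stdin. Succeeds only if
# the VG has at least one PV and every one of them is the dm-crypt mapping, so
# DRBD never ends up replicating from an unencrypted PV.
# Assumption: LVM reports the PV as /dev/mapper/<name>.
vg_only_on_crypt() {
    awk -v vg="$VG_NAME" -v pv="/dev/mapper/$MAP_NAME" '
        $2 == vg { n++; if ($1 != pv) bad++ }
        END { exit (n > 0 && bad == 0) ? 0 : 1 }'
}

activate_stack() {
    # 1. Open the LUKS container (prompts for the passphrase) unless already open.
    if [ "$DRY_RUN" = 1 ] || ! cryptsetup status "$MAP_NAME" >/dev/null 2>&1; then
        run cryptsetup luksOpen "$LUKS_DEV" "$MAP_NAME" || return 1
    fi
    # 2. Only now can LVM see the PV that lives inside the container.
    run vgscan || return 2
    run vgchange -ay "$VG_NAME" || return 2
    # 3. Refuse to start DRBD if the VG is backed by anything but the mapping.
    if [ "$DRY_RUN" != 1 ]; then
        pvs --noheadings -o pv_name,vg_name | vg_only_on_crypt || return 4
    fi
    # 4. DRBD comes last; its backing LV exists only after steps 1 and 2.
    run drbdadm up "$DRBD_RES" || return 3
}

if [ "${1:-}" = "activate" ]; then activate_stack; fi
```

Run with `DRY_RUN=0` and the argument `activate` as root to execute the commands; the default only prints them in order.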