[DRBD-user] DRBD on Encrypted FS

[Andreas Kurz]

hello,

On 10/06/2011 12:24 AM, Bill Asher wrote:
> Today I did a little test to see if I could configure DRBD on encrypted LVs and what I found is it didn't work for me... Because the servers are located in a colo, security for the servers is the main reasoning.
> All seems to go good until I tell DRBD to mirror filerA logical volume(/dev/vg/data) to filerB LV (/dev/vg/data).  I then received errors on the console like this, over and over:
> 
> "Block drbd0: open("/dev/vg/data") failed with -16"
> 
> I then rebooted to Ubuntu CD to look at the LVs and.. they were all gone. The only thing the partitioner sees is the two partitions I created, one for /boot the other for logical volumes, but all my lvm tables were gone.  I was able to repeat this issue on both my filers.
> 
> So my question is..
> 
> a) can this even be done, encrypting the filesystem then configureing DRBD
> b) if encryption can be done, is my approach wrong?
> 
> Thank you in advance for your time.
...

if you want to encrypt a _blockdevice_ and one possible solution is:

* encrypt a complete partition/disk with dm-crypt/LUKS/cryptsetup
* use this encrypted dm device as pv for your vg(s)
* create a lv per DRBD device

after every reboot you need to activate the encrypted partition using
cryptsetup and e.g. your passphrase and you have to do a vgscan/vgchange
prior to the activation of DRBD.

and if you own a recent Intel cpu supporting AES-NI in combination with
a recent kernel like 2.6.39 which supports multiple encryption pipes and
the aesni_intel driver, then you get a damn fast and secure replicated
storage ;-)

Regards,
Andreas

-- 
Need help with DRBD?
http://www.hastexo.com/now


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 286 bytes
Desc: OpenPGP digital signature
URL: <http://lists.linbit.com/pipermail/drbd-user/attachments/20111007/9e76c9fa/attachment.pgp>