Debian, Grub2, Software mirroring, encrypted filesystem

Hopefully the title says it all: I have two disks in my machine that I want mirrored using mdadm. On top of that mirror I want an encrypted volume, with my regular root filesystem on top of that. And I'd like to be able to boot my system too.

It took some messing around, so I just thought I'd note here what I ended up with. I'm not sure what I've got is optimal, but it Works For Me.

Partitions

Here is the partition table structure I ended up with:

Both disks, sda and sdb, carry the same four partitions:

 sda1 / sdb1   boot loader
 sda2 / sdb2   EXT2 filesystem: /boot
 sda3 / sdb3   swap
 sda4 / sdb4   EXT4 filesystem: /

Volumes

And I wanted to end up with some volumes that looked like this:

 /boot   EXT2 filesystem on a mirrored volume (sda2 + sdb2)
 swap    mirrored volume (sda3 + sdb3)
 /       EXT4 filesystem on a cryptographic volume on a mirrored volume (sda4 + sdb4)

The procedure

I set up my disks by booting off the Debian rescue CD, although I'm sure SystemRescueCd would do everything I needed.

Partitioning the disks

For each disk (/dev/sda and /dev/sdb):

 parted /dev/sdN

 # add a GPT partition table
 mklabel gpt

 # Create a small leading partition to give Grub somewhere to write
 # its boot loader.
 mkpart
   grub
   ext2
   1
   20

 # A mirrored but unencrypted boot volume
 mkpart
   boot
   ext2
   22
   1044

 # Swap space
 mkpart
   swap
   linux-swap
   1046
   5142

 # The root filesystem (the rest of the disk)
 mkpart
   main
   ext3
   5144
   -1

 # Make the first grub partition into a boot partition
 toggle 1 bios_grub

Create the mirror devices

 mdadm \
   --create \
   --level=1 \
   --metadata=0.90 \
   --chunk=4 \
   --raid-devices=2 \
   /dev/md2 /dev/sda2 /dev/sdb2

 mdadm \
   --create \
   --level=1 \
   --metadata=0.90 \
   --chunk=4 \
   --raid-devices=2 \
   /dev/md3 /dev/sda3 /dev/sdb3

 mdadm \
   --create \
   --level=1 \
   --metadata=0.90 \
   --chunk=4 \
   --raid-devices=2 \
   /dev/md4 /dev/sda4 /dev/sdb4

Create filesystems

Put a filesystem on the boot device:

 mkfs.ext2 /dev/md2
 tune2fs -r0 -i0 /dev/md2

Set up the swap space

 mkswap /dev/md3

Put the encryption layer on the root filesystem

 cryptsetup luksFormat -c aes-cbc-essiv:sha256 -s 256 /dev/md4

and format it:

 cryptsetup luksOpen /dev/md4 newroot
 mkfs.ext4 /dev/mapper/newroot
 tune2fs -i0 -r0 /dev/mapper/newroot

Finishing touches

I had a pre-existing installation of Debian, so at this point I mounted my new filesystems from the rescue CD and copied everything over:

 mkdir -p /mnt/newroot
 mount /dev/mapper/newroot /mnt/newroot

 mkdir /mnt/newroot/{boot,dev,proc,sys}

 # bind-mount the live system's dev, proc and sys into the new root
 for dir in dev proc sys; do
   mount --bind /$dir /mnt/newroot/$dir
 done

 mount /dev/md2 /mnt/newroot/boot

 cp -av /other/mounted/installation/* /mnt/newroot

If you didn't already have an installation, you could probably use debootstrap at this point.

Finally, setting it up to boot, I switched to my new root filesystem using chroot:

 chroot /mnt/newroot

Then:

Then dropped out of my chroot shell, unmounted everything, rebooted and put my fingers in my ears. And it booted! Phew.
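As an added check (my own example, not part of the original notes): a small POSIX sh script that parses /proc/mdstat and reports whether the md2/md3/md4 mirrors from the layout above are still complete, since a quietly degraded md4 leaves the encrypted root sitting on a single disk. The mdstat text is a constructed sample in the format the kernel prints; the array names are the ones used above.

```shell
# Constructed /proc/mdstat samples for the layout above: md2 (/boot), md3 (swap)
# and md4 (the LUKS-backed root), each a two-disk RAID1 of sdX2/sdX3/sdX4.
HEALTHY_MDSTAT='Personalities : [raid1]
md4 : active raid1 sda4[0] sdb4[1]
      975134464 blocks [2/2] [UU]
md3 : active raid1 sda3[0] sdb3[1]
      4194240 blocks [2/2] [UU]
md2 : active raid1 sda2[0] sdb2[1]
      1044160 blocks [2/2] [UU]
unused devices: <none>'

# Same machine after sdb dropped out of the root mirror ([2/1] and [U_]).
DEGRADED_MDSTAT='Personalities : [raid1]
md4 : active raid1 sda4[0]
      975134464 blocks [2/1] [U_]
md3 : active raid1 sda3[0] sdb3[1]
      4194240 blocks [2/2] [UU]
md2 : active raid1 sda2[0] sdb2[1]
      1044160 blocks [2/2] [UU]
unused devices: <none>'

# Reads /proc/mdstat-format text on stdin and prints the name of every array
# whose member map (the [UU] field) contains "_", i.e. a missing member.
degraded_arrays() {
  awk '/^md[0-9]+ :/ { name = $1 }
       /blocks/ && /\[[U_]*_[U_]*]/ { print name }'
}

# mirror_health MDSTAT_TEXT md2 md3 ...: reports each expected array as
# OK, DEGRADED or MISSING; exit status 0 only when all are OK.
mirror_health() {
  mdstat=$1; shift
  rc=0
  for md in "$@"; do
    if ! printf '%s\n' "$mdstat" | grep -q "^$md : active raid1 "; then
      echo "MISSING  $md"; rc=1
    elif printf '%s\n' "$mdstat" | degraded_arrays | grep -qx "$md"; then
      echo "DEGRADED $md"; rc=1
    else
      echo "OK       $md"
    fi
  done
  return $rc
}

# Demonstration on the constructed samples. On the finished system, run:
#   mirror_health "$(cat /proc/mdstat)" md2 md3 md4
mirror_health "$HEALTHY_MDSTAT" md2 md3 md4
mirror_health "$DEGRADED_MDSTAT" md2 md3 md4 || echo "-> resync the mirror before trusting the encrypted root"
```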