I'm managing a file server with two disks. The server is running Ubuntu 14.04, and it's already configured with software RAID1 (/dev/md0), and LVM on top of it.
Important data is stored in /var and /srv file systems, and I'm asked to encrypt them, but I'm not sure which way to follow.
Can I create new logical volumes, use dm-crypt to encrypt them, and then create a file system and move the data there?
Since encrypted volumes need to be auto-mounted at boot, I should store encryption keys on a different device, like a USB stick, is that right?
What I care about:
- Right now I don't know how much /var and /srv will grow, so I want to be able to easily enlarge those file systems when needed (that's why we are using LVM).
- I need to protect data in /var and /srv if the disks are replaced and put elsewhere.
- I care more about reliability and security than performance.
What I don't care about:
- I don't need to protect the root file system, since it's a quite standard configuration.
- I don't need to protect the swap volume, I'm even considering the option to remove it, since it's never used (there's plenty of RAM available).
Here's a view of my current setup, for reference:
$ lsblk
NAME                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                             8:0    0   1,8T  0 disk
└─sda1                          8:1    0   1,8T  0 part
  └─md0                         9:0    0   1,8T  0 raid1
    ├─raidvg-varlv (dm-2)     252:2    0    15G  0 lvm   /var
    ├─raidvg-srvlv (dm-3)     252:3    0   304G  0 lvm   /srv
    ├─raidvg-systemlv (dm-4)  252:4    0  10,2G  0 lvm   /
    └─raidvg-swaplv (dm-5)    252:5    0   3,7G  0 lvm   [SWAP]
sdb                             8:16   0   1,8T  0 disk
└─sdb1                          8:17   0   1,8T  0 part
  └─md0                         9:0    0   1,8T  0 raid1
    ├─raidvg-varlv (dm-2)     252:2    0    15G  0 lvm   /var
    ├─raidvg-srvlv (dm-3)     252:3    0   304G  0 lvm   /srv
    ├─raidvg-systemlv (dm-4)  252:4    0  10,2G  0 lvm   /
    └─raidvg-swaplv (dm-5)    252:5    0   3,7G  0 lvm   [SWAP]
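
The layering the question proposes (a new logical volume, dm-crypt/LUKS on top of it, then a file system), written out as an added example that is not part of the original post. The volume group name comes from the lsblk output above; the `srvlv_crypt` name, the 320G size, ext4, and the key directory `/media/usbkey` (which must be mounted before `/etc/crypttab` is processed at boot) are assumptions.

```shell
#!/bin/sh
# Added example: LUKS on a new LV inside the existing RAID1-backed volume group.
# Commands are only printed unless RUN=1 is set, so the plan can be reviewed first.

VG=raidvg                 # volume group shown in the lsblk output
KEYDIR=/media/usbkey      # assumed mount point of the USB stick holding key files

run() { if [ "${RUN:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

# /etc/crypttab entry: <mapping name> <source device> <key file> <options>
crypttab_line() {         # $1 = new LV name (also used as mapping name)
    printf '%s /dev/%s/%s %s/%s.key luks\n' "$1" "$VG" "$1" "$KEYDIR" "$1"
}

# /etc/fstab entry for the decrypted mapping (ext4 is an assumption)
fstab_line() {            # $1 = mapping name, $2 = mount point
    printf '/dev/mapper/%s %s ext4 defaults 0 2\n' "$1" "$2"
}

# Create the encrypted LV and copy the data; stop services writing to $1 first.
migrate() {               # $1 = current mount point, $2 = new LV name, $3 = size
    src=$1
    lv=$2
    key=$KEYDIR/$lv.key
    run lvcreate -L "$3" -n "$lv" "$VG"
    run dd if=/dev/urandom of="$key" bs=512 count=8
    run chmod 0400 "$key"
    run cryptsetup luksFormat --batch-mode "/dev/$VG/$lv" "$key"
    run cryptsetup luksOpen --key-file "$key" "/dev/$VG/$lv" "$lv"
    run mkfs.ext4 "/dev/mapper/$lv"
    run mount "/dev/mapper/$lv" /mnt
    run rsync -aHAX "$src/" /mnt/
    run umount /mnt
}

# Growing later is three layers, bottom up: LV, dm-crypt mapping, file system.
grow() {                  # $1 = LV/mapping name, $2 = amount to add
    run lvextend -L "+$2" "/dev/$VG/$1"
    run cryptsetup resize "$1"
    run resize2fs "/dev/mapper/$1"
}

migrate /srv srvlv_crypt 320G
crypttab_line srvlv_crypt
fstab_line srvlv_crypt /srv
```

Only the disks are protected this way: anyone who obtains the USB stick together with a disk can open the volume, so the stick has to be stored apart from the server when disks leave the site.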