I currently have a storage server with the following config.

Multiple raid6 volumes (mdadm) -> aggregated into a lvm volume group -> lvm volumes -> encrypted with luks1 -> (no partitioning) xfs file systems mounted and used by the os

I have the following criteria: I want to keep software raid (mdadm) with multiple raid sets, xfs, and lvm. I don’t mind using 2fa, but I don’t want to just store my secret keys on a dongle attached to my PC because that seems to defeat the point of encryption at rest.

My questions:

  1. Is there a better way to encrypt my data at rest?

  2. Is there a better layer at which to apply the encryption?

I’m mostly unhappy with luks1 over a whole lvm volume and looking for alternatives.

Thank you everyone for these great responses! I’ll be looking into these ideas :)

  • Possibly linux
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    1
    ·
    10 months ago

    First off if I remember correctly there was some people complaining they lost everything with XFS so be careful.

    Secondly, could you use a iSCI volume? It would limit it to your laptop only but you should be able to encrypt it all.

    The other option is to encrypt some sort of file that holds your data.