On 6/23/26 11:10, [email protected] wrote:
On Tue, Jun 23, 2026 at 10:33:01AM -0700, David Christensen wrote:
[...]
Both configurations work, but have different performance and security
considerations:
* partitions > RAID > encryption > filesystem
Will encrypt the RAID virtual block device, saving CPU cycles and
requiring one passphrase and/or key.
* partitions > encryption > RAID > filesystem
Will encrypt each partition, arguably improving security but requiring
more CPU cycles and passphrases/ keys.
Actually it would reduce security, IMO, because the opponent would have
to find just one of both keys (the content is mirrored), thus potentially
reducing the key strength by one bit. Not a big deal, granted :)
Cheers
I agree that successfully cracking two or more disks from an encrypted
RAID will give an attacker greater confidence in the resulting data and
metadata.
But I would expect a cracking algorithm for an encryption layer with
on-disk cryptographic details (e.g. LUKS header) would primarily attack
those on-disk cryptographic details:
* Assuming a brute-force cracking algorithm, each crack attempt (e.g.
passphrase and/or key generated by an iterator) is an independent trial
and the work is readily partitioned across multiple computers working in
parallel. So, cracking 1 LUKS header with N computers will take the
same average time as cracking any one of 2 to N different LUKS headers
with N computers.
* What an attacker wants is a cracking algorithm where each new cracking
attempt leverages the results from previous failed attempts. AIUI LUKS,
dm-crypt, and other professional cryptographic systems are specifically
designed to thwart such. But if you design such an algorithm, you could
become famous, make money, become an enemy of the state, go to prison,
flee into exile, etc..
I was thinking of what happens if a disk fails, the sysadmin disposes of
the disk, an attacker obtains the disk, and the attacker successfully
cracks the encryption. The attacker now has all or part of the
plaintext data, the plaintext metadata, and the plaintext cryptographic
details at the time the disk failed:
* If encryption was applied on top of RAID and the attacker obtains a
second encrypted disk, the attacker can use the plaintext cryptographic
details from the first disk to crack the second disk. This could be as
simple as entering the passphrase and/or key from the first disk.
* If encryption was applied under RAID and the sysadmin used different
strong passphrases and/or keys on every disk, the plaintext
cryptographic details from any one cracked disk will not help to crack
additional encrypted disks.
David