hello,
On 10/06/2011 12:24 AM, Bill Asher wrote:
> Today I did a little test to see if I could configure DRBD on encrypted LVs
> and what I found is it didn't work for me... Because the servers are located
> in a colo, security for the servers is the main reasoning.
> All seems to go good until I tell DRBD to mirror filerA logical
> volume(/dev/vg/data) to filerB LV (/dev/vg/data). I then received errors on
> the console like this, over and over:
>
> "Block drbd0: open("/dev/vg/data") failed with -16"
>
> I then rebooted to Ubuntu CD to look at the LVs and.. they were all gone. The
> only thing the partitioner sees is the two partitions I created, one for
> /boot the other for logical volumes, but all my lvm tables were gone. I was
> able to repeat this issue on both my filers.
>
> So my question is..
>
> a) can this even be done, encrypting the filesystem then configuring DRBD
> b) if encryption can be done, is my approach wrong?
>
> Thank you in advance for your time.
...if you want to encrypt a _blockdevice_ and one possible solution is:

* encrypt a complete partition/disk with dm-crypt/LUKS/cryptsetup
* use this encrypted dm device as pv for your vg(s)
* create a lv per DRBD device

after every reboot you need to activate the encrypted partition using
cryptsetup and e.g. your passphrase and you have to do a vgscan/vgchange
prior to the activation of DRBD.

and if you own a recent Intel cpu supporting AES-NI in combination with a
recent kernel like 2.6.39 which supports multiple encryption pipes and the
aesni_intel driver, then you get a damn fast and secure replicated storage ;-)

Regards,
Andreas

-- 
Need help with DRBD?
http://www.hastexo.com/now
_______________________________________________
drbd-user mailing list
[email protected]
http://lists.linbit.com/mailman/listinfo/drbd-user
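
The boot-time order described in the reply above, as an added example that is not part of the original mail: unlock the LUKS container, rescan and activate the volume group, and only then bring up DRBD. The path /dev/vg/data comes from the thread; the partition /dev/sdb1, the mapping name cryptpv and the resource name r0 are assumptions.

```shell
#!/bin/sh
# Added example: bring up DRBD on an LV whose PV is a LUKS mapping.
# /dev/vg/data is from the thread; /dev/sdb1, cryptpv and r0 are assumed names.
LUKS_DEV=${LUKS_DEV:-/dev/sdb1}   # partition previously set up with "cryptsetup luksFormat"
MAP_NAME=${MAP_NAME:-cryptpv}     # PV is /dev/mapper/$MAP_NAME (pvcreate/vgcreate done once)
VG_NAME=${VG_NAME:-vg}
LV_NAME=${LV_NAME:-data}          # one LV per DRBD device
DRBD_RES=${DRBD_RES:-r0}          # resource with "disk /dev/$VG_NAME/$LV_NAME;"

# Echo each command; execute it unless DRY_RUN=1.
run() {
    echo "+ $*"
    [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

# Each step depends on the previous one; the return code names the failed step.
activate_stack() {
    # 1. Unlock the container (prompts for the passphrase) unless already open.
    [ -e "/dev/mapper/$MAP_NAME" ] ||
        run cryptsetup open --type luks "$LUKS_DEV" "$MAP_NAME" || return 1
    # 2. The PV only becomes visible now, so rescan and activate the VG.
    run vgscan || return 2
    run vgchange -ay "$VG_NAME" || return 3
    # 3. Never start DRBD against a backing device that is not there.
    if [ "${DRY_RUN:-0}" != 1 ] && [ ! -b "/dev/$VG_NAME/$LV_NAME" ]; then
        echo "backing LV /dev/$VG_NAME/$LV_NAME missing, not starting DRBD" >&2
        return 4
    fi
    # 4. Attach and connect the resource.
    run drbdadm up "$DRBD_RES" || return 5
}

# Execute only when asked to, e.g. "sh activate-drbd.sh --run" as root.
if [ "${1:-}" = "--run" ]; then
    activate_stack
fi
```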
