What do you use for encryption?

Soldato | Joined 21 Jun 2004 | Posts 2,789 | Location Berkshire
I'm looking to build a couple of RAID6 backup servers (6x 3TB drives, ~10TB or so usable) and want to encrypt the complete RAID devices for a bit of extra peace of mind.

Obviously this adds extra complexity if there is ever a bad block on the RAID and won't be so easy to restore filesystem damage. Is LUKS/dm-crypt generally reliable? I'll be using CentOS 6 and mdadm RAID as performance isn't important.

If you have encrypted data on *nix systems what do you use?

Cheers
 
Soldato | Joined 22 Dec 2008 | Posts 10,370 | Location England
Geli, which works fine, and LUKS, which also works fine. Neither does brilliant things to performance. A bad sector on an encrypted drive is likely to do much more damage than a bad sector on a non-encrypted drive. That's your cost. Nominally neither should break - but how much faith do you have in the existence of a perfect computing system?

Only you can judge how the extra risk of a failed backup compares to the risk of someone having access to the unencrypted data. Sadly I don't know how to calculate how the probabilities of data loss change.

I think I would go down the JBOD/RAID 1 route for backups and encrypt the disks independently. RAID + encryption is too many failure modes (which destroy all the data) for comfort in a backup. This is a pain when backing up more than one disk's worth - all the data I care about losing fits on a USB stick!
 
Soldato | Joined 10 Oct 2005 | Posts 8,706 | Location Nottingham
We've looked at LUKS previously, but you need to take into account the differences between someone physically stealing the server/disks (with the volumes unmounted) and someone hacking into your running server (with the volumes mounted), and whether that method of encryption will cover you the way you want in either case.

You may find you actually want/need file-level encryption rather than filesystem-level encryption.
 