LUKS (Linux Unified Key Setup)

This guide should work on all Linux based distros assuming you have access to cryptsetup. /dev/sda2 will be the partition that I will set LUKS up on.

If you’re using Arch (even the live CD) or a newer version of cryptsetup you can bench all of the cryptographic methods using:
cryptsetup benchmark

Unfortunately Debian 7 and Ubuntu 12.04.2 LTS do not come with the newer version and therefore cannot run the benchmark. I highly recommend using AES-256 if the performance is good enough (above ~200MB/s for writing or at least the speed of gigabit which is 1000/8 = 125MB/s). Newer Intel CPUs (i7-970 and later) have the AES-NI extension which means the AES encryption/decryption can be done in hardware.

  1. dd the partition to wipe out any old data. Formatting won’t cut it and this part will take quite a few hours depending on the size of the array/disk.
    dd if=/dev/zero of=/dev/sda2 bs=1M

  2. Install cryptsetup
    apt-get install cryptsetup

  3. Setup the partition for LUKS.
    cryptsetup --verify-passphrase luksFormat /dev/sda2 -c aes -s 256 -h sha256

3a. If you get an error about not being able to find the partition then you need to run ‘partprobe’.

apt-get install parted

  1. Create the mapper that we can mount (change ‘raidtest’ to anything you want).
    cryptsetup luksOpen /dev/sda2 raidtest

  2. Format the device mapper.
    mkfs.ext4 /dev/mapper/raidtest

  3. Mount the mapper
    mount /dev/mapper/raidtest /mnt/raidtest

  4. Test the speed of the new device.

    cd /mnt/raidtest
    dd if=/dev/zero of=test bs=1M count=1k conv=fdatasync; unlink test
    dd if=/dev/zero of=test bs=16k count=64k conv=fdatasync; unlink test
    dd if=/dev/zero of=test bs=8k count=128k conv=fdatasync; unlink test

On my RAID6 array on an LSI 9260-8i with 4 drives, I get about 190MB/s with the 1M block size test from above. Without AES encryption I normally see around 250MB/s and the Xeon X3450 in my server does not have the AES-NI instruction set, which means it uses all available CPU cores to do the calculations and is slower. This is higher than the speed of gigabit LAN so it’s definitely an acceptable loss. Encrypt all the things!

  1. Get the UUID of the LUKS partition as well as the mapper partition.

For me they are:

/dev/sda2: UUID="14c25eae-dcd6-4821-94b3-95b5a96485d6" TYPE="crypto_LUKS"
/dev/mapper/raidtest: UUID="200a4e7e-3fec-4727-80df-5bf1c55c2d8d" TYPE="ext4"
  1. Edit your fstab (change the UUID to that of your /dev/mapper device).
    nano /etc/fstab
    UUID=200a4e7e-3fec-4727-80df-5bf1c55c2d8d /mnt/raidtest ext4 relatime,errors=remount-ro 0 1

  2. Edit your crypttab (change the UUID to that of your physical device partition).
    nano /etc/crypttab
    raidtest UUID=14c25eae-dcd6-4821-94b3-95b5a96485d6 none luks

Now when you reboot, Linux will first look at crypttab and ask you for your password to decrypt the volume. Then it will look at /etc/fstab and mount the mapper device. You will need to enter your password every time you reboot otherwise the partition will not be mounted.