This guide should work on all Linux based distros assuming you have access to cryptsetup. /dev/sda2 will be the partition that I will set LUKS up on.
If you’re using Arch (even the live CD) or a newer version of cryptsetup you can bench all of the cryptographic methods using:
Unfortunately Debian 7 and Ubuntu 12.04.2 LTS do not come with the newer version and therefore cannot run the benchmark. I highly recommend using AES-256 if the performance is good enough (above ~200MB/s for writing or at least the speed of gigabit which is 1000/8 = 125MB/s). Newer Intel CPUs (i7-970 and later) have the AES-NI extension which means the AES encryption/decryption can be done in hardware.
dd the partition to wipe out any old data. Formatting won’t cut it and this part will take quite a few hours depending on the size of the array/disk.
dd if=/dev/zero of=/dev/sda2 bs=1M
apt-get install cryptsetup
Setup the partition for LUKS.
cryptsetup --verify-passphrase luksFormat /dev/sda2 -c aes -s 256 -h sha256
3a. If you get an error about not being able to find the partition then you need to run ‘partprobe’.
Create the mapper that we can mount (change ‘raidtest’ to anything you want).
cryptsetup luksOpen /dev/sda2 raidtest
Format the device mapper.
Mount the mapper
mount /dev/mapper/raidtest /mnt/raidtest
Test the speed of the new device.1234cd /mnt/raidtestdd if=/dev/zero of=test bs=1M count=1k conv=fdatasync; unlink testdd if=/dev/zero of=test bs=16k count=64k conv=fdatasync; unlink testdd if=/dev/zero of=test bs=8k count=128k conv=fdatasync; unlink test
On my RAID6 array on an LSI 9260-8i with 4 drives, I get about 190MB/s with the 1M block size test from above. Without AES encryption I normally see around 250MB/s and the Xeon X3450 in my server does not have the AES-NI instruction set, which means it uses all available CPU cores to do the calculations and is slower. This is higher than the speed of gigabit LAN so it’s definitely an acceptable loss. Encrypt all the things!
- Get the UUID of the LUKS partition as well as the mapper partition.
For me they are:
Edit your fstab (change the UUID to that of your /dev/mapper device).
UUID=200a4e7e-3fec-4727-80df-5bf1c55c2d8d /mnt/raidtest ext4 relatime,errors=remount-ro 0 1
Edit your crypttab (change the UUID to that of your physical device partition).
raidtest UUID=14c25eae-dcd6-4821-94b3-95b5a96485d6 none luks
Now when you reboot, Linux will first look at crypttab and ask you for your password to decrypt the volume. Then it will look at
/etc/fstab and mount the mapper device. You will need to enter your password every time you reboot otherwise the partition will not be mounted.