I would like to set up resilient encrypted storage with a single NVMe drive for my laptop and its (encrypted) backup (with a SATA housing and SSD drive).

This is what I have at the moment:

  • SSD -> GPT partitions (unencrypted /boot, EFI, and LUKS) -> LVM -> BTRFS.

I started checking if LUKS has any CRC, so that it wouldn't multiply data corruption, and it seems that it has not. It will create 16 wrong bytes for a single bad bit. I'm interested to know if there's a way to set up integrity checking for LUKS or a layer below LUKS so it wouldn't propagate errors in case of data corruption, bad memory, or possible unsafe shutdowns. In case of unrecoverable data corruption I'd recover it from backup, and I think there is quite a small chance that both would get corrupted simultaneously. Any ideas are very welcome :)

Alojzij Blatnik
  • Configuring disk encryption on a single laptop probably doesn't qualify as managing systems in a business environment. – vidarlo Dec 27 '22 at 14:42
  • @vidarlo what do you mean? – Alojzij Blatnik Dec 27 '22 at 14:44
  • Your question is offtopic here. It may be on topic on superuser or unix SE. – vidarlo Dec 27 '22 at 14:44
  • Okay, but actually that's for business, although 1 person self-employed business :) Is it possible to transfer it to superuser or unix in case that's more appropriate? – Alojzij Blatnik Dec 27 '22 at 14:48
  • Look for `dm-verity` which uses MAC to implement integrity-supporting block devices. On top of that you may place any file system. Note that damaged blocks (purposely or accidentally) will translate into *I/O errors*, which corresponds to "bottom" (decryption error) output of a decryption function of an authenticated cipher. – Nikita Kipriyanov Dec 27 '22 at 15:24
  • Thanks for the info. I was testing a bit and it looks like verity is intended for read-only devices, but there is also dm-integrity which blows on a single bad bit (although crc could fix single bit errors). But I found this article (https://gist.github.com/MawKKe/caa2bbf7edcc072129d73b61ae7815fb). So, there's a possible solution with raid1, although I'd prefer a solution with a single drive and backup for bigger corruption. – Alojzij Blatnik Dec 27 '22 at 18:05

1 Answer

I checked quite a few options (for an encrypted drive). Note that I'm not very familiar with ZFS. Also, btrfs DUP on SSD may not be 100% "duplicated", because wear leveling may place the copy on the same area, so both copies could get damaged.

single drive

LUKS + btrfs with metadata (and data) DUP

  • reduces available disk size by half

LUKS with dm-integrity + btrfs with metadata (and data) DUP

  • reduced write performance by half (when journaling is enabled), but btrfs gets less corrupted data

ZFS with native encryption (or on top of LUKS)

two drives

2x LUKS + btrfs with raid1

2x dm-integrity + mdadm (raid1) + LUKS + btrfs with metadata (and data) DUP

ZFS' equivalent of raid1 and native encryption (or on top of LUKS)

Alojzij Blatnik
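
A small model of the layering discussed in the comments and in the answer (per-sector integrity tags underneath a mirror), added here as an illustration and not code from the thread or from dm-integrity itself: a single flipped bit turns into a read error instead of silently wrong data, and a second copy lets the read be repaired. The class and function names, the 512-byte sector size and the HMAC-SHA256 tag are assumptions of this sketch.

```python
import errno
import hashlib
import hmac

SECTOR = 512  # bytes per sector in this model (assumed)

class IntegrityDevice:
    """Toy block device keeping a keyed tag per sector (the dm-integrity idea)."""

    def __init__(self, key, sectors):
        self.key = key
        self.data = [bytes(SECTOR)] * sectors
        self.tags = [self._tag(i, self.data[i]) for i in range(sectors)]

    def _tag(self, index, payload):
        # The sector number is MACed too, so a valid sector moved elsewhere fails.
        msg = index.to_bytes(8, "little") + payload
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def write(self, index, payload):
        self.data[index] = bytes(payload)
        self.tags[index] = self._tag(index, self.data[index])

    def read(self, index):
        payload = self.data[index]
        if not hmac.compare_digest(self.tags[index], self._tag(index, payload)):
            raise OSError(errno.EIO, f"integrity mismatch on sector {index}")
        return payload

    def corrupt(self, index, bit):
        """Simulate media damage: flip one stored bit, leave the tag alone."""
        raw = bytearray(self.data[index])
        raw[bit // 8] ^= 1 << (bit % 8)
        self.data[index] = bytes(raw)

def mirrored_read(legs, index):
    """Toy RAID1 read: skip legs that error, repair them from the first good copy."""
    failed = []
    for leg in legs:
        try:
            payload = leg.read(index)
        except OSError:
            failed.append(leg)
            continue
        for bad in failed:  # rewrite the damaged copy
            bad.write(index, payload)
        return payload
    raise OSError(errno.EIO, f"all copies of sector {index} are damaged")
```

With only one leg, the same bit flip leaves nothing to repair from, which is the single-drive case where the backup has to take over.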