:: Re: [DNG] UEFI, software RAID1, LVM…
Página superior
Eliminar este mensaje
Responder a este mensaje
Autor: Olaf Meeuwissen
Fecha:  
A: Antony Stone
Cc: dng
Asunto: Re: [DNG] UEFI, software RAID1, LVM and encryption
Hi Antony,

Thanks for the feedback. I've been researching a bit myself in the mean
time as well but still value additional input from the list.

Antony Stone writes:

> On Sunday 24 July 2022 at 05:18:47, Olaf Meeuwissen via Dng wrote:
>
>> Hi list,
>>
>> I lost the single SSD on my mini PC and am in the process of rethinking
>> its storage. So far, I've got myself two brand new and identical PCIe
>> NVMe SSDs (256GB) for use in a software RAID1 setup. I think I need to
>> enable UEFI to get access to the BIOS from the GRUB menu.
>>
>> I want my /home directory on a partition of its own, at a minimum, and
>> encrypt it. I don't see a need to encrypt much else as I am not after
>> plausible deniability. It's mostly to be able to return a broken disk
>> for a replacement and still sleep in relative peace of mind ;-)
>>
>> I haven't quite made up my mind as to a need for other partitions. I
>> use containers and VMs quite a bit. Perhaps these are better stored
>> some place other than the partitions for / or (an encrypted) /home.
>>
>> With 64GB of RAM, I don't see much need for swap. If needed, I could
>> always add a swapfile instead of a partition.
>>
>> Given the above,
>>
>> - what are your expert(?) opinions on partitioning for this?
>
> Use LVM on top of RAID - great flexibility, plus reliability.
>
>> - how do I make (and keep) both disks bootable?
>
> grub-install /dev/thing1
> grub-install /dev/thing2
>
> You can keep /boot as a separate RAID1 (separate from LVM, that is) if you
> want to, or you can include it in LVM these days.
>
> That means you have the grub loader itself, the grub.conf, and the initramfs
> and kernel, all replicated on both disks.
>
> The only part of this you need to remember to do manually is grub-install
> /dev/thing2 if there's ever a new version of grub itself.


I vaguely recall reading that you could enter a list of space separated
devices to install GRUB to in the installer.

On top of that, I think I actually configured something like that in
/etc/default/grub on one of the machines at the office.

>> - can I put the ESP on RAID1?
>
> Er, what's ESP?


It's not Extra-Sensory Perception in this context :-P
It's the EFI System Partition and is what gets mounted on /boot/efi/.

>>    - if not, how do I keep the copies in sync?

>
>> - do I need a separate partition for /boot?
>
> You do not need one, but you can have one.


Then I'd rather do without. I asked because on a few of my systems it
*is* a separate partition. Thinking about that, I believe these were
installed to use a "fully" encrypted system, i.e. the partition mounted
on / encrypted as well. In that case it makes sense because most BIOSs
probably do not handle that.

If I only want/need an encrypted /home then I should be okay with /boot
on the partition that's mounted on /.

>>    - if so, can it be put on RAID1?

>
> Yes.
>
>>      - if not, how do I keep the copies in sync?

>
> n/a


ACK.

>> - should I use LVM?
>
> Yes, IMHO.
>
>>  - does randomizing the partition for /home make sense if on LVM and may
>>    get resized sometime in the future?

>
> What do you mean by randomizing?


Writing random data to the partition before using it. This is supposed
to make it harder to decrypt for prying eyes.

After I sent my mail, I thought I could randomize the whole disk (or
that part that's used as an LVM PV) but that might take a while ...

Thanks again and looking forward to other opinions and follow-up!
--
Olaf Meeuwissen