Hello
Are there any restrictions for using together DRBD and block device level encryption (LUKS2) ?
For instance, for logical volumes
volume 31 {
device /dev/drbd3;
disk /dev/block_nfs_vg/ha_block_exports_lv;
meta-disk internal;
}
volume 32 {
device /dev/drbd4;
disk /dev/block_nfs_vg/ha_block_exports_lv_2;
meta-disk internal;
}
which are promoted by pacemaker, drbd resource file has set “auto-promote no;”.
Anton
There is nothing preventing the use of LUKS atop DRBD. DRBD is just a block device after all.
You will need to promote DRBD then issue a cryptsetup open. Likewise, a cryptsetup close would be needed before demoting the DRBD resource. With Pacemaker you can automate all of this via the crypt resource-agent.
Alternatively, you could put LUKS below DRBD and use it to encrypt the /dev/block_nfs_vg/ha_block_exports_lv LVM device directly. With this setup you would not need anything additional in Pacemaker, but would need to unlock the device with a cryptsetup open before you can start Pacemaker and DRBD. This is usually just handled at boot.
Hhmmm… it seems I was too hasty with my question.
Yes, the fundamental question is - lvm over luks, or, luks over lvm ?
For instance, if the LVM volume group has a single physical volume, lvm over luks will have a single password for all logical volumes in that volume group. This is less flexible than luks over lvm, with individual passwords for each logical volume.
But lvm over luks looks more preferable, because in this case, physical volume LVM meta data will be encrypted too.
Thank you Devin.
Anton