I currently have a storage server with the following config.
Multiple raid6 volumes (mdadm) -> aggregated into a lvm volume group -> lvm volumes -> encrypted with luks1 -> (no partitioning) xfs file systems mounted and used by the os
I have the following criteria: I want to keep software raid (mdadm) with multiple raid sets, xfs, and lvm. I don’t mind using 2fa, but I don’t want to just store my secret keys on a dongle attached to my PC because that seems to defeat the point of encryption at rest.
My questions:
-
Is there a better way to encrypt my data at rest?
-
Is there a better layer at which to apply the encryption?
I’m mostly unhappy with luks1 over a whole lvm volume and looking for alternatives.
–
Thank you everyone for these great responses! I’ll be looking into these ideas :)
I was a bit surprised at it as well, but it doesn’t for me running Debian headless. If I reboot after a kernel update it’ll try to boot into the new kernel and fail waiting for the initramfs, but it’ll boot just fine into the previous kernel. Once I update the initramfs it works fine.
If you know what resources you used to set it up, I’d be curious to take a look and see if I missed something.