BTRFS and Luks integration

luks btrfs

I would like to build a RAID1/BTRFS/Luks setup. What I found about it so far is:

An encrypted Btrfs file system can be created on top of the dm_crypt disk encryption subsystem and Linux Unified Key Setup (LUKS) layer, which supports a variety of encryption standards. However, this approach disables some of the capabilities and advantages of using Btrfs on raw block devices, such as automatic solid-state disk support and detection.

What's the best approach to implement this solution?

/dev/sda1 < 500 Gb 
/dev/sdb1 < 500 Gb 

/dev/md0 < RAID1 stripe < Luks < BTRFS < snapshots

Would a setup like this work?

I can't see other way of doing it without losing BTRFS-es snapshot capabilities. I could setup the raid without mdadm with btrfs like:

mkfs.btrfs -m raid1 -d raid1 /dev/sda /dev/sdb

but then I got btrfs right on the top where I can only drop luks encrypted images. Even if 1 bit changes inside an image will affect the snapshots of btrfs (aka it will copy the whole image file again)..


The important thing to note is that if you use md for the mirroring and create btrfs on top of it with "-d single" you will lose the ability to recover from bitrot errors (btrfs will still detect them)

So the best solution for your case would be your second example:

raw device -> LUKS -> btrfs RAID1 from the LUKS devices

loan already answered the TRIM/discard part for you and there is nothing for me to add there


However, this approach disables some of the capabilities and advantages of using Btrfs on raw block devices, such as automatic solid-state disk support and detection.

cryptsetup supports passing TRIM requests; you just need to use the argument --allow-discards when doing a cryptsetup open, or using discard as an option when using /etc/crypttab. Do this before executing mkfs.btrfs and you'll see that it detects the SSD and turns on TRIM. You may also want to ensure you use discard,ssd as options when later mounting the filesystem.

Even if 1 bit changes inside an image will affect the snapshots of btrfs (aka it will copy the whole image file again)..

BTRFS will detect any bit corruption in a data/metadata block and correct that block using the other copy (it won't copy the file). Snapshots reference existing data/metadata blocks and don't normally take up extra space. Should part of a block (part of a file) later change, a copy will be made and referenced separately (it won't copy the file unless the block contains the whole file). The unchanged block will not be copied, just referenced.

Related

Linux read disk cache and NFS
Switching hosting from GoDaddy to AWS
Latency & speed considerations between 2 servers on Amazon EC2
What type of Fiber-Connector is this?
Connection Reset error trying to set up HTTPS locally using VS and IIS Express
MongoDB Auth, can be authenticated in the shell but not via the command line
Nginx: expires header becomes 404
error "illegal software format" in upgrade fw .ros file of Cisco Sg200-26 small business smart switch
Automatically Kill/Restart Process(es) When Memory is Critically Low
Linux server hangs, where to look for possible reason? [closed]
PHP Startup: Unable to load dynamic library '/usr/lib/php5/20100525/apc.so'
Why is my instance failing ELB health checks when adding it to the load balancer via Ansible?