I currently have a storage server with the following config.
Multiple raid6 volumes (mdadm) -> aggregated into a lvm volume group -> lvm volumes -> encrypted with luks1 -> (no partitioning) xfs file systems mounted and used by the os
I have the following criteria: I want to keep software raid (mdadm) with multiple raid sets, xfs, and lvm. I don’t mind using 2fa, but I don’t want to just store my secret keys on a dongle attached to my PC because that seems to defeat the point of encryption at rest.
My questions:
-
Is there a better way to encrypt my data at rest?
-
Is there a better layer at which to apply the encryption?
I’m mostly unhappy with luks1 over a whole lvm volume and looking for alternatives.
–
Thank you everyone for these great responses! I’ll be looking into these ideas :)
You can layer them however you want, so you can slap luks on the physical drives, or the mdraid, or the individual LVM volumes as you do right now. If the entire setup is either locked or unlocked, luks between the raid and LVM PV makes sense. Having luks on the individual LVs have the advantage that you can have your data partially unlocked.
2FA is complicated. You can use a second factor like, you need to enter both a password and be in possession of the flash drive, but you can’t do it with the standard TOTP codes because you need the key to validate them in the first place.
One thing you can explore is TPM: the computer can detect if it’s been tampered with, and if all checks out, it will unwrap the key. You can add a password or flash drive as a second factor. There’s also the whole smartcard rabbit hole.
What exactly are you unsatisfied with? I think that’s a better starting point to advise on.
Second the key-password combo. It keeps the keys you have on the flash drive but adds a password component that thieves would need to figure out as well. Just make sure to pick a good password!