I currently have a storage server with the following config.

Multiple raid6 volumes (mdadm) -> aggregated into a lvm volume group -> lvm volumes -> encrypted with luks1 -> (no partitioning) xfs file systems mounted and used by the os

I have the following criteria: I want to keep software raid (mdadm) with multiple raid sets, xfs, and lvm. I don’t mind using 2fa, but I don’t want to just store my secret keys on a dongle attached to my PC because that seems to defeat the point of encryption at rest.

My questions:

  1. Is there a better way to encrypt my data at rest?

  2. Is there a better layer at which to apply the encryption?

I’m mostly unhappy with luks1 over a whole lvm volume and looking for alternatives.

Thank you everyone for these great responses! I’ll be looking into these ideas :)

  • socphoenix
    link
    fedilink
    English
    arrow-up
    5
    ·
    10 months ago

    Second the key-password combo. It keeps the keys you have on the flash drive but adds a password component that thieves would need to figure out as well. Just make sure to pick a good password!