I try made a super-duper hiper-secure configuration with: Software RAID(1) -> LUKS -> LVM
To do this I have 2 physical SSD drive (Crucial MX500).
I'll following along instructions available here:
- Install Ubuntu 20.04 desktop with RAID 1 and LVM on machine with UEFI BIOS
- Full_Disk_Encryption_Howto_2019
But I stuck with couple questions. Because I plan full-disk encryption with UEFI I was thinking how to deal with ESP partition and separated /boot partition (which also I want to encrypt). The only answear that I found was to clone ESP partition between physical disks to be able to replace entire disk and add EFI entry to boot chain. Another idea was move EFI to another small disk but it introduce single point of failure when disk dies.
Because new version of Ubuntu was released with GRUB 2.0.6 I really was counted on LUKS2 support (but it looks like implementation have some bugs and we still have to rely on luks1 for /boot encryption and "metadata=0.9" for building RAID array)
So, I must to rearrange entire setup:
(vm - for presentation purpose only)
Prompt password during boot I'll solve with passphrase stored on my yubikey.
My question is anyone did something similar that works? All my trials end up with Minimal Bash like or do not make start possible at all.
I don't own deep knowledge about every system boot stage so I have no idea how to debug startup at this level but I have impression that system don't know how to cope with luks partition behind software raid. This setup is more like configuration for arch/gentoo user but I faith that I find someone who did this before and can give advice how to do it right.
I think all of this would be much simplify when RAID would be hardware based. Obviously RAID isn't backup itself so I additional plan to make another copy to my Synology (paranoid mode).
