This is not just a reminder for myself but for everyone having trouble setting up an encrypted LVM on top of a Linux software RAID on top of two or more 2TB+ hard disks. The tricky part here is that the hard disks need to have a GPT partition table. Another issue is today's new (U)EFI mainboards.
Another positive aspect is that you can protect your data much better against typical suspects like the NSA or other surveillance parties.
Debian installation Grub error: Reserved BIOS boot area partition? What to do to continue installation?
Well, mainly nothing except it makes one's life harder to set up
operating systems and choose the right bootloader. Is it just Grub2
I'll show you a good method here that I have tested on Ubuntu 12.04 LTS and on a Debian Wheezy machine (it should also work on other distros). One test was on real hardware with UEFI and one with two 2TB disks in a VirtualBox VM (to show you some helpful screenshots).
Another key part of the whole installation is how you boot
the installer. Debian and Ubuntu use the debian-installer, which has
an expert mode. This is what we need.
On Ubuntu, before booting the installer, press F6 and select the expert mode there. On a Debian CD just go to "Advanced Options" and boot the expert mode.
I'll explain later why this is important.
After booting, continue like you always would until you come to the "Installer Components" part where you have to choose some of them: choose-mirror, crypto-dm-modules...(only on Debian), load-media and parted-udeb.
Then continue the installation process until you reach the partitioner.
First, create empty partition tables on each of your hard drives. Here comes the key part: at this step the expert install allows us to choose "gpt" as the partition table, which is necessary for 2TB or larger hard drives!
Now create a "1MB" large partition on every drive and use it as a "reserved BIOS boot area".
This is important for a successful GRUB installation: since there is no MBR anymore on GPT disks, GRUB will install itself on those small partitions instead.
Now create two more partitions on each drive. By the way, it's important to create the exact same partitions and sizes on each drive for a successful RAID creation.
The first partition should be around 256MB in size. This will become our RAID device for /boot. The second partition can take up all the rest of your hard disk. This will become our encrypted LVM RAID disk. For both partitions use the "physical volume for RAID" setting.
Now your partition table should look like the following.
Configure the RAID devices
Now we will configure the software RAID by creating two MD devices. One with both smaller partitions and one with the two larger ones. That's it.
Configure the crypto device (for LVM use later)
Use the larger partition as a "physical volume for encryption" then let us "configure encrypted volumes". The recommendations on Debian Wheezy and Ubuntu are as follows.
If you cannot wait, you can also abort the erase of the volume. Now define a passphrase (if you have chosen the defaults) for your encrypted volume but beware: NEVER LOSE THAT PASSPHRASE OR YOU WILL LOSE YOUR DATA.
Now use the new crypto volume as a "physical volume for LVM". The whole thing now feels like a matryoshka doll, doesn't it?
Let us configure the LVM. This will be quite basic stuff again.
First, create a volume group, "vg0" for example. Then create
logical volumes for your most basic partitions like swap or the root
filesystem with the sizes you desire. Special tip here: You can
safely use smaller partition sizes in an LVM since you can mostly do
an online resize of the disks if you need more space.
After you have done this and created the mount points everything is done and it should look like this. (Did you remember to create the /boot partition on the smaller first RAID device? Check the picture if not!)
Now write all changes to disk and continue the installation. At the point where you need to install GRUB, just install it in the MBR as advised (it will mostly choose /dev/sda for it automatically). Now finish the installation and after a smooth reboot you'll be presented with an "Enter passphrase" login for your personal Fort Knox.
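To confirm after the first boot that the layers really ended up stacked as described (root and swap as LVM on the encrypted volume on RAID1, /boot on plain RAID1), here is a small check, added as an example and not part of the original post. It assumes input in the format of `lsblk -P -o KNAME,TYPE,PKNAME,MOUNTPOINT`; the sample layout and its device names are constructed and abridged.

```shell
#!/bin/sh
# Constructed sample in `lsblk -P -o KNAME,TYPE,PKNAME,MOUNTPOINT` format.
# sda1 is the 1MB "reserved BIOS boot area"; md devices repeat once per member.
sample_layout() {
cat <<'EOF'
KNAME="sda" TYPE="disk" PKNAME="" MOUNTPOINT=""
KNAME="sda1" TYPE="part" PKNAME="sda" MOUNTPOINT=""
KNAME="sda2" TYPE="part" PKNAME="sda" MOUNTPOINT=""
KNAME="md0" TYPE="raid1" PKNAME="sda2" MOUNTPOINT="/boot"
KNAME="sda3" TYPE="part" PKNAME="sda" MOUNTPOINT=""
KNAME="md1" TYPE="raid1" PKNAME="sda3" MOUNTPOINT=""
KNAME="dm-0" TYPE="crypt" PKNAME="md1" MOUNTPOINT=""
KNAME="dm-1" TYPE="lvm" PKNAME="dm-0" MOUNTPOINT="/"
KNAME="dm-2" TYPE="lvm" PKNAME="dm-0" MOUNTPOINT="[SWAP]"
KNAME="sdb" TYPE="disk" PKNAME="" MOUNTPOINT=""
KNAME="sdb2" TYPE="part" PKNAME="sdb" MOUNTPOINT=""
KNAME="md0" TYPE="raid1" PKNAME="sdb2" MOUNTPOINT="/boot"
KNAME="sdb3" TYPE="part" PKNAME="sdb" MOUNTPOINT=""
KNAME="md1" TYPE="raid1" PKNAME="sdb3" MOUNTPOINT=""
EOF
}

# Print the device types from the given mountpoint down to the physical disk.
stack_of() {  # $1 = mountpoint, stdin = lsblk pairs output
    awk -v want="$1" '
    function field(key) {   # value of key="..." on the current line
        if (!match(" " $0, " " key "=\"[^\"]*\"")) return ""
        return substr(" " $0, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    { k = field("KNAME"); type[k] = field("TYPE"); parent[k] = field("PKNAME")
      if (field("MOUNTPOINT") == want) start = k }
    END {
        if (start == "") exit 1
        for (d = start; d != ""; d = parent[d]) out = out (out ? " " : "") type[d]
        print out
    }'
}

# Fail if root or swap bypass the crypt layer, or if /boot is not on plain RAID1.
check_layout() {  # stdin = lsblk pairs output
    layout=$(cat); rc=0
    for spec in '/:lvm crypt raid1 part disk' '/boot:raid1 part disk' \
                '[SWAP]:lvm crypt raid1 part disk'; do
        mp=${spec%%:*}; want=${spec#*:}
        got=$(printf '%s\n' "$layout" | stack_of "$mp") || got="(not mounted)"
        [ "$got" = "$want" ] || { echo "FAIL $mp: got '$got', want '$want'" >&2; rc=1; }
    done
    return $rc
}

# On the installed system: lsblk -P -o KNAME,TYPE,PKNAME,MOUNTPOINT | check_layout
sample_layout | check_layout && echo "layout OK"
```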
Have fun encrypting your data!