This project has moved. For the latest updates, please go here.

encryption and RAID 5

Topics: Users Discussion
Dec 8, 2015 at 7:51 PM
I have a semi-unique situation, but I haven't had any luck finding an answer so far, so I'm hoping someone here can help me.

I have an LSI RAID card, and six 3TB hard drives hooked up in RAID 5. I encrypted the hard drives with TrueCrypt as a whole device (created the RAID, encrypted as hidden, and then formatted it as a whole). The LSI RAID card lets me add new hard drives to existing RAIDs and it builds them into the RAID. It takes a few days, but will disperse all the contents of the hard drive over the new RAID while doing it. My question is, can I do this with an encrypted volume or does it redistributing the stuff wreck the encryption and then make it unlockable and lost? If it can be distributed, then should I convert from TrueCrypt to VeraCrypt before or after I add to the RAID? Also, I just thought, do I need to decrypt the RAID before adding another hard drive, or do it while encrypted?
Dec 8, 2015 at 9:54 PM
I found this in the FAQs. As close to an answer as I could find. I'd still like it if someone could verify it before I risk loosing all that stuff.

Is it possible to change the file system of an encrypted volume?

Yes, when mounted, VeraCrypt volumes can be formatted as FAT12, FAT16, FAT32, NTFS, or any other file system. VeraCrypt volumes behave as standard disk devices so you can right-click the device icon (for example in the 'Computer' or 'My Computer' list) and select 'Format'. The actual volume contents will be lost. However, the whole volume will remain encrypted. If you format a VeraCrypt-encrypted partition when the VeraCrypt volume that the partition hosts is not mounted, then the volume will be destroyed, and the partition will not be encrypted anymore (it will be empty).
Coordinator
Dec 11, 2015 at 11:13 PM
First of all, it is not a good idea to use RAID-5 with large disks because of the risk of failure of two or more disks that will make your data unrecoverable.

If we suppose that you will never have a simultaneous failure of two or more disks, then there is no problem with encrypting a RAID-5 with TrueCrypt/VeraCrypt. RAID rebuild mechanism is independent of the file system or encryption used. The most important thing to remember is that it guarantees that the data will always be seen a single disk and that a storage sector with index N will always be at index N. These properties guarantee a safe use with encryption because all what we need is that the location of a certain data block will not change.

So, to answer your questions:
  • you can add a new hard drive to an encrypted RAID 5.
  • There is no difference between converting from TrueCrypt to VeraCrypt before or after adding a new disk to the RAID 5. The only caution would to wait for the RAID to finish rebuilding itself when new disks are inserted.
  • As I said above, no need to decrypt a RAID before adding a new drive.
Dec 11, 2015 at 11:53 PM
thanks for getting back to me. I was unsure, so I actually started to permanently decrypt the RAID. It's only like 15% done.
To be sure you understand though. I'm not replacing one of the hard drives, but adding to an existing array. Going from 6 hard drives to 8, adding one at a time, of course.
Dec 14, 2015 at 1:22 PM
That is actually possible?
Well, you obviously need to resize the TC/VC volume accordingly. If this mechanism works without data loss on unencrypted data, this will work as well.
As idrassi said, RAID systems do not care about the filesystem - so either this RAID-extension just maps additional sectors of the virtual disk and updates parity or adding a drive will cause data loss anyway.
The adding will take at least the same time as a rebuild I think, as the redundancy (parity) has to be updated and redistributed. during this phase you ma not be protected if a disk fails, as a part of the parity is updated to 7 disks and the other part is not. This seems risky to me, I myself would definitely do a backup.
And never forget: As soon as the RAID-Controller fails you might be in trouble even if all disks are still working - so RAID is not really a backup (RAID is for availability and speed)