1. Layout
2. Setup the raid
3. Setup loop-aes
4. Create the layout

Layout

Sympa works best when it is installed in /home/sympa, which is annoying, not least because it does not follow the FHS (www.pathname.com/fhs/). We want to encrypt the pieces of sympa that hold sensitive data:

expl           - list configurations (including subscribers' email addresses)
arc            - list archives (public ones and, more importantly, private ones)
/var/lib/mysql - the databases of subscribers

Since the bulk of sympa's data is archives, we'll create a large encrypted raid partition, mount it at /usr/local/sympa, and symlink the pieces we want encrypted into that partition as follows:

/home/sympa
expl -> /usr/local/sympa/expl
arc  -> /usr/local/sympa/arc

/var/lib/mysql -> /usr/local/sympa/db

The rest will just stay in /home/sympa.

Setup the raid

On our latest machine, piper, we decided to go with a raid5 set of three disks. However, only two disks were in the machine at first, so we created the array with the keyword "missing" as a placeholder for the third drive:

# mdadm --create --level=5 --raid-devices=3 --run /dev/md4 missing /dev/sda8 /dev/sdb8
mdadm: array /dev/md4 started.

Because one member is missing, the array comes up straight away in degraded mode and there is no initial resync to wait for. /proc/mdstat will look like this (the "[3/2] [_UU]" counters mean three members expected, two present; the array works but has no redundancy until the third disk is added):

md4 : active raid5 sdb8[2] sda8[1]
     128712576 blocks level 5, 64k chunk, algorithm 2 [3/2] [_UU]

Setup loop-aes

Follow the directions at deb.riseup.net/storage/encryption/loop-aes/ to get an AES-256 encrypted setup going on /dev/md4. Follow the instructions all the way to the point where you add the line to /etc/fstab, but change the mountpoint from /var/maildir to /usr/local/sympa. Everything else is identical. Make sure the volume is mounted before sympa or mysql start: anything written to /usr/local/sympa while it is not mounted lands unencrypted on the root filesystem.

Create the layout

First create a sympa user:

# adduser sympa

Then make the directories that will live on the encrypted raid. sympa owns its own trees, but the database directory must be owned by the user mysqld runs as (mysql on Debian), not by sympa, or mysqld cannot write its datadir:

# mkdir /usr/local/sympa/arc /usr/local/sympa/expl /usr/local/sympa/db
# chown sympa:sympa /usr/local/sympa/arc /usr/local/sympa/expl
# chown mysql:mysql /usr/local/sympa/db

Then symlink them from /home/sympa and /var/lib/mysql. If mysql is already installed, stop it and move the existing contents of /var/lib/mysql into /usr/local/sympa/db first; otherwise ln creates the link inside the existing directory instead of replacing it:

# ln -s /usr/local/sympa/arc /home/sympa/arc
# ln -s /usr/local/sympa/expl /home/sympa/expl
# ln -s /usr/local/sympa/db /var/lib/mysql
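As an added example (not code from the original page and not Sympa's own), the following shell script ties the raid and layout steps above together into one pre-flight check: it reads the array state from /proc/mdstat, refuses to lay out the directories unless the loop-aes volume is really mounted on /usr/local/sympa, and then creates the directories and symlinks with the ownership discussed above. Device and path names (/dev/md4, /usr/local/sympa, /var/lib/mysql) are the page's own; the PREFIX argument and the optional file arguments are assumptions that let the functions be exercised against constructed input without root.

```shell
#!/bin/sh
# Added example, not from the original page and not Sympa's own code: a
# pre-flight script for the storage layout described above. It reads the
# raid state from /proc/mdstat, refuses to lay out the directories unless the
# loop-aes volume is really mounted on /usr/local/sympa (otherwise archives
# and the mysql datadir would land in the clear on the root filesystem), and
# then creates the directories and symlinks. Device and path names are the
# page's own; PREFIX and the optional file arguments are assumptions that let
# the functions be exercised against constructed input without root.

SYMPA_CRYPT=/usr/local/sympa      # mountpoint of the encrypted volume

# is_mounted DIR [MOUNTS]: succeed if DIR is listed as a mountpoint in MOUNTS
# (default /proc/mounts).
is_mounted() {
    awk -v d="$1" '$2 == d { found = 1 } END { exit found ? 0 : 1 }' \
        "${2:-/proc/mounts}"
}

# md_state DEV [MDSTAT]: print "ok", "degraded" or "absent" for array DEV
# (e.g. md4) from the "[3/2]" counters in MDSTAT (default /proc/mdstat):
# "[3/2]" means three members expected, two present, so the array runs but
# has no redundancy until the third disk is added.
md_state() {
    awk -v d="$1" '
        /^md[0-9]+ :/ { inblock = ($1 == d); next }
        inblock && match($0, /\[[0-9]+\/[0-9]+\]/) {
            split(substr($0, RSTART + 1, RLENGTH - 2), n, "/")
            state = (n[1] == n[2]) ? "ok" : "degraded"
            print state
            found = 1
            exit
        }
        END { if (!found) print "absent" }
    ' "${2:-/proc/mdstat}"
}

# setup_layout [PREFIX] [MOUNTS]: create arc, expl and db on the encrypted
# volume and the symlinks from /home/sympa and /var/lib/mysql. PREFIX is ""
# on the real host; any other value relocates every path under it.
setup_layout() {
    prefix=$1
    if ! is_mounted "$SYMPA_CRYPT" "${2:-/proc/mounts}"; then
        echo "refusing: $SYMPA_CRYPT is not mounted, data would be written unencrypted" >&2
        return 1
    fi
    # ln would create the link *inside* an existing /var/lib/mysql directory
    # instead of replacing it: stop mysqld and move the old datadir first.
    if [ -e "$prefix/var/lib/mysql" ] && [ ! -L "$prefix/var/lib/mysql" ]; then
        echo "refusing: $prefix/var/lib/mysql exists, move it to $SYMPA_CRYPT/db first" >&2
        return 1
    fi
    for d in arc expl db; do
        mkdir -p "$prefix$SYMPA_CRYPT/$d"
    done
    mkdir -p "$prefix/home/sympa" "$prefix/var/lib"
    ln -sfn "$SYMPA_CRYPT/arc"  "$prefix/home/sympa/arc"
    ln -sfn "$SYMPA_CRYPT/expl" "$prefix/home/sympa/expl"
    ln -sfn "$SYMPA_CRYPT/db"   "$prefix/var/lib/mysql"
    # Ownership only on the real host: sympa owns its trees, and the datadir
    # belongs to the user mysqld runs as (mysql on Debian), not to sympa.
    if [ -z "$prefix" ]; then
        chown sympa:sympa "$SYMPA_CRYPT/arc" "$SYMPA_CRYPT/expl"
        chown mysql:mysql "$SYMPA_CRYPT/db"
    fi
}

# On the real host: sh layout.sh run   (as root, after mounting the volume)
if [ "${1:-}" = run ]; then
    echo "/dev/md4: $(md_state md4)"
    setup_layout "" /proc/mounts
fi
```

On the real host, run it as root once the loop-aes volume is mounted; md_state md4 prints "degraded" for the two-disk array shown above. When the third disk arrives, add it with mdadm --add /dev/md4 /dev/sdc8 (the device name is an assumption) and md_state reports "ok" once the rebuild has finished.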