I searched on the web a definitive answer to the following question but couldn't find a clear YES or NO, or a clear procedure on how to enable this approach!
In a two nodes setup, with DRBD as the block device replication technology, with OCFs2 as the clustered file system (which requires active/active DRBD mode), is it possible to use LUKS to encrypt the underlying block device such that it is usable from any node in the cluster? Does the kernel require the passphrase on each node at boot time? If not, how does it work?
Thanks in advance for your responses.
D.
Dual Primary DRBD with OCFS2 is somewhat common, and plenty of information and guides are available, so I won't go into that.
The unusual part is the LUKS encryption. Yes, it can be done. The easiest way is to simply encrypt the backing disk, or LVM volume, for DRBD. Essentially, placing the LUKS encrypted disk below DRBD. This way once the LUKS volume is unlocked, and DRBD may access it, it will operate like any other DRBD setup. Just to be clear it should look like this: Raw disk -> LUKS -> DRBD -> OCFS2
This does mean that the disk will need to be unlocked before DRBD is started. This does usually mean you will need to enter a passphrase at each boot, but it is possible to automatically unlock the encrypted volume at boot via a keyfile. However, this keyfile will need to be stored some place already unencrypted so this somewhat defeats the purpose.
Please also note that dual-primary DRBD requires some mechanism to physically STONITH the nodes (IPMI device, networked attached UPS, etc). It will work without this safeguard in place or configured, but given enough time, it will scramble and corrupt you data. Please, be certain to use STONITH.