If you have some sensitive data on your server, you most likely want to protect its confidentiality. Using strong cryptography is one of the easiest ways to achieve that.
As the data is sensitive, let's use a redundant array: RAID5, which requires a minimum of 3 disks. Assuming that the first two disks were used to create mirrored /, /var and /home filesystems, we'll now create /dev/md3 using /dev/sdc1, /dev/sdd1, /dev/sde1 and /dev/sdf1 (partition type 0xFD, equal size):
mdadm --create /dev/md3 --level=raid5 --raid-devices=4 /dev/sdc1 /dev/sdd1 /dev/sde1 /dev/sdf1
The easiest way to generate the encryption key is to read the needed number of bytes from /dev/random:
head -c128 /dev/random > storage_key.bin
This will read 128 bytes (1024 bits) of random data and write them to a key file. Store that key file in a safe place (GPG encryption to yourself is safe, local filesystem on the same computer is not).
Instead of mounting the array directly, a loopback device with transparent encryption is used:
cat storage_key.bin | losetup -p 0 -e twofish -k 256 -H sha512 /dev/loop0 /dev/md3
Now you can work with /dev/loop0 as if it were a real drive. For example, create a file system on it:
mke2fs -j -m0 /dev/loop0
mount it:
mount /dev/loop0 /storage -o noatime
and, of course, store some files there:
% df -h /storage
Filesystem      Size  Used Avail Use% Mounted on
/dev/loop0      2.7T  1.9T  823G  71% /storage
When unmounting the storage, don't forget to either use the -d option for umount:
umount -d /dev/loop0
or explicitly detach the loopback device:
umount /dev/loop0
losetup -d /dev/loop0
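The attach, mount and detach steps above, wrapped in a script as an added example (not part of the original article). It assumes the key file was encrypted with gpg -e into storage_key.bin.gpg, a name chosen here, and decrypts it straight into losetup so the plaintext key is never written to the server's disk; the function and variable names are hypothetical as well.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumed name: storage_key.bin.gpg (the key file after "gpg -e").
LOOP_DEV=${LOOP_DEV:-/dev/loop0}
ARRAY_DEV=${ARRAY_DEV:-/dev/md3}
MOUNT_POINT=${MOUNT_POINT:-/storage}
KEY_PLAIN=${KEY_PLAIN:-storage_key.bin}
KEY_GPG=${KEY_GPG:-$KEY_PLAIN.gpg}

storage_up() {
    # The article's rule: no cleartext key on the same computer.
    if [ -e "$KEY_PLAIN" ]; then
        echo "refusing: plaintext key $KEY_PLAIN is on local disk" >&2
        return 3
    fi
    if [ ! -r "$KEY_GPG" ]; then
        echo "encrypted key $KEY_GPG not readable" >&2
        return 2
    fi
    # Decrypt straight into losetup's stdin (-p 0): the key never hits disk.
    if ! gpg --quiet --decrypt "$KEY_GPG" |
        losetup -p 0 -e twofish -k 256 -H sha512 "$LOOP_DEV" "$ARRAY_DEV"; then
        echo "losetup failed" >&2
        return 1
    fi
    # A wrong key can still attach; mount then fails for lack of a filesystem.
    # Detach in that case so a keyed loop device is not left behind.
    if ! mount "$LOOP_DEV" "$MOUNT_POINT" -o noatime; then
        losetup -d "$LOOP_DEV"
        echo "mount failed, $LOOP_DEV detached" >&2
        return 1
    fi
}

storage_down() {
    # If the filesystem is busy, stop here and leave the loop device alone.
    umount "$LOOP_DEV" || return 1
    losetup -d "$LOOP_DEV"
}

case "${1:-}" in
    up)   storage_up ;;
    down) storage_down ;;
esac
```

Run it as root with "up" or "down" as the only argument; with no argument it only defines the functions.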
Don't forget to encrypt your backups as well (the long hexadecimal is the recipient's GPG key ID):
tar -C /storage --one-file-system -cz . \
| gpg -e -r 0xEF3B1FA8 \
| ssh user@some.remote.host dd bs=1M of=`hostname`-backup-`date +%Y%m%d`.tar.gz.gpg
Hopefully you will never need that, but… Well, simply destroy the key (burning the flash is not a bad method) and turn off the server.