五.磁盘加密保护
• LUKS 可以对分区或卷进行加密
• 必须首先对加密的卷进行解密 , 才能挂载其中的文件系统
创建新加密的卷
• 使用 fdisk 创建新分区
• cryptsetup luksFormat /dev/vdaN 可对新分区进行加密 ,并设置解密密码(此操作会不可逆地覆盖分区上的全部数据 , 确认提示必须输入大写的 YES , 输入小写 yes 不会执行)
• 您输入正确的解密密码之后 , cryptsetup luksOpen /dev/vdaN name(新版本也可写作 cryptsetup open /dev/vdaN name)会将加密的卷 /dev/vdaN 解锁为 /dev/mapper/name
• 在解密后的映射设备上创建 xfs 文件系统 : mkfs -t xfs /dev/mapper/name(文件系统必须建立在 /dev/mapper/name 上 , 而不是直接建在 /dev/vdaN 上 , 否则会覆盖 LUKS 头并毁掉整个加密卷)
• 创建目录挂载点 , 并挂载文件系统 :
mkdir /secret
mount /dev/mapper/name /secret
• 完成之后 umount 该挂载点(或 /dev/mapper/name) , 并运行
cryptsetup luksClose name 以锁定加密的卷 ; 关闭后 /dev/mapper/name 消失 , 在再次 luksOpen 并输入密码之前无法访问其中的数据
1 fdisk /dev/vdb ##分区
2 partprobe
3 cryptsetup luksFormat /dev/vdb1 ##加密(会销毁 /dev/vdb1 上原有数据;确认时需输入大写 YES)
4 cryptsetup open /dev/vdb1 westos ##打开加密层并命名
5 ll /dev/mapper/westos
6 mkfs.xfs /dev/mapper/westos ##初始化
7 mount /dev/mapper/westos /mnt ##挂载
8 cd /mnt/
9 ls
10 touch file{1..10} ##在/mnt目录下创建10个文件
11 df ##查看此时挂载情况
12 ls
15 umount /mnt ##取消挂载
16 df
17 cd /mnt/
18 ls
19 cd
20 mount /dev/mapper/westos /mnt/ ##挂载
21 cd /mnt
22 ls ##查看挂载与否文件的情况
23 umount /mnt/
24 cd
25 umount /mnt/
26 ll /dev/mapper/
27 cryptsetup close westos ##关闭加密层
28 ll /dev/mapper/
## 29 mount /dev/vdb1 /mnt ##失败:unknown filesystem type 'crypto_LUKS',LUKS 容器本身不能直接挂载
## 30 mount /dev/mapper/westos /mnt ##失败:加密层已关闭,/dev/mapper/westos 不存在
31 cryptsetup open /dev/vdb1 westos ##先打开加密层再挂载
32 mount /dev/mapper/westos /mnt
33 cd /mnt
34 ls
------------------------------------------------------------------------------
[root@desktop5 ~]# fdisk /dev/vdb
Welcome to fdisk (util-linux 2.23.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Device does not contain a recognized partition table
Building a new DOS disklabel with disk identifier 0x6fb16d36.
Command (m for help): n
Partition type:
p primary (0 primary, 0 extended, 4 free)
e extended
Select (default p):
Using default response p
Partition number (1-4, default 1):
First sector (2048-20971519, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-20971519, default 20971519): +1G
Partition 1 of type Linux and of size 1 GiB is set
Command (m for help): wq
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.
[root@desktop5 ~]# partprobe
[root@desktop5 ~]# cryptsetup luksFormat /dev/vdb1
WARNING!
========
This will overwrite data on /dev/vdb1 irrevocably.
Are you sure? (Type uppercase yes): yes
[root@desktop5 ~]# cryptsetup luksFormat /dev/vdb1
WARNING!
========
This will overwrite data on /dev/vdb1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
[root@desktop5 ~]# cryptsetup open /dev/vdb1 westos
Enter passphrase for /dev/vdb1:
[root@desktop5 ~]# ll /dev/mapper/westos
lrwxrwxrwx. 1 root root 7 Apr 22 21:20 /dev/mapper/westos -> ../dm-0
[root@desktop5 ~]# mkfs.xfs /dev/mapper/westos
meta-data=/dev/mapper/westos isize=256 agcount=4, agsize=65408 blks
= sectsz=512 attr=2, projid32bit=1
= crc=0
data = bsize=4096 blocks=261632, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0 ftype=0
log =internal log bsize=4096 blocks=853, version=2
= sectsz=512 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
[root@desktop5 ~]# mount /dev/mapper/westos /mnt
[root@desktop5 ~]# cd /mnt/
[root@desktop5 mnt]# ls
[root@desktop5 mnt]# touch file{1..10}
[root@desktop5 mnt]# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/vda1 10473900 3805140 6668760 37% /
devtmpfs 927072 0 927072 0% /dev
tmpfs 942660 140 942520 1% /dev/shm
tmpfs 942660 17032 925628 2% /run
tmpfs 942660 0 942660 0% /sys/fs/cgroup
/dev/mapper/westos 1043116 32928 1010188 4% /mnt
[root@desktop5 mnt]# ls
file1 file10 file2 file3 file4 file5 file6 file7 file8 file9
[root@desktop5 mnt]# umount /mnt
umount: /mnt: target is busy.
(In some cases useful info about processes that use
the device is found by lsof(8) or fuser(1))
[root@desktop5 mnt]# cd
[root@desktop5 ~]# umount /mnt
[root@desktop5 ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/vda1 10473900 3805140 6668760 37% /
devtmpfs 927072 0 927072 0% /dev
tmpfs 942660 140 942520 1% /dev/shm
tmpfs 942660 17032 925628 2% /run
tmpfs 942660 0 942660 0% /sys/fs/cgroup
[root@desktop5 ~]# cd /mnt/
[root@desktop5 mnt]# ls
[root@desktop5 mnt]# cd
[root@desktop5 ~]# mount /dev/mapper/westos /mnt/
[root@desktop5 ~]# cd /mnt
[root@desktop5 mnt]# ls
file1 file10 file2 file3 file4 file5 file6 file7 file8 file9
[root@desktop5 mnt]# umount /mnt/
umount: /mnt: target is busy.
(In some cases useful info about processes that use
the device is found by lsof(8) or fuser(1))
[root@desktop5 mnt]# cd
[root@desktop5 ~]# umount /mnt/
[root@desktop5 ~]# ll /dev/mapper/
total 0
crw-------. 1 root root 10, 236 Apr 22 21:00 control
lrwxrwxrwx. 1 root root 7 Apr 22 21:21 westos -> ../dm-0
[root@desktop5 ~]# cryptsetup close westos
[root@desktop5 ~]# ll /dev/mapper/
total 0
crw-------. 1 root root 10, 236 Apr 22 21:00 control
[root@desktop5 ~]# mount /dev/vdb1 /mnt
mount: unknown filesystem type 'crypto_LUKS'
[root@desktop5 ~]# mount /dev/mapper/westos /mnt
mount: special device /dev/mapper/westos does not exist
[root@desktop5 ~]# cryptsetup open /dev/vdb1 westos
Enter passphrase for /dev/vdb1:
[root@desktop5 ~]# mount /dev/mapper/westos /mnt
[root@desktop5 ~]# cd /mnt
[root@desktop5 mnt]# ls
file1 file10 file2 file3 file4 file5 file6 file7 file8 file9
-------------------------------------------------------------------------------------
2.开机自动解锁并挂载这个加密卷(通过 /etc/crypttab 解锁 , 通过 /etc/fstab 挂载)
[root@desktop5 mnt]# history
1 vim /etc/crypttab
3 vim /root/diskpass ##diskpass是自己取的名字,里面直接放加密的密码。注意:密码以明文存放在未加密的根文件系统(/dev/vda1)上,拿到整块磁盘或 root 权限的人即可解锁该卷,这种做法只在根分区本身已加密或密钥文件放在可拆卸介质上时才有保护意义。另外 vim 保存时会在末尾追加换行,cryptsetup 读取密钥文件时会把换行也当作密钥的一部分,因此这个密钥槽只能用该文件解锁,手动输入同样的密码打不开。更稳妥的做法是使用随机密钥:dd if=/dev/urandom of=/root/diskpass bs=64 count=1
4 ll
5 chmod 600 /root/diskpass ##使别人不能有任何权限(文件在第 3 步已按默认 umask 创建,在 chmod 之前有一段时间可被其他用户读取;建议先 umask 077 再创建,或先用 install -m 600 /dev/null /root/diskpass 建好空文件。上一步的 ll 是在 /mnt 下执行的,并没有检查 diskpass 的权限,应再用 ls -l /root/diskpass 确认为 -rw-------)
6 cryptsetup luksAddKey /dev/vdb1 /root/diskpass ##提示 "Enter any passphrase:" 时输入已有的解密密码以授权;密钥文件内容会被加入一个新的密钥槽,原来的密码仍然有效
9 cat /etc/crypttab ##格式:映射名 设备 密钥文件;设备一栏建议写 UUID=<blkid 查到的 UUID> 而不是 /dev/vdb1,以免磁盘设备名变化后开机解锁失败
10 cat /etc/fstab ##挂载的是 crypttab 解锁后生成的 /dev/mapper/westos,不能写 /dev/vdb1
[root@desktop5 mnt]# vim /etc/crypttab
[root@desktop5 mnt]# vim /etc/crypttab
[root@desktop5 mnt]# vim /root/diskpass
[root@desktop5 mnt]# ll
total 0
-rw-r--r--. 1 root root 0 Apr 22 21:21 file1
-rw-r--r--. 1 root root 0 Apr 22 21:21 file10
-rw-r--r--. 1 root root 0 Apr 22 21:21 file2
-rw-r--r--. 1 root root 0 Apr 22 21:21 file3
-rw-r--r--. 1 root root 0 Apr 22 21:21 file4
-rw-r--r--. 1 root root 0 Apr 22 21:21 file5
-rw-r--r--. 1 root root 0 Apr 22 21:21 file6
-rw-r--r--. 1 root root 0 Apr 22 21:21 file7
-rw-r--r--. 1 root root 0 Apr 22 21:21 file8
-rw-r--r--. 1 root root 0 Apr 22 21:21 file9
[root@desktop5 mnt]# chmod 600 /root/diskpass
[root@desktop5 mnt]# cryptsetup luksAddKey /dev/vdb1 /root/diskpass
Enter any passphrase:
[root@desktop5 mnt]# vim /etc/crypttab
[root@desktop5 mnt]# vim /etc/fstab
[root@desktop5 mnt]# cat /etc/crypttab
westos /dev/vdb1 /root/diskpass
[root@desktop5 mnt]# cat /etc/fstab
#
# /etc/fstab
# Created by anaconda on Wed May 7 01:22:57 2014
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=9bf6b9f7-92ad-441b-848e-0257cbb883d1 / xfs defaults 1 1
/dev/mapper/westos /mnt xfs defaults 0 0