Encrypting data with eCryptfs on CentOS 6

1. eCryptfs overview
eCryptfs is an encrypted file system implemented in the Linux kernel; it was merged into the official kernel in version 2.6.19. It uses a stacked design and logically sits between the VFS and the underlying (traditional) file system. Read and write requests from user applications pass through the system call layer and the VFS, where eCryptfs intercepts them first, encrypts or decrypts the file data, and then forwards the request to the underlying file system. This gives applications transparent, on-the-fly encryption with little overhead.

eCryptfs uses a different File Encryption Key (FEK) for every file; AES-128 is the recommended file encryption algorithm. The FEK must never be stored in plaintext, so eCryptfs protects it by encrypting it with a user-supplied passphrase, with an asymmetric algorithm (such as RSA), or with the public key of a TPM (Trusted Platform Module).

For example, when a user passphrase is used, the passphrase is first run through a hash function and the result is used as the key that encrypts the FEK. The passphrase or public key is called the File Encryption Key Encryption Key (FEKEK), and the encrypted FEK is called the Encrypted File Encryption Key (EFEK). If a file is accessible to several authorized users, there is one EFEK per user. eCryptfs also supports filename encryption.

2. Installing eCryptfs
CentOS 6.10

[root@ct11 ~]# yum install ecryptfs-utils
Loaded plugins: fastestmirror, security
Setting up Install Process
Repository base is listed more than once in the configuration
Repository updates is listed more than once in the configuration
Repository extras is listed more than once in the configuration
Repository centosplus is listed more than once in the configuration
Repository contrib is listed more than once in the configuration
Determining fastest mirrors
 * base: mirrors.163.com
 * extras: mirror.bit.edu.cn
 * updates: mirrors.ustc.edu.cn
base                                                                                                                                                                      | 3.7 kB     00:00     
extras                                                                                                                                                                    | 3.4 kB     00:00     
extras/primary_db                                                                                                                                                         |  29 kB     00:00     
updates                                                                                                                                                                   | 3.4 kB     00:00     
updates/primary_db                                                                                                                                                        | 9.9 MB     00:03     
Resolving Dependencies
--> Running transaction check
---> Package ecryptfs-utils.x86_64 0:82-6.el6_1.3 will be installed
--> Processing Dependency: libtspi.so.1()(64bit) for package: ecryptfs-utils-82-6.el6_1.3.x86_64
--> Running transaction check
---> Package trousers.x86_64 0:0.3.13-2.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=================================================================================================================================================================================================
 Package                                            Arch                                       Version                                            Repository                                Size
=================================================================================================================================================================================================
Installing:
 ecryptfs-utils                                     x86_64                                     82-6.el6_1.3                                       base                                     147 k
Installing for dependencies:
 trousers                                           x86_64                                     0.3.13-2.el6                                       base                                     277 k

Transaction Summary
=================================================================================================================================================================================================
Install       2 Package(s)

Total download size: 424 k
Installed size: 1.3 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): ecryptfs-utils-82-6.el6_1.3.x86_64.rpm                                                                                                                             | 147 kB     00:00     
(2/2): trousers-0.3.13-2.el6.x86_64.rpm                                                                                                                                   | 277 kB     00:00     
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                            750 kB/s | 424 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : trousers-0.3.13-2.el6.x86_64                                                                                                                                                  1/2 
  Installing : ecryptfs-utils-82-6.el6_1.3.x86_64                                                                                                                                            2/2 
  Verifying  : trousers-0.3.13-2.el6.x86_64                                                                                                                                                  1/2 
  Verifying  : ecryptfs-utils-82-6.el6_1.3.x86_64                                                                                                                                            2/2 

Installed:
  ecryptfs-utils.x86_64 0:82-6.el6_1.3                                                                                                                                                           

Dependency Installed:
  trousers.x86_64 0:0.3.13-2.el6                                                                                                                                                                 

Complete!

Then check the installation status:

[dc2-user@didiyun ~]$ yum list installed | grep ecryptfs-utils
ecryptfs-utils.x86_64              111-5.el7                           @epel


The tool is installed correctly.

3. Using eCryptfs

Create the mount passphrase: first enter the user's login passphrase, then enter the mount passphrase twice.

[root@ct11 ~]# ecryptfs-setup-private
ERROR:  Cannot get ecryptfs version, ecryptfs kernel module not loaded?

If this error appears, run modprobe ecryptfs:

[root@ct11 ~]# modprobe ecryptfs

[root@ct11 ~]# ecryptfs-setup-private
ERROR:  User needs to be a member of ecryptfs group

Edit /etc/group and add the root user to the ecryptfs group.

Create the mount passphrase: first enter the user's login passphrase, then enter the mount passphrase twice:

dc2-user@didiyun:~$ sudo ecryptfs-setup-private
Enter your login passphrase [dc2-user]: 
Enter your mount passphrase [leave blank to generate one]: 
Enter your mount passphrase (again): 

************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************


Done configuring.

Create the directory you want to encrypt:

dc2-user@didiyun:~$ mkdir private

Set the directory permissions so that nobody else can access it:

dc2-user@didiyun:~$ chmod 700 private

Mount the encrypted directory and enter the mount passphrase:

dc2-user@didiyun:~$ sudo mount -t ecryptfs private private
Passphrase: 

You are then asked, in turn, for the cipher, the key length, whether to allow plaintext passthrough (reading and writing non-eCryptfs files inside the mount), and whether to encrypt filenames. Press Enter at each prompt to accept the defaults:

Select cipher: 
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: 
Select key bytes: 
 1) 16
 2) 32
 3) 24
Selection [16]: 
Enable plaintext passthrough (y/n) [n]: 
Enable filename encryption (y/n) [n]: 
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=c03eaf5f09f59761
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key 
before. This could mean that you have typed your 
passphrase wrong.


Type yes at both prompts:

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [c03eaf5f09f59761] to
[/root/.ecryptfs/sig-cache.txt] 
in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Mounted eCryptfs

eCryptfs is now mounted; enter the eCryptfs directory:

dc2-user@didiyun:~$ cd private

Create a file:

dc2-user@didiyun:~/private$ echo "this is a ecryptfs test file" > tes
dc2-user@didiyun:~/private$ cat tes
this is a ecryptfs test file

Unmount the eCryptfs directory:

dc2-user@didiyun:~/private$ cd ..
dc2-user@didiyun:~$ sudo umount private

View the file; its contents are now shown as ciphertext:

dc2-user@didiyun:~$ cat private/tes
m댶ş쫖_CONSOLEᄒ¯_	梞妾8Ҙ}ɔ,Æ­hW䴑[Y©iq龎h=~f°:ⲋᄴ1ࢄYꃵʨ㘐ÿͨ e৫O@8xY»B틠|思¬枾mΩ¥}R{zǩ§(³貮}KᄂKX S渤)$ߢ·©VDµ·>Uڨ붥1b鞺8iX*ҊNVn'ŝ2GzJe 
                                                                                                                                                  @ÿ¡}`¾$L2ܨ§caАbn<ߨ[ǻ�BѪ©'ڼ?Lh·.x
                          吖³(ɛVz

Remount eCryptfs, entering the same parameters again:

dc2-user@didiyun:~$ sudo mount -t ecryptfs private private
Passphrase: 
Select cipher: 
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: 
Select key bytes: 
 1) 16
 2) 32
 3) 24
Selection [16]: 
Enable plaintext passthrough (y/n) [n]: 
Enable filename encryption (y/n) [n]: 
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=c03eaf5f09f59761
Mounted eCryptfs

View the file; the correct contents are shown again:

dc2-user@didiyun:~$ cat private/tes
this is a ecryptfs test file

Detailed eCryptfs usage and parameters:

[dc2-user@didiyun ~]$ man ecryptfs

Note: record the options printed at mount time as well as the passphrase you typed, so that the data can be migrated and recovered later:

  ecryptfs_unlink_sigs
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=cbd6dc63028e5602
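The values the post says to record can be replayed as explicit mount options instead of answering the prompts again. The script below is an added example, not code from the original post: it builds the option string from the recorded cipher, key size and signature (rejecting anything the interactive mount would not offer), remounts with it, and after unmounting checks that the lower directory no longer exposes the plaintext. The passphrase file path is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Replays the parameters the
# interactive mount printed (ecryptfs_cipher, ecryptfs_key_bytes,
# ecryptfs_sig) as explicit mount options, so a remount or a recovery on
# another host does not depend on answering the prompts. The passphrase
# file path is an assumption; it must be mode 0600 and contain one line
# of the form "passphrase_passwd=<mount passphrase>".

# Build the option string from the recorded values, rejecting anything
# that is not one of the choices the interactive mount offers.
ecryptfs_opts() {
    cipher=$1; key_bytes=$2; sig=$3; passfile=$4
    case $cipher in
        aes|blowfish|des3_ede|twofish|cast6|cast5) ;;
        *) echo "unknown cipher: $cipher" >&2; return 1 ;;
    esac
    case $key_bytes in
        16|24|32) ;;
        *) echo "bad key size: $key_bytes" >&2; return 1 ;;
    esac
    # The key signature is the 16 hex digits printed after ecryptfs_sig=
    printf '%s\n' "$sig" | grep -Eq '^[0-9a-f]{16}$' || return 1
    printf 'key=passphrase,passphrase_passwd_file=%s,ecryptfs_cipher=%s,ecryptfs_key_bytes=%s,ecryptfs_sig=%s,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n,no_sig_cache\n' \
        "$passfile" "$cipher" "$key_bytes" "$sig"
}

# Mount the private directory over itself (as the post does) with the
# recorded options. Needs root and the ecryptfs kernel module.
ecryptfs_remount() {
    dir=$1; opts=$2
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    modprobe ecryptfs || return 1
    chmod 700 "$dir" && mount -t ecryptfs -o "$opts" "$dir" "$dir"
}

# After umount, confirm that no lower file still contains the plaintext
# marker (the post's "this is a ecryptfs test file"). Returns 0 when
# nothing leaks; a match means the directory is still mounted or a file
# was written into it while it was unmounted.
lower_has_no_plaintext() {
    dir=$1; marker=$2
    ! grep -rqF -- "$marker" "$dir"
}

# Usage with the values printed in this post (passphrase file path assumed):
# opts=$(ecryptfs_opts aes 16 cbd6dc63028e5602 /root/.ecryptfs/mount.pass)
# ecryptfs_remount /root/private "$opts"
```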

References:
https://blog.csdn.net/java060515/article/details/85000843
https://blog.csdn.net/lzpdz/article/details/50546749
