Chinese translated version of Documentation/device-mapper/dm-crypt.txt
If you have any comment or update to the content, please contact the
original document maintainer directly. However, if you have a problem
communicating in English you can also ask the Chinese maintainer for
help. Contact the Chinese maintainer if this translation is outdated
or if there is a problem with the translation.
Chinese maintainer: 林天智 <lintianzhi1992@gmail.com>
---------------------------------------------------------------------
dm-crypt
========
Device-Mapper's "crypt" target provides transparent encryption of block devices
using the kernel crypto API.
Parameters: <cipher> <key> <iv_offset> <device path> \
              <offset> [<#opt_params> <opt_params>]
<cipher>
    Encryption cipher and an optional IV generation mode.
    (In format cipher[:keycount]-chainmode-ivopts:ivmode).
    Examples:
       des
       aes-cbc-essiv:sha256
       twofish-ecb

    /proc/crypto contains supported crypto modes
<key>
    Key used for encryption. It is encoded as a hexadecimal number.
    You can only use key sizes that are valid for the selected cipher.
<keycount>
    Multi-key compatibility mode. You can define <keycount> keys and
    then sectors are encrypted according to their offsets (sector 0 uses key0;
    sector 1 uses key1 etc.).  <keycount> must be a power of two.
<iv_offset>
    The IV offset is a sector count that is added to the sector number
    before creating the IV.
<device path>
    This is the device that is going to be used as backend and contains the
    encrypted data.  You can specify it as a path like /dev/xxx or a device
    number <major>:<minor>.
<offset>
    Starting sector within the device where the encrypted data begins.
<#opt_params>
    Number of optional parameters. If there are no optional parameters,
    the optional parameters section can be skipped or #opt_params can be zero.
    Otherwise #opt_params is the number of following arguments.

    Example of optional parameters section:
        1 allow_discards
allow_discards
    Block discard requests (a.k.a. TRIM) are passed through the crypt device.
    The default is to ignore discard requests.

    WARNING: Assess the specific security risks carefully before enabling this
    option.  For example, allowing discards on encrypted devices may lead to
    the leak of information about the ciphertext device (filesystem type,
    used space etc.) if the discarded blocks can be located easily on the
    device later.
Example scripts
===============
LUKS (Linux Unified Key Setup) is now the preferred way to set up disk
encryption with dm-crypt using the 'cryptsetup' utility, see
http://code.google.com/p/cryptsetup/
[[
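#!/bin/sh
# Create a crypt device using dmsetup.
# $1 is the backing block device; the key below is a sample value only.
# blockdev --getsz reports the device size in 512-byte sectors.
dmsetup create crypt1 --table "0 $(blockdev --getsz "$1") crypt aes-cbc-essiv:sha256 babebabebabebabebabebabebabebabe 0 $1 0"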
]]
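Added example (not part of the kernel documentation): a Python checker that parses a table line of the form passed to dmsetup above, enforces the constraints stated in the parameter descriptions, and flags allow_discards. The names parse_crypt_table, audit and SAMPLES and the sample lines are constructed for illustration; the <cipher> field is split the way the aes-cbc-essiv:sha256 example is laid out.

```python
import re

def parse_crypt_table(line):
    """Parse '<start> <length> crypt <params...>'; raise ValueError if malformed."""
    f = line.split()
    if len(f) < 8 or f[2] != "crypt":
        raise ValueError("not a complete crypt table line")
    spec, key, iv_offset, device, offset = f[3:8]
    # <cipher> field: cipher[:keycount], then optional chain mode and IV part.
    head, _, rest = spec.partition("-")
    cipher, _, kc = head.partition(":")
    keycount = int(kc) if kc else 1
    if keycount < 1 or keycount & (keycount - 1):
        raise ValueError("<keycount> must be a power of two")
    chainmode, _, iv = rest.partition("-")
    # <key> is a hexadecimal number: two hex digits per key byte.
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", key):
        raise ValueError("<key> is not a hexadecimal byte string")
    # Optional section: <#opt_params> followed by exactly that many arguments.
    opts = f[8:]
    if opts and (not opts[0].isdigit() or int(opts[0]) != len(opts) - 1):
        raise ValueError("<#opt_params> does not match the arguments given")
    return {
        "cipher": cipher, "keycount": keycount, "chainmode": chainmode, "iv": iv,
        "key_bytes": len(key) // 2, "iv_offset": int(iv_offset),
        "device": device, "offset": int(offset), "opt_params": opts[1:],
    }

def audit(line):
    """Return (parsed table, findings) for one crypt table line."""
    table = parse_crypt_table(line)
    findings = []
    if "allow_discards" in table["opt_params"]:
        findings.append("allow_discards set: discards (TRIM) pass through and can "
                        "leak filesystem type and used space from the ciphertext device")
    return table, findings

# Constructed sample lines; the key is the sample value from the dmsetup script.
KEY = "babebabebabebabebabebabebabebabe"
SAMPLES = [
    f"0 2048 crypt aes-cbc-essiv:sha256 {KEY} 0 /dev/xxx 0",
    f"0 2048 crypt aes-cbc-essiv:sha256 {KEY} 0 /dev/xxx 0 1 allow_discards",
]

if __name__ == "__main__":
    for s in SAMPLES:
        table, findings = audit(s)
        print(table["cipher"], table["chainmode"], table["iv"], findings or "no findings")
```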
[[
#!/bin/sh
# Create a crypt device using cryptsetup and LUKS header with default cipher
# $1 is the backing block device; quoted so unusual paths are passed intact.
cryptsetup luksFormat "$1"
cryptsetup luksOpen "$1" crypt1
]]