磁盘加密保护

五.磁盘加密保护


• LUKS ( Linux 统一密钥设置 ) 是标准的设备加密格式
• LUKS 可以对分区或卷进行加密
• 必须首先对加密的卷进行解密 , 才能挂载其中的文件系统


创建新加密的卷
• 使用 fdisk 创建新分区
• cryptsetup luksFormat /dev/vdaN 可对新分区进行加密 ,并设置解密密码
• 您输入正确的解密密码之后 , cryptsetup luksOpen /dev/vdaN name 会将加密的卷 /dev/vdaN 解锁为 /dev/mapper/name
• 在解密后的卷上创建 xfs 文件系统 : mkfs -t xfs /dev/mapper/name
• 创建目录挂载点 , 并挂载文件系统 : 
  mkdir /secret
  mount /dev/mapper/name /secret
• 完成之后  umount /dev/mapper/name 并运行
  cryptsetup luksClose name 以锁定加密的卷




    1  fdisk /dev/vdb ##分区
    2  partprobe 
    3  cryptsetup luksFormat /dev/vdb1 ##加密
    4  cryptsetup open /dev/vdb1 westos ##打开加密层并命名
    5  ll /dev/mapper/westos 
    6  mkfs.xfs /dev/mapper/westos ##初始化
    7  mount /dev/mapper/westos /mnt ##挂载
    8  cd /mnt/
    9  ls
   10  touch file{1..10} ##在/mnt目录下创建10个文件
   11  df ##查看此时挂载情况
   12  ls
   15  umount /mnt ##取消挂载
   16  df
   17  cd /mnt/
   18  ls
   19  cd
   20  mount /dev/mapper/westos  /mnt/ ##挂载
   21  cd /mnt
   22  ls ##查看挂载与否文件的情况
   23  umount /mnt/
   24  cd
   25  umount /mnt/
   26  ll /dev/mapper/
   27  cryptsetup close westos ##关闭加密层
   28  ll /dev/mapper/
## 29  mount /dev/vdb1 /mnt
## 30  mount /dev/mapper/westos /mnt
   31  cryptsetup open /dev/vdb1 westos ##先打开加密层再挂载
   32  mount /dev/mapper/westos /mnt
   33  cd /mnt
   34  ls
 


------------------------------------------------------------------------------
[root@desktop5 ~]# fdisk /dev/vdb
Welcome to fdisk (util-linux 2.23.2).


Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.


Device does not contain a recognized partition table
Building a new DOS disklabel with disk identifier 0x6fb16d36.


Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): 
Using default response p
Partition number (1-4, default 1): 
First sector (2048-20971519, default 2048): 
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-20971519, default 20971519): +1G
Partition 1 of type Linux and of size 1 GiB is set


Command (m for help): wq
The partition table has been altered!


Calling ioctl() to re-read partition table.
Syncing disks.
[root@desktop5 ~]# partprobe 
[root@desktop5 ~]# cryptsetup luksFormat /dev/vdb1


WARNING!
========
This will overwrite data on /dev/vdb1 irrevocably.


Are you sure? (Type uppercase yes): yes
[root@desktop5 ~]# cryptsetup luksFormat /dev/vdb1


WARNING!
========
This will overwrite data on /dev/vdb1 irrevocably.


Are you sure? (Type uppercase yes): YES
Enter passphrase: 
Verify passphrase: 
[root@desktop5 ~]# cryptsetup open /dev/vdb1 westos
Enter passphrase for /dev/vdb1: 
[root@desktop5 ~]# ll /dev/mapper/westos 
lrwxrwxrwx. 1 root root 7 Apr 22 21:20 /dev/mapper/westos -> ../dm-0
[root@desktop5 ~]# mkfs.xfs /dev/mapper/westos 
meta-data=/dev/mapper/westos     isize=256    agcount=4, agsize=65408 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=0
data     =                       bsize=4096   blocks=261632, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=0
log      =internal log           bsize=4096   blocks=853, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
[root@desktop5 ~]# mount /dev/mapper/westos /mnt
[root@desktop5 ~]# cd /mnt/
[root@desktop5 mnt]# ls
[root@desktop5 mnt]# touch file{1..10}
[root@desktop5 mnt]# df
Filesystem         1K-blocks    Used Available Use% Mounted on
/dev/vda1           10473900 3805140   6668760  37% /
devtmpfs              927072       0    927072   0% /dev
tmpfs                 942660     140    942520   1% /dev/shm
tmpfs                 942660   17032    925628   2% /run
tmpfs                 942660       0    942660   0% /sys/fs/cgroup
/dev/mapper/westos   1043116   32928   1010188   4% /mnt
[root@desktop5 mnt]# ls
file1  file10  file2  file3  file4  file5  file6  file7  file8  file9
[root@desktop5 mnt]# umount /mnt
umount: /mnt: target is busy.
        (In some cases useful info about processes that use
         the device is found by lsof(8) or fuser(1))
[root@desktop5 mnt]# cd
[root@desktop5 ~]# umount /mnt
[root@desktop5 ~]# df
Filesystem     1K-blocks    Used Available Use% Mounted on
/dev/vda1       10473900 3805140   6668760  37% /
devtmpfs          927072       0    927072   0% /dev
tmpfs             942660     140    942520   1% /dev/shm
tmpfs             942660   17032    925628   2% /run
tmpfs             942660       0    942660   0% /sys/fs/cgroup
[root@desktop5 ~]# cd /mnt/
[root@desktop5 mnt]# ls
[root@desktop5 mnt]# cd
[root@desktop5 ~]# mount /dev/mapper/westos  /mnt/
[root@desktop5 ~]# cd /mnt
[root@desktop5 mnt]# ls
file1  file10  file2  file3  file4  file5  file6  file7  file8  file9
[root@desktop5 mnt]# umount /mnt/
umount: /mnt: target is busy.
        (In some cases useful info about processes that use
         the device is found by lsof(8) or fuser(1))
[root@desktop5 mnt]# cd
[root@desktop5 ~]# umount /mnt/
[root@desktop5 ~]# ll /dev/mapper/
total 0
crw-------. 1 root root 10, 236 Apr 22 21:00 control
lrwxrwxrwx. 1 root root       7 Apr 22 21:21 westos -> ../dm-0
[root@desktop5 ~]# cryptsetup close westos
[root@desktop5 ~]# ll /dev/mapper/
total 0
crw-------. 1 root root 10, 236 Apr 22 21:00 control
[root@desktop5 ~]# mount /dev/vdb1 /mnt
mount: unknown filesystem type 'crypto_LUKS'
[root@desktop5 ~]# mount /dev/mapper/westos /mnt
mount: special device /dev/mapper/westos does not exist
[root@desktop5 ~]# cryptsetup open /dev/vdb1 westos
Enter passphrase for /dev/vdb1: 
[root@desktop5 ~]# mount /dev/mapper/westos /mnt
[root@desktop5 ~]# cd /mnt
[root@desktop5 mnt]# ls
file1  file10  file2  file3  file4  file5  file6  file7  file8  file9
-------------------------------------------------------------------------------------




2.开机自动挂载这个加密的卷
[root@desktop5 mnt]# history
    1  vim /etc/crypttab 
    3  vim /root/diskpass ##diskpass 是自定义的文件名,文件中以明文存放解密密码
    4  ll
    5  chmod 600 /root/diskpass ##仅 root 可读写,其他用户没有任何权限(文件内容是明文密码)
    6  cryptsetup luksAddKey /dev/vdb1 /root/diskpass ##把密钥文件添加为新的密钥槽,执行时需先输入已有的解密密码
    9  cat /etc/crypttab 
   10  cat /etc/fstab 






[root@desktop5 mnt]# vim /etc/crypttab
[root@desktop5 mnt]# vim /etc/crypttab 
[root@desktop5 mnt]# vim /root/diskpass
[root@desktop5 mnt]# ll
total 0
-rw-r--r--. 1 root root 0 Apr 22 21:21 file1
-rw-r--r--. 1 root root 0 Apr 22 21:21 file10
-rw-r--r--. 1 root root 0 Apr 22 21:21 file2
-rw-r--r--. 1 root root 0 Apr 22 21:21 file3
-rw-r--r--. 1 root root 0 Apr 22 21:21 file4
-rw-r--r--. 1 root root 0 Apr 22 21:21 file5
-rw-r--r--. 1 root root 0 Apr 22 21:21 file6
-rw-r--r--. 1 root root 0 Apr 22 21:21 file7
-rw-r--r--. 1 root root 0 Apr 22 21:21 file8
-rw-r--r--. 1 root root 0 Apr 22 21:21 file9
[root@desktop5 mnt]# chmod 600 /root/diskpass
[root@desktop5 mnt]# cryptsetup luksAddKey /dev/vdb1 /root/diskpass
Enter any passphrase: 
[root@desktop5 mnt]# vim /etc/crypttab 
[root@desktop5 mnt]# vim /etc/fstab 
[root@desktop5 mnt]# cat /etc/crypttab 
westos /dev/vdb1 /root/diskpass
[root@desktop5 mnt]# cat /etc/fstab 


#
# /etc/fstab
# Created by anaconda on Wed May  7 01:22:57 2014
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=9bf6b9f7-92ad-441b-848e-0257cbb883d1 /                       xfs     defaults        1 1
/dev/mapper/westos /mnt xfs defaults 0 0






