cryptsetup+luks加密block设备
[root@node01 /]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sr0 11:0 1 1024M 0 rom
vda 252:0 0 120G 0 disk
├─vda1 252:1 0 1G 0 part /boot
├─vda2 252:2 0 19G 0 part
│ ├─centos-root 253:0 0 117G 0 lvm /
│ └─centos-swap 253:1 0 2G 0 lvm
└─vda3 252:3 0 100G 0 part
└─centos-root 253:0 0 117G 0 lvm /
vdb 252:16 0 500G 0 disk
└─vdb1 252:17 0 500G 0 part
生产随机密码
# openssl rand -base64 32
# date | md5 | rev | head -c 24 | md5 | tail -c 32
格式化成luks加密盘
[root@node01 /]# cryptsetup luksFormat /dev/vdb1
WARNING!
========
这将覆盖 /dev/vdb1 上的数据,该动作不可取消。
Are you sure? (Type uppercase yes): YES
输入 /dev/vdb1 的口令: # Richr00t
确认密码: # Richr00t
[root@node01 /]# cryptsetup luksopen /dev/vdb1 gpdata1
用法: cryptsetup [-?vyrq] [-?|--help] [--usage] [--version] [-v|--verbose] [--debug] [-c|--cipher STRING] [-h|--hash STRING] [-y|--verify-passphrase] [-d|--key-file STRING] [--master-key-file=STRING]
[--dump-master-key] [-s|--key-size 位] [-l|--keyfile-size 字节] [--keyfile-offset=字节] [--new-keyfile-size=字节] [--new-keyfile-offset=字节] [-S|--key-slot INT] [-b|--size 扇区] [-o|--offset 扇区] [-p|--skip 扇区]
[-r|--readonly] [-q|--batch-mode] [-t|--timeout 秒] [--progress-frequency=秒] [-T|--tries INT] [--align-payload=扇区] [--header-backup-file=STRING] [--use-random] [--use-urandom] [--shared]
[--uuid=STRING] [--allow-discards] [--header=STRING] [--test-passphrase] [--tcrypt-hidden] [--tcrypt-system] [--tcrypt-backup] [--veracrypt] [--veracrypt-pim=INT] [--veracrypt-query-pim]
[-M|--type STRING] [--force-password] [--perf-same_cpu_crypt] [--perf-submit_from_crypt_cpus] [--deferred] [-i|--iter-time 毫秒] [--pbkdf=STRING] [--pbkdf-memory=千字节] [--pbkdf-parallel=线程]
[--pbkdf-force-iterations=LONG] [--priority=STRING] [--disable-locks] [--disable-keyring] [-I|--integrity STRING] [--integrity-no-journal] [--integrity-no-wipe] [--token-only] [--token-id=INT]
[--key-description=STRING] [--sector-size=INT] [--persistent] [--label=STRING] [--subsystem=STRING] [--unbound] [选项…] <动作> <动作特定参数>
cryptsetup: 未知动作。
打开luks加密盘
[root@node01 /]# cryptsetup luksOpen /dev/vdb1 gpdata1
输入 /dev/vdb1 的口令: # Richr00t
[root@node01 /]# ll /dev/mapper/
总用量 0
lrwxrwxrwx 1 root root 7 4月 25 23:31 centos-root -> ../dm-0
lrwxrwxrwx 1 root root 7 4月 25 23:31 centos-swap -> ../dm-1
crw------- 1 root root 10, 236 4月 25 23:31 control
lrwxrwxrwx 1 root root 7 6月 1 23:03 gpdata1 -> ../dm-2
格式化加密盘为xfs文件系统
[root@node01 /]# mkfs.xfs /dev/mapper/gpdata1
meta-data=/dev/mapper/gpdata1 isize=512 agcount=4, agsize=32767744 blks
= sectsz=512 attr=2, projid32bit=1
= crc=1 finobt=0, sparse=0
data = bsize=4096 blocks=131070976, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0 ftype=1
log =internal log bsize=4096 blocks=63999, version=2
= sectsz=512 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
挂载xfs文件系统
[root@node01 /]# mount /dev/mapper/gpdata1 /data
[root@node01 /]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sr0 11:0 1 1024M 0 rom
vda 252:0 0 120G 0 disk
├─vda1 252:1 0 1G 0 part /boot
├─vda2 252:2 0 19G 0 part
│ ├─centos-root 253:0 0 117G 0 lvm /
│ └─centos-swap 253:1 0 2G 0 lvm
└─vda3 252:3 0 100G 0 part
└─centos-root 253:0 0 117G 0 lvm /
vdb 252:16 0 500G 0 disk
└─vdb1 252:17 0 500G 0 part
└─gpdata1 253:2 0 500G 0 crypt /data
[root@node01 /]# df -h
文件系统 容量 已用 可用 已用% 挂载点
/dev/mapper/centos-root 117G 37G 81G 31% /
devtmpfs 16G 0 16G 0% /dev
tmpfs 16G 0 16G 0% /dev/shm
tmpfs 16G 1.4G 15G 9% /run
tmpfs 16G 0 16G 0% /sys/fs/cgroup
/dev/vda1 1014M 149M 866M 15% /boot
tmpfs 16G 12K 16G 1% /var/lib/kubelet/pods/d2cb564e-7955-453d-a6ec-dae869a141f2/volumes/kubernetes.io~secret/flannel-token-qt55c
tmpfs 16G 12K 16G 1% /var/lib/kubelet/pods/acb7bbbb-5c34-48fa-ada3-f1ed450077b5/volumes/kubernetes.io~secret/kube-proxy-token-rgkvs
overlay 117G 37G 81G 31% /var/lib/docker/overlay2/95fe079eddb5cc899dbe745fba787d28e7fcebf3d504d540d065a28c8809b690/merged
overlay 117G 37G 81G 31% /var/lib/docker/overlay2/b2672c76c82dad28531882071e68be209d7db14475640118f0c3efd3138cbbc3/merged
shm 64M 0 64M 0% /var/lib/docker/containers/dfb5f5dad10957904e1c46d60f756bc382f0c5ce3b49e84f55ddfd1f0af826dc/mounts/shm
shm 64M 0 64M 0% /var/lib/docker/containers/bc6dd6cdfccb37bb641db371022cbca46344c5f4ad4d3363fbbe9d45e58999ec/mounts/shm
overlay 117G 37G 81G 31% /var/lib/docker/overlay2/7248118aa7475f157907470cc4e5f8c4bd8b0d003958e87fe196d635575d782a/merged
overlay 117G 37G 81G 31% /var/lib/docker/overlay2/a7333d823ee294b624e7511ac47ba8406a218cd0f5f832a8fa24b2a3a6313299/merged
tmpfs 3.2G 32K 3.2G 1% /run/user/1000
tmpfs 3.2G 0 3.2G 0% /run/user/0
/dev/mapper/gpdata1 500G 33M 500G 1% /data
备份加密信息
[root@node01 /]# cryptsetup luksHeaderBackup --header-backup-file gpdata1.dat /dev/vdb1
[root@node01 /]# sh
sh sha224sum sha384sum shcomp shopt showconsolefont showkey showrgb shuf
sha1sum sha256sum sha512sum shift show-changed-rco show-installed showmount shred shutdown
[root@node01 /]# sha1sum gpdata1.dat
7446bd08f0512f5bfd89b970124788cde22ab0d4 gpdata1.dat
[root@node01 /]# cryptsetup luksDump /dev/vdb1
LUKS header information for /dev/vdb1
Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha256
Payload offset: 4096
MK bits: 256
MK digest: c8 26 d7 cd 6f 9f f7 95 c6 90 13 1e 3c b2 89 04 da ad 2c ea
MK salt: 16 a1 16 7b 10 93 32 86 45 52 21 7f 65 5a 66 bf
61 3d 0c 58 20 84 f7 12 b2 0a f4 a8 52 0c 6e b4
MK iterations: 31326
UUID: 8a1003a0-328b-4e02-9f42-f254afb82946
Key Slot 0: ENABLED
Iterations: 493678
Salt: e0 34 1b 8e 2f 1e e3 6f 9f 46 bb 95 7b 13 7c 29
80 90 5d 86 b2 ea 09 7b a2 ff ea 9a 85 c9 d2 16
Key material offset: 8
AF stripes: 4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
修改密码:
[root@node01 /]# cryptsetup luksAddKey --key-slot 1 -v /dev/vdb1
输入任意已存在的口令: # Richr00t
密钥槽 0 已解锁。
输入密钥槽的新口令: # nokiaDO123$
确认密码: # nokiaDO123$
密钥槽 0 已解锁。
命令成功。
[root@node01 /]# cryptsetup luksDump /dev/vdb1
LUKS header information for /dev/vdb1
Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha256
Payload offset: 4096
MK bits: 256
MK digest: c8 26 d7 cd 6f 9f f7 95 c6 90 13 1e 3c b2 89 04 da ad 2c ea
MK salt: 16 a1 16 7b 10 93 32 86 45 52 21 7f 65 5a 66 bf
61 3d 0c 58 20 84 f7 12 b2 0a f4 a8 52 0c 6e b4
MK iterations: 31326
UUID: 8a1003a0-328b-4e02-9f42-f254afb82946
Key Slot 0: ENABLED
Iterations: 493678
Salt: e0 34 1b 8e 2f 1e e3 6f 9f 46 bb 95 7b 13 7c 29
80 90 5d 86 b2 ea 09 7b a2 ff ea 9a 85 c9 d2 16
Key material offset: 8
AF stripes: 4000
Key Slot 1: ENABLED
Iterations: 531192
Salt: 77 a3 00 1d e4 70 d9 cb 5b 8b d2 36 ce db 9d 40
ef e4 54 d2 e2 de 52 70 04 8f b9 30 bd b1 7e b1
Key material offset: 264
AF stripes: 4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
[root@node01 /]# cryptsetup luksKillSlot /dev/vdb1 0
输入任意剩余的口令: # nokiaDO123$
[root@node01 /]#
[root@node01 /]#
[root@node01 /]# cryptsetup luksDump /dev/vdb1
LUKS header information for /dev/vdb1
Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha256
Payload offset: 4096
MK bits: 256
MK digest: c8 26 d7 cd 6f 9f f7 95 c6 90 13 1e 3c b2 89 04 da ad 2c ea
MK salt: 16 a1 16 7b 10 93 32 86 45 52 21 7f 65 5a 66 bf
61 3d 0c 58 20 84 f7 12 b2 0a f4 a8 52 0c 6e b4
MK iterations: 31326
UUID: 8a1003a0-328b-4e02-9f42-f254afb82946
Key Slot 0: DISABLED
Key Slot 1: ENABLED
Iterations: 531192
Salt: 77 a3 00 1d e4 70 d9 cb 5b 8b d2 36 ce db 9d 40
ef e4 54 d2 e2 de 52 70 04 8f b9 30 bd b1 7e b1
Key material offset: 264
AF stripes: 4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
操作/dev/sdb1
[root@localhost ~]# openssl rand -base64 32 >> lukspasswd
[root@localhost ~]# more lukspasswd
lUWa6RjKy9xWPD82Ovc4FFnN0vFP6ysOVCegO5tZsX8=
[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]# ls
anaconda-ks.cfg ANALYZER_86N9MP2.txt bak CentOS-7-x86_64-DVD-2009.iso home.xfsdump lukspasswd software Template
[root@localhost ~]#
[root@localhost ~]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 372G 0 disk
├─sda1 8:1 0 1G 0 part /boot
└─sda2 8:2 0 371G 0 part
├─centos-root 253:0 0 317G 0 lvm /
├─centos-swap 253:1 0 4G 0 lvm [SWAP]
└─centos-home 253:2 0 50G 0 lvm
sdb 8:16 0 18.2T 0 disk
└─sdb1 8:17 0 18.2T 0 part
sdc 8:32 0 18.2T 0 disk
└─sdc1 8:33 0 18.2T 0 part
[root@localhost ~]# cryptsetup luksFormat /dev/sdb1
WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sdb1:
Verify passphrase:
[root@localhost ~]# cryptsetup luksOpen /dev/sdb1 data1
Enter passphrase for /dev/sdb1:
[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]# ll /dev/mapper/
total 0
lrwxrwxrwx. 1 root root 7 Aug 18 22:24 centos-home -> ../dm-2
lrwxrwxrwx. 1 root root 7 Aug 18 22:24 centos-root -> ../dm-0
lrwxrwxrwx. 1 root root 7 Aug 16 13:17 centos-swap -> ../dm-1
crw-------. 1 root root 10, 236 Aug 16 13:17 control
lrwxrwxrwx. 1 root root 7 Aug 26 12:44 data1 -> ../dm-3
[root@localhost ~]# mkfs.xfs /dev/mapper/data1
meta-data=/dev/mapper/data1 isize=512 agcount=19, agsize=268435455 blks
= sectsz=512 attr=2, projid32bit=1
= crc=1 finobt=0, sparse=0
data = bsize=4096 blocks=4882839808, imaxpct=5
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0 ftype=1
log =internal log bsize=4096 blocks=521728, version=2
= sectsz=512 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
[root@localhost ~]# mount /dev/mapper/data1 /data1
[root@localhost ~]# ls
anaconda-ks.cfg ANALYZER_86N9MP2.txt bak CentOS-7-x86_64-DVD-2009.iso home.xfsdump lukspasswd software Template
[root@localhost ~]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 372G 0 disk
├─sda1 8:1 0 1G 0 part /boot
└─sda2 8:2 0 371G 0 part
├─centos-root 253:0 0 317G 0 lvm /
├─centos-swap 253:1 0 4G 0 lvm [SWAP]
└─centos-home 253:2 0 50G 0 lvm
sdb 8:16 0 18.2T 0 disk
└─sdb1 8:17 0 18.2T 0 part
└─data1 253:3 0 18.2T 0 crypt /data1
sdc 8:32 0 18.2T 0 disk
└─sdc1 8:33 0 18.2T 0 part
[root@localhost ~]#
[root@localhost ~]# df -h
Filesystem Size Used Avail Use% Mounted on
devtmpfs 158G 0 158G 0% /dev
tmpfs 158G 0 158G 0% /dev/shm
tmpfs 158G 19M 158G 1% /run
tmpfs 158G 0 158G 0% /sys/fs/cgroup
/dev/mapper/centos-root 317G 17G 301G 6% /
/dev/sda1 1014M 150M 865M 15% /boot
tmpfs 32G 0 32G 0% /run/user/0
/dev/mapper/data1 19T 33M 19T 1% /data1
操作/dev/sdc1
[root@localhost ~]# cryptsetup luksFormat /dev/sdc1
WARNING!
========
This will overwrite data on /dev/sdc1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sdc1:
Verify passphrase:
[root@localhost ~]# cryptsetup luksOpen /dev/sdc1 data2
Enter passphrase for /dev/sdc1:
[root@localhost ~]# ll /dev/mapper/
total 0
lrwxrwxrwx. 1 root root 7 Aug 18 22:24 centos-home -> ../dm-2
lrwxrwxrwx. 1 root root 7 Aug 18 22:24 centos-root -> ../dm-0
lrwxrwxrwx. 1 root root 7 Aug 16 13:17 centos-swap -> ../dm-1
crw-------. 1 root root 10, 236 Aug 16 13:17 control
lrwxrwxrwx. 1 root root 7 Aug 26 12:45 data1 -> ../dm-3
lrwxrwxrwx. 1 root root 7 Aug 26 12:56 data2 -> ../dm-4
[root@localhost ~]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 372G 0 disk
├─sda1 8:1 0 1G 0 part /boot
└─sda2 8:2 0 371G 0 part
├─centos-root 253:0 0 317G 0 lvm /
├─centos-swap 253:1 0 4G 0 lvm [SWAP]
└─centos-home 253:2 0 50G 0 lvm
sdb 8:16 0 18.2T 0 disk
└─sdb1 8:17 0 18.2T 0 part
└─data1 253:3 0 18.2T 0 crypt /data1
sdc 8:32 0 18.2T 0 disk
└─sdc1 8:33 0 18.2T 0 part
└─data2 253:4 0 18.2T 0 crypt
[root@localhost ~]# mkfs.xfs /dev/mapper/data2
meta-data=/dev/mapper/data2 isize=512 agcount=19, agsize=268435455 blks
= sectsz=512 attr=2, projid32bit=1
= crc=1 finobt=0, sparse=0
data = bsize=4096 blocks=4883332864, imaxpct=5
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0 ftype=1
log =internal log bsize=4096 blocks=521728, version=2
= sectsz=512 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
[root@localhost ~]# mount /dev/mapper/data2 /data2
[root@localhost ~]# df -h
Filesystem Size Used Avail Use% Mounted on
devtmpfs 158G 0 158G 0% /dev
tmpfs 158G 0 158G 0% /dev/shm
tmpfs 158G 19M 158G 1% /run
tmpfs 158G 0 158G 0% /sys/fs/cgroup
/dev/mapper/centos-root 317G 17G 301G 6% /
/dev/sda1 1014M 150M 865M 15% /boot
tmpfs 32G 0 32G 0% /run/user/0
/dev/mapper/data1 19T 33M 19T 1% /data1
/dev/mapper/data2 19T 33M 19T 1% /data2
[root@localhost ~]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 372G 0 disk
├─sda1 8:1 0 1G 0 part /boot
└─sda2 8:2 0 371G 0 part
├─centos-root 253:0 0 317G 0 lvm /
├─centos-swap 253:1 0 4G 0 lvm [SWAP]
└─centos-home 253:2 0 50G 0 lvm
sdb 8:16 0 18.2T 0 disk
└─sdb1 8:17 0 18.2T 0 part
└─data1 253:3 0 18.2T 0 crypt /data1
sdc 8:32 0 18.2T 0 disk
└─sdc1 8:33 0 18.2T 0 part
└─data2 253:4 0 18.2T 0 crypt /data2
[root@localhost ~]#
备份加密信息
# cryptsetup luksHeaderBackup --header-backup-file data1.dat /dev/sdb1
# cryptsetup luksHeaderBackup --header-backup-file data2.dat /dev/sdc1