After a partition has been encrypted with cryptsetup, it can no longer be mounted directly. To use the partition you must first map (open) it into the /dev/mapper directory and mount that mapping instead, and creating the mapping requires entering the decryption passphrase.
What encryption with the cryptsetup tool means in practice:
1. Once encrypted, the partition cannot be mounted directly.
2. If the encrypted disk is lost, the data on it cannot be read without the passphrase.
3. The encrypted partition must be mapped (opened) before it can be mounted.
Steps:
1. Create the partition
2. Encrypt the partition
3. Map the partition
4. Format the partition (through its mapping)
5. Mount the partition
1. Create a new partition on the disk, as shown below: a 500M partition, /dev/sda7, is created.
[root@server1 ~]# fdisk /dev/sda
WARNING: DOS-compatible mode is deprecated. It's strongly recommended to
switch off the mode (command 'c') and change display units to
sectors (command 'u').
Command (m for help): p
Disk /dev/sda: 42.9 GB, 42949672960 bytes
255 heads, 63 sectors/track, 5221 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000da724
Device Boot Start End Blocks Id System
/dev/sda1 * 1 26 204800 83 Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2 26 2576 20480000 83 Linux
/dev/sda3 2576 3213 5120000 83 Linux
/dev/sda4 3213 5222 16137216 5 Extended
/dev/sda5 3213 3344 1048576 82 Linux swap / Solaris
/dev/sda6 3345 3456 899608+ 83 Linux
Command (m for help): n
First cylinder (3344-5222, default 3344): 3457
Last cylinder, +cylinders or +size{K,M,G} (3457-5222, default 5222): +500M
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table. The new table will be used at
the next reboot or after you run partprobe(8) or kpartx(8)
Syncing disks.
2. Encrypt the partition with the cryptsetup tool. A warning appears that the data on /dev/sda7 will be destroyed; type YES in uppercase (it must be uppercase), then enter the encryption passphrase twice.
[root@server1 ~]# cryptsetup luksFormat /dev/sda7
WARNING!
========
This will overwrite data on /dev/sda7 irrevocably.
Are you sure? (Type uppercase yes): YES
(must be uppercase)
Enter LUKS passphrase:
(enter the passphrase)
Verify passphrase:
(enter the passphrase again)
3. If you try to mount the partition now, mount reports that the device holds an encrypted type:
[root@server1 ~]# mount /dev/sda7 /mnt
mount: unknown filesystem type 'crypto_LUKS'
4. Create a mapping for /dev/sda7 in the /dev/mapper directory; only then can the partition be used. Opening the mapping succeeds only after the encryption passphrase is entered, as shown below:
[root@server1 ~]# cryptsetup luksOpen /dev/sda7 rhel
(rhel is the mapping name)
Enter passphrase for /dev/sda7:
5. Inspect the mapping. The entry in /dev/mapper is only a symbolic link; the real device node is /dev/dm-1, as shown below:
[root@server1 ~]# ll /dev/mapper/
total 0
crw-rw----. 1 root root 10, 58 Jul 16 05:48 control
lrwxrwxrwx. 1 root root 7 Jul 16 06:02 rhel -> ../dm-1
lrwxrwxrwx. 1 root root 7 Jul 16 05:57 udisks-luks-uuid-912a609f-1ddc-4c72-932a-c55ea18c934d-uid500 -> ../dm-0
6. Check the status of the rhel mapping, as shown below:
[root@server1 ~]# cryptsetup status /dev/mapper/rhel
(query by the mapping path)
/dev/mapper/rhel is active:
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/sda7
offset: 4096 sectors
size: 1040066 sectors
mode: read/write
[root@server1 ~]# cryptsetup status /dev/dm-1
(querying by the underlying device node works as well)
/dev/mapper//dev/dm-1 is active:
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/sda7
offset: 4096 sectors
size: 1040066 sectors
mode: read/write
[root@server1 ~]#
7. Formatting the mapping is the same as formatting the /dev/sda7 partition, as shown below:
[root@server1 ~]# mkfs -t ext4 /dev/dm-1
(or: mkfs.ext4 /dev/mapper/rhel)
mke2fs 1.41.12 (17-May-2010)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
130048 inodes, 520032 blocks
26001 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67633152
64 block groups
8192 blocks per group, 8192 fragments per group
2032 inodes per group
Superblock backups stored on blocks:
8193, 24577, 40961, 57345, 73729, 204801, 221185, 401409
Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 23 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override
8. Mount the partition mapping, as shown below:
[root@server1 ~]# mkdir /rhel
[root@server1 ~]# mount /dev/mapper/rhel /rhel
[root@server1 ~]# ls /rhel/
lost+found
[root@server1 ~]# df -hl
Filesystem Size Used Avail Use% Mounted on
/dev/sda2 20G 3.9G 15G 21% /
tmpfs 250M 420K 250M 1% /dev/shm
/dev/sda1 194M 24M 161M 13% /boot
/dev/sda3 4.9G 139M 4.5G 3% /home
/dev/mapper/udisks-luks-uuid-912a609f-1ddc-4c72-932a-c55ea18c934d-uid500
863M 17M 803M 3% /media/opt
/dev/mapper/rhel 492M 11M 457M 3% /rhel
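Steps 2 to 8 above as one shell script, an added example that is not part of the original post: two functions wrap the luksFormat / luksOpen / mkfs / mount sequence with the checks an administrator wants before overwriting a partition, and status_field parses the output of cryptsetup status so a script can confirm which device a mapping is backed by. It assumes root privileges and cryptsetup and mkfs.ext4 installed; device path, mapping name and mount point are arguments, and SAMPLE_STATUS is a constructed copy of the step 6 output.

```shell
# Added example (not from the original post): the tutorial's steps 2-8
# as shell functions. Assumed: run as root, cryptsetup and mkfs.ext4
# present; device, mapping name and mount point are passed as arguments
# (the tutorial used /dev/sda7, "rhel" and /rhel).
set -u

# Extract one field (cipher, keysize, device, offset, size, mode) from
# the text that `cryptsetup status` prints, as shown in step 6.
status_field() {
    # $1 = status text, $2 = field name; prints the value, or nothing
    printf '%s\n' "$1" | awk -v f="$2" \
        '$1 == (f ":") { sub(/^[ \t]*[^:]+:[ \t]*/, ""); print; exit }'
}

# Constructed sample copied from the step 6 output, so status_field can
# be exercised without a real mapping.
SAMPLE_STATUS='/dev/mapper/rhel is active:
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/sda7
  offset:  4096 sectors
  size:    1040066 sectors
  mode:    read/write'

# Steps 2, 4, 7 and 8: luksFormat, luksOpen, mkfs, mount. Refuses to
# touch a device that is mounted or already carries a LUKS header, so a
# typo in the device name cannot silently wipe the wrong partition.
luks_setup() {
    dev=$1; name=$2; mnt=$3
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 1; }
    if grep -qs "^$dev " /proc/mounts; then
        echo "$dev is mounted, refusing to overwrite it" >&2; return 1
    fi
    if cryptsetup isLuks "$dev"; then
        echo "$dev already holds a LUKS header, refusing luksFormat" >&2; return 1
    fi
    cryptsetup luksFormat "$dev" || return 1   # asks for YES + passphrase
    cryptsetup luksOpen "$dev" "$name" || return 1
    # Confirm the new mapping really sits on top of $dev before mkfs.
    st=$(cryptsetup status "$name")
    [ "$(status_field "$st" device)" = "$dev" ] ||
        { echo "mapping $name is not backed by $dev" >&2; return 1; }
    mkfs.ext4 "/dev/mapper/$name" || return 1
    mkdir -p "$mnt" && mount "/dev/mapper/$name" "$mnt"
}

# Reverse order when done: unmount, then close the mapping so the key is
# dropped from the kernel and /dev/mapper/$name disappears.
luks_teardown() {
    umount "$2" && cryptsetup luksClose "$1"   # $1 = name, $2 = mount point
}
```

Call luks_setup /dev/sdXN NAME /MOUNTPOINT with your own values; luks_teardown NAME /MOUNTPOINT undoes it.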