Disk Encryption
I. Basic partitions and filesystems
fdisk is the tool for managing disk partitions. Commonly used options:
-l
list the partition table of the named disk (or of every disk if none is given);
-c
disable the old DOS-compatible mode;
-u
display units in sectors instead of cylinders.
Ext4 was a major step forward for Linux filesystems, well beyond what came before it (for details, search for "ext4 新特性" / ext4 new features).
II. Data confidentiality through partition encryption
LUKS (Linux Unified Key Setup) is the standard on-disk format for device encryption on Linux. LUKS can encrypt a partition or a volume. An encrypted volume must first be unlocked (decrypted into a device-mapper mapping) before the filesystem inside it can be mounted. Note that LUKS protects data at rest only: while the volume is unlocked, any process that can read the mapping sees plaintext.
1. Create the partition with fdisk
[root@wangfc ~]# fdisk /dev/sdb
WARNING: DOS-compatible mode is deprecated. It's strongly recommended to
switch off the mode (command 'c') and change display units to
sectors (command 'u').
Command (m for help): p
Disk /dev/sdb: 5368 MB, 5368709120 bytes
255 heads, 63 sectors/track, 652 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0008a69b
   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1               1         652     5237158+   5  Extended
/dev/sdb5               1           1         976   83  Linux
2. Encrypt the partition and set the unlock passphrase.
[root@wangfc ~]# cryptsetup luksFormat /dev/sdb5
WARNING!
========
This will overwrite data on /dev/sdb5 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
[root@wangfc ~]# ll /dev/mapper/        # list device-mapper nodes: nothing but control yet
total 0
crw-rw----. 1 root root 10, 58 Jul 31 19:55 control
3. Unlock the partition, mapping it to a usable block device
[root@wangfc ~]# cryptsetup luksOpen /dev/sdb5 rhel
Enter passphrase for /dev/sdb5:
[root@wangfc ~]# ll /dev/mapper/
total 0
crw-rw----. 1 root root 10, 58 Jul 31 19:55 control
lrwxrwxrwx. 1 root root      7 Aug  1 18:22 rhel -> ../dm-0
4. Create a filesystem on the mapping and mount it.
[root@wangfc ~]# mkfs.ext4 /dev/mapper/rhel
mke2fs 1.41.12 (17-May-2010)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
66240 inodes, 264544 blocks
13227 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=272629760
9 block groups
32768 blocks per group, 32768 fragments per group
7360 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376
Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 37 mounts or
180 days, whichever comes first.
Use tune2fs -c or -i to override.
[root@wangfc ~]# mkdir /mnt/luks
[root@wangfc ~]# mount /dev/mapper/rhel /mnt/luks/
[root@wangfc ~]# df -TH
Filesystem        Type   Size  Used Avail Use% Mounted on
/dev/sda2         ext4    49G  4.4G   42G  10% /
tmpfs             tmpfs  1.1G  103k  1.1G   1% /dev/shm
/dev/sda1         ext4   305M   32M  258M  11% /boot
/dev/mapper/rhel  ext4   1.1G   35M  978M   4% /mnt/luks
5. Mounting at boot. With the entries below, the boot process prompts for the passphrase; the volume is unlocked and mounted only after it is entered, and boot does not complete until then.
[root@wangfc ~]# vim /etc/fstab
/dev/mapper/rhel /mnt/luks ext4 defaults 0 0
[root@wangfc ~]# vim /etc/crypttab
rhel /dev/sdb5 none
The third field, none, means no key file is supplied, so the passphrase is requested at boot.
To unlock at boot without typing a passphrase, use a key file instead:
@
Create a file containing the key. Keep it root-only (chmod 600). Note that vim writes a trailing newline, which becomes part of the key, so this key will only ever work as a file, not typed at a prompt.
[root@wangfc ~]# vim rhel_pass
@
Edit /etc/crypttab so the third field points at the key file
[root@wangfc ~]# vim /etc/crypttab
rhel /dev/sdb5
/root/rhel_pass
@
Add the key file as an additional key slot (cryptsetup first asks for an existing passphrase)
[root@wangfc ~]# cryptsetup luksAddKey /dev/sdb5 /root/rhel_pass
Caveat: a key file that lives on the unencrypted root filesystem can be read by anyone who obtains the disk, so this trades the confidentiality of the data for an unattended boot.
6. How to lock the volume, and how to open it again?
Lock:
[root@wangfc ~]# umount /mnt/luks/
[root@wangfc ~]# cryptsetup luksClose rhel
Reopen:
[root@wangfc ~]# cryptsetup luksOpen /dev/sdb5 rhel
Enter passphrase for /dev/sdb5:
[root@wangfc ~]# mount /dev/mapper/rhel /mnt/luks/
7. How to remove the encryption? Move the data you still need off the volume first, then re-format the partition. Overwriting the LUKS header destroys the key slots, so whatever ciphertext remains on the partition is unrecoverable after that.
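The script below is added here as an example and is not part of the original page. It wraps steps 2 through 6 above into checked functions: it refuses to format a device that is mounted or already carries a LUKS header, generates the key file from /dev/urandom with root-only permissions instead of a passphrase typed into vim, adds it as a second key slot, and builds the /etc/crypttab and /etc/fstab entries. The device (/dev/sdb5), mapping name (rhel), mount point (/mnt/luks) and key-file path (/root/rhel_pass) follow the page; the function names and the rest are assumptions. Only the helper functions run without root; setup, lock and unlock need root and a real block device.

```shell
#!/bin/sh
# Added example (not from the page): hardened wrapper around the LUKS
# partition procedure. Defaults below are the page's values; override via env.
set -eu

DEV="${DEV:-/dev/sdb5}"                  # partition to encrypt (assumed)
NAME="${NAME:-rhel}"                     # mapping name -> /dev/mapper/$NAME
MNT="${MNT:-/mnt/luks}"                  # mount point
KEYFILE="${KEYFILE:-/root/rhel_pass}"    # key file for unattended boot

# Refuse to touch a device that is currently mounted: luksFormat would destroy it.
require_unmounted() {
    if grep -qs "^$1 " /proc/mounts; then
        echo "refusing: $1 is mounted" >&2
        return 1
    fi
}

# 64 random bytes, created with umask 077 so the file is never world-readable,
# not even for an instant. No trailing newline, no dictionary weakness.
make_keyfile() {
    (umask 077 && dd if=/dev/urandom of="$1" bs=64 count=1 2>/dev/null)
    chmod 600 "$1"
    [ "$(wc -c < "$1" | tr -d ' ')" -eq 64 ]
}

# True only if the key file exists, is non-empty and is exactly mode 0600.
keyfile_is_safe() {
    [ -f "$1" ] && [ -s "$1" ] && find "$1" -perm 600 | grep -q .
}

# crypttab entry: "none" prompts for the passphrase at boot; a key-file path
# unlocks unattended (and the key then sits in plaintext on the root disk).
crypttab_line() {   # name device [keyfile]
    printf '%s %s %s\n' "$1" "$2" "${3:-none}"
}

fstab_line() {      # name mountpoint
    printf '/dev/mapper/%s %s ext4 defaults 0 0\n' "$1" "$2"
}

setup() {           # steps 2-5 with the checks above
    require_unmounted "$DEV"
    if cryptsetup isLuks "$DEV"; then
        echo "refusing: $DEV already carries a LUKS header" >&2
        return 1
    fi
    cryptsetup luksFormat "$DEV"                 # interactive passphrase -> slot 0
    make_keyfile "$KEYFILE"
    cryptsetup luksAddKey "$DEV" "$KEYFILE"      # key file -> second slot
    cryptsetup luksOpen --key-file "$KEYFILE" "$DEV" "$NAME"
    mkfs.ext4 "/dev/mapper/$NAME"
    mkdir -p "$MNT"
    mount "/dev/mapper/$NAME" "$MNT"
    crypttab_line "$NAME" "$DEV" "$KEYFILE" >> /etc/crypttab
    fstab_line "$NAME" "$MNT" >> /etc/fstab
    cryptsetup luksDump "$DEV"                   # inspect: two key slots enabled
}

lock() {            # step 6: unmount, then close the mapping
    umount "$MNT"
    cryptsetup luksClose "$NAME"
}

unlock() {          # step 6: reopen with the key file and mount
    cryptsetup luksOpen --key-file "$KEYFILE" "$DEV" "$NAME"
    mount "/dev/mapper/$NAME" "$MNT"
}

case "${1:-}" in
    setup)  setup ;;
    lock)   lock ;;
    unlock) unlock ;;
    *)      : ;;    # no verb: only define the functions (e.g. when sourced)
esac
```

Run it once as sh luks-setup.sh setup, then lock / unlock as needed. The luksDump at the end of setup should show slot 0 (passphrase) and slot 1 (key file) enabled; keep the passphrase, since it is the only way back in if the key file is lost.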
III. How to encrypt a file (a LUKS container inside a regular file)
[root@wangfc ~]# dd if=/dev/zero of=my.img bs=1M count=512
512+0 records in
512+0 records out
536870912 bytes (537 MB) copied, 2.87673 s, 187 MB/s
[root@wangfc ~]# losetup -d /dev/loop1
loop: can't delete device /dev/loop1: No such device or address
(the error only shows that /dev/loop1 is not attached to anything, i.e. it is free to use)
[root@wangfc ~]# losetup /dev/loop1 /root/my.img
[root@wangfc ~]# cryptsetup luksFormat /dev/loop1
WARNING!
========
This will overwrite data on /dev/loop1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
(the unlock step that creates the my.img mapping shown below)
[root@wangfc ~]# cryptsetup luksOpen /dev/loop1 my.img
Enter passphrase for /dev/loop1:
[root@wangfc ~]# ll /dev/mapper/
total 0
crw-rw----. 1 root root 10, 58 Aug  2 17:30 control
lrwxrwxrwx. 1 root root      7 Aug  2 17:48 my.img -> ../dm-1
lrwxrwxrwx. 1 root root      7 Aug  2 17:31 rhel -> ../dm-0
[root@wangfc ~]# mkfs.ext4 /dev/mapper/my.img
mke2fs 1.41.12 (17-May-2010)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
66240 inodes, 264544 blocks
13227 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=272629760
9 block groups
32768 blocks per group, 32768 fragments per group
7360 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376
Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 20 mounts or
180 days, whichever comes first.
Use tune2fs -c or -i to override.
[root@wangfc ~]# mkdir /tmp/luks
[root@wangfc ~]# mount /dev/mapper/my.img /tmp/luks/
[root@wangfc ~]# ll /tmp/luks/
total 16
drwx------. 2 root root 16384 Aug  2 17:48 lost+found
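Added example, not from the page: the container procedure of section III as functions, with the loop device chosen by losetup -f --show instead of guessed (guessing is what produced the "No such device or address" above), plus the close and reopen sequence, in which the loop device must be detached only after the mapping is closed, otherwise losetup -d fails because the mapping still holds it. Image path (/root/my.img), mapping name (my.img) and mount point (/tmp/luks) follow the page; the function names and the use of losetup -a to find the backing device are assumptions. make_image runs without root; the rest needs root, cryptsetup and loop support.

```shell
#!/bin/sh
# Added example (not from the page): LUKS container in a regular file.
set -eu

IMG="${IMG:-/root/my.img}"     # container file (assumed, as on the page)
NAME="${NAME:-my.img}"         # mapping name -> /dev/mapper/$NAME
MNT="${MNT:-/tmp/luks}"        # mount point

# Create an image of the given size in MiB, zero-filled, mode 0600 from the start.
make_image() {      # path size_mib
    (umask 077 && dd if=/dev/zero of="$1" bs=1048576 count="$2" 2>/dev/null)
    [ "$(wc -c < "$1" | tr -d ' ')" -eq $(( $2 * 1024 * 1024 )) ]
}

# Attach the image to the first free loop device and print that device's name.
attach_loop() {
    losetup -f --show "$1"
}

# Print the loop device currently backing the image, or nothing if none.
# losetup -a lines look like "/dev/loop1: [0803]:123 (/root/my.img)".
loop_for_image() {
    losetup -a | grep -F "($1)" | cut -d: -f1 | head -n1
}

create_container() {
    make_image "$IMG" 512
    loopdev=$(attach_loop "$IMG")
    cryptsetup luksFormat "$loopdev"        # interactive passphrase
    cryptsetup luksOpen "$loopdev" "$NAME"
    mkfs.ext4 "/dev/mapper/$NAME"
    mkdir -p "$MNT"
    mount "/dev/mapper/$NAME" "$MNT"
}

# Order matters: filesystem, then mapping, then the loop device under it.
lock_container() {
    umount "$MNT"
    cryptsetup luksClose "$NAME"
    loopdev=$(loop_for_image "$IMG")
    if [ -n "$loopdev" ]; then
        losetup -d "$loopdev"
    fi
}

# Reuse an existing loop attachment if there is one, otherwise attach afresh.
unlock_container() {
    loopdev=$(loop_for_image "$IMG")
    if [ -z "$loopdev" ]; then
        loopdev=$(attach_loop "$IMG")
    fi
    cryptsetup luksOpen "$loopdev" "$NAME"
    mount "/dev/mapper/$NAME" "$MNT"
}

case "${1:-}" in
    create) create_container ;;
    lock)   lock_container ;;
    unlock) unlock_container ;;
    *)      : ;;    # no verb: only define the functions
esac
```

After lock_container, the image file is an opaque blob that can be copied or backed up like any other file; its contents are only as strong as the passphrase chosen at luksFormat time.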