Disk Encryption
 
 
I. Simple partitions and file systems
fdisk is the tool for managing disk partitions. Common options:
-l  list the partition table of the named disk;
-c  disable the legacy DOS-compatible mode;
-u  display units in sectors rather than cylinders.
Ext4 was a major step forward for Linux file systems; its improvements go well beyond its predecessors. (For more detail, search Baidu for "ext4 new features".)
II. Enabling data confidentiality through partition encryption
LUKS (Linux Unified Key Setup) is the standard format for device encryption. LUKS can encrypt a partition or a volume. An encrypted volume must first be unlocked (decrypted) before the file system it contains can be mounted.
1. Create a partition with fdisk
 
[root@wangfc ~]# fdisk /dev/sdb
 
WARNING: DOS-compatible mode is deprecated. It's strongly recommended to
         switch off the mode (command 'c') and change display units to
         sectors (command 'u').
 
Command (m for help): p
 
Disk /dev/sdb: 5368 MB, 5368709120 bytes
255 heads, 63 sectors/track, 652 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0008a69b
 
   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1               1         652     5237158+   5  Extended
/dev/sdb5               1           1         976   83  Linux
 
2. Encrypt the partition and set the passphrase used to unlock it.
 
[root@wangfc ~]# cryptsetup luksFormat /dev/sdb5
 
WARNING!
========
This will overwrite data on /dev/sdb5 irrevocably.
 
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
 
 
[root@wangfc ~]# ll /dev/mapper/ -l   # list the device-mapper nodes
total 0
crw-rw----. 1 root root 10, 58 Jul 31 19:55 control
 
3. Unlock the partition and map it to a usable block device
 
[root@wangfc ~]# cryptsetup luksOpen /dev/sdb5 rhel
Enter passphrase for /dev/sdb5:
 
[root@wangfc ~]# ll /dev/mapper/
total 0
crw-rw----. 1 root root 10, 58 Jul 31 19:55 control
lrwxrwxrwx. 1 root root      7 Aug  1 18:22 rhel -> ../dm-0
 
4. Format it and mount it for use.

[root@wangfc ~]# mkfs.ext4 /dev/mapper/rhel
mke2fs 1.41.12 (17-May-2010)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)   
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
66240 inodes, 264544 blocks
13227 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=272629760
9 block groups
32768 blocks per group, 32768 fragments per group
7360 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376
 
Writing inode tables: done                           
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done
 
This filesystem will be automatically checked every 37 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
             
[root@wangfc ~]# mkdir /mnt/luks
[root@wangfc ~]# mount /dev/mapper/rhel /mnt/luks/
[root@wangfc ~]# df -TH
Filesystem    Type     Size   Used  Avail Use% Mounted on
/dev/sda2     ext4      49G   4.4G    42G  10% /
tmpfs        tmpfs     1.1G   103k   1.1G   1% /dev/shm
/dev/sda1     ext4     305M    32M   258M  11% /boot
/dev/mapper/rhel
              ext4     1.1G    35M   978M   4% /mnt/luks
 
5. Mounting at boot. The passphrase has to be entered during boot before the volume can be mounted and the system finishes starting.
 
[root@wangfc ~]# vim /etc/fstab
/dev/mapper/rhel        /mnt/luks              ext4     defaults          0 0 
[root@wangfc ~]# vim /etc/crypttab
rhel       /dev/sdb5    none     # none: no key file is stored, the passphrase is asked for at boot
 
To let the system boot without asking for the passphrase, do the following:
 
@ Create a file and put the passphrase in it
[root@wangfc ~]# vim rhel_pass
 
@ Edit the crypttab file
[root@wangfc ~]# vim /etc/crypttab
rhel       /dev/sdb5    /root/rhel_pass
 
@ Add the key file as a LUKS key
[root@wangfc ~]# cryptsetup luksAddKey /dev/sdb5  /root/rhel_pass
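Added example, not code from the original page: a shell audit of crypttab key files that checks what the key-file approach above leaves entirely to the file system, namely that each key file exists, is readable only by root (mode 0600 or 0400), and does not sit inside the volume it is supposed to unlock, since that volume is still locked when the key is needed at boot. The optional third argument overrides the expected owner uid (0 by default) so the function can be exercised as a non-root user; the paths in the self-test are constructed.

```shell
#!/bin/sh
# check_crypttab CRYPTTAB FSTAB [OWNER_UID]
#   Entries whose third field is "none" or "-" are prompted for at boot and skipped.
#   Every other entry names a key file, which must: exist, be owned by OWNER_UID
#   (0 = root on a real system), have mode 600 or 400, and not live under the
#   mount point (taken from FSTAB) of the mapped volume it unlocks.
#   Prints one line per finding; returns 0 when every entry passes, 1 otherwise.
check_crypttab() {
    crypttab=$1; fstab=$2; want_uid=${3:-0}; rc=0
    while read -r name dev key opts; do
        case "$name" in ''|\#*) continue ;; esac     # blank lines and comments
        case "$key" in ''|none|-) continue ;; esac   # passphrase prompt: nothing to audit
        # mount point of /dev/mapper/<name> according to fstab (may be empty)
        mnt=$(awk -v d="/dev/mapper/$name" '$1 == d { print $2 }' "$fstab")
        if [ ! -f "$key" ]; then
            echo "$name: key file $key does not exist"; rc=1; continue
        fi
        mode=$(stat -c %a "$key"); uid=$(stat -c %u "$key")
        if [ "$uid" != "$want_uid" ]; then
            echo "$name: $key is owned by uid $uid, expected $want_uid"; rc=1
        fi
        case "$mode" in
            600|400) ;;
            *) echo "$name: $key has mode $mode, expected 600 or 400"; rc=1 ;;
        esac
        if [ -n "$mnt" ] && [ "${key#"$mnt"/}" != "$key" ]; then
            echo "$name: $key is stored inside $mnt, the volume it is meant to unlock"; rc=1
        fi
    done < "$crypttab"
    return $rc
}

# Stand-alone use on the live system (run as root): audit /etc/crypttab against /etc/fstab.
if [ $# -eq 0 ] && [ -r /etc/crypttab ]; then
    check_crypttab /etc/crypttab /etc/fstab
fi
```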
 
6. How to lock the volume, and how to reopen it?
Lock:
[root@wangfc ~]# umount /mnt/luks/ 
[root@wangfc ~]# cryptsetup luksClose rhel
Reopen:
[root@wangfc ~]# cryptsetup luksOpen /dev/sdb5 rhel
Enter passphrase for /dev/sdb5:
[root@wangfc ~]# mount /dev/mapper/rhel /mnt/luks/
 
7. How to remove the encryption? Move the data you need off the volume first, then reformat the partition.
 
III. How to encrypt a file (a file-backed LUKS container on a loop device)
 
[root@wangfc ~]# dd if=/dev/zero of=my.img bs=1M count=512
512+0 records in
512+0 records out
536870912 bytes (537 MB) copied, 2.87673 s, 187 MB/s
[root@wangfc ~]# losetup -d /dev/l
log    loop0  loop1  loop2  loop3  loop4  loop5  loop6  loop7  lp0    lp1    lp2    lp3   
[root@wangfc ~]# losetup -d /dev/loop1
loop: can't delete device /dev/loop1: No such device or address
[root@wangfc ~]# losetup /dev/loop1 /root/my.img
[root@wangfc ~]# cryptsetup luksFormat /dev/loop1
 
WARNING!
========
This will overwrite data on /dev/loop1 irrevocably.
 
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:

[root@wangfc ~]# cryptsetup luksOpen /dev/loop1 my.img
Enter passphrase for /dev/loop1:
[root@wangfc ~]# ll /dev/mapper/
total 0
crw-rw----. 1 root root 10, 58 Aug  2 17:30 control
lrwxrwxrwx. 1 root root      7 Aug  2 17:48 my.img -> ../dm-1
lrwxrwxrwx. 1 root root      7 Aug  2 17:31 rhel -> ../dm-0
[root@wangfc ~]# mkfs.ext4 /dev/mapper/my.img
mke2fs 1.41.12 (17-May-2010)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
66240 inodes, 264544 blocks
13227 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=272629760
9 block groups
32768 blocks per group, 32768 fragments per group
7360 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376
 
Writing inode tables: done                           
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done
 
This filesystem will be automatically checked every 20 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
[root@wangfc ~]# mkdir /tmp/luks
[root@wangfc ~]# mount /dev/mapper/my.img /tmp/luks/
[root@wangfc ~]# ll /tmp/luks/
total 16
drwx------. 2 root root 16384 Aug  2 17:48 lost+found
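As an added example (not part of the original page), the script below reads the LUKS1 header of an image such as my.img, or of a partition like /dev/sdb5, with nothing but dd and od, and reports the cipher, the hash spec and how many of the eight key slots are enabled, which is how you confirm that luksAddKey in step 5 really left two slots in use. The field offsets follow the LUKS1 on-disk format; the header it builds for its self-test is constructed, not a real volume.

```shell
#!/bin/sh
# read_hex FILE OFFSET LEN : hex string of LEN bytes; read_str: NUL-terminated text field
read_hex() { dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'; }
read_str() { dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\0'; }

# luks_header_info FILE : print one summary line for a LUKS1 header, non-zero otherwise
luks_header_info() {
    img=$1
    [ "$(wc -c < "$img" | tr -d ' ')" -ge 592 ] || { echo "$img: shorter than a LUKS header"; return 1; }
    # "LUKS" 0xBA 0xBE marks the primary header of LUKS1 and LUKS2 alike
    [ "$(read_hex "$img" 0 6)" = "4c554b53babe" ] || { echo "$img: no LUKS magic"; return 1; }
    ver=$((0x$(read_hex "$img" 6 2)))
    if [ "$ver" -ne 1 ]; then echo "$img: LUKS version $ver (only v1 is parsed here)"; return 2; fi
    cipher=$(read_str "$img" 8 32)      # cipher-name, e.g. aes
    mode=$(read_str "$img" 40 32)       # cipher-mode, e.g. xts-plain64 or cbc-essiv:sha256
    hashspec=$(read_str "$img" 72 32)   # hash used for PBKDF2 and the master-key digest
    keybytes=$((0x$(read_hex "$img" 108 4)))
    active=0; i=0
    while [ "$i" -lt 8 ]; do
        # 8 key slots of 48 bytes start at offset 208; the first field is the state:
        # 0x00AC71F3 = enabled, 0x0000DEAD = disabled
        [ "$(read_hex "$img" $((208 + i * 48)) 4)" = "00ac71f3" ] && active=$((active + 1))
        i=$((i + 1))
    done
    echo "version=$ver cipher=$cipher-$mode hash=$hashspec keybits=$((keybytes * 8)) active_keyslots=$active"
}

# Constructed test fixture: a zeroed 592-byte header with only the fields above filled in.
write_at() { printf "$2" | dd of="$1" bs=1 seek="$3" conv=notrunc 2>/dev/null; }
make_fake_luks1_header() {
    f=$1
    dd if=/dev/zero of="$f" bs=592 count=1 2>/dev/null
    write_at "$f" 'LUKS\272\276' 0     # magic, 0xBA 0xBE written as octal escapes
    write_at "$f" '\001' 7             # version 1 (big-endian uint16 at offset 6)
    write_at "$f" 'aes' 8
    write_at "$f" 'xts-plain64' 40
    write_at "$f" 'sha256' 72
    write_at "$f" '\100' 111           # key-bytes = 64, i.e. a 512-bit key
    write_at "$f" '\254\161\363' 209   # slot 0 enabled (0x00AC71F3)
    write_at "$f" '\254\161\363' 257   # slot 1 enabled, as after luksAddKey
    write_at "$f" '\336\255' 306       # slot 2 disabled (0x0000DEAD)
}

if [ $# -gt 0 ]; then luks_header_info "$1"; fi
```

Run as root against /dev/sdb5 or the my.img file on the page, and compare the line with the output of cryptsetup luksDump on the same device.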