Encrypting storage devices with LUKS
Date: 2019-04-29 03:17:32  Source: igfitidea
What is LUKS (Linux Unified Key Setup)?
Linux Unified Key Setup, or LUKS, is a disk-encryption specification created by Clemens Fruhwirth in 2004, originally intended for the Linux operating system.
LUKS normally runs on Linux and is implemented by an enhanced version of cryptsetup, with dm-crypt as the disk-encryption backend.
dm-crypt is the transparent disk-encryption subsystem in Linux kernel 2.6 and later. It is part of the device-mapper infrastructure and uses the cipher routines of the kernel Crypto API.
dm-crypt can encrypt whole disks (including removable media), partitions, software RAID volumes, logical volumes and, through a loop device, ordinary files.
What is cryptsetup?
cryptsetup is the command-line front end to dm-crypt and implements the LUKS on-disk format. A LUKS volume has to be unlocked (luksOpen) with a passphrase or key file each time before it can be mounted. The passphrase is not used as the encryption key directly: LUKS generates a random master key for the volume and stores it in the header, encrypted under a key derived from each passphrase by a password-hashing function (PBKDF2 in LUKS1, Argon2id by default in LUKS2). Because the master key is separate from the passphrases, one volume can hold several key slots (8 in LUKS1, 32 in LUKS2), and passphrases can be added, changed or removed without re-encrypting the data.
Install cryptsetup on Debian-based systems

sudo apt-get update
sudo apt-get install cryptsetup

Install cryptsetup on Red Hat-based distributions (dnf on Fedora and RHEL 8 and later)

yum install cryptsetup -y
Create a partition on an unused disk

Identify the disk with fdisk -l. The command lists every disk the system can see: disks already in use as well as disks that are attached but unused (no partition table).

john@ubuntu1404:~$ sudo fdisk -l
[sudo] password for john:

Disk /dev/sda: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders, total 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000628fb

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048      499711      248832   83  Linux
/dev/sda2          501758    20969471    10233857    5  Extended
/dev/sda5          501760    20969471    10233856   8e  Linux LVM

Disk /dev/sdb: 536 MB, 536870912 bytes
255 heads, 63 sectors/track, 65 cylinders, total 1048576 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Disk /dev/sdb doesn't contain a valid partition table

Disk /dev/mapper/ubuntu--vg-root: 9403 MB, 9403629568 bytes
255 heads, 63 sectors/track, 1143 cylinders, total 18366464 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Disk /dev/mapper/ubuntu--vg-root doesn't contain a valid partition table

Disk /dev/mapper/ubuntu--vg-swap_1: 1073 MB, 1073741824 bytes
255 heads, 63 sectors/track, 130 cylinders, total 2097152 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Disk /dev/mapper/ubuntu--vg-swap_1 doesn't contain a valid partition table

The device /dev/sdb has no partition table and is not in use; it is the disk used for this example.
Create a partition on the disk

Use fdisk to create a standard Linux partition on /dev/sdb.

john@ubuntu1404:~$ sudo fdisk /dev/sdb
[sudo] password for john:
Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0xfb0b3262.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): p
Partition number (1-4, default 1):
Using default value 1
First sector (2048-1048575, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-1048575, default 1048575):
Using default value 1048575

Command (m for help): p

Disk /dev/sdb: 536 MB, 536870912 bytes
255 heads, 63 sectors/track, 65 cylinders, total 1048576 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0xfb0b3262

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1            2048     1048575      523264   83  Linux

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

Verify the new partition with fdisk -l. Because it is the first partition on /dev/sdb, it appears as /dev/sdb1.

john@ubuntu1404:~$ sudo fdisk -l

Disk /dev/sdb: 536 MB, 536870912 bytes
70 heads, 4 sectors/track, 3744 cylinders, total 1048576 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0xfb0b3262

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1            2048     1048575      523264   83  Linux
Create the LUKS container with luksFormat

luksFormat writes a LUKS header to the start of /dev/sdb1 and generates the random master key for the volume. Everything previously on the partition is lost, which is why the command insists on an uppercase YES. The header version, cipher and key size come from the build defaults of the installed cryptsetup unless you pass them explicitly with --type, --cipher, --key-size and --pbkdf: the cryptsetup shipped with this Ubuntu 14.04 host produces a LUKS1 header with a 256-bit aes-xts-plain64 key, as the status output further down shows, whereas cryptsetup 2.x defaults to LUKS2 with a 512-bit key. Choose a long passphrase; it is the only thing standing between an attacker with the disk and the master key.

john@ubuntu1404:~$ sudo cryptsetup luksFormat /dev/sdb1

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
Open the container and give the mapping a name

luksOpen unlocks the container with the passphrase and exposes the decrypted block device as /dev/mapper/MyEncData. Everything written to that device is encrypted transparently before it reaches /dev/sdb1; the passphrase is needed only at this step, not when mounting.

john@ubuntu1404:~$ sudo cryptsetup luksOpen /dev/sdb1 MyEncData
Enter passphrase for /dev/sdb1:
Create a filesystem on the encrypted device

Before the encrypted device can be used it needs a filesystem. It is created on the mapping, never on /dev/sdb1 itself.

john@ubuntu1404:~$ sudo mkfs.ext4 /dev/mapper/MyEncData
mke2fs 1.42.9 (4-Feb-2014)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
130560 inodes, 521216 blocks
26060 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67633152
64 block groups
8192 blocks per group, 8192 fragments per group
2040 inodes per group
Superblock backups stored on blocks:
	8193, 24577, 40961, 57345, 73729, 204801, 221185, 401409

Allocating group tables: done
Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done
Mount the encrypted device

Create a mount point, then mount the mapping with the mount command.

john@ubuntu1404:/$ sudo mkdir private
john@ubuntu1404:/$ sudo mount /dev/mapper/MyEncData /private
Verify the status of the LUKS device

cryptsetup status reports the parameters of an open mapping. Here the header type is LUKS1, the cipher is AES in XTS mode with a plain64 IV, and the key size is 256 bits, which for XTS (the key is split into two halves) means AES-128. The offset of 4096 sectors (2 MiB) is the space taken by the LUKS1 header and key slots at the start of /dev/sdb1, so the mapped device is that much smaller than the partition.

john@ubuntu1404:/$ df -hT
john@ubuntu1404:/private$ sudo cryptsetup -v status MyEncData
/dev/mapper/MyEncData is active and is in use.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 256 bits
  device:  /dev/sdb1
  offset:  4096 sectors
  size:    1042432 sectors
  mode:    read/write
Command successful.
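As an added check that is not part of the original tutorial, the following POSIX shell function reads the text that cryptsetup status prints and flags the three things a reviewer would question in a listing like the one above: a LUKS1 header, an IV mode that is not plain64 (or CBC without ESSIV), and an XTS key shorter than 512 bits. The two sample listings at the bottom are constructed: the first copies the tutorial's output, the second is what a current cryptsetup default reports. The file name luks_audit.sh and the "-" argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit what `cryptsetup status`
# reports and flag settings a reviewer would question. Assumption: the status
# text arrives on stdin, e.g.  sudo cryptsetup status MyEncData | sh luks_audit.sh -
# (file name and the "-" argument are hypothetical). The two samples below are
# constructed: the first copies the tutorial's listing, the second is what a
# current cryptsetup default (LUKS2, 512-bit XTS key) reports.

# Reads `cryptsetup status` text from stdin, prints one OK/WARN line per check
# and returns 1 if any check warned, 0 if all passed, 2 if the input is unusable.
luks_audit_status() {
    hdr=""; cipher=""; keysize=""; weak=0
    while IFS= read -r line; do
        case "$line" in
            *"type:"*)    hdr=$(printf '%s' "$line" | sed 's/.*type:[[:space:]]*//') ;;
            *"cipher:"*)  cipher=$(printf '%s' "$line" | sed 's/.*cipher:[[:space:]]*//') ;;
            *"keysize:"*) keysize=$(printf '%s' "$line" | sed 's/.*keysize:[[:space:]]*\([0-9][0-9]*\).*/\1/') ;;
        esac
    done
    if [ -z "$hdr" ] || [ -z "$cipher" ] || [ -z "$keysize" ]; then
        echo "ERROR: no LUKS status found on stdin"; return 2
    fi

    # 1. Header version. LUKS1 only supports PBKDF2 for passphrase hashing;
    #    LUKS2 adds the memory-hard argon2id and is the current default.
    case "$hdr" in
        LUKS2) echo "OK   type=$hdr" ;;
        *)     echo "WARN type=$hdr (PBKDF2 only; prefer LUKS2 with argon2id)"; weak=1 ;;
    esac

    # 2. Cipher spec is cipher-mode-iv. An IV of "plain" is a 32-bit sector
    #    number and repeats on devices over 2 TiB; "plain64" does not.
    #    CBC without ESSIV is open to watermarking; XTS is the current default.
    mode=$(printf '%s' "$cipher" | cut -d- -f2)
    iv=$(printf '%s' "$cipher" | cut -d- -f3-)
    if [ "$iv" = "plain" ]; then
        echo "WARN cipher=$cipher (32-bit sector IV; use plain64)"; weak=1
    elif [ "$mode" = "cbc" ] && [ "${iv#essiv}" = "$iv" ]; then
        echo "WARN cipher=$cipher (cbc without essiv)"; weak=1
    else
        echo "OK   cipher=$cipher"
    fi

    # 3. Key length. XTS splits its key into two halves, so the 256 bits in the
    #    tutorial's listing is AES-128; 512 bits gives AES-256.
    if [ "$mode" = "xts" ]; then needed=512; else needed=256; fi
    if [ "$keysize" -ge "$needed" ]; then
        echo "OK   keysize=$keysize bits"
    else
        echo "WARN keysize=$keysize bits (below $needed for $mode)"; weak=1
    fi
    return "$weak"
}

# Constructed sample: the tutorial's own `cryptsetup -v status MyEncData` listing.
SAMPLE_LUKS1_256='/dev/mapper/MyEncData is active and is in use.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 256 bits
  device:  /dev/sdb1
  offset:  4096 sectors
  size:    1042432 sectors
  mode:    read/write'

# Constructed sample: the same device as a current cryptsetup would create it.
SAMPLE_LUKS2_512='/dev/mapper/MyEncData is active and is in use.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: keyring
  device:  /dev/sdb1
  sector size:  512
  offset:  32768 sectors
  size:    1013760 sectors
  mode:    read/write'

if [ "${1:-}" = "-" ]; then
    luks_audit_status            # audit whatever was piped in
else
    for s in "$SAMPLE_LUKS1_256" "$SAMPLE_LUKS2_512"; do
        printf '%s\n' "$s" | luks_audit_status && echo "-> acceptable" || echo "-> weak"
    done
fi
```

Run without arguments it audits the two built-in samples; the tutorial's listing comes back as weak on the header version and the key length, the LUKS2 one passes. Pipe a real status output in with "-" to audit a live mapping, for example from a host-hardening check.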
Test the encrypted device

john@ubuntu1404:/$ cd /private
john@ubuntu1404:/private$ sudo touch sample.data
john@ubuntu1404:/private$ ls -al
total 5
drwxrwxrwx  2 root root 1024 Sep 29 21:50 .
drwxr-xr-x 24 root root 4096 Sep 29 21:45 ..
-rw-r--r--  1 root root    0 Sep 29 21:50 sample.data
Unmount the LUKS device

john@ubuntu1404:/$ cd /
john@ubuntu1404:/$ sudo umount /private

Verify with df that the device is no longer mounted: /private no longer appears in the list.

john@ubuntu1404:/$ df -h
Filesystem                   Size  Used Avail Use% Mounted on
/dev/mapper/ubuntu--vg-root  8.5G  6.3G  1.8G  79% /
none                         4.0K     0  4.0K   0% /sys/fs/cgroup
udev                         483M  4.0K  483M   1% /dev
tmpfs                        100M  928K   99M   1% /run
none                         5.0M     0  5.0M   0% /run/lock
none                         497M  152K  497M   1% /run/shm
none                         100M   36K  100M   1% /run/user
/dev/sda1                    236M   76M  148M  34% /boot
Close the LUKS device with luksClose

Unmounting alone leaves the mapping open, so the decrypted device is still reachable by root. luksClose removes the mapping and discards the key held by dm-crypt; from then on the data on /dev/sdb1 is ciphertext until the container is opened again.

### The device mapping still exists
john@ubuntu1404:/$ ls -l /dev/mapper/MyEncData
lrwxrwxrwx 1 root root 7 Sep 29 21:25 /dev/mapper/MyEncData -> ../dm-2
### Run luksClose
john@ubuntu1404:/$ sudo cryptsetup luksClose /dev/mapper/MyEncData
### The device is gone
john@ubuntu1404:/$ ls -l /dev/mapper/MyEncData
ls: cannot access /dev/mapper/MyEncData: No such file or directory
Reopen the device

john@ubuntu1404:/$ sudo cryptsetup luksOpen /dev/sdb1 MyEncData
Enter passphrase for /dev/sdb1:

Mount the device

john@ubuntu1404:/$ cd /
john@ubuntu1404:/$ sudo mount /dev/mapper/MyEncData /private
john@ubuntu1404:/$ cd /private
john@ubuntu1404:/private$ ls -l
total 0
-rw-r--r-- 1 root root 0 Sep 29 21:50 sample.data
Change the passphrase of a LUKS device

Passphrases are managed per key slot with luksAddKey and luksRemoveKey (luksChangeKey replaces one in a single step). Because the master key is stored in the header encrypted under each slot, adding or removing a passphrase rewrites only the header, not the data. Run luksDump on the partition first to see which slots are in use, and never remove the last one: with no slot left there is no way to recover the master key. From the cryptsetup manual:

luksAddKey <device> [<key file with new key>]
    adds a new passphrase. An existing passphrase must be supplied interactively or via --key-file. The new passphrase to be added can be specified interactively or read from the file given as positional argument.

luksRemoveKey <device> [<key file with passphrase to be removed>]
    Removes the supplied passphrase from the LUKS device. The passphrase to be removed can be specified interactively, as positional argument or via --key-file.
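The whole procedure on this page, luksFormat through luksOpen, mkfs, mount and luksClose, followed by the luksAddKey/luksRemoveKey rotation from this section, as one script against a file-backed loop device so it can be tried without a spare disk. This is an added example, not the tutorial's own code. It assumes root, cryptsetup 2.x (for --type luks2 and --pbkdf argon2id), util-linux losetup and mkfs.ext4; the paths under /tmp, the mapping name demo_enc and the LUKS_DEMO_RUN environment variable are assumptions of the example. Keys are supplied through key files so no passphrase is typed or echoed on the command line, and the header is backed up before any data is written.

```shell
#!/bin/sh
# Added example, not from the original tutorial: the page's LUKS life-cycle
# scripted against a file-backed loop device. Assumes root, cryptsetup 2.x,
# losetup and mkfs.ext4. Paths under /tmp, the mapping name demo_enc and the
# LUKS_DEMO_RUN variable are hypothetical. Run: sudo LUKS_DEMO_RUN=1 sh luks_demo.sh
set -eu

IMG=/tmp/luks-demo.img          # stands in for /dev/sdb1
MAPNAME=demo_enc                # stands in for MyEncData
MNT=/tmp/luks-demo-mnt          # stands in for /private
KEYDIR=/tmp/luks-demo-keys      # key files and header backup (demo only, removed at exit)

# Create a random key file that only its owner can read, refusing to
# overwrite an existing one. Prints the path. Arguments: dir name [bytes].
make_keyfile() {
    dir=$1; name=$2; bytes=${3:-4096}
    mkdir -p "$dir"
    if [ -e "$dir/$name" ]; then
        echo "refusing to overwrite $dir/$name" >&2
        return 1
    fi
    # umask in a subshell so the file is never readable by others, even briefly
    ( umask 077 && dd if=/dev/urandom of="$dir/$name" bs="$bytes" count=1 2>/dev/null )
    chmod 400 "$dir/$name"
    actual=$(wc -c < "$dir/$name" | tr -d ' ')
    [ "$actual" -eq "$bytes" ] || { echo "short read from /dev/urandom" >&2; return 1; }
    printf '%s\n' "$dir/$name"
}

cleanup() {
    mountpoint -q "$MNT" 2>/dev/null && umount "$MNT" || true
    [ -e "/dev/mapper/$MAPNAME" ] && cryptsetup close "$MAPNAME" || true
    [ -n "${DEV:-}" ] && losetup -d "$DEV" || true
    rm -rf "$IMG" "$MNT" "$KEYDIR"
}

luks_demo() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    trap cleanup EXIT

    # 1. A 64 MiB image attached as a loop device plays the role of /dev/sdb1.
    dd if=/dev/zero of="$IMG" bs=1M count=64 2>/dev/null
    DEV=$(losetup --find --show "$IMG")

    # 2. luksFormat with every security-relevant parameter stated explicitly
    #    instead of trusting version-dependent defaults: LUKS2 header,
    #    AES in XTS with a 512-bit key (AES-256), argon2id for the PBKDF.
    KEY1=$(make_keyfile "$KEYDIR" primary.key)
    cryptsetup luksFormat --batch-mode --type luks2 --cipher aes-xts-plain64 \
        --key-size 512 --pbkdf argon2id --key-file "$KEY1" "$DEV"

    # 3. Back up the header before storing data: it holds the only copy of
    #    the encrypted master key, so a damaged header loses the whole volume.
    cryptsetup luksHeaderBackup "$DEV" --header-backup-file "$KEYDIR/header.bak"

    # 4. Open (creates /dev/mapper/demo_enc), make a filesystem, mount, write.
    cryptsetup open --key-file "$KEY1" "$DEV" "$MAPNAME"
    mkfs.ext4 -q "/dev/mapper/$MAPNAME"
    mkdir -p "$MNT"
    mount "/dev/mapper/$MAPNAME" "$MNT"
    echo "sample" > "$MNT/sample.data"

    # 5. Key rotation: add a second slot (authorising with the first key),
    #    list the enabled slots, then remove the first. Always check luksDump
    #    before a removal; removing the last slot makes the data unrecoverable.
    KEY2=$(make_keyfile "$KEYDIR" secondary.key)
    cryptsetup luksAddKey --key-file "$KEY1" "$DEV" "$KEY2"
    cryptsetup luksDump "$DEV" | grep -E '^[[:space:]]+[0-9]+: luks2'
    cryptsetup luksRemoveKey "$DEV" "$KEY1"

    # 6. Unmount and close, then prove the revoked key no longer unlocks the
    #    volume while the new one does (--test-passphrase checks without mapping).
    umount "$MNT"
    cryptsetup close "$MAPNAME"
    if cryptsetup open --test-passphrase --key-file "$KEY1" "$DEV" 2>/dev/null; then
        echo "revoked key still unlocks the volume" >&2; return 1
    fi
    cryptsetup open --test-passphrase --key-file "$KEY2" "$DEV"
    echo "ok: formatted, mounted, key rotated, old slot revoked on $DEV"
}

if [ "${LUKS_DEMO_RUN:-0}" = "1" ]; then
    luks_demo
fi
```

The demo only runs when LUKS_DEMO_RUN=1 is set, because it needs root and creates and destroys a loop device; sourcing the file without it just defines the functions, so make_keyfile can be reused on its own when preparing a key file for a non-interactive luksAddKey or luksOpen. In production the header backup and key files would of course live somewhere other than /tmp, and the cleanup that deletes them is specific to this throwaway run.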