Encrypting Storage Devices with LUKS

Date: 2019-04-29 03:17:32  Source: igfitidea

What is LUKS (Linux Unified Key Setup)?

Linux Unified Key Setup, or LUKS, is a disk encryption specification created by Clemens Fruhwirth in 2004, originally intended for the Linux operating system.

Typically, LUKS runs on Linux and is based on an enhanced version of cryptsetup, using dm-crypt as the disk encryption backend.

dm-crypt is a transparent disk encryption subsystem in Linux kernel version 2.6 and later. It is part of the device mapper infrastructure and uses the cryptographic routines of the kernel's Crypto API.

dm-crypt can encrypt whole disks (including removable storage media), partitions, software RAID volumes, logical volumes, and files.

What is cryptsetup?

cryptsetup provides the commands for Linux Unified Key Setup (LUKS). An encryption passphrase must be supplied each time the disk is mounted, and each volume can use only one key. The symmetric encryption key is derived directly from the supplied passphrase.

Installing the cryptsetup command on Debian-based systems

sudo apt-get update 
sudo apt-get install cryptsetup 

Installing the cryptsetup command on Red Hat-based distributions

yum install cryptsetup -y

Creating a partition on an unused disk

Identify the disk with fdisk -l

The fdisk -l command displays the disks available to the system. These may be disks that are in use as well as disks that have been allocated but are not in use (that is, have no partitions).

john@ubuntu1404:~$ sudo fdisk -l
[sudo] password for john: 

Disk /dev/sda: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders, total 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000628fb

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048      499711      248832   83  Linux
/dev/sda2          501758    20969471    10233857    5  Extended
/dev/sda5          501760    20969471    10233856   8e  Linux LVM

Disk /dev/sdb: 536 MB, 536870912 bytes
255 heads, 63 sectors/track, 65 cylinders, total 1048576 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Disk /dev/sdb doesn't contain a valid partition table

Disk /dev/mapper/ubuntu--vg-root: 9403 MB, 9403629568 bytes
255 heads, 63 sectors/track, 1143 cylinders, total 18366464 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Disk /dev/mapper/ubuntu--vg-root doesn't contain a valid partition table

Disk /dev/mapper/ubuntu--vg-swap_1: 1073 MB, 1073741824 bytes
255 heads, 63 sectors/track, 130 cylinders, total 2097152 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Disk /dev/mapper/ubuntu--vg-swap_1 doesn't contain a valid partition table

We can see that there is a device named /dev/sdb that has not been used yet. This is the disk we will use for the example.

Create a partition on the disk

Use fdisk to create a standard Linux partition on the device /dev/sdb.

john@ubuntu1404:~$ sudo fdisk /dev/sdb
[sudo] password for john: 
Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0xfb0b3262.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): p
Partition number (1-4, default 1): 
Using default value 1
First sector (2048-1048575, default 2048): 
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-1048575, default 1048575): 
Using default value 1048575

Command (m for help): p

Disk /dev/sdb: 536 MB, 536870912 bytes
255 heads, 63 sectors/track, 65 cylinders, total 1048576 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0xfb0b3262

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1            2048     1048575      523264   83  Linux

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

Verify the new partition with fdisk -l

Because this is the first partition allocated on the device /dev/sdb, it is named /dev/sdb1.

john@ubuntu1404:~$ sudo fdisk -l

Disk /dev/sdb: 536 MB, 536870912 bytes
70 heads, 4 sectors/track, 3744 cylinders, total 1048576 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0xfb0b3262

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1            2048     1048575      523264   83  Linux

Create the LUKS partition with luksFormat

john@ubuntu1404:~$ sudo cryptsetup luksFormat /dev/sdb1

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: 
Verify passphrase:

Open the device under a mapping name

john@ubuntu1404:~$ sudo cryptsetup luksOpen /dev/sdb1 MyEncData
Enter passphrase for /dev/sdb1: 

Create a file system on the encrypted device

Before the encrypted device can be used, you need to create a file system on it.

john@ubuntu1404:~$ sudo mkfs.ext4 /dev/mapper/MyEncData
mke2fs 1.42.9 (4-Feb-2014)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
130560 inodes, 521216 blocks
26060 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67633152
64 block groups
8192 blocks per group, 8192 fragments per group
2040 inodes per group
Superblock backups stored on blocks: 
	8193, 24577, 40961, 57345, 73729, 204801, 221185, 401409

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done 

Mount the encrypted device

Create a mount point, then mount the device with the mount command.

john@ubuntu1404:/$ sudo mkdir private
john@ubuntu1404:/$ sudo mount /dev/mapper/MyEncData /private

Verify the status of the LUKS device

john@ubuntu1404:/$ df -hT
john@ubuntu1404:/private$ sudo cryptsetup -v status MyEncData
/dev/mapper/MyEncData is active and is in use.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 256 bits
  device:  /dev/sdb1
  offset:  4096 sectors
  size:    1042432 sectors
  mode:    read/write
Command successful.

Test the encrypted device

john@ubuntu1404:/$ cd /private
john@ubuntu1404:/private$ sudo touch sample.data
john@ubuntu1404:/private$ ls -al
total 5
drwxrwxrwx  2 root root 1024 Sep 29 21:50 .
drwxr-xr-x 24 root root 4096 Sep 29 21:45 ..
-rw-r--r--  1 root root    0 Sep 29 21:50 sample.data

Unmount the LUKS device

john@ubuntu1404:/$ cd /
john@ubuntu1404:/$ sudo umount /private

Verify the device is no longer mounted with "df"

john@ubuntu1404:/$ df -h
Filesystem                   Size  Used Avail Use% Mounted on
/dev/mapper/ubuntu--vg-root  8.5G  6.3G  1.8G  79% /
none                         4.0K     0  4.0K   0% /sys/fs/cgroup
udev                         483M  4.0K  483M   1% /dev
tmpfs                        100M  928K   99M   1% /run
none                         5.0M     0  5.0M   0% /run/lock
none                         497M  152K  497M   1% /run/shm
none                         100M   36K  100M   1% /run/user
/dev/sda1                    236M   76M  148M  34% /boot

Close the LUKS device with luksClose

### The mapping is still present after the unmount
john@ubuntu1404:/$ ls -l /dev/mapper/MyEncData 
lrwxrwxrwx 1 root root 7 Sep 29 21:25 /dev/mapper/MyEncData -> ../dm-2
### Run the luksClose command
john@ubuntu1404:/$ sudo cryptsetup luksClose /dev/mapper/MyEncData
### The mapping is no longer available
john@ubuntu1404:/$ ls -l /dev/mapper/MyEncData 
ls: cannot access /dev/mapper/MyEncData: No such file or directory

Reopen the device

john@ubuntu1404:/$ sudo cryptsetup luksOpen /dev/sdb1 MyEncData
Enter passphrase for /dev/sdb1: 

Mount the device

john@ubuntu1404:/$ cd /
john@ubuntu1404:/$ sudo mount /dev/mapper/MyEncData /private

john@ubuntu1404:/$ cd /private

john@ubuntu1404:/private$ ls -l
total 0
-rw-r--r-- 1 root root 0 Sep 29 21:50 sample.data
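The whole lifecycle shown above (luksFormat, luksOpen, mkfs.ext4, mount, then umount and luksClose) collected into shell functions with the state checks a practitioner would want before touching a disk. This is an added example, not code from the original article; the function names, the DRY_RUN switch and the use of blkid -p and cryptsetup isLuks as guards are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original article: the article's
# luksFormat -> luksOpen -> mkfs -> mount and umount -> luksClose steps as
# functions with state checks. DRY_RUN=1 prints the privileged commands
# instead of running them, so the logic can be exercised without root or a disk.
set -eu

run() {
    # Run a privileged command, or echo it when DRY_RUN=1.
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "sudo $*"; else sudo "$@"; fi
}

luks_create() {
    # $1 = partition (e.g. /dev/sdb1), $2 = mapping name, $3 = mount point.
    # Refuse to format a partition that already carries a filesystem or LUKS
    # signature: luksFormat overwrites the data irrevocably.
    dev=$1; name=$2; mnt=$3
    if [ "${DRY_RUN:-0}" != "1" ] && sudo blkid -p "$dev" >/dev/null 2>&1; then
        echo "refusing: $dev already has a signature (see blkid -p $dev)" >&2
        return 1
    fi
    run cryptsetup luksFormat "$dev"          # asks for YES and a passphrase
    run cryptsetup luksOpen "$dev" "$name"    # asks for the passphrase
    run mkfs.ext4 "/dev/mapper/$name"
    run mkdir -p "$mnt"
    run mount "/dev/mapper/$name" "$mnt"
}

luks_open_mount() {
    # Reopen an existing LUKS partition and mount it; never formats.
    dev=$1; name=$2; mnt=$3
    if [ "${DRY_RUN:-0}" != "1" ] && ! sudo cryptsetup isLuks "$dev"; then
        echo "refusing: $dev has no LUKS header" >&2
        return 1
    fi
    run cryptsetup luksOpen "$dev" "$name"
    run mkdir -p "$mnt"
    run mount "/dev/mapper/$name" "$mnt"
}

luks_umount_close() {
    # Unmount first and close the mapping only if that succeeded; while the
    # filesystem is still mounted, luksClose would fail as "device busy" anyway.
    name=$1; mnt=$2
    if ! run umount "$mnt"; then
        echo "umount $mnt failed; leaving /dev/mapper/$name open" >&2
        return 1
    fi
    run cryptsetup luksClose "$name"
}
```

With DRY_RUN unset the functions run the real commands via sudo, so call luks_create only on a partition you intend to wipe.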

Changing the passphrases of a LUKS device

Passphrases are added and removed with the luksAddKey and luksRemoveKey commands described below.

luksAddKey <device> [<key file with new key>]

              adds  a  new passphrase. An existing passphrase must be supplied
              interactively or via --key-file.  The new passphrase to be added
              can  be  specified  interactively or read from the file given as
              positional argument.

luksRemoveKey <device> [<key file with passphrase to be removed>]

              Removes the  supplied  passphrase  from  the  LUKS  device.  The
              passphrase  to  be  removed  can  be specified interactively, as
              positional argument or via --key-file.