Reference: https://wiki.archlinux.org/index.php/Disk_encryption

The link above is about disk encryption and describes several methods; in practice the choice comes down to dm-crypt with LUKS.

Decrypting the root partition and the /boot partition from GRUB.

dm-crypt documentation: https://wiki.archlinux.org/index.php/Dm-crypt

Encrypting a non-root partition with dm-crypt: https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_a_non-root_file_system

dm-crypt offers two encryption modes: PLAIN and LUKS (Linux Unified Key Setup).

I don't really know the exact difference either; put simply, LUKS stores metadata about the encryption and the cipher setup in the file system (the disk partition?), while PLAIN stores none. LUKS is dm-crypt's default mode.

A pile of poor documentation, none of it as clear as the man page.

DESCRIPTION
       cryptsetup  is  used  to  conveniently setup dm-crypt managed device-mapper mappings. These include plain dm-crypt volumes and
       LUKS volumes. The difference is that LUKS uses a metadata header and can hence offer more features than plain dm-crypt. On the
       other hand, the header is visible and vulnerable to damage.

This man page is so well written that it ranks in the top three of all the man pages I have read.

/home/tong/bin [tong@T7] [19:24]
> man cryptsetup

Part 1: First, set up a virtual machine for the experiments:

[root@t206 arch-crypt]# qemu-system-x86_64 -vnc 0.0.0.0:1 --enable-kvm -smp 1 -m 1G -drive file=disk.qcow2,if=virtio -net bridge -net nic,model=virtio -cdrom ../iso/archlinux-2017.05.01-x86_64.iso

Part 2: Encrypting a non-root partition

1. Format the LUKS partition

root@archiso ~ # cryptsetup luksFormat /dev/vda

WARNING!
========
This will overwrite data on /dev/vda irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: 
Verify passphrase: 
cryptsetup luksFormat /dev/vda  5.00s user 0.01s system 41% cpu 12.157 total
root@archiso ~ # 

A keyfile can be given as an additional argument, in which case the contents of the keyfile are used as the passphrase.

2. Open the encrypted partition (decrypt)

root@archiso ~ # cryptsetup open /dev/vda vd_root
Enter passphrase for /dev/vda: 
root@archiso ~ # ll /dev/mapper/vd_root
lrwxrwxrwx 1 root root 7 Jun  1 11:58 /dev/mapper/vd_root -> ../dm-0

3. Create the file system

root@archiso ~ # mkfs.xfs /dev/mapper/vd_root

4. Mount and use

root@archiso ~ # mount /dev/mapper/vd_root mnt 
root@archiso ~ # ll
total 9
-rw-r--r-- 1 root root 8864 May  1 07:04 install.txt
drwxr-xr-x 2 root root    6 Jun  2 01:56 mnt
root@archiso ~ # cd mnt 
root@archiso ~/mnt # ll
total 0
root@archiso ~/mnt # touch 123
root@archiso ~/mnt # touch txt
root@archiso ~/mnt # vim txt 
root@archiso ~/mnt # cat txt 
123456
root@archiso ~/mnt # ls
123  txt
root@archiso ~/mnt # ll
total 4
-rw-r--r-- 1 root root 0 Jun  2 01:57 123
-rw-r--r-- 1 root root 7 Jun  2 01:57 txt
root@archiso ~/mnt # cd ..

5. Unmount and close

root@archiso ~ # umount mnt 
root@archiso ~ # cryptsetup close vd_root
root@archiso ~ # ll /dev/mapper 
total 0
crw------- 1 root root 10, 236 Jun  1 11:58 control
root@archiso ~ # 
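To make the PLAIN-versus-LUKS difference from the man page concrete, and to show what luksFormat actually wrote to the start of /dev/vda in the steps above, here is an added Python example (not from the original post and not cryptsetup's own code) that decodes a LUKS1 header. It assumes LUKS1, which is what cryptsetup of that era created by default, and works on a constructed sample header rather than reading a real disk.

```python
"""Decode the on-disk LUKS1 header that a plain dm-crypt volume does not have."""
import struct
from typing import Optional

LUKS_MAGIC = b"LUKS\xba\xbe"
KEY_ENABLED, KEY_DISABLED = 0x00AC71F3, 0x0000DEAD   # key-slot "active" values, LUKS1 spec
# Fixed part of the LUKS1 header (integers big-endian): magic, version, cipher name,
# cipher mode, hash spec, payload offset (512-byte sectors), master-key length,
# master-key digest, digest salt, digest iterations, UUID string.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
# One of the 8 key slots that follow: active flag, PBKDF2 iterations, salt,
# key-material offset (sectors), anti-forensic stripes.
SLOT = struct.Struct(">II32sII")
NUM_SLOTS = 8

def _cstr(b: bytes) -> str:
    return b.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_luks1_header(buf: bytes) -> Optional[dict]:
    """Decode the header at the start of a device image; None if it is not LUKS1."""
    if len(buf) < PHDR.size + NUM_SLOTS * SLOT.size or buf[:6] != LUKS_MAGIC:
        return None   # plain dm-crypt writes no magic, so there is nothing to recognise
    (_, ver, cipher, mode, hsh, payload, key_bytes,
     _digest, _salt, mk_iter, uuid) = PHDR.unpack_from(buf)
    if ver != 1:
        return None   # LUKS2 keeps its metadata as JSON in a different layout
    slots = []
    for i in range(NUM_SLOTS):
        active, iters, _s, km_off, stripes = SLOT.unpack_from(buf, PHDR.size + i * SLOT.size)
        slots.append({"active": active == KEY_ENABLED, "iterations": iters,
                      "key_material_offset": km_off, "stripes": stripes})
    return {"cipher": _cstr(cipher), "mode": _cstr(mode), "hash": _cstr(hsh),
            "payload_offset_sectors": payload, "key_bytes": key_bytes,
            "mk_iterations": mk_iter, "uuid": _cstr(uuid), "slots": slots}

def build_sample_header() -> bytes:
    """Constructed LUKS1 header with dummy digest/salts (not read from a real disk):
    aes-xts-plain64, 256-bit key, one active key slot."""
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096, 32,
                    b"\x11" * 20, b"\x22" * 32, 100000,
                    b"00000000-0000-0000-0000-0000c0ffee00")   # constructed UUID
    for i in range(NUM_SLOTS):
        active = KEY_ENABLED if i == 0 else KEY_DISABLED
        hdr += SLOT.pack(active, 200000 if i == 0 else 0, b"\x33" * 32, 8 + i * 256, 4000)
    return hdr + b"\0" * (1024 - len(hdr))   # the struct is padded to 1 KiB on disk

if __name__ == "__main__":
    print(parse_luks1_header(build_sample_header()))
    print(parse_luks1_header(b"\0" * 1024))   # no magic, as on a plain dm-crypt device
```

Everything in this header is stored in the clear and exists in a single copy at the start of the device, which is why the man page calls it visible and vulnerable to damage; cryptsetup luksHeaderBackup exists precisely so that a damaged header does not make the volume unrecoverable.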

 

Part 3: Encrypting the entire system

https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system

There are several approaches, including encrypting the boot partition; there is a lot of material.

Securing the boot partition and the MBR: https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Securing_the_unencrypted_boot_partition

chkboot (checks whether the partition has been tampered with?)

First, I'll go with the simple approach: btrfs on top of LUKS. See the btrfs section of the document above.

The details of btrfs branch off to here: http://www.cnblogs.com/hugetong/p/6934247.html

The key to full-system encryption lies in the initrd, GRUB, the boot partition, and the kernel.

Partitioning is no different from the non-root case, so it isn't repeated here.

Actually, there is a difference: on this disk I need to carve out a boot partition and a swap partition, and for UEFI also an ESP partition.

On parted's unit handling: https://www.gnu.org/software/parted/manual/parted.html#unit

1. Use a GPT partition table

root@archiso ~ # parted /dev/vda 
GNU Parted 3.2
Using /dev/vda
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) mktable gpt

2. Create the BIOS GRUB partition

The bios_grub partition needs only 31 KiB, but for alignment and room to grow we use 1 MiB.

https://www.gnu.org/software/grub/manual/html_node/BIOS-installation.html

(parted) mkpart fat32 1MiB 2MiB  
(parted) set 1 bios_grub on
(parted) print                                                            
Model: Virtio Block Device (virtblk)
Disk /dev/vda: 20971520kiB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags: 

Number  Start    End      Size     File system  Name  Flags
 1      1024kiB  2048kiB  1024kiB                     bios_grub

(parted)

3. Create the boot partition. Everything needed before the root partition is mounted lives here; we choose a size of 1 GiB.

  A suggested size for /boot is 200 MiB unless using UEFI, in which case greater than 512 MiB is needed.

(parted) mkpart ext4 2MiB 1026MiB                                       
(parted) print                                                            
Model: Virtio Block Device (virtblk)
Disk /dev/vda: 20971520kiB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags: 

Number  Start    End         Size        File system  Name  Flags
 1      1024kiB  2048kiB     1024kiB                        bios_grub
 2      2048kiB  1050624kiB  1048576kiB

(parted)

4. The swap partition. These days there is no size requirement for swap; the only requirement comes from suspend and hibernate.

The file /sys/power/image_size sets the limit on the size of the hibernation image. The default is 2/5 of RAM.

  https://wiki.archlinux.org/index.php/Partitioning#Swap

  https://wiki.archlinux.org/index.php/Power_management/Suspend_and_hibernate#Hibernation

(parted) mkpart primary linux-swap 1026MiB 3074MiB
(parted) print                                                            
Model: Virtio Block Device (virtblk)
Disk /dev/vda: 20480MiB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags: 

Number  Start    End      Size     File system     Name  Flags
 1      1.00MiB  2.00MiB  1.00MiB                        bios_grub
 2      2.00MiB  1026MiB  1024MiB
 3      1026MiB  3074MiB  2048MiB  linux-swap(v1)

(parted)

5. Turn the remaining space into crypt-LUKS + btrfs

(parted) mkpart primary 3074MiB 100%                   
(parted) print                                                            
Model: Virtio Block Device (virtblk)
Disk /dev/vda: 20480MiB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags: 

Number  Start    End       Size      File system     Name  Flags
 1      1.00MiB  2.00MiB   1.00MiB                         bios_grub
 2      2.00MiB  1026MiB   1024MiB
 3      1026MiB  3074MiB   2048MiB   linux-swap(v1)
 4      3074MiB  20479MiB  17405MiB

(parted)                        
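The five parted steps above follow a few rules (bios_grub at 1 MiB for alignment, /boot at least 200 MiB, swap large enough for a hibernation image of 2/5 of RAM). As an added example that is not part of the original post, this Python helper applies those rules to a disk and RAM size, rejects layouts that break them, and emits the parted commands; the partition names and the `name N ...` commands are my own addition, not the post's.

```python
"""Plan the GPT layout from the post and emit the matching parted commands (sizes in MiB)."""

# (name, size in MiB, fstype) for the fixed partitions; the LUKS root takes the rest
FIXED = (("bios_grub", 1, "fat32"), ("boot", None, "ext4"), ("swap", None, "linux-swap"))

def plan_layout(disk_mib: int, ram_mib: int, boot_mib: int = 1024, swap_mib: int = 2048) -> list:
    """Return [(name, start_mib, end_mib, fstype)] for bios_grub, boot, swap and root.

    Checks: /boot >= 200 MiB (the wiki guideline quoted in the post) and swap at least
    as large as the default hibernation image ceiling, 2/5 of RAM (/sys/power/image_size).
    """
    if boot_mib < 200:
        raise ValueError(f"/boot of {boot_mib} MiB is below the 200 MiB guideline")
    hib_image = ram_mib * 2 // 5
    if swap_mib < hib_image:
        raise ValueError(f"swap of {swap_mib} MiB cannot hold a {hib_image} MiB hibernation image")
    sizes = {"boot": boot_mib, "swap": swap_mib}
    layout, cursor = [], 1          # leave the first MiB free so partition 1 is 1 MiB aligned
    for name, size, fstype in FIXED:
        size = sizes.get(name, size)
        layout.append((name, cursor, cursor + size, fstype))
        cursor += size
    if disk_mib - cursor < 1024:    # assumed floor for a usable LUKS+btrfs root
        raise ValueError("less than 1 GiB left for the LUKS root")
    layout.append(("root", cursor, disk_mib, None))   # fstype None: LUKS is created later
    return layout

def parted_commands(layout: list) -> list:
    """Render the layout as the interactive parted commands used in the post."""
    cmds = ["mktable gpt"]
    for num, (name, start, end, fstype) in enumerate(layout, 1):
        end_s = "100%" if num == len(layout) else f"{end}MiB"   # last partition fills the disk
        fs = f" {fstype}" if fstype else ""
        cmds.append(f"mkpart primary{fs} {start}MiB {end_s}")
        cmds.append(f"name {num} {name}")
        if name == "bios_grub":
            cmds.append(f"set {num} bios_grub on")
    return cmds

if __name__ == "__main__":
    # constructed input: the post's 20 GiB virtio disk and the VM's 1 GiB of RAM
    for line in parted_commands(plan_layout(20480, 1024)):
        print(line)
```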

 

Initialize the file system on each partition, the same as before.

root@archiso ~ # mkfs.fat /dev/sda1
mkfs.fat 4.1 (2017-01-24)
mkfs.fat: unable to open /dev/sda1: No such file or directory
1 root@archiso ~ # mkfs.fat /dev/vda1                                                                                                 :(
mkfs.fat 4.1 (2017-01-24)
root@archiso ~ # mkfs.fat /dev/vda2
mkfs.fat 4.1 (2017-01-24)
root@archiso ~ # mkswap /dev/vda3 
Setting up swapspace version 1, size = 2 GiB (2147479552 bytes)
no label, UUID=3b11937b-85fb-4c8a-8f8f-97e75097b4e1
root@archiso ~ # cryptsetup luksFormat /dev/vda4 

WARNING!
========
This will overwrite data on /dev/vda4 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: 
Verify passphrase: 
cryptsetup luksFormat /dev/vda4  5.00s user 0.03s system 24% cpu 20.180 total
root@archiso ~ # cryptsetup luksFormat /dev/vda4

WARNING!
========
This will overwrite data on /dev/vda4 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: 
Verify passphrase: 
Passphrases do not match.
2 root@archiso ~ # cryptsetup luksFormat /dev/vda4                                                                                    :(

WARNING!
========
This will overwrite data on /dev/vda4 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: 
Verify passphrase: 
root@archiso ~ # cryptsetup luksFormat /dev/vda4

WARNING!
========
This will overwrite data on /dev/vda4 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: 
Verify passphrase: 
root@archiso ~ # 
root@archiso ~ # 
root@archiso ~ # 
root@archiso ~ # parted -l /dev/vda
Warning: Unable to open /dev/sr0 read-write (Read-only file system).  /dev/sr0
has been opened read-only.
Model: QEMU QEMU DVD-ROM (scsi)                                           
Disk /dev/sr0: 504MB
Sector size (logical/physical): 2048B/2048B
Partition Table: msdos
Disk Flags: 

Number  Start  End    Size   Type     File system  Flags
 2      336kB  269MB  268MB  primary               esp


Model: Virtio Block Device (virtblk)
Disk /dev/vda: 21.5GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags: 

Number  Start   End     Size    File system     Name       Flags
 1      1049kB  2097kB  1049kB                  bios_grub  bios_grub
 2      2097kB  1076MB  1074MB  fat32           boot
 3      1076MB  3223MB  2147MB  linux-swap(v1)  swap
 4      3223MB  21.5GB  18.3GB                  root


root@archiso ~ # 