Once a partition has been encrypted with cryptsetup, it can no longer be mounted directly. To use the partition, you must create a mapping for it under the /dev/mapper directory and mount that mapping instead. Creating the mapping requires entering the decryption passphrase.
Characteristics of partitions encrypted with cryptsetup:
1. After encryption the partition cannot be mounted directly
2. If the encrypted disk is lost, there is no need to worry about the data being stolen
3. After encryption the partition must be mapped before it can be mounted
Steps:
1. Create the partition
2. Encrypt the partition
3. Map the partition
4. Format the partition (via its mapping)
5. Mount the partition
1. Create a new partition on the disk. As shown below, a 500M partition /dev/sda7 is created.
[root@server1 ~]# fdisk /dev/sda
WARNING: DOS-compatible mode is deprecated. It's strongly recommended to
switch off the mode (command 'c') and change display units to
sectors (command 'u').
Command (m for help): p
Disk /dev/sda: 42.9 GB, 42949672960 bytes
255 heads, 63 sectors/track, 5221 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000da724
Device Boot Start End Blocks Id System
/dev/sda1 * 1 26 204800 83 Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2 26 2576 20480000 83 Linux
/dev/sda3 2576 3213 5120000 83 Linux
/dev/sda4 3213 5222 16137216 5 Extended
/dev/sda5 3213 3344 1048576 82 Linux swap / Solaris
/dev/sda6 3345 3456 899608+ 83 Linux
Command (m for help): n
First cylinder (3344-5222, default 3344): 3457
Last cylinder, +cylinders or +size{K,M,G} (3457-5222, default 5222): +500M
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table. The new table will be used at
the next reboot or after you run partprobe(8) or kpartx(8)
Syncing disks.
2. Encrypt the partition with the cryptsetup tool. A warning appears saying that the data on /dev/sda7 will be destroyed; type YES in uppercase (it must be uppercase), then enter the encryption passphrase twice.
[root@server1 ~]# cryptsetup luksFormat /dev/sda7
WARNING!
========
This will overwrite data on /dev/sda7 irrevocably.
Are you sure? (Type uppercase yes): YES    (must be uppercase)
Enter LUKS passphrase:    (enter the passphrase)
Verify passphrase:    (enter the passphrase again)
3. If you try to mount the partition at this point, mount reports that the filesystem type is an encrypted one:
[root@server1 ~]# mount /dev/sda7 /mnt
mount: unknown filesystem type 'crypto_LUKS'
4. Create a mapping for /dev/sda7 under the /dev/mapper directory; only then can the partition be used. The encryption passphrase must be entered for the mapping to succeed, as shown below:
[root@server1 ~]# cryptsetup luksOpen /dev/sda7 rhel    (rhel is the mapping name)
Enter passphrase for /dev/sda7:
5. Check the mapping. The mapping is just a symbolic link; the underlying device is /dev/dm-1, as shown below:
[root@server1 ~]# ll /dev/mapper/
total 0
crw-rw----. 1 root root 10, 58 Jul 16 05:48 control
lrwxrwxrwx. 1 root root 7 Jul 16 06:02 rhel -> ../dm-1
lrwxrwxrwx. 1 root root 7 Jul 16 05:57 udisks-luks-uuid-912a609f-1ddc-4c72-932a-c55ea18c934d-uid500 -> ../dm-0
6. Check the status of the rhel mapping, as shown below:
[root@server1 ~]# cryptsetup status /dev/mapper/rhel    (query by mapping name)
/dev/mapper/rhel is active:
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/sda7
offset: 4096 sectors
size: 1040066 sectors
mode: read/write
[root@server1 ~]# cryptsetup status /dev/dm-1    (querying by the underlying device also works)
/dev/mapper//dev/dm-1 is active:
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/sda7
offset: 4096 sectors
size: 1040066 sectors
mode: read/write
[root@server1 ~]#
7. Formatting the mapping is the same as formatting the /dev/sda7 partition, as shown below:
[root@server1 ~]# mkfs -t ext4 /dev/dm-1    (or: mkfs.ext4 /dev/mapper/rhel)
mke2fs 1.41.12 (17-May-2010)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
130048 inodes, 520032 blocks
26001 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67633152
64 block groups
8192 blocks per group, 8192 fragments per group
2032 inodes per group
Superblock backups stored on blocks:
8193, 24577, 40961, 57345, 73729, 204801, 221185, 401409
Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 23 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override
8. Mount the partition mapping, as shown below:
[root@server1 ~]# mkdir /rhel
[root@server1 ~]# mount /dev/mapper/rhel /rhel
[root@server1 ~]# ls /rhel/
lost+found
[root@server1 ~]# df -hl
Filesystem Size Used Avail Use% Mounted on
/dev/sda2 20G 3.9G 15G 21% /
tmpfs 250M 420K 250M 1% /dev/shm
/dev/sda1 194M 24M 161M 13% /boot
/dev/sda3 4.9G 139M 4.5G 3% /home
/dev/mapper/udisks-luks-uuid-912a609f-1ddc-4c72-932a-c55ea18c934d-uid500
863M 17M 803M 3% /media/opt
/dev/mapper/rhel 492M 11M 457M 3% /rhel
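Added example, not part of the original post: a small Python inspector that reads the first 592 bytes of a block device and decodes the LUKS1 header. That header is the signature behind the crypto_LUKS message in step 3, and it is where the cipher, keysize and offset printed by cryptsetup status in step 6 come from. The device path and the sample header bytes are assumptions constructed for this example; the script reads the header only and never needs the passphrase, so it is suitable for inventorying encrypted partitions.

```python
"""Inspect a LUKS1 header without opening the volume (added example, not from the original post)."""
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"                          # the signature blkid/mount report as crypto_LUKS
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")     # LUKS1 on-disk header (208 bytes, big-endian)
KEYSLOT = struct.Struct(">II32sII")                   # active, iterations, salt, key-material offset, stripes
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
HEADER_LEN = PHDR.size + 8 * KEYSLOT.size             # 208 + 8 * 48 = 592 bytes

def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_luks1_header(blob: bytes):
    """Return the fields `cryptsetup status` prints plus the active key slots; None if not LUKS1."""
    if len(blob) < HEADER_LEN or not blob.startswith(LUKS_MAGIC):
        return None
    (_magic, version, cname, cmode, hspec, payload_off, key_bytes,
     _digest, _salt, iters, uid) = PHDR.unpack_from(blob, 0)
    if version != 1:
        return None                                   # LUKS2 uses a JSON header; not handled here
    active = []
    for i in range(8):
        state = KEYSLOT.unpack_from(blob, PHDR.size + i * KEYSLOT.size)[0]
        if state == SLOT_ENABLED:
            active.append(i)
    return {
        "cipher": f"{_cstr(cname)}-{_cstr(cmode)}",   # e.g. aes-cbc-essiv:sha256, as in the post
        "keysize_bits": key_bytes * 8,                # key-bytes 32 -> "keysize: 256 bits"
        "hash": _cstr(hspec),
        "payload_offset_sectors": payload_off,        # "offset: 4096 sectors"
        "mk_iterations": iters,
        "uuid": _cstr(uid),
        "active_slots": active,
    }

def build_sample_header() -> bytes:
    """Constructed header mirroring the post's status output (sample data, not a real device dump)."""
    phdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1", 4096, 32,
                     b"\0" * 20, b"\0" * 32, 1000, b"00000000-0000-0000-0000-000000000000")
    slot0 = KEYSLOT.pack(SLOT_ENABLED, 50000, b"\0" * 32, 8, 4000)   # one passphrase enrolled
    empty = KEYSLOT.pack(SLOT_DISABLED, 0, b"\0" * 32, 0, 0)
    return phdr + slot0 + empty * 7

if __name__ == "__main__":
    # Usage: python3 luksinfo.py /dev/sda7 (needs read access to the device); no argument -> sample
    blob = open(sys.argv[1], "rb").read(HEADER_LEN) if len(sys.argv) > 1 else build_sample_header()
    print(parse_luks1_header(blob) or "not a LUKS1 header")
```

Seeing more than one active key slot, or a slot you did not enroll, is worth investigating, since every active slot unlocks the same master key.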