[cipher][archlinux][disk encryption][btrfs] Disk partition encryption + btrfs
Background reading: https://wiki.archlinux.org/index.php/Disk_encryption
The link above covers several disk encryption options; basically the choice comes down to dm-crypt with LUKS.
In GRUB, the root partition and the /boot partition are decrypted.
dm-crypt documentation: https://wiki.archlinux.org/index.php/Dm-crypt
Encrypting a non-root partition with dm-crypt: https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_a_non-root_file_system
dm-crypt has two encryption modes: PLAIN and LUKS (Linux Unified Key Setup).
I don't really know what the exact difference is; put simply, LUKS stores metadata about the encryption (cipher and so on) in the file system (or the disk partition?), whereas PLAIN does not. LUKS is dm-crypt's default mode.
A pile of lousy documentation, none of it as clear as the man page.
DESCRIPTION
cryptsetup is used to conveniently setup dm-crypt managed device-mapper mappings. These include plain dm-crypt volumes and
LUKS volumes. The difference is that LUKS uses a metadata header and can hence offer more features than plain dm-crypt. On the
other hand, the header is visible and vulnerable to damage.
This man page is so well written that it would rank in the top three of all the man pages I have read.
/home/tong/bin [tong@T7] [:]
> man cryptsetup
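To make the man page's point concrete (the LUKS header is visible, so its metadata can be read by anyone holding the disk, no passphrase required), here is an added example that is not from the original post: a minimal parser for the LUKS1 header layout, the format cryptsetup of this era wrote by default (newer releases default to LUKS2, whose JSON header this does not cover), run on a constructed sample header that reuses the page's cryptdevice UUID. It recovers what `cryptsetup luksDump` prints: cipher, hash, payload offset and which of the eight key slots are active.

```python
import struct

# LUKS1 on-disk header (big-endian), per the LUKS1 specification: a 208-byte
# phdr followed by eight 48-byte key slots, 592 bytes in total.
LUKS_MAGIC = b"LUKS\xba\xbe"
PHDR_FMT = ">6sH32s32s32sII20s32sI40s"   # magic, version, cipher, mode, hash, payload offset, key bytes, digest, salt, iterations, uuid
SLOT_FMT = ">II32sII"                    # active flag, iterations, salt, key-material offset, stripes
SLOT_ACTIVE, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD

def cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii")

def parse_luks1_header(buf):
    """Decode the metadata that anyone holding the disk can read, no passphrase needed."""
    if len(buf) < 592 or buf[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS1 header")
    (_, version, cipher, mode, hashspec, payload_off, key_bytes,
     _digest, _salt, _iters, uuid) = struct.unpack_from(PHDR_FMT, buf, 0)
    slots = []
    for i in range(8):
        active, iters, _salt, _kmo, _stripes = struct.unpack_from(SLOT_FMT, buf, 208 + 48 * i)
        slots.append({"slot": i, "active": active == SLOT_ACTIVE, "iterations": iters})
    return {"version": version, "cipher": f"{cstr(cipher)}-{cstr(mode)}", "hash": cstr(hashspec),
            "payload_offset_sectors": payload_off, "key_bytes": key_bytes,
            "uuid": cstr(uuid), "key_slots": slots}

def active_slots(header):
    """Slot numbers holding a usable passphrase or keyfile: each one can unlock the volume."""
    return [s["slot"] for s in header["key_slots"] if s["active"]]

def build_sample_header():
    """Constructed sample, not dumped from a real device: aes-xts-plain64, sha256,
    slot 0 active; digests, salts and key-material offsets are placeholders."""
    phdr = struct.pack(PHDR_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                       4096, 64, bytes(20), bytes(32), 1000,
                       b"38312920-93be-4ff6-ba88-e53505fcfb93")  # UUID reused from the page's cryptdevice=
    slots = b"".join(
        struct.pack(SLOT_FMT, SLOT_ACTIVE if i == 0 else SLOT_DISABLED,
                    300000 if i == 0 else 0, bytes(32), 8 + i * 512, 4000)
        for i in range(8))
    return phdr + slots

if __name__ == "__main__":
    h = parse_luks1_header(build_sample_header())
    print(h["cipher"], h["hash"], h["uuid"], "active slots:", active_slots(h))
```

Every active slot is an independent way in, so listing them is part of checking who can unlock a volume. Because the same header is the part that is vulnerable to damage, keep a copy made with `cryptsetup luksHeaderBackup` somewhere other than the disk itself.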
I. First, set up a virtual machine for the experiment:
[root@t206 arch-crypt]# qemu-system-x86_64 -vnc 0.0.0.0: --enable-kvm -smp -m 1G -drive file=disk.qcow2,if=virtio -net bridge -net nic,model=virtio -cdrom ../iso/archlinux-2017.05.-x86_64.iso
II. Encrypting a non-root partition
1. Format the LUKS partition
root@archiso ~ # cryptsetup luksFormat /dev/vda

WARNING!
========
This will overwrite data on /dev/vda irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
cryptsetup luksFormat /dev/vda .00s user .01s system % cpu 12.157 total
root@archiso ~ #
A further argument, a keyfile, can be appended; it means the contents of the keyfile are used as the passphrase.
2. Open (decrypt) the encrypted partition
root@archiso ~ # cryptsetup open /dev/vda vd_root
Enter passphrase for /dev/vda:
root@archiso ~ # ll /dev/mapper/vd_root
lrwxrwxrwx root root Jun : /dev/mapper/vd_root -> ../dm-
3. Create the file system
root@archiso ~ # mkfs.xfs /dev/mapper/vd_root
4. Mount and use
root@archiso ~ # mount /dev/mapper/vd_root mnt
root@archiso ~ # ll
total
-rw-r--r-- root root May : install.txt
drwxr-xr-x root root Jun : mnt
root@archiso ~ # cd mnt
root@archiso ~/mnt # ll
total
root@archiso ~/mnt # touch
root@archiso ~/mnt # touch txt
root@archiso ~/mnt # vim txt
root@archiso ~/mnt # cat txt
root@archiso ~/mnt # ls
txt
root@archiso ~/mnt # ll
total
-rw-r--r-- root root Jun :
-rw-r--r-- root root Jun : txt
root@archiso ~/mnt # cd ..
5. Unmount and close
root@archiso ~ # umount mnt
root@archiso ~ # cryptsetup close vd_root
root@archiso ~ # ll /dev/mapper
total
crw------- root root , Jun : control
root@archiso ~ #
III. Encrypting the entire system
https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system
There are several approaches, including encrypting the boot partition; there is a lot of material.
Boot partition and MBR encryption: https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Securing_the_unencrypted_boot_partition
chkboot (checks whether the partition has been tampered with?)
First, I choose the simple approach: create btrfs on top of LUKS. See the btrfs section of the document above.
The details of btrfs are branched off to: http://www.cnblogs.com/hugetong/p/6934247.html
The key to full-system encryption lies in the initrd, GRUB, the boot partition, and the kernel.
Partitioning and so on is no different from the non-root case and won't be repeated.
Well, there is a difference: on this disk I need to carve out a boot partition, a swap partition, and, on UEFI, an ESP partition as well.
On parted's unit handling: https://www.gnu.org/software/parted/manual/parted.html#unit
1. Use a GPT partition table
root@archiso ~ # parted /dev/vda
GNU Parted 3.2
Using /dev/vda
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) mktable gpt
2. Create the BIOS GRUB partition
The bios_grub partition only needs 31KiB, but for alignment and future growth we use 1MiB.
https://www.gnu.org/software/grub/manual/html_node/BIOS-installation.html
(parted) mkpart fat32 1MiB 2MiB
(parted) set bios_grub on
(parted) print
Model: Virtio Block Device (virtblk)
Disk /dev/vda: 20971520kiB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:

Number  Start    End      Size     File system  Name  Flags
        1024kiB  2048kiB  1024kiB                     bios_grub

(parted)
3. Create the boot partition. Everything needed before the root partition is mounted lives in this partition; we choose a size of 1G.
A suggested size for /boot is 200 MiB unless using UEFI, in which case greater than 512 MiB is needed.
(parted) mkpart ext4 2MiB 1026MiB
(parted) print
Model: Virtio Block Device (virtblk)
Disk /dev/vda: 20971520kiB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:

Number  Start    End         Size        File system  Name  Flags
        1024kiB  2048kiB     1024kiB                        bios_grub
        2048kiB  1050624kiB  1048576kiB

(parted)
4. Swap partition. Nowadays there is no longer any size requirement for swap; the only requirement comes from suspend and hibernate.
The file /sys/power/image_size sets the system's limit on the hibernate image size; the default is 2/5 of RAM.
https://wiki.archlinux.org/index.php/Partitioning#Swap
https://wiki.archlinux.org/index.php/Power_management/Suspend_and_hibernate#Hibernation
(parted) mkpart primary linux-swap 1026MiB 3074MiB
(parted) print
Model: Virtio Block Device (virtblk)
Disk /dev/vda: 20480MiB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:

Number  Start    End      Size     File system     Name  Flags
        .00MiB   .00MiB   .00MiB                         bios_grub
        .00MiB   1026MiB  1024MiB
        1026MiB  3074MiB  2048MiB  linux-swap(v1)

(parted)
5. Turn the remaining space into crypt-LUKS + btrfs
(parted) mkpart primary 3074MiB %
(parted) print
Model: Virtio Block Device (virtblk)
Disk /dev/vda: 20480MiB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:

Number  Start    End       Size      File system     Name  Flags
        .00MiB   .00MiB    .00MiB                          bios_grub
        .00MiB   1026MiB   1024MiB
        1026MiB  3074MiB   2048MiB   linux-swap(v1)
        3074MiB  20479MiB  17405MiB

(parted)
Create the file systems on each partition, the same as the operations above.
root@archiso ~ # mkfs.fat /dev/sda1
mkfs.fat 4.1 (--)
mkfs.fat: unable to open /dev/sda1: No such file or directory
root@archiso ~ # mkfs.fat /dev/vda1 :(
mkfs.fat 4.1 (--)
root@archiso ~ # mkfs.fat /dev/vda2
mkfs.fat 4.1 (--)
root@archiso ~ # mkswap /dev/vda3
Setting up swapspace version , size = GiB ( bytes)
no label, UUID=3b11937b-85fb-4c8a-8f8f-97e75097b4e1
root@archiso ~ # cryptsetup luksFormat /dev/vda4

WARNING!
========
This will overwrite data on /dev/vda4 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
cryptsetup luksFormat /dev/vda4 .00s user .03s system % cpu 20.180 total
root@archiso ~ # cryptsetup luksFormat /dev/vda4

WARNING!
========
This will overwrite data on /dev/vda4 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
Passphrases do not match.
root@archiso ~ # cryptsetup luksFormat /dev/vda4 :(

WARNING!
========
This will overwrite data on /dev/vda4 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
root@archiso ~ # cryptsetup luksFormat /dev/vda4

WARNING!
========
This will overwrite data on /dev/vda4 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
root@archiso ~ #
root@archiso ~ # parted -l /dev/vda
Warning: Unable to open /dev/sr0 read-write (Read-only file system). /dev/sr0
has been opened read-only.
Model: QEMU QEMU DVD-ROM (scsi)
Disk /dev/sr0: 504MB
Sector size (logical/physical): 2048B/2048B
Partition Table: msdos
Disk Flags:

Number  Start  End    Size   Type     File system  Flags
        336kB  269MB  268MB  primary               esp

Model: Virtio Block Device (virtblk)
Disk /dev/vda: .5GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:

Number  Start   End     Size    File system     Name       Flags
        1049kB  2097kB  1049kB                  bios_grub  bios_grub
        2097kB  1076MB  1074MB  fat32           boot
        1076MB  3223MB  2147MB  linux-swap(v1)  swap
        3223MB  .5GB    .3GB                    root

root@archiso ~ #
After opening the crypt partition, create the btrfs file system.
root@archiso ~ # cryptsetup open --type luks /dev/vda4 crypt_root
Enter passphrase for /dev/vda4:
root@archiso ~ # mkdir mnt
root@archiso ~ # mkfs.btrfs -L root /dev/mapper/crypt_root :(
btrfs-progs v4.10.2
See http://btrfs.wiki.kernel.org for more information.

Label:              root
UUID:               cd3b27fb-f257-4afc-b402-fec0550d014e
Node size:
Sector size:
Filesystem size:    .00GiB
Block group profiles:
  Data:             single  .00MiB
  Metadata:         DUP     .00GiB
  System:           DUP     .00MiB
SSD detected:       no
Incompat features:  extref, skinny-metadata
Number of devices:
Devices:
   ID        SIZE  PATH
          .00GiB  /dev/mapper/crypt_root

root@archiso ~ # mount /dev/mapper/crypt_root mnt
root@archiso ~ # btrfs subvolume create mnt/top :(
Create subvolume 'mnt/top'
root@archiso ~/mnt # cd top
root@archiso ~/mnt/top # mkdir snapshot
root@archiso ~/mnt/top # btrfs subvolume create root
Create subvolume './root'
root@archiso ~/mnt/top # btrfs subvolume create home
Create subvolume './home'
root@archiso ~/mnt/top # ll
total
drwxr-xr-x root root Jun : home
drwxr-xr-x root root Jun : root
drwxr-xr-x root root Jun : snapshot
root@archiso ~/mnt/top # cd ..
root@archiso ~/mnt # ls
top
root@archiso ~/mnt # cd ..
root@archiso ~ # ls
install.txt mnt
root@archiso ~ # btrfs subvolume list mnt
ID gen top level path top
ID gen top level path top/root
ID gen top level path top/home
root@archiso ~ #
root@archiso ~ #
root@archiso ~ # umount mnt
root@archiso ~ # cryptsetup close /dev/mapper/crypt_root
root@archiso ~ #
6. Install the system
6.1 Mount the target directory tree
root@archiso ~ # parted -l /dev/sda
Number  Start   End     Size    File system     Name       Flags
        1049kB  2097kB  1049kB                  bios_grub  bios_grub
        2097kB  1076MB  1074MB  fat32           boot
        1076MB  3223MB  2147MB  linux-swap(v1)  swap
        3223MB  .5GB    .3GB                    root
root@archiso ~ # btrfs subvolume list mnt
ID gen top level path top
ID gen top level path top/root
ID gen top level path top/home
root@archiso ~ # mount -o compress=lzo,subvol=top/root /dev/mapper/crypt_root mnt
root@archiso ~ # mkdir mnt/boot
root@archiso ~ # mkdir mnt/home
root@archiso ~ # mount -o compress=lzo,subvol=top/home /dev/mapper/crypt_root mnt/home
root@archiso ~ # mount /dev/vda2 mnt/boot
root@archiso ~ # swapon /dev/vda3
6.2 Set the keyboard
6.3 Check the boot mode
6.4 Set the time
root@archiso ~ # ll /etc/localtime
lrwxrwxrwx root root May : /etc/localtime -> /usr/share/zoneinfo/UTC
root@archiso ~ # rm /etc/localtime
root@archiso ~ # ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
root@archiso ~ # timedatectl set-ntp true
root@archiso ~ # timedatectl status
Local time: Sat -- :: CST
Universal time: Sat -- :: UTC
RTC time: Sat -- ::
Time zone: Asia/Shanghai (CST, +)
Network time on: yes
NTP synchronized: no
RTC in local TZ: no
root@archiso ~ # date
Sat Jun :: CST
root@archiso ~ #
6.5 Edit /etc/pacman.d/mirrorlist
6.6 pacstrap the root partition
root@archiso ~ # pacstrap mnt base
6.7 Generate the partition mount information (fstab)
root@archiso ~ # genfstab -U mnt >> mnt/etc/fstab
6.8 change root
root@archiso ~ # arch-chroot mnt
[root@archiso /]# ll
6.9 Change the time zone
[root@archiso /]# ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
[root@archiso /]# hwclock --systohc
6.10 Localization
[root@archiso /]# vi /etc/locale.gen
[root@archiso /]# locale-gen
Generating locales...
en_US.UTF-... done
zh_CN.GBK... done
zh_CN.UTF-... done
zh_CN.GB2312... done
Generation complete.
[root@archiso /]# echo "LANG=en_US.UTF-8" >> /etc/locale.conf
6.11 config network with netctl
[root@archiso netctl]# cp examples/ethernet-static lan0
[root@archiso netctl]# vi lan0
[root@archiso netctl]# netctl list
* lan0
6.12 Build the initramfs
The root partition is encrypted and the initramfs is responsible for decrypting it, so all of the encryption-specific configuration lives here.
[root@archiso ~]# vim /etc/mkinitcpio.conf
[root@archiso etc]# diff mkinitcpio.conf mkinitcpio.conf.bak
52c52
< HOOKS="base udev autodetect modconf keyboard keymap block encrypt filesystems fsck"
---
> HOOKS="base udev autodetect modconf block filesystems keyboard fsck"
[root@archiso etc]#
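Added example, not from the original post: a small checker that encodes the ordering the encrypt hook depends on (block before encrypt, keyboard and keymap before encrypt, encrypt before filesystems) and also reports missing and duplicated hooks. Run on the two HOOKS lines from the diff above, it flags the stock line (no encrypt hook) and accepts the edited one; a duplicated keyboard hook, which the build log further down shows running twice, is reported as well.

```python
import re

# Ordering constraints for the mkinitcpio HOOKS line of an encrypted root, from
# the Arch wiki (dm-crypt/System_configuration): each pair is (must run first, then).
ORDER_RULES = [
    ("block", "encrypt"),        # block device drivers must be loaded before the container is opened
    ("keyboard", "encrypt"),     # otherwise USB keyboards may be dead at the passphrase prompt
    ("keymap", "encrypt"),       # non-US layouts must be active before the prompt
    ("encrypt", "filesystems"),  # the container must be open before root is mounted
]
REQUIRED = {"encrypt", "filesystems"}

def parse_hooks(conf_text):
    """Extract the hook list from an mkinitcpio.conf fragment, quoted or parenthesised."""
    m = re.search(r'^HOOKS=[("]?([^")\n]*)', conf_text, re.MULTILINE)
    if not m:
        raise ValueError("no HOOKS line found")
    return m.group(1).split()

def check_hooks(hooks):
    """Return a list of problems with the given hook order (empty list means OK)."""
    problems = [f"missing hook: {name}" for name in sorted(REQUIRED - set(hooks))]
    problems += [f"duplicate hook: {h}" for i, h in enumerate(hooks) if h in hooks[:i]]
    first = {h: hooks.index(h) for h in hooks}   # position of each hook's first occurrence
    for before, after in ORDER_RULES:
        if before in first and after in first and first[before] > first[after]:
            problems.append(f"{before} must come before {after}")
    return problems

if __name__ == "__main__":
    # The two HOOKS lines from the diff above: the stock one and the edited one.
    for line in ('HOOKS="base udev autodetect modconf block filesystems keyboard fsck"',
                 'HOOKS="base udev autodetect modconf keyboard keymap block encrypt filesystems fsck"'):
        print(line, "->", check_hooks(parse_hooks(line)) or "OK")
```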
There was an error during mkinitcpio:
==> ERROR: file not found: `fsck.btrfs'
Install btrfs-progs; it is not in base by default.
[root@archiso etc]# pacman -S btrfs-progs
Build the initramfs
[root@archiso etc]# mkinitcpio -p linux
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'default'
-> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux.img
==> Starting build: 4.11.--ARCH
-> Running build hook: [base]
-> Running build hook: [udev]
-> Running build hook: [autodetect]
-> Running build hook: [modconf]
-> Running build hook: [keyboard]
-> Running build hook: [keymap]
-> Running build hook: [block]
-> Running build hook: [encrypt]
-> Running build hook: [filesystems]
-> Running build hook: [keyboard]
-> Running build hook: [fsck]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux.img
==> Image generation successful
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'fallback'
-> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-fallback.img -S autodetect
==> Starting build: 4.11.--ARCH
-> Running build hook: [base]
-> Running build hook: [udev]
-> Running build hook: [modconf]
-> Running build hook: [keyboard]
-> Running build hook: [keymap]
-> Running build hook: [block]
==> WARNING: Possibly missing firmware for module: wd719x
==> WARNING: Possibly missing firmware for module: aic94xx
-> Running build hook: [encrypt]
-> Running build hook: [filesystems]
-> Running build hook: [keyboard]
-> Running build hook: [fsck]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux-fallback.img
==> Image generation successful
[root@archiso etc]#
According to https://wiki.archlinux.org/index.php/Btrfs#Corruption_recovery the following can optionally be added:
14c14
< BINARIES="/usr/bin/btrfs"
---
> BINARIES=""
6.13 Set the password
[root@archiso etc]# passwd
New password:
Retype new password:
passwd: password updated successfully
[root@archiso etc]#
6.14 Install the boot loader
https://wiki.archlinux.org/index.php/GRUB
[root@archiso etc]# pacman -S grub
[root@archiso etc]# grub-install --target=i386-pc /dev/vda
Installing for i386-pc platform.
Installation finished. No error reported.
[root@archiso etc]#
https://wiki.archlinux.org/index.php/GRUB#Generate_the_main_configuration_file
[root@archiso ~]# vim /etc/default/grub
https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration#Boot_loader
[root@archiso ~]# diff /etc/default/grub /etc/default/grub.bak
4c4
< GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=38312920-93be-4ff6-ba88-e53505fcfb93:vd_root resume=UUID=3b11937b-85fb-4c8a-8f8f-97e75097b4e1 quiet"
---
> GRUB_CMDLINE_LINUX_DEFAULT="quiet"
[root@archiso ~]#
[root@archiso ~]# vim /boot/grub/grub.cfg
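Added example, not part of the original post: before rebooting, check that the UUID in cryptdevice= is the LUKS container's UUID (the one blkid reports with TYPE="crypto_LUKS" for /dev/vda4) and that resume= points at the swap partition. The blkid output inside the block is constructed to mirror this page's layout, reusing the UUIDs printed above by mkswap and mkfs.btrfs and the one the author put in cryptdevice=; the vfat UUID is a placeholder. Putting the btrfs file system's UUID (cd3b27fb-...) in cryptdevice= is the classic mistake, since that UUID only exists inside the container the initramfs has not opened yet.

```python
import re

# Constructed sample of `blkid` output mirroring this page's partition layout
# (not real captured output): the swap and btrfs UUIDs are the ones mkswap and
# mkfs.btrfs printed above, the crypto_LUKS UUID is the one used in cryptdevice=,
# and the vfat UUID is a placeholder.
BLKID_SAMPLE = """\
/dev/vda2: UUID="1234-ABCD" TYPE="vfat" PARTLABEL="boot"
/dev/vda3: UUID="3b11937b-85fb-4c8a-8f8f-97e75097b4e1" TYPE="swap" PARTLABEL="swap"
/dev/vda4: UUID="38312920-93be-4ff6-ba88-e53505fcfb93" TYPE="crypto_LUKS" PARTLABEL="root"
/dev/mapper/crypt_root: LABEL="root" UUID="cd3b27fb-f257-4afc-b402-fec0550d014e" TYPE="btrfs"
"""
UUID_RE = r"[0-9a-fA-F-]{36}"

def parse_blkid(text):
    """Map each UUID to (device, TYPE) from blkid's key="value" lines."""
    by_uuid = {}
    for line in text.splitlines():
        dev, _, rest = line.partition(":")
        kv = dict(re.findall(r'(\w+)="([^"]*)"', rest))
        if "UUID" in kv:
            by_uuid[kv["UUID"]] = (dev.strip(), kv.get("TYPE", ""))
    return by_uuid

def check_cmdline(cmdline, blkid_text):
    """Return problems with cryptdevice=/resume= on a kernel command line (empty list if fine)."""
    by_uuid = parse_blkid(blkid_text)
    params = dict(p.split("=", 1) for p in cmdline.split() if "=" in p)
    problems = []
    m = re.fullmatch(rf"UUID=({UUID_RE}):([\w-]+)(?::.*)?", params.get("cryptdevice", ""))
    if not m:
        problems.append("cryptdevice missing or not of the form UUID=<uuid>:<name>")
    else:  # the encrypt hook needs the container, not the file system inside it
        dev, typ = by_uuid.get(m.group(1), (None, None))
        if typ != "crypto_LUKS":
            problems.append(f"cryptdevice UUID {m.group(1)} is not a LUKS container (type {typ!r} on {dev})")
    r = re.fullmatch(rf"UUID=({UUID_RE})", params.get("resume", ""))
    if r:  # resume= is optional, but if present it must name the swap device
        dev, typ = by_uuid.get(r.group(1), (None, None))
        if typ != "swap":
            problems.append(f"resume UUID {r.group(1)} is not a swap device (type {typ!r} on {dev})")
    return problems

if __name__ == "__main__":
    line = ("cryptdevice=UUID=38312920-93be-4ff6-ba88-e53505fcfb93:vd_root "
            "resume=UUID=3b11937b-85fb-4c8a-8f8f-97e75097b4e1 quiet")
    print(check_cmdline(line, BLKID_SAMPLE) or "kernel command line is consistent with blkid")
```

Only the UUID=<uuid>:<name> spelling of cryptdevice= is handled; the /dev/... device-path form is not.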
7. Reboot
reboot