Linux Encrypted Filesystem With Dm-Crypt
http://wiki.centos.org/HowTos/EncryptedFilesystem
Required Packages
Before getting started, make sure all the requisite packages are installed:
cryptsetup (cryptsetup-luks for CentOS-5)
device-mapper
util-linux
It's likely, however, that they're already present on your system, unless you performed a very minimal installation.
Initial FS Creation
I typically encrypt files, not whole partitions, so I combine dm-crypt with the losetup loopback device maintenance tool. In the bare language of the Unix shell, here are the steps to create and mount an encrypted filesystem.

# Create an empty file sized to suit your needs. The one created
# in this example will be a sparse file of 8GB, meaning that no
# real blocks are written. Since we will force block allocation
# later on, it would not make much sense to do this now, since
# the blocks will be rewritten anyway.
dd of=/path/to/secretfs bs=1G count=0 seek=8

# Lock down normal access to the file
chmod 600 /path/to/secretfs

# Associate a loopback device with the file
losetup /dev/loop0 /path/to/secretfs

# Encrypt storage in the device. cryptsetup will use the Linux
# device mapper to create, in this case, /dev/mapper/secretfs.
# The -y option specifies that you'll be prompted to type the
# passphrase twice (once for verification).
cryptsetup -y create secretfs /dev/loop0

# Or, if you want to use LUKS, you should use the following two
# commands (optionally with additional parameters). The first
# command initializes the volume, and sets an initial key. The
# second command opens the partition, and creates a mapping
# (in this case /dev/mapper/secretfs).
cryptsetup -y luksFormat /dev/loop0
cryptsetup luksOpen /dev/loop0 secretfs

# Check its status (optional)
cryptsetup status secretfs

# Now, we will write zeros to the new encrypted device. This
# will force the allocation of data blocks. And since the zeros
# are encrypted, this will look like random data to the outside
# world, making it nearly impossible to track down encrypted
# data blocks if someone gains access to the file that holds
# the encrypted filesystem.
dd if=/dev/zero of=/dev/mapper/secretfs

# Create a filesystem and verify its status
mke2fs -j -O dir_index /dev/mapper/secretfs
tune2fs -l /dev/mapper/secretfs

# Mount the new filesystem in a convenient location
mkdir /mnt/cryptofs/secretfs
mount /dev/mapper/secretfs /mnt/cryptofs/secretfs
# Unmount the filesystem when you are done with it
umount /mnt/cryptofs/secretfs

# Remove the device mapping
cryptsetup remove secretfs

# Or, for a LUKS volume
cryptsetup luksClose secretfs

# Disassociate file from loopback device
losetup -d /dev/loop0
Note that cryptsetup will not provide a useful error message if you mistype the passphrase. All you'll get is a somewhat unhelpful message from mount:

mount: you must specify the filesystem type

If that happens, then recycle cryptsetup and try mounting the filesystem again:

cryptsetup remove secretfs
cryptsetup create secretfs /dev/loop0
mount /dev/mapper/secretfs /mnt/cryptofs/secretfs
This does not apply to LUKS volumes, where cryptsetup will provide a useful error message during the luksOpen step.
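The create/mount sequence above and the mistyped-passphrase failure it describes, as an added shell example that is not part of the wiki page: has_ext_magic probes the mapped device for an ext2/ext3 superblock before mount is tried, and open_plain_volume wraps cryptsetup create with that check and the remove-and-retry recovery the text prescribes. The function names and the sample image are mine; the device and mapping names follow the page.

```shell
#!/bin/sh
# Added example, not from the CentOS wiki. A plain dm-crypt mapping made with
# "cryptsetup create" has no header, so a mistyped passphrase still produces
# /dev/mapper/<name>; it just decrypts to noise and only mount complains.
# Probing for the ext2/ext3 superblock magic (0xEF53 at byte offset 1080,
# stored little-endian as the bytes 53 ef) tells the two cases apart.

# Return 0 if the file or block device $1 carries an ext2/ext3 superblock magic.
has_ext_magic() {
    magic=$(dd if="$1" bs=1 skip=1080 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "53ef" ]
}

# Open plain mapping $1 over device $2 (e.g. secretfs /dev/loop0) and verify
# the passphrase with the magic probe; on a miss, drop the mapping and retry
# (up to $3 times, default 3), as the text above prescribes. Needs root.
open_plain_volume() {
    name=$1; dev=$2; tries=${3:-3}
    while [ "$tries" -gt 0 ]; do
        cryptsetup create "$name" "$dev" || return 1
        if has_ext_magic "/dev/mapper/$name"; then
            return 0
        fi
        echo "no ext filesystem on /dev/mapper/$name: passphrase probably mistyped" >&2
        cryptsetup remove "$name"
        tries=$((tries - 1))
    done
    return 1
}

# Constructed sample: a 2 KiB file carrying only the ext magic bytes (not a
# real filesystem), so has_ext_magic can be exercised without root or cryptsetup.
make_sample_image() {
    dd if=/dev/zero of="$1" bs=1024 count=2 2>/dev/null
    printf '\123\357' | dd of="$1" bs=1 seek=1080 conv=notrunc 2>/dev/null
}
```

With the loop device attached, `open_plain_volume secretfs /dev/loop0 && mount /dev/mapper/secretfs /mnt/cryptofs/secretfs` only reaches mount when the decrypted device actually looks like a filesystem.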
For instance, if you use the /dev/loop0 loopback device, you could execute:
cryptsetup luksAddKey /dev/loop0
cryptsetup will ask you to enter one of the existing passphrases twice. After that you will be asked to enter the additional key twice. When this step is also successfully completed, you can use the existing key(s), and the new key to open the volume.
Though normally you don't need all four fields. First, most of the possible options for the options field are ignored for LUKS volumes, because LUKS volumes carry all the necessary information about the cipher, key size, and hash in the volume header. Second, normally you don't want to store a password file in plain text on the root partition. It's certainly possible to store it somewhere else, but at this boot stage in rc.sysinit only the root partition is normally mounted, and read-only at that. If the password field is not present, or has the value none, the system will prompt for the password during the system boot. So, if you are using a LUKS volume and would like the system to prompt for a password, only the first two fields are required. Let's look at a short example:
cryptedHome /dev/sdc5
This creates a mapping named cryptedHome for an encrypted volume that was previously created on /dev/sdc5 with cryptsetup luksFormat /dev/sdc5. If you have also created a filesystem on the encrypted volume, you can also add an /etc/fstab entry to mount the filesystem during the system boot:
/dev/mapper/cryptedHome /home ext3 defaults 1 2
There are two options that are not ignored for LUKS partitions:
swap: the volume will be formatted as a swap partition after a mapping is set up.
tmp: the volume will be formatted as an ext2 filesystem, with permissions set up correctly to be used as a filesystem for temporary files.
Both options require that there are entries for using the mapping in /etc/fstab, and both options are destructive. An entry for an encrypted swap partition could look like this:
cryptedSwap /dev/sda2 none swap
Or if you do not want to type a password for the swap partition during every boot:
cryptedSwap /dev/sda2 /dev/urandom swap
Note that this will not work if /dev/sda2 already is a LUKS partition, because LUKS partitions require a non-random key.
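An added shell example, not from the wiki, that lints entries of the four-field form used above (assumed to be /etc/crypttab; the surviving text does not name the file) against /etc/fstab for the problems this section describes: a plain-text key file, a destructive swap/tmp option whose mapping nothing in fstab uses, and a random key on a volume that is not re-created at boot. The function names and the sample entries are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the CentOS wiki): a lint for crypttab-style entries
# "name device password options", assumed to live in /etc/crypttab. It flags a
# key file kept in plain text, a swap/tmp option (which reformats the device at
# every boot) whose /dev/mapper/<name> has no consumer in /etc/fstab, and a
# random key on a volume that is not re-created each boot (never readable again).
# Return 0 if fstab file $2 lists /dev/mapper/$1 as a device.
fstab_has_mapping() {
    while read -r fsdev rest; do
        case "$fsdev" in "#"*|"") continue ;; esac
        [ "$fsdev" = "/dev/mapper/$1" ] && return 0
    done < "$2"
    return 1
}

# Lint crypttab file $1 against fstab file $2, printing one finding per line.
lint_crypttab() {
    while read -r name dev pass opts; do
        case "$name" in "#"*|"") continue ;; esac
        case "${pass:-none}" in
            none|/dev/urandom|/dev/random) ;;   # prompt at boot, or a random key
            *) echo "$name: key file $pass is stored in plain text on disk" ;;
        esac
        case ",$opts," in
            *,swap,*|*,tmp,*)
                fstab_has_mapping "$name" "$2" ||
                    echo "$name: '$opts' reformats $dev at boot, but /dev/mapper/$name is not in fstab" ;;
            *) case "$pass" in /dev/urandom|/dev/random)
                   echo "$name: random key but no swap/tmp, so data on $dev is never readable again" ;;
               esac ;;
        esac
    done < "$1"
}

# Constructed sample crypttab ($1) and fstab ($2); the entries are made up
# to exercise each check and are not taken from the page.
write_samples() {
    cat > "$1" <<'EOF'
# name        device     password            options
cryptedHome   /dev/sdc5
cryptedSwap   /dev/sda2  /dev/urandom        swap
cryptedTmp    /dev/sdb3  none                tmp
cryptedData   /dev/sdd1  /etc/keys/data.key
cryptedScratch /dev/sde1 /dev/urandom
EOF
    cat > "$2" <<'EOF'
/dev/mapper/cryptedHome  /home  ext3  defaults  1 2
/dev/mapper/cryptedSwap  none   swap  defaults  0 0
EOF
}
```

Run against the real files with `lint_crypttab /etc/crypttab /etc/fstab`; the two sample entries from this page (cryptedHome and the /dev/urandom swap) produce no findings.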
HowTos/EncryptedFilesystem (last edited 2008-10-17 10:35:08 by RalphAngenendt)