RHEL6 notes: encrypting a partition with cryptsetup

it 2022-05-19


Today I studied how RHEL encrypts a disk partition. On RHEL the cryptsetup tool can be used to encrypt a disk partition; once encrypted, the partition can only be opened after entering a passphrase. Sensitive files can therefore be placed on a dedicated partition with encryption enabled, which strengthens the protection of those files. The demonstration follows.

1 Encrypting a partition with cryptsetup

--1.1 Add a partition

 

    [root@redhatB ~]# fdisk -cu /dev/sdc

    Command (m for help): p

    Disk /dev/sdc: 10.7 GB, 10737418240 bytes
    255 heads, 63 sectors/track, 1305 cylinders, total 20971520 sectors
    Units = sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disk identifier: 0xb097ae92

       Device Boot      Start         End      Blocks   Id  System
    /dev/sdc1              63     4209029     2104483+  8e  Linux LVM
    /dev/sdc2         4209030     8418059     2104515   8e  Linux LVM
    /dev/sdc3         8418060    12627089     2104515   8e  Linux LVM
    /dev/sdc4        12627090    20964824     4168867+   5  Extended
    /dev/sdc5        12627153    14747669     1060258+  8e  Linux LVM
    /dev/sdc6        14747733    16868249     1060258+  8e  Linux LVM

    Command (m for help): n
    First sector (16870298-20964824, default 16870298): 
    Using default value 16870298
    Last sector, +sectors or +size{K,M,G} (16870298-20964824, default 20964824): +1G

    Command (m for help): p

    Disk /dev/sdc: 10.7 GB, 10737418240 bytes
    255 heads, 63 sectors/track, 1305 cylinders, total 20971520 sectors
    Units = sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disk identifier: 0xb097ae92

       Device Boot      Start         End      Blocks   Id  System
    /dev/sdc1              63     4209029     2104483+  8e  Linux LVM
    /dev/sdc2         4209030     8418059     2104515   8e  Linux LVM
    /dev/sdc3         8418060    12627089     2104515   8e  Linux LVM
    /dev/sdc4        12627090    20964824     4168867+   5  Extended
    /dev/sdc5        12627153    14747669     1060258+  8e  Linux LVM
    /dev/sdc6        14747733    16868249     1060258+  8e  Linux LVM
    /dev/sdc7        16870298    18967449     1048576   83  Linux

    Command (m for help): w
    The partition table has been altered!

    Calling ioctl() to re-read partition table.

    WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
    The kernel still uses the old table. The new table will be used at
    the next reboot or after you run partprobe(8) or kpartx(8)
    Syncing disks.

 

Note: the example above added the partition /dev/sdc7, 1 GB in size.

--1.2 Refresh the kernel's partition table

 

    [root@redhatB ~]# partx -a /dev/sdc
    BLKPG: Device or resource busy
    error adding partition 1
    BLKPG: Device or resource busy
    error adding partition 2
    BLKPG: Device or resource busy
    error adding partition 3
    BLKPG: Device or resource busy
    error adding partition 4
    BLKPG: Device or resource busy
    error adding partition 5
    BLKPG: Device or resource busy
    error adding partition 6

    [root@redhatB ~]# ll /dev/sdc*
    brw-rw----. 1 root disk 8, 32 Jul 29 20:00 /dev/sdc
    brw-rw----. 1 root disk 8, 33 Jul 22 20:51 /dev/sdc1
    brw-rw----. 1 root disk 8, 34 Jul 22 20:51 /dev/sdc2
    brw-rw----. 1 root disk 8, 35 Jul 22 20:51 /dev/sdc3
    brw-rw----. 1 root disk 8, 36 Jul 22 20:51 /dev/sdc4
    brw-rw----. 1 root disk 8, 37 Jul 22 20:51 /dev/sdc5
    brw-rw----. 1 root disk 8, 38 Jul 22 20:51 /dev/sdc6
    brw-rw----. 1 root disk 8, 39 Jul 29 20:01 /dev/sdc7

  

 

Note: the partx command makes the kernel re-read the partition table so the system can see the new partition /dev/sdc7. The BLKPG "Device or resource busy" errors for partitions 1 to 6 only mean those partitions were already known to the kernel; /dev/sdc7 was added and now has its device node.

--1.3 Encrypt the partition and set a passphrase

 

    [root@redhatB ~]# cryptsetup luksFormat /dev/sdc7

    WARNING!
    ========
    This will overwrite data on /dev/sdc7 irrevocably.

    Are you sure? (Type uppercase yes): YES
    Enter LUKS passphrase: 
    Verify passphrase: 

   

 

Note: see man cryptsetup for the command's usage. The key action here is "luksFormat"; mind the capitalisation.

--1.4 Enter the passphrase and open the partition

 

    [root@redhatB ~]# cryptsetup luksOpen /dev/sdc7 secret
    Enter passphrase for /dev/sdc7: 
    No key available with this passphrase.
    Enter passphrase for /dev/sdc7: 
    You have new mail in /var/spool/mail/root

    [root@redhatB ~]# ll /dev/mapper/secret
    lrwxrwxrwx. 1 root root 7 Jul 29 20:06 /dev/mapper/secret -> ../dm-3

   

 

Note: once the partition is opened successfully it is mapped to /dev/mapper/secret. The key action here is "luksOpen"; mind the capitalisation. In the output above the first passphrase attempt was rejected ("No key available with this passphrase") and the second one was accepted.

--1.5 Create a filesystem on the partition

 

    [root@redhatB ~]# mke2fs -t ext4 /dev/mapper/secret
    mke2fs 1.41.12 (17-May-2010)
    Filesystem label=
    OS type: Linux
    Block size=4096 (log=2)
    Fragment size=4096 (log=2)
    Stride=0 blocks, Stripe width=0 blocks
    65408 inodes, 261632 blocks
    13081 blocks (5.00%) reserved for the super user
    First data block=0
    Maximum filesystem blocks=268435456
    8 block groups
    32768 blocks per group, 32768 fragments per group
    8176 inodes per group
    Superblock backups stored on blocks: 
            32768, 98304, 163840, 229376

    Writing inode tables: done
    Creating journal (4096 blocks): done
    Writing superblocks and filesystem accounting information: done

    This filesystem will be automatically checked every 31 mounts or
    180 days, whichever comes first.  Use tune2fs -c or -i to override.

--1.6 Mount the filesystem

 

 

    [root@redhatB ~]# mkdir -p /mnt/secret
    [root@redhatB ~]# mount -t ext4 /dev/mapper/secret /mnt/secret/
    [root@redhatB ~]# df -h
    Filesystem            Size  Used Avail Use% Mounted on
    /dev/mapper/vg_redhatb-lv_root
                          9.9G  3.6G  5.9G  38% /
    tmpfs                 250M  264K  250M   1% /dev/shm
    /dev/sda1             485M   31M  429M   7% /boot
    /dev/sdb              9.9G  330M  9.1G   4% /pgdata_xc
    /dev/mapper/vg1-pgdata1
                         1008M   34M  924M   4% /database/pgdata1
    /dev/mapper/secret   1006M   18M  938M   2% /mnt/secret

 

Note: /mnt/secret was mounted successfully.

--1.7 Write a file as a test

 

    [root@redhatB ~]# cd /mnt/secret
    [root@redhatB secret]# history > history.txt
    [root@redhatB secret]# ls
    history.txt  lost+found

 

--1.8 Show which partition backs the encrypted mapping

 

    [root@redhatB mnt]# cryptsetup status secret
    /dev/mapper/secret is active and is in use.
      type:    LUKS1
      cipher:  aes-cbc-essiv:sha256
      keysize: 256 bits
      device:  /dev/sdc7
      offset:  4096 sectors
      size:    2093056 sectors
      mode:    read/write

 

2 Closing the partition with cryptsetup

--2.1 umount

 

    [root@redhatB ~]# umount /mnt/secret
    [root@redhatB ~]# ll /dev/mapper/secret
    lrwxrwxrwx. 1 root root 7 Jul 29 20:06 /dev/mapper/secret -> ../dm-3

 

--2.2 Close the partition

 

    [root@redhatB ~]# cryptsetup luksClose /dev/mapper/secret
    [root@redhatB ~]# ll /dev/mapper/secret
    ls: cannot access /dev/mapper/secret: No such file or directory

   

 

Note: this step can be understood as removing the mapping /dev/mapper/secret created earlier. The key action here is "luksClose"; mind the capitalisation. After the partition is closed, the mapping file /dev/mapper/secret no longer exists.
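As an added example that is not part of the original post, the script below strings together the open, status check, mount, unmount and close steps of sections 1.4 to 2.2, and refuses to mount unless cryptsetup status names the backing device that was just opened. It assumes the post's values (/dev/sdc7, mapping name secret, mount point /mnt/secret) and embeds the post's cryptsetup status output as constructed sample data so the parser can be checked without root.

```shell
#!/bin/bash
# Added example (not from the original post): run the luksOpen -> status check
# -> mount -> umount -> luksClose cycle shown above, refusing to mount unless
# `cryptsetup status` reports the expected backing device. Device, mapping name
# and mount point are the post's values; adjust them for your host.
set -eu

# Print one field (device, cipher, keysize, type, ...) from `cryptsetup status`
# output read on stdin, so the parser can be exercised on recorded output.
luks_status_field() {
    awk -v want="$1:" '$1 == want { print $2; exit }'
}

# Succeed only if the status text says the mapping is active and is backed by
# the device we opened; anything else means we are looking at the wrong mapping.
luks_status_matches() {
    local status="$1" expected="$2"
    printf '%s\n' "$status" | grep -q ' is active' || return 1
    [ "$(printf '%s\n' "$status" | luks_status_field device)" = "$expected" ]
}

# The full cycle from the post (needs root and cryptsetup; prompts for the
# passphrase at luksOpen). The mapping is closed again even if the check fails.
secret_cycle() {
    local dev="$1" name="$2" mnt="$3"
    cryptsetup luksOpen "$dev" "$name"
    if ! luks_status_matches "$(cryptsetup status "$name")" "$dev"; then
        cryptsetup luksClose "$name"
        return 1
    fi
    mkdir -p "$mnt"
    mount -t ext4 "/dev/mapper/$name" "$mnt"
    df -h "$mnt"
    umount "$mnt"
    cryptsetup luksClose "$name"      # /dev/mapper/$name disappears again
}

# Constructed sample: the `cryptsetup status secret` output quoted in the post.
SAMPLE_STATUS='/dev/mapper/secret is active and is in use.
  type:    LUKS1
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/sdc7
  offset:  4096 sectors
  size:    2093056 sectors
  mode:    read/write'

if [ "${1:-}" = "run" ]; then      # only touches real devices when run as: script run
    secret_cycle /dev/sdc7 secret /mnt/secret
fi
```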

3 Summary

This post demonstrated encrypting a disk partition on RHEL, mounting it and unmounting it again. A passphrase file can also be configured so that the partition is mounted automatically at boot; that is not demonstrated here.

Reposted from: https://www.cnblogs.com/L-H-R-X-hehe/p/4099504.html

