In this article, we will briefly introduce block device encryption and the Linux Unified Key Setup (LUKS), and describe the steps for creating an encrypted block device on Fedora Linux.
Block Device Encryption
Block device encryption protects the data on a block device by encrypting it; to read the data, a user must supply a passphrase or key. This adds a further layer of protection, because the device's contents remain protected even if the device has been physically removed from the system.
Introduction to LUKS
LUKS (Linux Unified Key Setup) is the standard for block device encryption on Linux. It defines an on-disk format for the encrypted data together with a passphrase/key management policy. All the setup information it needs is stored in the partition header (also known as the LUKS header), which allows you to transfer or migrate the data seamlessly.
LUKS uses the kernel device-mapper subsystem with the dm-crypt module to provide the low-level mapping that encrypts and decrypts the device's data. User-level tasks, such as creating and accessing encrypted devices, are performed with the cryptsetup utility.
Preparing the Block Device
The following instructions show how to create and configure an encrypted block device after installation.
Install the cryptsetup package.
# dnf install cryptsetup-luks
Next, fill the device with random data before encrypting it, as this significantly improves the strength of the encryption. Use one of the following commands.
# dd if=/dev/urandom of=/dev/sdb1 [slow, high-quality random data]
or
# badblocks -c 10240 -s -w -t random -v /dev/sdb1 [fast, high-quality random data]
![](https://www.alaica.com/wp-content/uploads/linux-548.png)
Warning: The commands above will wipe any existing data on the device.
Formatting the Encrypted Device
Next, use the cryptsetup command-line tool to format the device as a dm-crypt/LUKS encrypted device.
# cryptsetup luksFormat /dev/sdb1
After running the command, you will be prompted to type YES (in uppercase) and then to enter a passphrase twice, so that the device is formatted for use, as shown in the following screenshot.
![](https://www.alaica.com/wp-content/uploads/linux-549.png)
To verify that the operation succeeded, run the following command.
# cryptsetup isLuks /dev/sdb1 && echo Success
![](https://www.alaica.com/wp-content/uploads/linux-550.png)
You can view a summary of the device's encryption information.
# cryptsetup luksDump /dev/sdb1
![](https://www.alaica.com/wp-content/uploads/linux-551.png)
Creating a Mapping to Access the Decrypted Contents
In this section, we will configure how the encrypted device's decrypted contents are accessed. We will create a mapping using the kernel device-mapper. It is recommended to give this mapping a meaningful name, such as luk-<uuid>, where <uuid> is replaced with the device's LUKS UUID (Universally Unique Identifier).
To get your encrypted device UUID, run the following command.
# cryptsetup luksUUID /dev/sdb1
![](https://www.alaica.com/wp-content/uploads/linux-552.png)
After getting the UUID, you can create the mapping name as shown (you will be prompted to enter the passphrase created earlier on).
# cryptsetup luksOpen /dev/sdb1 luk-59f2b688-526d-45c7-8f0a-1ac4555d1d7c
If the command is successful, a device node called /dev/mapper/luk-59f2b688-526d-45c7-8f0a-1ac4555d1d7c is created, which represents the decrypted device.
![](https://www.alaica.com/wp-content/uploads/linux-553.png)
The block device which has just been created can be read from and written to like any other unencrypted block device. You can see some information about the mapped device by running the following command.
# dmsetup info /dev/mapper/luk-59f2b688-526d-45c7-8f0a-1ac4555d1d7c
![](https://www.alaica.com/wp-content/uploads/linux-554.png)
Creating Filesystems on Mapped Device
Now we will look at how to create a filesystem on the mapped device, which will allow you to use the mapped device node just like any other block device.
To create an ext4 filesystem on the mapped device, run the following command.
# mkfs.ext4 /dev/mapper/luk-59f2b688-526d-45c7-8f0a-1ac4555d1d7c
![](https://www.alaica.com/wp-content/uploads/linux-555.png)
To mount the above filesystem, create a mount point for it, e.g. /mnt/encrypted-device, and then mount it as follows.
# mkdir -p /mnt/encrypted-device
# mount /dev/mapper/luk-59f2b688-526d-45c7-8f0a-1ac4555d1d7c /mnt/encrypted-device/
Add Mapping Information to /etc/crypttab and /etc/fstab
Next, we need to configure the system to automatically set up a mapping for the device as well as mount it at boot time.
You should add the mapping information to the /etc/crypttab file in the following format.
luk-59f2b688-526d-45c7-8f0a-1ac4555d1d7c UUID=59f2b688-526d-45c7-8f0a-1ac4555d1d7c none
In the above format:
- luk-59f2b688-526d-45c7-8f0a-1ac4555d1d7c – is the mapping name
- UUID=59f2b688-526d-45c7-8f0a-1ac4555d1d7c – identifies the underlying encrypted device by its UUID
- none – means no key file is used, so the passphrase is requested at boot
Save the file and close it.
Next, add the following entry to /etc/fstab to automatically mount the mapped device at system boot.
/dev/mapper/luk-59f2b688-526d-45c7-8f0a-1ac4555d1d7c /mnt/encrypted-device ext4 defaults 0 0
Save the file and close it.
Then run the following command to update systemd units generated from these files.
# systemctl daemon-reload
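The luk-<uuid> naming convention, the crypttab entry and the fstab entry above all have to agree with each other: an fstab line that mounts /dev/mapper/NAME for which crypttab defines no mapping NAME makes systemd wait at boot for a device that never appears, and an fstab line with a missing options field is mis-parsed. The following POSIX shell script is an added example, not part of the original article or of cryptsetup. It derives the mapping name from a validated UUID, prints the matching crypttab and fstab entries, and cross-checks a crypttab file against an fstab file before you reboot. The helper names (luks_mapping_name, crypttab_entry, fstab_entry, check_boot_config, apply_boot_config), the LUKS_DEVICE and MOUNT_POINT environment variables and the reuse of the article's sample UUID are assumptions of this example; only apply_boot_config touches the real system, and it runs only as root with LUKS_DEVICE set.

```shell
#!/bin/sh
# Added example (not from the original article): derive the luk-<uuid> mapping
# name, generate matching /etc/crypttab and /etc/fstab entries, and check that
# the two files agree before rebooting. The generator and check functions are
# pure (they only read files and print text); apply_boot_config() is the only
# part that writes to the system and calls cryptsetup.

# Accept only a well-formed lowercase UUID so a typo cannot become a mapping name.
luks_mapping_name() {
    uuid=$1
    printf '%s\n' "$uuid" \
        | grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$' \
        || { echo "invalid UUID: $uuid" >&2; return 1; }
    printf 'luk-%s\n' "$uuid"
}

# crypttab fields: <mapping name> <source device> <key file> [options]
# "none" as key file means the passphrase is asked for at boot.
crypttab_entry() {
    name=$(luks_mapping_name "$1") || return 1
    printf '%s UUID=%s none\n' "$name" "$1"
}

# fstab needs six fields: device, mount point, type, options, dump, fsck pass.
fstab_entry() {
    name=$(luks_mapping_name "$1") || return 1
    printf '/dev/mapper/%s %s %s defaults 0 0\n' "$name" "$2" "${3:-ext4}"
}

# Cross-check two files: every /dev/mapper/NAME mounted in fstab must have a
# crypttab line whose mapping name is NAME, and the fstab line must carry all
# six fields. Returns 0 when consistent, 1 otherwise (problems go to stderr).
check_boot_config() {
    crypttab=$1
    fstab=$2
    awk '
        # crypttab: remember every mapping name, skipping blank and comment lines
        kind == "crypttab" && $0 !~ /^[[:space:]]*(#|$)/ { names[$1] = 1; next }
        # fstab: only lines that mount a dm-crypt mapping are of interest
        kind == "fstab" && $1 ~ /^\/dev\/mapper\// {
            name = substr($1, 13)   # strip the 12-character "/dev/mapper/" prefix
            if (!(name in names)) {
                printf "fstab: %s has no crypttab entry\n", $1 > "/dev/stderr"; bad = 1
            }
            if (NF != 6) {
                printf "fstab: %s needs 6 fields, has %d\n", $1, NF > "/dev/stderr"; bad = 1
            }
        }
        END { exit bad }
    ' kind=crypttab "$crypttab" kind=fstab "$fstab"
}

# Writes both entries for a real device, verifies them, reloads systemd and
# opens the mapping under the same name the crypttab line will use at boot.
apply_boot_config() {
    dev=$1
    mnt=$2
    cryptsetup isLuks "$dev" || { echo "$dev is not a LUKS device" >&2; return 1; }
    uuid=$(cryptsetup luksUUID "$dev") || return 1
    name=$(luks_mapping_name "$uuid") || return 1
    crypttab_entry "$uuid" >> /etc/crypttab
    fstab_entry "$uuid" "$mnt" >> /etc/fstab
    check_boot_config /etc/crypttab /etc/fstab || return 1
    systemctl daemon-reload
    cryptsetup luksOpen "$dev" "$name"
}

# Guard: only act on a real device when explicitly asked to, and only as root.
if [ -n "${LUKS_DEVICE:-}" ] && [ "$(id -u)" -eq 0 ]; then
    apply_boot_config "$LUKS_DEVICE" "${MOUNT_POINT:-/mnt/encrypted-device}"
fi
```

Run check_boot_config /etc/crypttab /etc/fstab by itself after editing the files by hand; a non-zero exit means the next boot would stall on the encrypted mount, so fix the files before rebooting.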
Backup LUKS Headers
Finally, we will look at how to back up the LUKS header. This is a critical step for avoiding the loss of all data on the encrypted block device if the sector containing the LUKS header is damaged by user error or hardware failure; with a backup, the data can be recovered.
Back up the LUKS header (the backup is taken from the LUKS device itself, /dev/sdb1, not from the /dev/mapper node, which exposes only the decrypted contents and carries no header).
# mkdir /root/backups
# cryptsetup luksHeaderBackup --header-backup-file /root/backups/luks-headers /dev/sdb1
And to restore the LUKS header.
# cryptsetup luksHeaderRestore --header-backup-file /root/backups/luks-headers /dev/sdb1
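A header backup contains every key slot of the device, so it must be stored as carefully as the passphrase itself, and it is worth verifying that the copy is actually a readable LUKS header before relying on it. The following POSIX shell script is an added example, not part of the original article or of cryptsetup: it names the backup file after the device UUID, creates it with restrictive permissions, checks the result is a root-only regular file and confirms cryptsetup can parse it. The helper names (backup_path, check_backup_perms, backup_luks_header), the LUKS_BACKUP_DIR and LUKS_DEVICE environment variables and the luks-header-<uuid>.img file naming are assumptions of this example; backup_luks_header runs only as root with LUKS_DEVICE set.

```shell
#!/bin/sh
# Added example (not from the original article): back up a LUKS header to a
# per-device file, lock down its permissions and verify the copy. The pure
# helpers are separated from backup_luks_header(), which needs root, a real
# LUKS device and cryptsetup.

# Assumption: the directory is owned by root and not on the encrypted device.
BACKUP_DIR=${LUKS_BACKUP_DIR:-/root/backups}

# Name the file after the UUID so backups of several devices cannot overwrite
# each other.
backup_path() {
    printf '%s/luks-header-%s.img\n' "$BACKUP_DIR" "$1"
}

# The backup holds every key slot, so it must be a regular file readable by
# its owner only (mode 0600). ls -ld output is POSIX, so this is portable.
check_backup_perms() {
    f=$1
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    mode=$(ls -ld "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "unsafe mode on $f: $mode" >&2; return 1; }
}

backup_luks_header() {
    dev=$1
    # Back up the LUKS device itself (e.g. /dev/sdb1), not the /dev/mapper node:
    # the mapped node exposes plaintext and carries no header.
    cryptsetup isLuks "$dev" || { echo "$dev is not a LUKS device" >&2; return 1; }
    uuid=$(cryptsetup luksUUID "$dev") || return 1
    out=$(backup_path "$uuid")
    mkdir -p "$BACKUP_DIR" && chmod 700 "$BACKUP_DIR"
    # umask in a subshell so the file is created 0600 from the start.
    (umask 077 && cryptsetup luksHeaderBackup "$dev" --header-backup-file "$out") || return 1
    chmod 600 "$out"
    check_backup_perms "$out" || return 1
    # A header backup is itself a LUKS image, so luksDump on the file must work.
    cryptsetup luksDump "$out" > /dev/null \
        || { echo "backup $out is not readable as a LUKS header" >&2; return 1; }
    echo "header of $dev ($uuid) saved to $out"
}

# Guard: only act on a real device when explicitly asked to, and only as root.
if [ -n "${LUKS_DEVICE:-}" ] && [ "$(id -u)" -eq 0 ]; then
    backup_luks_header "$LUKS_DEVICE"
fi
```

Take a fresh backup after every key-slot change: restoring an older header reinstates the key slots it contained, including any passphrase that was removed in the meantime.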
That's it! In this article, we explained how to encrypt block devices with LUKS on the Fedora Linux distribution. If you have any questions or comments about this topic or guide, use the feedback form below to reach us.