Disk encryption in Linux
LUKS (Linux Unified Key Setup) is the standard for hard disk encryption on Linux. It is supported across Linux distributions and allows multiple users/passphrases for the same volume. Because the encryption key is independent of the passphrase, a forgotten or compromised passphrase can be replaced quickly without re-encrypting the disk. By defining a standard on-disk format, LUKS both makes encrypted volumes portable between distributions and provides managed key slots for multiple user passphrases. An encrypted volume must be unlocked (decrypted) before its file system can be mounted.
Tool: cryptsetup (installed by default)
Common subcommands: luksFormat, luksOpen, luksClose and luksAddKey
After a partition has been encrypted with cryptsetup it can no longer be mounted directly. LUKS is an encryption scheme built on the kernel's device-mapper mechanism: to use the partition you must first map it to a device under /dev/mapper, and only that mapped device can be mounted. Opening the mapping requires entering the decryption passphrase.
Encryption features of the cryptsetup tool:
- The partition cannot be mounted directly after encryption.
- If the encrypted hard disk is lost, the data on it cannot simply be read off by whoever finds it.
- After encryption, the partition must be mapped before it can be mounted.
Steps:
1. Create and encrypt the partition
2. Map the partition
3. Format and mount the mapped partition
4. Close the mapping
Create a disk partition /dev/sdb1 and leave it unformatted.
1. Encrypt the partition
# cryptsetup -v -y -c aes-cbc-plain luksFormat /dev/sdb1

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES      <-- the answer must be typed in uppercase: YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
#

Note that aes-cbc-plain is the cipher spec used by this tutorial; current cryptsetup releases default to aes-xts-plain64, which is the better choice for new volumes.
2. Map the partition
# cryptsetup luksOpen /dev/sdb1 sx_disk      // map sdb1 to the name sx_disk
Enter passphrase for /dev/sdb1:
# ll -d /dev/mapper/sx_disk
lrwxrwxrwx. 1 root root 7 Jun 25 03:24 /dev/mapper/sx_disk -> ../dm-0
# cryptsetup status /dev/mapper/sx_disk     // show the status of the mapped partition
/dev/mapper/sx_disk is active.
  type:    LUKS1
  cipher:  aes-cbc-plain
  keysize: 256 bits
  device:  /dev/sdb1
  offset:  4096 sectors
  size:    16767701 sectors
  mode:    read/write
#
3. Format, mount and use
# mkdir /mnt/sx_disk
# mkfs.ext3 /dev/mapper/sx_disk
# mount /dev/sdb1 /mnt/sx_disk/             // mounting the raw partition directly is not allowed
mount: unknown filesystem type 'crypto_LUKS'
# mount /dev/mapper/sx_disk /mnt/sx_disk/   // mount the mapped device instead; this succeeds
4. Close the mapping. Unmount the file system first, then close the mapping.
# umount /mnt/sx_disk/
# cryptsetup luksClose sx_disk              // close the mapping
# ll /dev/mapper/                           // the mapped device is gone
total 0
crw-rw----. 1 root root 10, 236 Jun 25 03:01 control
#
5. Set up automatic mounting at boot
Generate a key file. If you would rather type the passphrase manually when the system boots, do not generate a key file. Note that the key file in this tutorial is left empty, so the key slot added below is protected by an empty key; for a real deployment fill the file with random bytes (for example from /dev/urandom) and restrict it to root with mode 0400.
# touch /root/cryptpasswd
# cryptsetup luksAddKey /dev/sdb1 /root/cryptpasswd
Enter any passphrase:
# cat /root/cryptpasswd                     // confirms that the key file is empty
#
Configure the boot-time mapping and mount
# vim /etc/crypttab
# cat /etc/crypttab
sx_disk /dev/sdb1 /root/cryptpasswd
// sx_disk is the mapping name, /dev/sdb1 is the encrypted device and /root/cryptpasswd is the key file. To be prompted for the passphrase at boot instead, omit the key-file field (or write none).
# vim /etc/fstab
# tail -1 /etc/fstab
/dev/mapper/sx_disk /mnt/sx_disk ext4 defaults 0 0
#
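As an added check that is not part of the original tutorial, the following Python script audits a crypttab/fstab pair for the two mistakes the steps above run into: an fstab entry that mounts the raw LUKS device instead of its /dev/mapper name, and a key file that is empty or readable by other users. The sample crypttab and fstab lines and the temporary key file path are constructed for the example.

```python
import os
import stat
import tempfile

def parse_table(text):
    """Split crypttab/fstab-style text into rows of whitespace-separated fields, dropping comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def audit(crypttab_text, fstab_text):
    """Return human-readable findings about the given crypttab and fstab contents."""
    findings = []
    mappings = {}
    for row in parse_table(crypttab_text):
        name, device = row[0], row[1]
        # Third field absent, "none" or "-" means the passphrase is typed at boot.
        keyfile = row[2] if len(row) > 2 and row[2] not in ("none", "-") else None
        mappings[name] = device
        if keyfile is None:
            continue
        if not os.path.isfile(keyfile):
            findings.append(f"{name}: key file {keyfile} does not exist")
            continue
        st = os.stat(keyfile)
        if st.st_size == 0:
            findings.append(f"{name}: key file {keyfile} is empty, so the key slot opens with an empty key")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{name}: key file {keyfile} is readable by group or others")
    fstab_devices = {row[0] for row in parse_table(fstab_text)}
    for name, device in mappings.items():
        if device in fstab_devices:
            findings.append(f"{name}: fstab mounts the raw device {device}; mount /dev/mapper/{name} instead")
        if f"/dev/mapper/{name}" not in fstab_devices:
            findings.append(f"{name}: no fstab entry for /dev/mapper/{name}")
    return findings

def demo():
    """Reproduce the tutorial's setup: a key file created with touch (empty) and fstab pointing at /dev/sdb1."""
    with tempfile.TemporaryDirectory() as tmp:
        keyfile = os.path.join(tmp, "cryptpasswd")   # constructed stand-in for /root/cryptpasswd
        open(keyfile, "w").close()                    # same effect as `touch`
        os.chmod(keyfile, 0o600)
        crypttab = f"sx_disk /dev/sdb1 {keyfile} luks\n"
        fstab = "/dev/sdb1 /mnt/sx_disk ext4 defaults 0 0\n"
        return audit(crypttab, fstab)
```

Running demo() reports the empty key file, the raw-device fstab entry and the missing /dev/mapper/sx_disk entry; a correct pair yields no findings.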