Disk encryption in Linux-luks

Disk encryption in Linux-luks LUKS (Linux Unified Key Setup) provides a standard for Linux hard disk encryption. It can be used not only for different Linux releases, but also for multiple users/passwords. Because its encryption key is independent of the password, if the password is lost, we can quickly change the password without re-encrypting the hard disk. By providing a standard disk format, it not only facilitates the compatibility between distributions, but also provides security management for multiple user passwords. You must decrypt the encrypted volume before mounting the file system. Www.2cto.com tool: cryptsetup (installed by default) common parameters: luksFormat, luksOpen, luksClose, and luksAddKey after the partition is encrypted using cryptsetup, the partition is no longer allowed to be directly mounted. LUKS is also an encryption scheme based on device mapper mechanism. To use this partition, you must map it to the/dev/mapper directory. We can only mount this ing for use. However, during the ing, you need to enter the decryption password. Encryption features of the Crypsetup tool: you cannot mount the encrypted file directly after encryption. You do not have to worry about data theft after encryption. You must map the encrypted file to mount the file. Step 1. create a partition and encrypt the partition. ing partition 3. format the partition and mount it. 4. close the ing partition to create a disk partition/dev/sdb1 without formatting 1. encrypt the partition www.2cto.com # cryptsetup-v-y-c aes-cbc-plain luksFormat/dev/sdb1 WARNING! ========= This will overwrite data on/dev/sdb1 irrevocably. Are you sure? (Type uppercase yes): YES --> note that YESEnter LUKS passphrase: Verify passphrase: Command successful must be capitalized. #2. ing partition # cryptsetup luksOpen/dev/sdb1 sx_disk // map sdb1 to sx_diskEnter passphrase for/dev/sdb1: # ll-d/dev/mapper/sx_disklrwxrwxrwx. 1 root 7 June 25 03:24/dev/mapper/sx_disk-> .. /dm-0 # cryptsetup status/dev/mapper/sx_disk // view the ing partition status/dev/mapper/sx_disk is active. type: LUKS1 cipher: aes-cbc-plain keysize: 256 bits device:/dev/sdb1 offset: 4096 sectors size: 16767701 sectors mode: read/write # www.2cto.com 3. Mount and use # mkdir/mnt/sx_disk # mkfs. ext3/dev/mapper/sx_disk # mount/dev/sdb1/mnt/sx_disk // mount is not allowed directly: unknown filesystem type 'crypto _ LUKS '# mount/dev/mapper/sx_disk/mnt/sx_disk // mount the ing device. mount the device successfully. 4. Disable the ing, uninstall and disable # umount/mnt/sx_disk/# cryptsetup luksClose sx_disk // close the ing # ll/dev/mapper // The ing device has no longer seen the total usage of 0crw-rw ----. 1 root 10, June 25 03:01 control #5. Set automatic mounting upon startup to generate a key file, if you want to manually enter the password when starting the instance, do not generate # touch/root/cryptpasswd # cryptsetup luksAddKey/dev/sdb1/root/cryptpasswdEnter any passphrase: # cat/root/cryptpasswd // The Key is blank # www.2cto.com is set to boot # vim/etc/crypttab # cat/etc/crypttabsx_disk/dev/sdb1/root/cryptpasswd // sx_disk is the ing name, /dev/sdb1 is an encrypted device, And/root/cryptpasswd is the password file. If you want to start the device, manually enter the password, leave the password file empty. # vim/etc/fstab # tail-1/etc/fstab/dev/mapper/sx_disk/mnt/sx_disk ext4 defaults 0 0 # author kumu_Linux