Compared with other ways of building an encrypted file system, dm-crypt has clear advantages: it is faster and easier to use. It is also widely deployed and works on any block device, including devices that sit on top of RAID or LVM. dm-crypt owes these advantages mainly to being built on the device-mapper feature of the 2.6 kernel. Device-mapper was designed to provide a general and flexible way of adding a virtual layer on top of a real block device, so that developers can implement images, snapshots, layering and encryption. dm-crypt uses the kernel's cryptographic API to implement transparent encryption and is compatible with the older cryptoloop system.
Step 1: Kernel preparation
dm-crypt uses the kernel's cryptographic API for its cipher operations. The kernel normally loads the individual ciphers as modules. AES is strong enough even for protecting top-secret data. To make sure your kernel has the AES cipher module loaded, check with the following command:
# cat /proc/crypto
If aes is not listed, load the module manually with modprobe:
# modprobe aes
Next, install the dmsetup package, which contains the tools required to configure device-mapper, as shown in the following command:
# yum install dmsetup cryptsetup
To check that the device-mapper control node was created when the dmsetup package was installed, run:
# ls -l /dev/mapper/control
Then, run the following command to load the dm-crypt kernel module:
# modprobe dm-crypt
Once dm-crypt is loaded it registers itself with device-mapper automatically; if you query device-mapper again, it recognises dm-crypt and lists crypt as an available target. After the preceding steps, the following command should show crypt in its output:
# dmsetup targets
This indicates that the system is ready to set up an encrypted device, which is what we create next.
Step 2: Create an encrypted device
To create a file system on an encrypted device, you have two options: create a disk image and attach it as a loop device, or use a physical device. Apart from creating the image and binding it to the loop device, the remaining steps are the same in both cases.
Create a disk image
If you do not have a physical device (such as a USB stick or a spare disk partition) to encrypt, you can use dd to create an empty disk image, attach it as a loop device, and use that instead. For example:
# dd if=/dev/zero of=/virtual.img bs=1M count=100
This creates a 100 MB disk image named virtual.img. To change its size, change the value of count.
Next, use the losetup command to associate the image with a loop device:
# losetup /dev/loop0 /virtual.img
We now have a virtual block device at /dev/loop0 that can be used like any other block device.
Set up the block device
With a physical block device (such as /dev/hda1) or a virtual one (such as the loop-attached image above) prepared, we can use device-mapper to set up the encrypted logical volume on it.
The following uses cryptsetup to create a logical volume and bind it with the block device:
# cryptsetup -y create ly_EFS device_name
ly_EFS is the name of the new logical volume, and the last parameter, device_name, must be the block device that will back the encrypted volume. So, to use the image created above as the virtual block device, run:
# cryptsetup -y create ly_EFS /dev/loop0
For either a physical or a virtual block device, the program prompts for the passphrase of the logical volume; -y makes you enter it twice to be sure it is correct. This matters because a mistyped passphrase locks you out of your data. To confirm that the logical volume has been created, run:
# dmsetup ls
As long as the command lists the logical volume, it was created successfully; the device numbers shown may differ from machine to machine. Device-mapper places its virtual devices under /dev/mapper, so your virtual block device is /dev/mapper/ly_EFS. It behaves like any other block device, but it is transparently encrypted.
Like a physical device, you can also create a file system on a virtual device:
# mkfs.ext3 /dev/mapper/ly_EFS
Create a mount point for the new virtual block device and mount it:
# mkdir /mnt/ly_EFS
# mount /dev/mapper/ly_EFS /mnt/ly_EFS
You can view the mounted file system with:
# df -h /mnt/ly_EFS
After these steps the mounted file system looks just like any other, but all data written under /mnt/ly_EFS is transparently encrypted before it reaches the disk, so what is stored on the disk is ciphertext.
Unmount an encrypted device
Unmounting the encrypted file system works the same way for both kinds of device:
# umount /mnt/ly_EFS
Even after the block device has been unmounted, dm-crypt still treats it as a virtual device. If you doubt this, run dmsetup ls again and you will see the device still listed. Because dm-crypt keeps the key loaded in the mapping, other users on the machine can remount the device without knowing the passphrase. To prevent this, you must explicitly remove the device from dm-crypt after unmounting it:
# cryptsetup remove ly_EFS
After that it is completely gone; to mount it again, the passphrase must be entered again.
Reload the encrypted device
After removing an encrypted device, you may want to mount it again as an ordinary user. To simplify this, add the following line to /etc/fstab:
/dev/mapper/ly_EFS /mnt/ly_EFS ext3 noauto,noatime 0 0
You can also write a script that sets up the dm-crypt device and mounts the volume; replace /dev/DEVICENAME with the actual device name or file path:
#!/bin/sh
cryptsetup create ly_EFS /dev/DEVICENAME
mount /dev/mapper/ly_EFS /mnt/ly_EFS
If you are using a loop device, the script can also bind the device first:
#!/bin/sh
losetup /dev/loop0 ~/virtual.img
cryptsetup create ly_EFS /dev/loop0
mount /dev/mapper/ly_EFS /mnt/ly_EFS
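As an added example (not from the original article), the following wrapper script combines the open and close steps above so that the mapping is always removed after unmounting, which is the point made in the unmount section. The names ly_EFS, /mnt/ly_EFS and /dev/loop0 follow the article; they can be overridden through the NAME, MNT and DEVICE environment variables.

```shell
#!/bin/sh
# Added example: wraps the article's open/close steps. Unmounting alone leaves the
# dm-crypt mapping (and its key) active, so "close" always runs "cryptsetup remove"
# and then verifies that the mapping is gone.
NAME=${NAME:-ly_EFS}          # mapping name used in the article
MNT=${MNT:-/mnt/$NAME}        # mount point used in the article
DEVICE=${DEVICE:-/dev/loop0}  # backing block device (assumed: the loop device)

# Return 0 if the "crypt" target is registered (dm-crypt loaded).
# Reads "dmsetup targets" output from stdin so the check is easy to test.
dm_has_crypt_target() {
    grep -q '^crypt[[:space:]]'
}

# Return 0 if device-mapper lists a mapping named $1 ("dmsetup ls" on stdin).
dm_mapping_listed() {
    grep -q "^$1[[:space:]]"
}

efs_open() {
    dmsetup targets | dm_has_crypt_target || {
        echo "crypt target missing; run: modprobe dm-crypt" >&2; return 1; }
    # refuse to map the same name twice
    if dmsetup ls | dm_mapping_listed "$NAME"; then
        echo "$NAME is already mapped; not creating it twice" >&2; return 1
    fi
    cryptsetup create "$NAME" "$DEVICE" || return 1
    mkdir -p "$MNT" || return 1
    mount "/dev/mapper/$NAME" "$MNT"
}

efs_close() {
    umount "$MNT" || return 1
    # unmounting leaves the mapping and its key in dm-crypt: remove it explicitly
    cryptsetup remove "$NAME" || return 1
    # verify nothing is left behind
    if dmsetup ls | dm_mapping_listed "$NAME"; then
        echo "$NAME is still mapped after remove" >&2; return 1
    fi
}

case "${1:-}" in
    open)  efs_open ;;
    close) efs_close ;;
esac
```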