Using LUKS disk encryption on Linux

Source: Internet
Author: User

When a disk is encrypted with LUKS, it has to be mapped before it can be mounted, and mapping requires password verification. LUKS is in effect a lock on the hard drive: opening it requires the corresponding key, and once it is open the disk can be used for any operation, just like an ordinary hard disk.

Here's how to use it:

0. Partition: create a disk partition /dev/sdb1; do not format it

    # fdisk /dev/sdb
    Command (m for help): p          # display the current partitions
    Command (m for help): d          # delete the partition
    Command (m for help): n          # start a new partition
    Command action
       e   extended
       p   primary partition (1-4)
    p
    Partition number (1-4): 1
    First sector (1-104865, default 1):          # press Enter
    Last sector, +sectors or +size{K,M,G} (1-104865, default 104865):          # press Enter
    Command (m for help): wq         # save and exit

1. Encrypt the partition

    # cryptsetup -v -y -c aes-cbc-plain luksFormat /dev/sdb1

    WARNING!
    ========
    This will overwrite data on /dev/sdb1 irrevocably.

    Are you sure? (Type uppercase yes): YES      # note: this must be uppercase YES
    Enter LUKS passphrase:
    Verify passphrase:
    Command successful.

2. Map the partition

    # cryptsetup luksOpen /dev/sdb1 sx_disk        # map sdb1 to sx_disk
    Enter passphrase for /dev/sdb1:
    # ll -d /dev/mapper/sx_disk                    # view the mapping
    lrwxrwxrwx. 1 root root 7 June 03:24 /dev/mapper/sx_disk -> ../dm-0
    # cryptsetup status /dev/mapper/sx_disk        # view the status of the mapped partition
    /dev/mapper/sx_disk is active.
      type:    LUKS1
      cipher:  aes-cbc-plain
      keysize: 256 bits
      device:  /dev/sdb1
      offset:  4096 sectors
      size:    16767701 sectors
      mode:    read/write

3. Mount and use

    # mkdir /mnt/sx_disk
    # mkfs.ext3 /dev/mapper/sx_disk
    # mount /dev/sdb1 /mnt/sx_disk/                # mounting the partition directly is not allowed
    mount: unknown filesystem type 'crypto_LUKS'
    # mount /dev/mapper/sx_disk /mnt/sx_disk/      # mount the mapped device; the mount succeeds

4. Set up the key file for automatic mounting at boot. If you want to enter the password manually, you do not need to generate it.

    # touch /root/cryptpasswd
    # cryptsetup luksAddKey /dev/sdb1 /root/cryptpasswd
    Enter any passphrase:
    # cat /root/cryptpasswd                        # viewing the key file directly shows it is empty

5. Set up automatic decryption

    # vim /etc/crypttab
    # cat /etc/crypttab
    sx_disk /dev/sdb1 /root/cryptpasswd

sx_disk is the mapping name, /dev/sdb1 is the encrypted device, and /root/cryptpasswd is the password file. If you want to enter the password manually at power-on, the password file field can be left blank.

    # vim /etc/fstab
    # tail -1 /etc/fstab
    /dev/mapper/sx_disk /mnt/sx_disk             ext4 defaults   0 0

6. To start a program at boot, add the following content to /etc/rc.local

    # vim /etc/rc.local
    /bin/bash "program path"

7. Close the mapping: unmount first, then close. Note: after unmounting, the password is no longer loaded automatically at boot to unlock the volume; this step is not used in the project. You need to leave the mounted directory first.

    # cd /root
    # umount /mnt/sx_disk/
    # cryptsetup luksClose sx_disk                 # close the mapping
    # ll /dev/mapper/                              # the mapped device is gone
    total 0
    crw-rw----. 1 root root, June 03:01 control
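
An audit of what steps 1 to 5 leave behind, as an added example that is not part of the original page: weak_cipher flags a CBC cipher with a plain sector-number IV (predictable per sector) in cryptsetup status output, and audit_crypttab flags key files that are empty or accessible beyond their owner, as the file created with touch in step 4 is. The function names and the temporary files in demo() are constructed here; stat -c assumes GNU coreutils.

```sh
#!/bin/sh
# Added example, not from the original page; demo() uses constructed files.

# weak_cipher: read `cryptsetup status` output on stdin; print the cipher and
# return 0 when it is CBC with a plain (sector-number) IV.
weak_cipher() {
    c=$(awk '$1 == "cipher:" { print $2 }')
    case $c in *-cbc-plain|*-cbc-plain64) echo "$c"; return 0 ;; esac
    return 1
}

# make_keyfile FILE: write 4096 random bytes, readable by the owner only.
make_keyfile() {
    ( umask 077 && head -c 4096 /dev/urandom > "$1" ) && chmod 0400 "$1"
}

# check_keyfile NAME FILE: print one finding per problem; return 1 if any.
check_keyfile() {
    bad=0
    [ -f "$2" ] || { echo "$1: $2 is missing"; return 1; }
    [ -s "$2" ] || { echo "$1: $2 is empty, it holds no secret"; bad=1; }
    mode=$(stat -c '%a' "$2")
    [ $(( 0$mode & 077 )) -eq 0 ] || { echo "$1: $2 has mode $mode, open beyond its owner"; bad=1; }
    return $bad
}

# audit_crypttab FILE: check the key file (third field) of every entry.
audit_crypttab() {
    rc=0
    while read -r name dev key opts; do
        case $name in ''|'#'*) continue ;; esac
        case $key in
            ''|none|-) echo "$name: no key file, passphrase asked at boot" ;;
            *) check_keyfile "$name" "$key" || rc=1 ;;
        esac
    done < "$1"
    return $rc
}

demo() {
    d=$(mktemp -d)
    printf '  cipher:  aes-cbc-plain\n' | weak_cipher >/dev/null && echo "weak cipher mode"
    touch "$d/cryptpasswd"; chmod 644 "$d/cryptpasswd"       # as in step 4
    echo "sx_disk /dev/sdb1 $d/cryptpasswd" > "$d/crypttab"  # as in step 5
    audit_crypttab "$d/crypttab" || echo "=> fix the findings above"
    rm -f "$d/cryptpasswd"; make_keyfile "$d/cryptpasswd"
    audit_crypttab "$d/crypttab" && echo "=> key file OK"
    rm -rf "$d"
}
demo
```

Running make_keyfile on the key file path before cryptsetup luksAddKey backs the key slot with random data instead of an empty file.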

8. Prevent access to single-user mode by adding a password to GRUB, so that others cannot enter the system in single-user mode. There are 2 ways; both edit the GRUB configuration with vim /boot/grub/grub.conf or vim /etc/grub.conf (/etc/grub.conf is a symbolic link to /boot/grub/grub.conf).

1. Plaintext method: on the line after the splashimage parameter, add: password=<password>. After saving and restarting the computer, when you reach the GRUB menu page again you can no longer use the e command directly to edit a boot entry; you must first use the p command and enter the correct password before you can edit the boot entry. Setting a plaintext password is not safe: anyone who obtains the plaintext password can edit the GRUB boot entry and change the root password.

2. MD5 encryption method: enter grub-md5-crypt in the terminal. The system asks for the same password twice and then outputs the MD5 code. Copy the generated MD5 ciphertext and add the following line after the splashimage parameter: password --md5 <MD5 ciphertext>, for example:

    # grub-md5-crypt
    splashimage=(hd0,0)/grub/splash.xpm.gz
    password --md5 $1$xi6vs$wi5pi8jyorunnj3/0yq2/0
    hiddenmenu

After saving, restart the computer. When you reach the GRUB menu page again, you can no longer use the e command directly to edit a boot entry; you must first use the p command and enter the correct password before you can edit the boot entry.
