Partition encryption technology in Red Hat Linux 7

Partition encryption technology in Red Hat Linux 7

1. Introduction to partition Encryption
The International Security Organization has adopted a solution to encrypt disk content because anti-virus software cannot guarantee higher security. Therefore, we adopt proactive security solutions in areas with high confidentiality levels, while partition encryption is one of them. Its encryption algorithm uses the most advanced encryption algorithms in the world, combining 256-bit hardware and software, in addition to passwords, a u-key is also required, and 256-bit data encryption is supported. Advanced Data Hiding Technology, 32-bit embedded microprocessor, and "true" random number generator are used, this ensures the security of partition encryption and the uniqueness of the key.

2. experiment environment and content
Environment: Red Hat Linux 7

Content: First split a partition, then encrypt it, And then store the file system. The advantage of this is that when the password fails to be cracked, the file content will be destroyed, this effectively protects our privacy content.

3. Specific operations
Because we are doing experiments, we should first create several new partitions,
1> RUN cat/proc/partitions to view
As follows:

[Root @ localhost Desktop] # cat/proc/partitions
Major minor # blocks name

253 0 10485760 vda
253 1 10484142 vda1
253 16 10485760 vdb
7 0 3655680 loop0
Next we will divide a new partition in/dev/vdb:
Run the command fdisk/dev/vdb and divide the following according to the prompts:
Use cat/proc/partitions to view
Obviously, our/dev/vdb1 has been divided successfully.

[Root @ localhost Desktop] # cat/proc/partitions
Major minor # blocks name

253 0 10485760 vda
253 1 10484142 vda1
253 16 10485760 vdb
253 17 1048576 vdb1
7 0 3655680 loop0
2> encrypt the newly created Partition
1:
Use the command cryptsetup luksFormat/dev/vdb1
Then, if the value is in uppercase or lowercase, it will not respond. I guess there should be a bug here.
Then enter the password, which must be greater than 8 characters long and cannot be too simple.

[Root @ localhost Desktop] # cryptsetup luksFormat/dev/vdb1

WARNING!
==========
This will overwrite data on/dev/vdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
2:
Next, decrypt and use it:
First, use the command cryptsetup open/dev/vdb1 haha (this name can be obtained at Will) for decryption.
Then enter your encrypted password:
Format the partition: mkfs. xfs/dev/mapper/haha
Mount/dev/mapper/haha/mnt in the next step. You can mount it as needed. This is my personal habit.
Run df to check whether the mounting is successful.

[Root @ localhost Desktop] # cryptsetup open/dev/vdb1 haha
Enter passphrase for/dev/vdb1:
[Root @ localhost Desktop] # mkfs. xfs/dev/mapper/
Control haha
[Root @ localhost Desktop] # mkfs. xfs/dev/mapper/haha
Meta-data =/dev/mapper/haha isize = 256 agcount = 4, agsize = 65408 blks
= Sectsz= 512 attr = 2, projid32bit = 1
= Crc = 0
Data = bsize = 4096 blocks = 261632, imaxpct = 25
= Sunit = 0 swidth = 0 blks
Naming = version 2 bsize = 4096 ascii-ci = 0 ftype = 0
Log = internal log bsize = 4096 blocks = 853, version = 2
= Sectsz= 512 sunit = 0 blks, lazy-count = 1
Realtime = none extsz = 4096 blocks = 0, rtextents = 0
[Root @ localhost Desktop] # mount/dev/mapper/haha/mnt
[Root @ localhost Desktop] # df
Filesystem 1K-blocks Used Available Use % Mounted on
/Dev/vda1 10473900 7014964 3458936 67%/
Devtmpfs 927072 0 927072 0%/dev
Tmpfs 942660 80 942580 1%/dev/shm
Tmpfs 942660 17024 925636 2%/run
Tmpfs 942660 0 942660 0%/sys/fs/cgroup
/Dev/loop0 3654720 3654720 0 100%/var/www/html/pub
/Dev/mapper/haha 1043116 32928 1010188 4%/mnt
3:
Now we can operate on this encrypted partition. For example, you can create some files.
Then uninstall it.
Disable device encryption. Remember to uninstall the device before it is disabled.
Then there will be nothing in/mnt

[Root @ localhost mnt] # touch file {1 .. 10}
[Root @ localhost mnt] # ls
File1 file10 file2 file3 file4 file5 file6 file7 file8 file9
[Root @ localhost/] # umount/mnt
[Root @ localhost/] # cryptsetup close/dev/mapper/haha
[Root @ localhost/] # cd/mnt
[Root @ localhost mnt] # ls

4:
If you want to open the previous confidential device
Cryptsetup open/dev/vdb1 heihei decryption
Mount/dev/mapper/heihei/mnt mount
Ls View

[Root @ localhost mnt] # cryptsetup open/dev/vdb1 heihei
Enter passphrase for/dev/vdb1:
[Root @ localhost mnt] # cd ..
[Root @ localhost/] # mount/dev/m
Mapper/mcelog mem mqueue/
[Root @ localhost/] # mount/dev/mapper/heihei/mnt
[Root @ localhost/] # cd/mnt
[Root @ localhost mnt] # ls
File1 file10 file2 file3 file4 file5 file6 file7 file8 file9
[Root @ localhost mnt] #
5:
If the files are still formatted after decryption, the files created earlier will no longer be formatted (you can understand the format, just like a brand new one)

Iv. Additional content, automatic mounting upon startup (of course, this is not necessary. It is only for reference here, and this method is also available)

If you are interested in the following operations, I have succeeded in the actual operation. Because the necessity is not great, only the text form is provided.
You can understand the following operations if you have a linux foundation. It is straightforward enough. If you do not understand it, please leave a message...

Vim/etc/crypttab command is used to set boot decryption
Such as heihei/dev/vdb1/root/passwd.

Vim/etc/fstab automatically mount the encryption device upon startup
/Dev/mapper/heihei/mnt xfs defaults 0 0

The vim/root/passwd system automatically reads the password record file.
Write the decryption password, for example, 2015 haha.

Cryptsetup luksAddKey/dev/vdb1/root/passwd associate the password record file with the device
Enter any passphrase: Enter the password, for example, 2015 haha.

Then you can start again.

This article permanently updates link: http://www.bkjia.com/Linux/2016-03/129282tm