RHCE series: disk encryption ---- LUKS encryption

Source: Internet
Author: User

LUKS (Linux Unified Key Setup) provides a standard for Linux hard disk encryption. It works across different Linux distributions and supports multiple users/passphrases. Because the encryption key is independent of the passphrase, a lost or leaked passphrase does not force us to re-encrypt the whole disk: changing the passphrase in time is enough to regain security.

LUKS provides a standard disk-encryption format, which not only gives high compatibility but also provides a mechanism for managing the passphrases of multiple users.


On our operating system the tool used to encrypt disks is cryptsetup, and it is installed by default.

cryptsetup encrypts at the partition (block device) level, which is below the file system level: a file system is created on the encrypted block device and then mounted for use. Therefore, after a partition has been encrypted with cryptsetup, it cannot be mounted directly.

LUKS is also an encryption scheme built on the device mapper (DM) mechanism. To use an encrypted partition, it must first be mapped into the /dev/mapper directory; once the mapping exists, only this mapping can be mounted for use. While the mapping is being created, we also have to enter the passphrase of the encrypted partition.

Therefore, sensitive files are usually placed in encrypted partitions to enhance their security.



A brief summary of the cryptsetup encryption features:

1. The partition cannot be mounted directly after encryption.

2. After encryption, you do not need to worry about data theft if the hard disk is lost.

3. After encryption, the partition must be mapped before it can be mounted.



The following describes how to create and use encrypted partitions:


1. Use the fdisk tool to create a new partition.

Steps for partitioning with fdisk (omitted)!


2. For higher security, fill the device with random data from /dev/urandom first. Note that although this greatly improves the strength of the encryption (existing data and free space can no longer be told apart from the encrypted data), it has one disadvantage: it takes a long time.

# dd if=/dev/urandom of=/dev/sda6      # optional step


3. Use cryptsetup to encrypt the partition. This step prints a warning that the data on /dev/sda6 may be destroyed. If we are sure the partition or disk is clean, we confirm with YES; note that it must be typed in uppercase. Then enter the passphrase twice.

# cryptsetup luksFormat /dev/sda6
WARNING!
========
This will overwrite data on /dev/sda6 irrevocably.

Are you sure? (Type uppercase yes): YES     # type YES to confirm
Enter LUKS passphrase:                      # enter your encryption passphrase
Verify passphrase:                          # enter the passphrase again


4. Continue with cryptsetup to map the encrypted partition /dev/sda6. The mapping device file is placed in the /dev/mapper directory. This mapping step is mandatory: the encrypted partition cannot be used without it. During the mapping you are prompted for the passphrase set in the previous step.

# cryptsetup luksOpen /dev/sda6 nolinux     # enter the passphrase
Enter passphrase for /dev/sda6:
# ll /dev/mapper/nolinux                    # view the generated mapping device file
lrwxrwxrwx 1 root root 7 Jul 9 21:06 /dev/mapper/nolinux -> ../dm-0

Mapping is equivalent to opening the encrypted partition, so once the mapping is complete the encrypted partition is open. From then on, operating on the mapped device file is equivalent to operating on our encrypted partition.


5. Create a file system on the decrypted mapping device (ext4 is used here).

# mkfs -t ext4 /dev/mapper/nolinux
mke2fs 1.41.12 (17-May-2010)
...
This filesystem will be automatically checked every 27 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.


6. Mount the decrypted file system from the mapped device.

# mkdir /nolinux                        # create a mount point
# mount /dev/mapper/nolinux /nolinux    # mount the encrypted partition


7. Perform a file read/write test on the mounted partition.

# echo redhat > /nolinux/test
# cat /nolinux/test
redhat
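The seven creation steps and the two close steps that follow, scripted end to end as an added example (this is not the article's own code). It assumes cryptsetup is installed and the script runs as root; unlike the article, the passphrase is fed on stdin through --key-file=- instead of being typed at the prompts, and --batch-mode stands in for typing the uppercase YES. With DRY_RUN=1 every command is printed instead of executed, so the sequence can be reviewed before it touches a disk. luks_demo_loop (image path and size are assumptions) backs the "partition" with a loop device for rehearsal on a machine without a spare partition.

```shell
#!/bin/sh
# Added example: the article's create/close procedure for a LUKS partition,
# parameterised and scripted. Run as root; DRY_RUN=1 prints commands only.

run() {
    # Execute a command, or just print it when DRY_RUN=1.
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# luks_demo_loop IMAGE SIZE_MB  (rehearsal only)
# Creates an image file and attaches it to a loop device; prints the device.
# Detach later with: losetup -d /dev/loopN
luks_demo_loop() {
    dd if=/dev/zero of="$1" bs=1M count="$2" 2>/dev/null
    losetup -f --show "$1"
}

# luks_demo_create DEVICE NAME MOUNTPOINT PASSPHRASE
#   DEVICE      partition to encrypt (the article uses /dev/sda6)
#   NAME        mapping name; the mapping appears as /dev/mapper/NAME
#   MOUNTPOINT  directory the decrypted file system is mounted on
luks_demo_create() {
    dev=$1; name=$2; mnt=$3; pass=$4

    # Step 2 (optional, slow): overwrite the partition with random data.
    if [ "${WIPE:-0}" = 1 ]; then
        run dd if=/dev/urandom of="$dev" bs=1M
    fi

    # Step 3: format. --batch-mode answers the YES prompt; --key-file=-
    # reads the passphrase bytes from stdin instead of the terminal.
    printf '%s' "$pass" | run cryptsetup --batch-mode --key-file=- luksFormat "$dev"

    # Step 4: open (map) the partition as /dev/mapper/NAME.
    printf '%s' "$pass" | run cryptsetup --key-file=- luksOpen "$dev" "$name"

    # Step 5: the file system goes on the mapping, never on the raw partition.
    run mkfs -t ext4 "/dev/mapper/$name"

    # Step 6: mount the mapping.
    run mkdir -p "$mnt"
    run mount "/dev/mapper/$name" "$mnt"

    # Step 7: read/write test.
    run sh -c "echo redhat > '$mnt/test'"
    run cat "$mnt/test"
}

# luks_demo_close NAME MOUNTPOINT: the two steps that put the partition away.
luks_demo_close() {
    run umount "$2"                    # close step 1: detach the mount point
    run cryptsetup luksClose "$1"      # close step 2: remove the mapping
}

# Usage (as root):
#   DRY_RUN=1 sh luks-demo.sh /dev/sda6 nolinux /nolinux   # review the commands
#   sh luks-demo.sh /dev/sda6 nolinux /nolinux             # run them
# Afterwards: luks_demo_close nolinux /nolinux
if [ $# -eq 3 ]; then
    printf 'Passphrase: '; stty -echo; read -r pass; stty echo; echo
    luks_demo_create "$1" "$2" "$3" "$pass"
fi
```

Because cryptsetup reads the key file byte for byte, the same printf without a trailing newline must be used for luksFormat and luksOpen; typing the passphrase at the interactive prompt later works as well, since the prompt strips the newline itself.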


The above is the complete process for creating a LUKS encrypted partition. Once it is in use, how do we close the encrypted partition again? See the following.


1. Unmount the mount point

# umount /nolinux


2. Close the decrypted mapping device file

# cryptsetup luksClose nolinux

Note: to access the encrypted partition again, repeat steps 4 and 6 of the creation procedure above.


OK! The preceding section described how to open and close the protection of an encrypted partition. If you use it often, you will want the encrypted partition to be mounted automatically when the system starts. How is this done?

We know that a LUKS-encrypted partition must be mapped, and that the mapping requires a passphrase.

LUKS provides a solution for this by default; refer to the following operations:


Permanently mount encrypted partitions

1. Use cryptsetup to map the encrypted partition

# cryptsetup luksOpen /dev/sda6 nolinux     # enter the passphrase
Enter passphrase for /dev/sda6:
# ll /dev/mapper/nolinux                    # view the generated mapping device file
lrwxrwxrwx 1 root root 7 Jul 9 37:06 /dev/mapper/nolinux -> ../dm-0


2. The file /etc/crypttab is responsible for setting up the mappings of encrypted partitions through cryptsetup, together with their key files. Therefore we need to add an entry to /etc/crypttab.

# echo 'nolinux /dev/sda6 /root/passwd' > /etc/crypttab    # mapping name, device and key-file path (use >> if the file already has entries)
# cat /etc/crypttab
nolinux /dev/sda6 /root/passwd


3. Create the key file

There are two ways to create the key file. One is to put the passphrase directly into the key file named in /etc/crypttab; the other is to use the system's random device /dev/random to generate a 4 KB random key file. Note that a single dd read from /dev/random can return a short block: the output below shows that only 128 bytes were written, not 4096, so check the size of the resulting file.

# echo RedHat > /root/passwd
or
# dd if=/dev/random of=/root/passwd bs=4096 count=1
0+1 records in
0+1 records out
128 bytes (128 B) copied, 0.000712986 s, 180 kB/s


4. Use cryptsetup to add the key file as an additional LUKS key for the encrypted partition. Note: this step prompts you for an existing passphrase of the encrypted partition!

# cryptsetup luksAddKey /dev/sda6 /root/passwd
Enter any passphrase:                       # enter the existing passphrase


5. Add a permanent mount entry to /etc/fstab.

# echo '/dev/mapper/nolinux /nolinux ext4 defaults,_netdev 0 0' >> /etc/fstab
# tail -1 /etc/fstab
/dev/mapper/nolinux /nolinux ext4 defaults,_netdev 0 0


Note: the mount option _netdev is used here so that a failure of this device cannot prevent the whole system from starting. With _netdev, if the encrypted partition cannot be mounted, the start-up of the rest of the system is not affected.


6. Mount

# mount -a             # the entry is already in /etc/fstab, so mount -a is enough
# df -h | tail -1
/dev/mapper/nolinux    95M  5.6M   85M   7% /nolinux


Of course, you can also directly restart your computer to test the automatic mounting function!
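A check of the three pieces the auto-mount procedure above depends on, as an added example that is not part of the original article: each /etc/crypttab entry, the key file it names, and the matching /etc/fstab entry. It reads files only, so it can be run before the reboot test. The key file stands in for the passphrase, so it is reported when it is owned by someone other than root, readable by group or others, or shorter than MIN_BYTES (default 32, which also catches the 128-byte result of a short /dev/random read and a short echoed passphrase). The fstab check accepts either _netdev, which the article uses, or nofail, the mount option whose documented purpose is to keep a failed mount from blocking boot. The file paths are parameters, and build_sample writes constructed copies of the article's entries into a directory of your choice; GNU stat and awk are assumed, and EXPECT_OWNER overrides the expected owner for rehearsals as a non-root user.

```shell
#!/bin/sh
# Added example: consistency and permission check for crypttab, key file and
# fstab. Usage: sh check-luks-automount.sh /etc/crypttab /etc/fstab

# check_keyfile FILE [MIN_BYTES]
check_keyfile() {
    f=$1; min=${2:-32}; rc=0
    want_owner=${EXPECT_OWNER:-root}
    [ -f "$f" ] || { echo "keyfile $f: missing"; return 1; }
    mode=$(stat -c %a "$f")        # GNU stat: octal permission bits
    owner=$(stat -c %U "$f")
    size=$(stat -c %s "$f")
    [ "$owner" = "$want_owner" ] || { echo "keyfile $f: owned by $owner, not $want_owner"; rc=1; }
    case "$mode" in
        [0-7]00) ;;                # only the owner has any access (e.g. 600, 400)
        *) echo "keyfile $f: mode $mode is accessible to group/other"; rc=1 ;;
    esac
    [ "$size" -ge "$min" ] || { echo "keyfile $f: only $size bytes (wanted >= $min)"; rc=1; }
    return $rc
}

# check_crypttab CRYPTTAB FSTAB
# Each crypttab line is "name device keyfile [options]". The key file must
# pass check_keyfile, and fstab must mount /dev/mapper/name with _netdev or
# nofail so that a mapping that fails at boot does not block start-up.
check_crypttab() {
    crypttab=$1; fstab=$2; rc=0
    while read -r name device keyfile options; do
        case "$name" in ''|\#*) continue ;; esac     # skip blanks and comments
        if [ -z "$keyfile" ] || [ "$keyfile" = none ]; then
            echo "$name: no key file, passphrase will be asked for at boot"
        else
            check_keyfile "$keyfile" || rc=1
        fi
        mapped="/dev/mapper/$name"
        fsline=$(awk -v d="$mapped" '$1 == d' "$fstab")
        if [ -z "$fsline" ]; then
            echo "$name: no fstab entry for $mapped"; rc=1; continue
        fi
        opts=$(printf '%s\n' "$fsline" | awk '{print $4}')
        case ",$opts," in
            *,_netdev,*|*,nofail,*) ;;
            *) echo "$name: fstab options '$opts' lack _netdev or nofail"; rc=1 ;;
        esac
    done < "$crypttab"
    return $rc
}

# build_sample DIR: constructed copies of the article's entries for rehearsal,
# with a 4 KiB key file instead of the article's short one.
build_sample() {
    dir=$1
    mkdir -p "$dir"
    printf 'nolinux /dev/sda6 %s/passwd\n' "$dir" > "$dir/crypttab"
    printf '/dev/mapper/nolinux /nolinux ext4 defaults,_netdev 0 0\n' > "$dir/fstab"
    head -c 4096 /dev/urandom > "$dir/passwd"
    chmod 600 "$dir/passwd"
}

if [ $# -eq 2 ]; then
    check_crypttab "$1" "$2" && echo "ok"
fi
```

On the article's system the key file lives under /root, so the owner and mode checks are the ones that matter most: the file unlocks the partition without any passphrase, and anyone who can read it can open the mapping.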


Supplement: to view the status of a LUKS encrypted disk, the following command can be used while the encrypted partition is open (that is, while a mapping exists):

# cryptsetup status /dev/mapper/nolinux
/dev/mapper/nolinux is active and is in use.
  type:    LUKS1
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/sda6
  offset:  4096 sectors
  size:    200704 sectors
  mode:    read/write


The above covers LUKS encryption. I hope it helps you!


This article is from the Not Only Linux blog; please keep this source: http://nolinux.blog.51cto.com/4824967/1436460
