RHEL6 学习:使用 Cryptsetup 给分区加密

今天学习了 RHEL 对硬盘分区加密的知识,在 RHEL 系统里可以通过使用 cryptsetup 工具对硬盘分区进行加密,加密后的分区需要输入密码才能打开,可以把比较敏感的文件放在指定分区中,并启用加密,从而增强了文件的安全性,下面演示下。

Cryptsetup 给分区加密

1.1 增加分区

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
[root@redhatB ~]# fdisk -cu /dev/sdc
Command (m for help): p
Disk /dev/sdc: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders, total 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0xb097ae92
Device Boot Start End Blocks Id System
/dev/sdc1 63 4209029 2104483+ 8e Linux LVM
/dev/sdc2 4209030 8418059 2104515 8e Linux LVM
/dev/sdc3 8418060 12627089 2104515 8e Linux LVM
/dev/sdc4 12627090 20964824 4168867+ 5 Extended
/dev/sdc5 12627153 14747669 1060258+ 8e Linux LVM
/dev/sdc6 14747733 16868249 1060258+ 8e Linux LVM
Command (m for help): n
First sector (16870298-20964824, default 16870298):
Using default value 16870298
Last sector, +sectors or +size{K,M,G} (16870298-20964824, default 20964824): +1G
Command (m for help): p
Disk /dev/sdc: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders, total 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0xb097ae92
Device Boot Start End Blocks Id System
/dev/sdc1 63 4209029 2104483+ 8e Linux LVM
/dev/sdc2 4209030 8418059 2104515 8e Linux LVM
/dev/sdc3 8418060 12627089 2104515 8e Linux LVM
/dev/sdc4 12627090 20964824 4168867+ 5 Extended
/dev/sdc5 12627153 14747669 1060258+ 8e Linux LVM
/dev/sdc6 14747733 16868249 1060258+ 8e Linux LVM
/dev/sdc7 16870298 18967449 1048576 83 Linux
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table. The new table will be used at
the next reboot or after you run partprobe(8) or kpartx(8)
Syncing disks.

备注:上例增加了分区 /dev/sdc7,大小为 1 GB。

1.2 刷新kernel

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
[root@redhatB ~]# partx -a /dev/sdc  
BLKPG: Device or resource busy
error adding partition 1
BLKPG: Device or resource busy
error adding partition 2
BLKPG: Device or resource busy
error adding partition 3
BLKPG: Device or resource busy
error adding partition 4
BLKPG: Device or resource busy
error adding partition 5
BLKPG: Device or resource busy
error adding partition 6
[root@redhatB ~]# ll /dev/sdc*
brw-rw----. 1 root disk 8, 32 Jul 29 20:00 /dev/sdc
brw-rw----. 1 root disk 8, 33 Jul 22 20:51 /dev/sdc1
brw-rw----. 1 root disk 8, 34 Jul 22 20:51 /dev/sdc2
brw-rw----. 1 root disk 8, 35 Jul 22 20:51 /dev/sdc3
brw-rw----. 1 root disk 8, 36 Jul 22 20:51 /dev/sdc4
brw-rw----. 1 root disk 8, 37 Jul 22 20:51 /dev/sdc5
brw-rw----. 1 root disk 8, 38 Jul 22 20:51 /dev/sdc6
brw-rw----. 1 root disk 8, 39 Jul 29 20:01 /dev/sdc7

备注:使用命令 partx 刷新 kernel,使系统能读到新增分区 /dev/sdc7。

1.3 对分区进行加密,并设置密码

1
2
3
4
5
6
7
[root@redhatB ~]# cryptsetup luksFormat /dev/sdc7
WARNING!
========
This will overwrite data on /dev/sdc7 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:

备注:关于 cryptsetup 命令的用法,可以 man 下,这里关键选项”luksFormat”,注意大小写。

1.4 输入密码,打开分区

1
2
3
4
5
6
7
[root@redhatB ~]# cryptsetup luksOpen /dev/sdc7 secret  
Enter passphrase for /dev/sdc7:
No key available with this passphrase.
Enter passphrase for /dev/sdc7:
You have new mail in /var/spool/mail/root
[root@redhatB ~]# ll /dev/mapper/secret
lrwxrwxrwx. 1 root root 7 Jul 29 20:06 /dev/mapper/secret -> ../dm-3

备注:成功打开分区后,将分区映射成 /dev/mapper/secret,这里关键选项”luksOpen”,注意大小写。

1.5 格式化分区

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
[root@redhatB ~]# mke2fs -t ext4 /dev/mapper/secret  
mke2fs 1.41.12 (17-May-2010)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
65408 inodes, 261632 blocks
13081 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=268435456
8 block groups
32768 blocks per group, 32768 fragments per group
8176 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 31 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.

1.6 挂载

1
2
3
4
5
6
7
8
9
10
11
12
[root@redhatB ~]# mkdir -p /mnt/secret  
[root@redhatB ~]# mount -t ext4 /dev/mapper/secret /mnt/secret/
[root@redhatB ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_redhatb-lv_root
9.9G 3.6G 5.9G 38% /
tmpfs 250M 264K 250M 1% /dev/shm
/dev/sda1 485M 31M 429M 7% /boot
/dev/sdb 9.9G 330M 9.1G 4% /pgdata_xc
/dev/mapper/vg1-pgdata1
1008M 34M 924M 4% /database/pgdata1
/dev/mapper/secret 1006M 18M 938M 2% /mnt/secret

备注:/mnt/secret 目录挂载成功。

1.7 写入文件测试

1
2
3
4
[root@redhatB ~]# cd /mnt/secret  
[root@redhatB secret]# history > history.txt
[root@redhatB secret]# ls
history.txt lost+found

1.8 查看加密分区映射对应的分区。

1
2
3
4
5
6
7
8
9
[root@redhatB mnt]# cryptsetup status secret  
/dev/mapper/secret is active and is in use.
type: LUKS1
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/sdc7
offset: 4096 sectors
size: 2093056 sectors
mode: read/write

使用 Cryptsetup 关闭分区

2.1 umount

1
2
3
[root@redhatB ~]# umount /mnt/secret  
[root@redhatB ~]# ll /dev/mapper/secret
lrwxrwxrwx. 1 root root 7 Jul 29 20:06 /dev/mapper/secret -> ../dm-3

2.2 关闭分区

1
2
3
[root@redhatB ~]# cryptsetup luksClose /dev/mapper/secret[root@redhatB ~]# ll /dev/mapper/secret
[root@redhatB ~]# ll /dev/mapper/secret
ls: cannot access /dev/mapper/secret: No such file or directory

备注:这步可以理解成删除之前映射的分区 /dev/mapper/secret,这里选项关键字”luksClose”,注意大小写;关闭分区后,之前映射在文件 /dev/mapper/secret 已经不存在了。

总结

本文演示了RHEL 对硬盘分区进行加密,mount,并且 umount 的过程,其中还可以设定密码文件实现开机自动 mount, 这里不演示了。

最后推荐和张文升共同编写的《PostgreSQL实战》,本书基于PostgreSQL 10 编写,共18章,重点介绍SQL高级特性、并行查询、分区表、物理复制、逻辑复制、备份恢复、高可用、性能优化、PostGIS等,涵盖大量实战用例!

购买链接:https://item.jd.com/12405774.html

PostgreSQL实战
感谢支持!
0%