Weekly Talk (46): Testing Linux Disk Encryption

Preface

The Linux kernel provides a module, dm-crypt, that transparently encrypts device-mapper (mapped) devices. Cryptsetup is a user-space tool built on the dm-crypt kernel module for setting up disk encryption.
This article walks through the steps for encrypting a disk with that tool; it does not cover how the implementation works.

Environment Setup

Running cryptsetup requires the cryptsetup-bin package and a kernel with the dm_crypt module loaded and built with support for the ciphers you intend to use. Most Linux distributions ship the relevant modules already compiled.

apt install cryptsetup-bin

# Building the dm_crypt module when compiling your own kernel
make menuconfig

# Select > Device Drivers > Multiple devices driver support (RAID and LVM) > Crypt target support

# Use `dmsetup targets` to check whether dm_crypt is loaded

# If it is not, run `modprobe dm_crypt` to load it


root@keep-VirtualBox:~# dmsetup targets
striped v1.6.0
linear v1.4.0
error v1.5.0
root@keep-VirtualBox:~# modprobe dm_crypt
root@keep-VirtualBox:~# dmsetup targets
crypt v1.23.0
striped v1.6.0
linear v1.4.0
error v1.5.0

Creating an Encrypted Partition

# Store the passphrase in /testfile so it does not have to be typed interactively
echo -n 123456 >/testfile

# Create the encrypted partition with the aes-ecb cipher


root@keep-VirtualBox:~# cryptsetup -c aes-ecb -d /testfile -y luksFormat /dev/sdb1
WARNING: Device /dev/sdb1 already contains a 'ext4' superblock signature.

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
root@keep-VirtualBox:~#


# Set up the device mapping: /dev/sdb1 is mapped to /dev/mapper/loop200_disk
root@keep-VirtualBox:~# cryptsetup -d /testfile open /dev/sdb1 loop200_disk
root@keep-VirtualBox:~# ll /dev/mapper/
total 0
drwxr-xr-x 2 root root 80 3月 19 17:27 ./
drwxr-xr-x 19 root root 4220 3月 19 17:27 ../
crw------- 1 root root 10, 236 3月 19 17:00 control
lrwxrwxrwx 1 root root 7 3月 19 17:27 loop200_disk -> ../dm-0
root@keep-VirtualBox:~#


# The mapped device's details can be shown with the following command.

root@keep-VirtualBox:~# cryptsetup status loop200_disk
/dev/mapper/loop200_disk is active.
type: LUKS2
cipher: aes-ecb
keysize: 256 bits
key location: keyring
device: /dev/sdb1
sector size: 512
offset: 32768 sectors
size: 20936704 sectors
mode: read/write

# Create a filesystem and mount it

root@keep-VirtualBox:~# mkfs.ext4 /dev/mapper/loop200_disk # create an ext4 filesystem
mke2fs 1.45.5 (07-Jan-2020)
Creating filesystem with 2617088 4k blocks and 655360 inodes
Filesystem UUID: 14c88785-a680-4eb8-9807-22db87da8ce7
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632

Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done

root@keep-VirtualBox:~# mkdir -p /mnt/loop200_disk
root@keep-VirtualBox:~# mount /dev/mapper/loop200_disk /mnt/loop200_disk/
root@keep-VirtualBox:~#
root@keep-VirtualBox:~#
root@keep-VirtualBox:~# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
loop0 7:0 0 4K 1 loop /snap/bare/5
loop1 7:1 0 63.3M 1 loop /snap/core20/1822
loop2 7:2 0 248.8M 1 loop /snap/gnome-3-38-2004/99
loop3 7:3 0 63.3M 1 loop /snap/core20/1828
loop4 7:4 0 346.3M 1 loop /snap/gnome-3-38-2004/119
loop5 7:5 0 49.8M 1 loop /snap/snapd/17950
loop6 7:6 0 45.9M 1 loop /snap/snap-store/599
loop7 7:7 0 91.7M 1 loop /snap/gtk-common-themes/1535
loop8 7:8 0 49.9M 1 loop /snap/snapd/18357
loop9 7:9 0 46M 1 loop /snap/snap-store/638
loop10 7:10 0 65.2M 1 loop /snap/gtk-common-themes/1519
sda 8:0 0 100G 0 disk
├─sda1 8:1 0 512M 0 part /boot/efi
├─sda2 8:2 0 1K 0 part
└─sda5 8:5 0 99.5G 0 part /
sdb 8:16 0 10G 0 disk
└─sdb1 8:17 0 10G 0 part
└─loop200_disk 253:0 0 10G 0 crypt /mnt/loop200_disk
sr0 11:0 1 58.3M 0 rom
root@keep-VirtualBox:~#

That's it. From now on, data written to and read from /mnt/loop200_disk is encrypted and decrypted automatically.
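The walkthrough above formats the partition with aes-ecb. As an added check that is not part of the original post, the script below parses the `cryptsetup status` output shown earlier and flags settings a reviewer would question: ECB mode (equal plaintext sectors produce equal ciphertext, which cryptsetup's default aes-xts-plain64 avoids), a key shorter than 256 bits, or a mapping without a LUKS header. The `audit_mapping` helper and the sample text are this example's own, not cryptsetup's API.

```python
"""Audit a dm-crypt mapping from its `cryptsetup status` output."""
import subprocess

# Constructed sample: the `cryptsetup status loop200_disk` output shown above.
SAMPLE_STATUS = """\
/dev/mapper/loop200_disk is active.
  type:    LUKS2
  cipher:  aes-ecb
  keysize: 256 bits
  key location: keyring
  device:  /dev/sdb1
  sector size:  512
  offset:  32768 sectors
  size:    20936704 sectors
  mode:    read/write
"""


def parse_status(text: str) -> dict:
    """Turn the `key: value` lines of `cryptsetup status` into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def assess(fields: dict) -> list:
    """Return findings a reviewer would raise; an empty list means none."""
    findings = []
    cipher = fields.get("cipher", "")
    mode = cipher.split("-")[1] if "-" in cipher else ""  # e.g. ecb, xts, cbc
    if mode == "ecb":
        findings.append(f"{cipher}: ECB maps equal plaintext blocks to equal "
                        "ciphertext blocks; cryptsetup's default is aes-xts-plain64")
    keybits = int(fields.get("keysize", "0 bits").split()[0])
    if keybits < 256:
        findings.append(f"keysize {keybits} bits is below the 256-bit default")
    if not fields.get("type", "").startswith("LUKS"):
        findings.append(f"type {fields.get('type')!r}: no LUKS header, so no "
                        "key slots or PBKDF-protected passphrase")
    return findings


def audit_mapping(name: str) -> list:
    """Run `cryptsetup status <name>` (needs root) and assess the live mapping."""
    out = subprocess.run(["cryptsetup", "status", name],
                         capture_output=True, text=True, check=True).stdout
    return assess(parse_status(out))
```

On a live system, `audit_mapping("loop200_disk")` runs the same check against the real mapping; offline, `assess(parse_status(SAMPLE_STATUS))` reproduces the ECB finding for the output above.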

More

I have been fairly busy lately. I started managing a small team, and many things now have to go through me, so time gradually feels like it is never enough. I suppose it will get better once I am used to it.


Act, and you won't be left reacting!

Feel free to follow my personal WeChat official account (WeChat -> Search -> fishmwei) to get in touch.

Blog: https://fishmwei.github.io

Juejin profile: https://juejin.cn/user/2084329776486919