Differences between revisions of "Linux disk encryption"
Revision as of 19:58, 24 October 2020
1.
2. Create the key file in the unencrypted /boot partition
# dd if=/dev/urandom of=/boot/keyfile bs=1024 count=4
or
# dd bs=256 count=1 if=/dev/random | base64 > keyfile
3. Set permissions
# chmod 0400 /boot/keyfile
Encrypt the disk using LUKS
We’re now ready to get to the fun part, and encrypt the disk or partition.
To start, check the name of the disk you want to use, using lsblk:
$ lsblk
NAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda       8:0    0   30G  0 disk
├─sda1    8:1    0 29.9G  0 part /
├─sda14   8:14   0    4M  0 part
└─sda15   8:15   0  106M  0 part /boot/efi
sdb       8:16   0    4G  0 disk
└─sdb1    8:17   0    4G  0 part /mnt
sdc       8:32   0   32G  0 disk
In this example, I’m going to use the sdc disk. This is likely going to be different for you, so make sure you replace the disk name in all the commands below.
Watch out! The commands below will delete all files on the drive you select.
Before we start, install the cryptsetup utility:
# Debian, Ubuntu, Raspbian…
apt install -y cryptsetup
# CentOS, Fedora, RedHat
yum install -y cryptsetup-luks
First, if your disk doesn’t have a partition yet (like mine), create a GPT partition table and a partition (without formatting it):
# Replace sdc with the drive you want to use
parted /dev/sdc mklabel gpt
parted -a opt /dev/sdc mkpart datadisk ext4 0% 100%
Encrypt the sdc1 partition using LUKS, create an ext4 volume in that partition, and then close the encrypted volume. In all commands that require a keyfile, we’re invoking the /etc/luks/key.sh script that we created before, and telling cryptsetup to read the keyfile from stdin.
# Encrypt the disk
# Replace sdc1 with the correct partition!
/etc/luks/key.sh | cryptsetup -d - -v luksFormat /dev/sdc1
# Open the encrypted volume, with the name "data"
# Replace sdc1 with the correct partition!
/etc/luks/key.sh | cryptsetup -d - -v luksOpen /dev/sdc1 data
# Create a filesystem on the encrypted volume
mkfs.ext4 -F /dev/mapper/data
# Close the encrypted volume
cryptsetup -v luksClose data
4. Add the new file as unlock key to the encrypted volume
# cryptsetup -v luksAddKey /dev/sda5 /boot/keyfile
Enter any passphrase:
Enter your existing passphrase here. Expected output:
Key slot 0 unlocked.
Command successful.
Note: The device names may vary depending on the hypervisor: XenServer assigns "xvda", Proxmox assigns "vda", while VMware sticks to "sda".
5. Find the UUID of /dev/sda1
# ls -l /dev/disk/by-uuid/
6. Edit /etc/crypttab
Edit the file /etc/crypttab (you will need the UUID of /dev/sda1 from the previous step):
# vi /etc/crypttab
Its contents should be:
sda5_crypt UUID=9b7200b5-0e0a-447a-93a8-7eb8f1f4a1ee none luks
(The UUID may be different)
The changes we'll be making:
Replace the 3rd parameter (none) with /dev/disk/by-uuid/<uuid>:/keyfile, using the UUID of sda1
Replace the 4th parameter (luks) with luks,keyscript=/lib/cryptsetup/scripts/passdev
The final result:
sda5_crypt UUID=9b7200b5-0e0a-447a-93a8-7eb8f1f4a1ee /dev/disk/by-uuid/2a5e9b7f-2128-4a50-83b6-d1c285410145:/keyfile luks,keyscript=/lib/cryptsetup/scripts/passdev
In this case, the UUID of our /dev/sda1 was 2a5e9b7f....
If you run into any issues with file permissions, run:
# chmod 0777 /etc/crypttab
After editing, run the following to reset the permissions:
# chmod 0440 /etc/crypttab
7. Generate a new initramfs disk
# mkinitramfs -o /boot/initrd.img-4.9.0-7-amd64 \
    4.9.0-7-amd64
(Make sure 4.9.0-7 is your version, as on step 1)
8. Cross your fingers and reboot
# reboot
Congratulations: You have effectively short-circuited the security of the encrypted drive. Be careful now!
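A mistyped crypttab entry or a keyfile the initramfs cannot read leaves the machine at the boot-time passphrase prompt, so it is worth checking both before step 7. The script below is an added example, not part of the original page or the linked article: it builds the passdev-style line shown above, validates every entry of a crypttab file, and checks the keyfile's mode. It assumes GNU stat (for stat -c); the UUIDs and paths passed to it are the constructed values from the steps above.

```shell
#!/bin/sh
# Added example, not from the original page: pre-reboot checks for the
# passdev-style /etc/crypttab entry and the /boot keyfile described above.
# Assumes GNU stat (for "stat -c"); sample UUIDs and paths are constructed.

# Build the crypttab line: $1 mapping name, $2 UUID of the LUKS partition,
# $3 UUID of the unencrypted partition holding the keyfile, $4 keyfile path on it.
crypttab_entry() {
    printf '%s UUID=%s /dev/disk/by-uuid/%s:%s luks,keyscript=/lib/cryptsetup/scripts/passdev\n' \
        "$1" "$2" "$3" "$4"
}

# Validate one crypttab line of that form. Returns 0 if it has exactly four
# fields, a UUID= source, a /dev/disk/by-uuid/<uuid>:<path> key field and
# options that include both "luks" and the passdev keyscript; 1 otherwise.
check_crypttab_line() {
    set -- $1
    [ $# -eq 4 ] || return 1
    case "$2" in UUID=????????-????-????-????-????????????) ;; *) return 1 ;; esac
    case "$3" in /dev/disk/by-uuid/*:/*) ;; *) return 1 ;; esac
    case ",$4," in *,luks,*) ;; *) return 1 ;; esac
    case ",$4," in *,keyscript=/lib/cryptsetup/scripts/passdev,*) ;; *) return 1 ;; esac
    return 0
}

# Validate every non-blank, non-comment line of a crypttab file ($1).
# Reports offending lines on stderr and returns 1 if any were found.
check_crypttab_file() {
    rc=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        case "$entry" in ''|'#'*) continue ;; esac
        check_crypttab_line "$entry" || { printf 'bad entry: %s\n' "$entry" >&2; rc=1; }
    done < "$1"
    return "$rc"
}

# The keyfile ($1) must be a non-empty regular file with mode 0400, as set in step 3.
check_keyfile() {
    [ -f "$1" ] && [ -s "$1" ] || return 1
    [ "$(stat -c '%a' "$1")" = 400 ]
}
```

After editing, run check_crypttab_file /etc/crypttab and check_keyfile /boot/keyfile; both must return 0 before you regenerate the initramfs.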
https://withblue.ink/2020/01/19/auto-mounting-encrypted-drives-with-a-remote-key-on-linux.html