"Linux disk encryption"-ны өөр хувилбарууд

Дусал нэвтэрхий толь-с
(Хуудас үүсгэв: "1. 2. Create the key file in the unencrypted /boot partition # dd if=/dev/urandom of=/boot/keyfile bs=1024 count=4 or # dd bs=256 count=1 if=/dev/random | base64 >...")
Revision as of 19:58, 24 October 2020

1.

2. Create the key file in the unencrypted /boot partition

# dd if=/dev/urandom of=/boot/keyfile bs=1024 count=4
or # dd bs=256 count=1 if=/dev/random | base64 > keyfile

3. Set permissions

# chmod 0400 /boot/keyfile

Encrypt the disk using LUKS

We’re now ready to get to the fun part, and encrypt the disk or partition.

To start, check the name of the disk you want to use, using lsblk:

$ lsblk
NAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda       8:0    0   30G  0 disk
├─sda1    8:1    0 29.9G  0 part /
├─sda14   8:14   0    4M  0 part
└─sda15   8:15   0  106M  0 part /boot/efi
sdb       8:16   0    4G  0 disk
└─sdb1    8:17   0    4G  0 part /mnt
sdc       8:32   0   32G  0 disk


In this example, I’m going to use the sdc disk. This is likely going to be different for you, so make sure you replace the disk name in all the commands below.

   Watch out! The commands below will delete all files on the drive you select.

Before we start, install the cryptsetup utility:

# Debian, Ubuntu, Raspbian…
apt install -y cryptsetup

# CentOS, Fedora, RedHat
yum install -y cryptsetup-luks

First, if your disk doesn’t have a partition yet (like mine), create a GPT partition table and a partition (without formatting it):

# Replace sdc with the drive you want to use
parted /dev/sdc mklabel gpt
parted -a opt /dev/sdc mkpart datadisk ext4 0% 100%

Encrypt the sdc1 partition using LUKS, create an ext4 volume in that partition, and then close the encrypted volume. In all commands that require a keyfile, we’re invoking the /etc/luks/key.sh script that we created before, and telling cryptsetup to read the keyfile from stdin.

# Encrypt the disk
# Replace sdc1 with the correct partition!
/etc/luks/key.sh | cryptsetup -d - -v luksFormat /dev/sdc1

# Open the encrypted volume, with the name "data"
# Replace sdc1 with the correct partition!
/etc/luks/key.sh | cryptsetup -d - -v luksOpen /dev/sdc1 data

# Create a filesystem on the encrypted volume
mkfs.ext4 -F /dev/mapper/data

# Close the encrypted volume
cryptsetup -v luksClose data

4. Add the new file as unlock key to the encrypted volume

# cryptsetup -v luksAddKey /dev/sda5 /boot/keyfile
Enter any passphrase:

Enter your old/existing passphrase here. Expected output:

Key slot 0 unlocked.
Command successful.

Note: The device names may vary depending on the hypervisor: XenServer would assign "xvda", Proxmox would assign "vda", while VMware would stick to "sda".

5. Find the UUID of /dev/sda1

# ls -l /dev/disk/by-uuid/

6. Edit /etc/crypttab

Edit the contents of file /etc/crypttab (use the UUID of /dev/sda1 from the previous step)

# vi /etc/crypttab

Its contents should be:

sda5_crypt UUID=9b7200b5-0e0a-447a-93a8-7eb8f1f4a1ee none luks

(The UUID may be different)

The changes we'll be making:

   Replace the 3rd parameter (none) with /dev/disk/by-uuid/<uuid>:/keyfile, using the UUID of sda1
   Replace the 4th parameter (luks) with luks,keyscript=/lib/cryptsetup/scripts/passdev

The final result:

sda5_crypt UUID=9b7200b5-0e0a-447a-93a8-7eb8f1f4a1ee /dev/disk/by-uuid/2a5e9b7f-2128-4a50-83b6-d1c285410145:/keyfile luks,keyscript=/lib/cryptsetup/scripts/passdev

In this case the UUID of our /dev/sda1 was 2a5e9b7f....

If you run into any issues with file permissions, run:

# chmod 0777 /etc/crypttab

After editing, run the following to reset the permissions:

# chmod 0440 /etc/crypttab

7. Generate a new initramfs disk

# mkinitramfs -o /boot/initrd.img-4.9.0-7-amd64 \
    4.9.0-7-amd64

(Make sure 4.9.0-7 is your version, as on step 1)
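Before rebooting, it is worth confirming that the crypttab entry from step 6 is well-formed and that everything passdev will need at boot actually resolves. The script below is an added example, not part of the original page or the linked article: unlock_mode parses a crypttab line offline, and precheck runs the live checks (it assumes root, cryptsetup, util-linux findmnt/stat, and Debian's initramfs-tools lsinitramfs, matching the mkinitramfs step above). The sample lines are constructed to match the layout used on this page.

```shell
#!/bin/sh
# Constructed sample /etc/crypttab lines (same layout as on this page; UUIDs are made up)
SAMPLE_BEFORE='sda5_crypt UUID=9b7200b5-0e0a-447a-93a8-7eb8f1f4a1ee none luks'
SAMPLE_AFTER='sda5_crypt UUID=9b7200b5-0e0a-447a-93a8-7eb8f1f4a1ee /dev/disk/by-uuid/2a5e9b7f-2128-4a50-83b6-d1c285410145:/keyfile luks,keyscript=/lib/cryptsetup/scripts/passdev'

# field LINE N: print the Nth whitespace-separated crypttab field
field() { printf '%s\n' "$1" | awk -v n="$2" '{ print $n }'; }

# keydev LINE / keypath LINE: split the passdev "device:path" key spec (field 3)
keydev()  { k=$(field "$1" 3); case "$k" in *:*) printf '%s\n' "${k%%:*}";; *) echo;; esac; }
keypath() { k=$(field "$1" 3); case "$k" in *:*) printf '%s\n' "${k#*:}";;  *) echo;; esac; }

# unlock_mode LINE: classify the entry as passphrase | passdev | keyfile | invalid
unlock_mode() {
  [ "$(printf '%s\n' "$1" | awk '{ print NF }')" -eq 4 ] || { echo invalid; return 0; }
  k=$(field "$1" 3); o=$(field "$1" 4)
  if [ "$k" = none ]; then echo passphrase; return 0; fi
  case ",$o," in
    *,keyscript=/lib/cryptsetup/scripts/passdev,*)
      # passdev expects "<block device>:<absolute path on that device>"
      case "$k" in /dev/*:/*) echo passdev;; *) echo invalid;; esac ;;
    *) echo keyfile ;;   # plain path: key read from the root fs, no keyscript involved
  esac
}

# precheck LINE INITRD: live checks on the target machine (needs root); returns 0 when all pass
precheck() {
  [ "$(unlock_mode "$1")" = passdev ] || { echo "not a passdev entry"; return 1; }
  src=$(field "$1" 2); vol=/dev/disk/by-uuid/${src#UUID=}
  cryptsetup isLuks "$vol" || { echo "$vol is not a LUKS device"; return 1; }
  dev=$(keydev "$1"); mnt=$(findmnt -n -o TARGET -S "$dev")
  [ -n "$mnt" ] || { echo "$dev is not mounted, cannot reach the keyfile"; return 1; }
  kf="$mnt$(keypath "$1")"
  [ -f "$kf" ] || { echo "$kf missing"; return 1; }
  [ "$(stat -c %a "$kf")" = 400 ] || echo "warning: $kf is not mode 0400"
  # Verify the keyfile really unlocks a key slot without activating the volume
  cryptsetup open --test-passphrase --key-file "$kf" "$vol" || { echo "keyfile rejected"; return 1; }
  # The keyscript must be inside the initramfs, otherwise boot stops at a passphrase prompt
  lsinitramfs "$2" | grep -q passdev || { echo "passdev not found in $2"; return 1; }
  echo "ok: $vol unlocks with $kf and $2 carries passdev"
}
```

Run precheck with the crypttab line and the initramfs built in step 7, e.g. `precheck "$(grep ^sda5_crypt /etc/crypttab)" /boot/initrd.img-4.9.0-7-amd64`.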

8. Cross your fingers and reboot

# reboot

Congratulations: You have effectively short-circuited the security of the encrypted drive. Be careful now!


https://withblue.ink/2020/01/19/auto-mounting-encrypted-drives-with-a-remote-key-on-linux.html