Redhat6.0 分区加密

lmwtzw6u5l0

Redhat6.0  分区加密

[root@honghaitao ~]# uname -r
2.6.32-71.el6.i686


一、新建一个分区/dev/sda6
[root@honghaitao ~]# fdisk -l /dev/sda

Disk /dev/sda: 21.5 GB, 21474836480 bytes
255 heads, 63 sectors/track, 2610 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0003458d

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1        1275    10240000   83  Linux
/dev/sda2            1275        1658     3072000   83  Linux
/dev/sda3            1658        1913     2048000   83  Linux
/dev/sda4            1913        2611     5610496    5  Extended
/dev/sda5            1913        2044     1048576   82  Linux swap / Solaris

[root@honghaitao ~]# fdisk /dev/sda

WARNING: DOS-compatible mode is deprecated. It's strongly recommended to
         switch off the mode (command 'c') and change display units to
         sectors (command 'u').

Command (m for help): m
Command action
   a   toggle a bootable flag
   b   edit bsd disklabel
   c   toggle the dos compatibility flag
   d   delete a partition
   l   list known partition types
   m   print this menu
   n   add a new partition
   o   create a new empty DOS partition table
   p   print the partition table
   q   quit without saving changes
   s   create a new empty Sun disklabel
   t   change a partition's system id
   u   change display/entry units
   v   verify the partition table
   w   write table to disk and exit
   x   extra functionality (experts only)

Command (m for help): n
First cylinder (2044-2611, default 2044):
Using default value 2044
Last cylinder, +cylinders or +size{K,M,G} (2044-2611, default 2611): +50M

Command (m for help): p

Disk /dev/sda: 21.5 GB, 21474836480 bytes
255 heads, 63 sectors/track, 2610 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0003458d

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1        1275    10240000   83  Linux
/dev/sda2            1275        1658     3072000   83  Linux
/dev/sda3            1658        1913     2048000   83  Linux
/dev/sda4            1913        2611     5610496    5  Extended
/dev/sda5            1913        2044     1048576   82  Linux swap / Solaris
/dev/sda6            2044        2050       54945+  83  Linux

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.

WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table. The new table will be used at
the next reboot or after you run partprobe(8) or kpartx(8)
Syncing disks.
[root@honghaitao ~]# partprobe



二、分区加密

1、对新分区进行加密，并设置密码：
[root@honghaitao ~]# cryptsetup luksFormat /dev/sda6

WARNING!
========
This will overwrite data on /dev/sda6 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:


2、这个时候我们的分区已经被加密，我们要使用必须先解密
[root@honghaitao ~]# cryptsetup luksOpen /dev/sda6 tt
Enter passphrase for /dev/sda6:
[root@honghaitao ~]# ll /dev/mapper/tt
lrwxrwxrwx. 1 root root 7 Sep 21 05:16 /dev/mapper/tt -> ../dm-1
这里通过luksOpen来进行解密 后面‘tt’可以写随意的名字，然后会将加密卷/dev/vda6解锁为/dev/mapper/tt


3、解密的卷进行格式化

[root@honghaitao ~]# mkfs.ext4 /dev/mapper/tt
mke2fs 1.41.12 (17-May-2010)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
3184 inodes, 12732 blocks
636 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=13107200
2 block groups
8192 blocks per group, 8192 fragments per group
1592 inodes per group
Superblock backups stored on blocks:
        8193

Writing inode tables: done                           
Creating journal (1024 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 29 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

4、把分区挂载到我们的系统上
-----在/mnt 下建立目录/data
[root@honghaitao mnt]# mkdir data
[root@honghaitao mnt]# ls
Data

-----将分区挂载到/data目录中
[root@honghaitao mnt]# mount /dev/mapper/tt   /mnt/data/

5、复制文件
[root@honghaitao mnt]# cp -r /etc/  /mnt/data/
  (由于分区太小，复制的过程中会报错)
[root@honghaitao ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda1             9.7G  419M  8.8G   5% /
tmpfs                 504M   88K  504M   1% /dev/shm
/dev/sda3             2.0G   36M  1.8G   2% /home
/dev/sda2             2.9G  2.0G  826M  71% /usr
/dev/mapper/tt         13M   13M     0 100% /mnt/data



[root@honghaitao mnt]# blkid
/dev/sda1: UUID="63a6cc5c-0700-416b-b7a4-6b18a1700d6c" TYPE="ext4"
/dev/sda2: UUID="16178a07-5a60-4ac2-b467-4bc92fc750e8" TYPE="ext4"
/dev/sda3: UUID="0f428181-bcb7-4167-a3ad-7e9ed3a1ac1c" TYPE="ext4"
/dev/sda5: UUID="a62d24e8-6700-4d31-90e4-87a9930d20b5" TYPE="swap"
/dev/sda6: UUID="4983206d-9a9d-4b3e-a5b6-fa030c515645" TYPE="crypto_LUKS"
/dev/mapper/tt: UUID="c628b5ae-5680-441e-88dc-b49e542073ef" TYPE="ext4"


三、设置为开机启动，开机提示输入密码：

1、  添加条目到/etc/fstab，确保在下次启动生效：

UUID="c628b5ae-5680-441e-88dc-b49e542073ef"     /mnt/data       ext4    defaults        0 0

2、  添加条目到/etc/crypttab中，确保下次启动的时候提示输入密码

data    UUID="4983206d-9a9d-4b3e-a5b6-fa030c515645"

下次启动的时候会出现下图，提示输入密码
   不输密码，系统都不能进，疼。。。



不用的时候可以先卸载再锁住，这样数据就能保护起来：
卸载：
[root@honghaitao ~]# umount /dev/mapper/tt
[root@honghaitao ~]# cryptsetup luksClose tt

如果下次先再用，就重复luksOpen就可以了：

[root@honghaitao ~]# cryptsetup luksOpen /dev/sda6 tt

[root@honghaitao ~]# mount /dev/mapper/tt

OK！