[cipher][archlinux][disk encryption][btrfs] Disk partition encryption + btrfs

Background reading: https://wiki.archlinux.org/index.php/Disk_encryption

The link above covers several approaches to disk encryption; in practice the choice comes down to dm-crypt with LUKS.

GRUB can unlock the root partition as well as the /boot partition.

dm-crypt documentation: https://wiki.archlinux.org/index.php/Dm-crypt

Encrypting a non-root partition with dm-crypt: https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_a_non-root_file_system

dm-crypt has two encryption modes: PLAIN and LUKS (Linux Unified Key Setup).

I am not entirely sure what the exact difference is; put simply, LUKS stores metadata describing the encryption settings in the file system (on the disk partition?), while PLAIN has none. LUKS is dm-crypt's default mode.

A pile of mediocre docs, none of them as clear as the man page.

DESCRIPTION
cryptsetup is used to conveniently setup dm-crypt managed device-mapper mappings. These include plain dm-crypt volumes and
LUKS volumes. The difference is that LUKS uses a metadata header and can hence offer more features than plain dm-crypt. On the
other hand, the header is visible and vulnerable to damage.

This man page is so well written that it ranks in the top three of all the man pages I have read.

/home/tong/bin [tong@T7] [:]
> man cryptsetup
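To make the man page's point about the visible header concrete, here is an added example (not code from this post or from cryptsetup) that parses the plaintext metadata of a LUKS1 header, the format cryptsetup of that era wrote by default: cipher, hash, key size, UUID and which key slots are in use are all readable from the first 592 bytes without any passphrase, and a corrupted magic or version in those bytes is exactly the damage the man page warns about. The sample header is constructed inside the script; the field layout follows the LUKS1 on-disk specification, and on a real device you would pass the first 592 bytes of, for example, /dev/vda4 (a path assumed from the session below).

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ACTIVE, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
HDR_FMT = ">6sH32s32s32sII20s32sI40s"   # fixed part of a LUKS1 header: 208 bytes
SLOT_FMT = ">II32sII"                   # one of the 8 key slots: 48 bytes each
HDR_LEN = 208 + 8 * 48                  # 592 bytes of plaintext metadata in total

def cstr(raw):  # decode a NUL-padded ASCII field
    return raw.split(b"\0", 1)[0].decode("ascii")

def parse_luks1_header(buf):
    """Return the unencrypted metadata of a LUKS1 header; raise if it is not one."""
    if len(buf) < HDR_LEN or buf[:6] != LUKS_MAGIC:
        raise ValueError("no LUKS magic: not a LUKS device, or the header is damaged")
    (_, version, cipher, mode, hashspec, payload_off, key_bytes,
     _digest, _salt, _iter, uuid) = struct.unpack_from(HDR_FMT, buf, 0)
    if version != 1:
        raise ValueError("LUKS version %d is not LUKS1 (LUKS2 keeps JSON metadata)" % version)
    active = []
    for i in range(8):
        flag, iters, _s, _off, _stripes = struct.unpack_from(SLOT_FMT, buf, 208 + 48 * i)
        if flag == SLOT_ACTIVE:
            active.append((i, iters))   # slot number and its PBKDF2 iteration count
    return {
        "cipher": "%s-%s" % (cstr(cipher), cstr(mode)),
        "hash": cstr(hashspec),
        "key_bits": key_bytes * 8,
        "payload_offset_sectors": payload_off,   # first sector of the encrypted data
        "uuid": cstr(uuid),
        "active_slots": active,
    }

def header_looks_intact(buf):
    """True when the buffer parses as a LUKS1 header (a quick damage check)."""
    try:
        parse_luks1_header(buf)
        return True
    except ValueError:
        return False

def build_sample_header(uuid, cipher=b"aes", mode=b"xts-plain64", key_bytes=32):
    """Constructed sample (not read from any disk): slot 0 active, slots 1-7 disabled."""
    head = struct.pack(HDR_FMT, LUKS_MAGIC, 1, cipher, mode, b"sha256", 4096,
                       key_bytes, b"\x11" * 20, b"\x22" * 32, 1000, uuid.encode())
    slots = b"".join(
        struct.pack(SLOT_FMT, SLOT_ACTIVE if i == 0 else SLOT_DISABLED,
                    200000 if i == 0 else 0, b"\x33" * 32, 8 + 504 * i, 4000)
        for i in range(8))
    return head + slots
```

Because everything the parser reads sits unencrypted at the start of the device, keep a copy of a real header with cryptsetup luksHeaderBackup: once those bytes are destroyed, no passphrase can recover the data.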

Part 1: First, set up a VM for experimenting:

[root@t206 arch-crypt]# qemu-system-x86_64 -vnc 0.0.0.0: --enable-kvm -smp  -m 1G -drive file=disk.qcow2,if=virtio -net bridge -net nic,model=virtio -cdrom ../iso/archlinux-2017.05.-x86_64.iso 

Part 2: Encrypting a non-root partition

1. Format the LUKS partition

root@archiso ~ # cryptsetup luksFormat /dev/vda

WARNING!
========
This will overwrite data on /dev/vda irrevocably. Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
cryptsetup luksFormat /dev/vda .00s user .01s system % cpu 12.157 total
root@archiso ~ #

A keyfile can be given as an additional argument, meaning the contents of the keyfile are used as the passphrase.

2. Open the encrypted partition (unlock it)

root@archiso ~ # cryptsetup open /dev/vda vd_root
Enter passphrase for /dev/vda:
root@archiso ~ # ll /dev/mapper/vd_root
lrwxrwxrwx root root Jun : /dev/mapper/vd_root -> ../dm-

3. Create the file system

root@archiso ~ # mkfs.xfs /dev/mapper/vd_root

4. Mount and use it

root@archiso ~ # mount /dev/mapper/vd_root mnt
root@archiso ~ # ll
total
-rw-r--r-- root root May : install.txt
drwxr-xr-x root root Jun : mnt
root@archiso ~ # cd mnt
root@archiso ~/mnt # ll
total
root@archiso ~/mnt # touch
root@archiso ~/mnt # touch txt
root@archiso ~/mnt # vim txt
root@archiso ~/mnt # cat txt
root@archiso ~/mnt # ls
txt
root@archiso ~/mnt # ll
total
-rw-r--r-- root root Jun :
-rw-r--r-- root root Jun : txt
root@archiso ~/mnt # cd ..

5. Unmount and close

root@archiso ~ # umount mnt
root@archiso ~ # cryptsetup close vd_root
root@archiso ~ # ll /dev/mapper
total
crw------- root root , Jun : control
root@archiso ~ #

Part 3: Encrypting the entire system

https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system

There are several approaches, including encrypting the boot partition. There is a lot of material.

Boot partition and MBR encryption: https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Securing_the_unencrypted_boot_partition

chkboot (checks whether the partition has been tampered with?)

First, I chose the simple approach: creating btrfs on top of LUKS. See the btrfs section of the document above.

For the details of btrfs, branch to here: http://www.cnblogs.com/hugetong/p/6934247.html

The key pieces of full-system encryption are the initrd, grub, the boot partition, and the kernel.

Partitioning and so on is no different from the non-root case, so I will not repeat it.

Well, there is a difference: on this disk I need to carve out a boot partition and a swap partition, and on UEFI also an ESP partition.

On parted's unit handling: https://www.gnu.org/software/parted/manual/parted.html#unit

1. Use a GPT partition table

root@archiso ~ # parted /dev/vda
GNU Parted 3.2
Using /dev/vda
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) mktable gpt

2. Create the BIOS GRUB partition

The bios_grub partition only needs 31 KiB, but for alignment and headroom we use 1 MiB.

https://www.gnu.org/software/grub/manual/html_node/BIOS-installation.html

(parted) mkpart fat32 1MiB 2MiB
(parted) set bios_grub on
(parted) print
Model: Virtio Block Device (virtblk)
Disk /dev/vda: 20971520kiB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:

Number  Start    End      Size     File system  Name  Flags
        1024kiB  2048kiB  1024kiB                     bios_grub

(parted)

3. Create the boot partition. Everything needed before the root partition is mounted lives in this partition; we choose a size of 1G.

  A suggested size for /boot is 200 MiB unless using UEFI, in which case greater than 512 MiB is needed.

(parted) mkpart ext4 2MiB 1026MiB
(parted) print
Model: Virtio Block Device (virtblk)
Disk /dev/vda: 20971520kiB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:

Number  Start    End         Size        File system  Name  Flags
        1024kiB  2048kiB     1024kiB                         bios_grub
        2048kiB  1050624kiB  1048576kiB

(parted)

4. The swap partition. These days there is no size requirement for swap; the only requirement comes from suspend and hibernate.

The file /sys/power/image_size configures the system's limit on the size of the hibernation image. The default is 2/5 of RAM.

  https://wiki.archlinux.org/index.php/Partitioning#Swap

  https://wiki.archlinux.org/index.php/Power_management/Suspend_and_hibernate#Hibernation

(parted) mkpart primary linux-swap 1026MiB 3074MiB
(parted) print
Model: Virtio Block Device (virtblk)
Disk /dev/vda: 20480MiB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:

Number  Start    End      Size     File system     Name  Flags
        .00MiB   .00MiB   .00MiB                         bios_grub
        .00MiB   1026MiB  1024MiB
        1026MiB  3074MiB  2048MiB  linux-swap(v1)

(parted)

5. Turn the remaining space into crypt-LUKS + btrfs

(parted) mkpart primary 3074MiB %
(parted) print
Model: Virtio Block Device (virtblk)
Disk /dev/vda: 20480MiB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:

Number  Start    End       Size      File system     Name  Flags
        .00MiB   .00MiB    .00MiB                          bios_grub
        .00MiB   1026MiB   1024MiB
        1026MiB  3074MiB   2048MiB   linux-swap(v1)
        3074MiB  20479MiB  17405MiB

(parted)

Initialize the file system on each partition, with the same operations as before.

root@archiso ~ # mkfs.fat /dev/sda1
mkfs.fat 4.1 (--)
mkfs.fat: unable to open /dev/sda1: No such file or directory
root@archiso ~ # mkfs.fat /dev/vda1 :(
mkfs.fat 4.1 (--)
root@archiso ~ # mkfs.fat /dev/vda2
mkfs.fat 4.1 (--)
root@archiso ~ # mkswap /dev/vda3
Setting up swapspace version , size = GiB ( bytes)
no label, UUID=3b11937b-85fb-4c8a-8f8f-97e75097b4e1
root@archiso ~ # cryptsetup luksFormat /dev/vda4
WARNING!
========
This will overwrite data on /dev/vda4 irrevocably. Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
cryptsetup luksFormat /dev/vda4 .00s user .03s system % cpu 20.180 total
root@archiso ~ # cryptsetup luksFormat /dev/vda4
WARNING!
========
This will overwrite data on /dev/vda4 irrevocably. Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
Passphrases do not match.
root@archiso ~ # cryptsetup luksFormat /dev/vda4 :(
WARNING!
========
This will overwrite data on /dev/vda4 irrevocably. Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
root@archiso ~ # cryptsetup luksFormat /dev/vda4
WARNING!
========
This will overwrite data on /dev/vda4 irrevocably. Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
root@archiso ~ #
root@archiso ~ #
root@archiso ~ #
root@archiso ~ # parted -l /dev/vda
Warning: Unable to open /dev/sr0 read-write (Read-only file system). /dev/sr0
has been opened read-only.
Model: QEMU QEMU DVD-ROM (scsi)
Disk /dev/sr0: 504MB
Sector size (logical/physical): 2048B/2048B
Partition Table: msdos
Disk Flags:

Number  Start  End    Size   Type     File system  Flags
        336kB  269MB  268MB  primary               esp

Model: Virtio Block Device (virtblk)
Disk /dev/vda: .5GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:

Number  Start   End     Size    File system     Name       Flags
        1049kB  2097kB  1049kB                  bios_grub  bios_grub
        2097kB  1076MB  1074MB  fat32           boot
        1076MB  3223MB  2147MB  linux-swap(v1)  swap
        3223MB  .5GB    .3GB                    root

root@archiso ~ #

After opening the crypt partition, create the btrfs file system.

root@archiso ~ # cryptsetup open --type luks /dev/vda4 crypt_root
Enter passphrase for /dev/vda4:
root@archiso ~ # mkdir mnt
root@archiso ~ # mkfs.btrfs -L root /dev/mapper/crypt_root :(
btrfs-progs v4.10.2
See http://btrfs.wiki.kernel.org for more information.
Label: root
UUID: cd3b27fb-f257-4afc-b402-fec0550d014e
Node size:
Sector size:
Filesystem size: .00GiB
Block group profiles:
Data: single .00MiB
Metadata: DUP .00GiB
System: DUP .00MiB
SSD detected: no
Incompat features: extref, skinny-metadata
Number of devices:
Devices:
ID SIZE PATH
.00GiB /dev/mapper/crypt_root
root@archiso ~ # mount /dev/mapper/crypt_root mnt
root@archiso ~ # btrfs subvolume create mnt/top :(
Create subvolume 'mnt/top'
root@archiso ~/mnt # cd top
root@archiso ~/mnt/top # mkdir snapshot
root@archiso ~/mnt/top # btrfs subvolume create root
Create subvolume './root'
root@archiso ~/mnt/top # btrfs subvolume create home
Create subvolume './home'
root@archiso ~/mnt/top # ll
total
drwxr-xr-x root root Jun : home
drwxr-xr-x root root Jun : root
drwxr-xr-x root root Jun : snapshot
root@archiso ~/mnt/top # cd ..
root@archiso ~/mnt # ls
top
root@archiso ~/mnt # cd ..
root@archiso ~ # ls
install.txt mnt
root@archiso ~ # btrfs subvolume list mnt
ID gen top level path top
ID gen top level path top/root
ID gen top level path top/home
root@archiso ~ #
root@archiso ~ #
root@archiso ~ # umount mnt
root@archiso ~ # cryptsetup close /dev/mapper/crypt_root
root@archiso ~ #

6. Install the system

6.1 Mount the installation directory tree

root@archiso ~ # parted -l /dev/sda
Number  Start   End     Size    File system     Name       Flags
        1049kB  2097kB  1049kB                  bios_grub  bios_grub
        2097kB  1076MB  1074MB  fat32           boot
        1076MB  3223MB  2147MB  linux-swap(v1)  swap
        3223MB  .5GB    .3GB                    root
root@archiso ~ # btrfs subvolume list mnt
ID gen top level path top
ID gen top level path top/root
ID gen top level path top/home
root@archiso ~ # mount -o compress=lzo,subvol=top/root /dev/mapper/crypt_root mnt
root@archiso ~ # mkdir mnt/boot
root@archiso ~ # mkdir mnt/home
root@archiso ~ # mount -o compress=lzo,subvol=top/home /dev/mapper/crypt_root mnt/home
root@archiso ~ # mount /dev/vda2 mnt/boot
root@archiso ~ # swapon /dev/vda3

6.2 Set the keyboard layout

6.3 Check the boot mode

6.4 Set the time

root@archiso ~ # ll /etc/localtime
lrwxrwxrwx root root May : /etc/localtime -> /usr/share/zoneinfo/UTC
root@archiso ~ # rm /etc/localtime
root@archiso ~ # ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
root@archiso ~ # timedatectl set-ntp true
root@archiso ~ # timedatectl status
Local time: Sat -- :: CST
Universal time: Sat -- :: UTC
RTC time: Sat -- ::
Time zone: Asia/Shanghai (CST, +)
Network time on: yes
NTP synchronized: no
RTC in local TZ: no
root@archiso ~ # date
Sat Jun :: CST
root@archiso ~ #

6.5 Edit /etc/pacman.d/mirrorlist

6.6 pacstrap the root partition

root@archiso ~ # pacstrap mnt base

6.7 Generate the partition mount information

root@archiso ~ # genfstab -U mnt >> mnt/etc/fstab

6.8  change root

root@archiso ~ # arch-chroot mnt
[root@archiso /]# ll

6.9 Change the time zone

[root@archiso /]# ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
[root@archiso /]# hwclock --systohc

6.10 Localization

[root@archiso /]# vi /etc/locale.gen
[root@archiso /]# locale-gen
Generating locales...
en_US.UTF-... done
zh_CN.GBK... done
zh_CN.UTF-... done
zh_CN.GB2312... done
Generation complete.
[root@archiso /]# echo "LANG=en_US.UTF-8" >> /etc/locale.conf

6.11 Configure the network with netctl

[root@archiso netctl]# cp examples/ethernet-static lan0
[root@archiso netctl]# vi lan0
[root@archiso netctl]# netctl list
* lan0

6.12 Initialize the initramfs

The root partition is encrypted and the initramfs is responsible for unlocking it, so all of the encryption-specific configuration lives here.

[root@archiso ~]# vim /etc/mkinitcpio.conf
[root@archiso etc]# diff mkinitcpio.conf mkinitcpio.conf.bak
52c52
< HOOKS="base udev autodetect modconf keyboard keymap block encrypt filesystems fsck"
---
> HOOKS="base udev autodetect modconf block filesystems keyboard fsck"
[root@archiso etc]#

mkinitcpio reported an error:

==> ERROR: file not found: `fsck.btrfs'

Install btrfs-progs; it is no longer in base by default.

[root@archiso etc]# pacman -S btrfs-progs

Build the initramfs

[root@archiso etc]# mkinitcpio -p linux
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'default'
-> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux.img
==> Starting build: 4.11.--ARCH
-> Running build hook: [base]
-> Running build hook: [udev]
-> Running build hook: [autodetect]
-> Running build hook: [modconf]
-> Running build hook: [keyboard]
-> Running build hook: [keymap]
-> Running build hook: [block]
-> Running build hook: [encrypt]
-> Running build hook: [filesystems]
-> Running build hook: [keyboard]
-> Running build hook: [fsck]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux.img
==> Image generation successful
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'fallback'
-> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-fallback.img -S autodetect
==> Starting build: 4.11.--ARCH
-> Running build hook: [base]
-> Running build hook: [udev]
-> Running build hook: [modconf]
-> Running build hook: [keyboard]
-> Running build hook: [keymap]
-> Running build hook: [block]
==> WARNING: Possibly missing firmware for module: wd719x
==> WARNING: Possibly missing firmware for module: aic94xx
-> Running build hook: [encrypt]
-> Running build hook: [filesystems]
-> Running build hook: [keyboard]
-> Running build hook: [fsck]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux-fallback.img
==> Image generation successful
[root@archiso etc]#

Per https://wiki.archlinux.org/index.php/Btrfs#Corruption_recovery, the following configuration can optionally be added:

14c14
< BINARIES="/usr/bin/btrfs"
---
> BINARIES=""

6.13 Set the root password

[root@archiso etc]# passwd
New password:
Retype new password:
passwd: password updated successfully
[root@archiso etc]#

6.14 Install the boot loader

https://wiki.archlinux.org/index.php/GRUB

[root@archiso etc]# pacman -S grub
[root@archiso etc]# grub-install --target=i386-pc /dev/vda
Installing for i386-pc platform.
Installation finished. No error reported.
[root@archiso etc]#

https://wiki.archlinux.org/index.php/GRUB#Generate_the_main_configuration_file

[root@archiso ~]# vim /etc/default/grub

https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration#Boot_loader

[root@archiso ~]# diff /etc/default/grub /etc/default/grub.bak
4c4
< GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=38312920-93be-4ff6-ba88-e53505fcfb93:vd_root resume=UUID=3b11937b-85fb-4c8a-8f8f-97e75097b4e1 quiet"
---
> GRUB_CMDLINE_LINUX_DEFAULT="quiet"
[root@archiso ~]#
[root@archiso ~]# vim /boot/grub/grub.cfg
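The two configuration edits above (the encrypt hook in HOOKS, and cryptdevice=/resume= on the kernel command line) have to agree with each other and with the hook order; as an added example, not code from this post or from any Arch tool, this script checks a HOOKS line for an encrypted root and builds the GRUB_CMDLINE_LINUX_DEFAULT line from the LUKS and swap UUIDs used above. The order rules are the ones the encrypt hook depends on (block before encrypt before filesystems, keyboard and keymap before encrypt so the passphrase prompt accepts input), and the resume check is a caveat: mkinitcpio also needs the resume hook in HOOKS for resume= to take effect.

```python
import re

def parse_hooks(line):
    """Return the hook names from a HOOKS=... line, quoted (2017 style) or array form."""
    m = re.match(r'\s*HOOKS=["(]?([^")]*)', line)
    return m.group(1).split() if m else []

def check_hooks(line, cmdline=""):
    """List problems with the HOOKS line for an encrypted root (empty list means OK)."""
    hooks = parse_hooks(line)
    missing = [h for h in ("block", "encrypt", "filesystems") if h not in hooks]
    if missing:
        return ["missing hooks: " + ", ".join(missing)]
    problems = []
    # encrypt needs the block devices set up already and must run before root is mounted
    if not hooks.index("block") < hooks.index("encrypt") < hooks.index("filesystems"):
        problems.append("encrypt must come after block and before filesystems")
    # the passphrase prompt runs inside encrypt, so keyboard drivers and keymap go first
    for h in ("keyboard", "keymap"):
        if h in hooks and hooks.index(h) > hooks.index("encrypt"):
            problems.append("%s should precede encrypt so the passphrase prompt accepts input" % h)
    # resume= on the command line does nothing unless the initramfs carries the resume hook
    if "resume=" in cmdline and "resume" not in hooks:
        problems.append("cmdline has resume= but the resume hook is missing; hibernation will not resume")
    return problems

def build_cmdline(luks_uuid, mapper_name, swap_uuid=None, extra="quiet"):
    """Build GRUB_CMDLINE_LINUX_DEFAULT for the encrypt hook, plus resume= if swap is given."""
    parts = ["cryptdevice=UUID=%s:%s" % (luks_uuid, mapper_name)]
    if swap_uuid:
        parts.append("resume=UUID=%s" % swap_uuid)
    if extra:
        parts.append(extra)
    return 'GRUB_CMDLINE_LINUX_DEFAULT="%s"' % " ".join(parts)

# The two HOOKS lines from the mkinitcpio.conf diff and the UUIDs from the GRUB diff above.
NEW_HOOKS = 'HOOKS="base udev autodetect modconf keyboard keymap block encrypt filesystems fsck"'
OLD_HOOKS = 'HOOKS="base udev autodetect modconf block filesystems keyboard fsck"'
CMDLINE = build_cmdline("38312920-93be-4ff6-ba88-e53505fcfb93", "vd_root",
                        "3b11937b-85fb-4c8a-8f8f-97e75097b4e1")

if __name__ == "__main__":
    print(CMDLINE)
    for name, line in (("old", OLD_HOOKS), ("new", NEW_HOOKS)):
        print(name + ":", check_hooks(line, CMDLINE) or ["OK"])
```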

7 Reboot

reboot