磁盘数据加密

FreeBSD

  • 使用系统自带的geli命令对/home/test加密
  • 要将/mnt挂载点独立一个分区出来,以免手动调整分区
  • 如果是aws,则把数据盘EBS挂载到/home/test

首次创建加密盘

  1. aws的话先创建分区,记得先umount原来分区
  • AWS:用gpart创建分区

    1
    2
    3
    4
    # gpart create -s gpt xbd1
    xbd1 created
    # gpart add -t freebsd-ufs xbd1
    xbd1p1 added
  • 安装: 先将原本的/mnt umount

    1
    2
    3
    4
    5
    # df -ah
    /dev/mfid0p7 9.7G 164k 8.9G 0% /home
    /dev/mfid0p8 518G 52k 477G 0% /mnt

    # umount /mnt
  1. 创建口令

    1
    2
    3
    #geli init -s 4096 /dev/mfid0p8
    Enter new passphrase:
    Reenter new passphrase:
  2. 将口令与分区关联

    1
    2
    #geli attach /dev/mfid0p8
    Enter passphrase:

    完成后,将生成/dev/mfid0p8.eli设备

  3. 创建新文件系统并挂载

    1
    2
    #newfs -b 16384 -U /dev/mfid0p8.eli
    #mkdir /home/test && mount /dev/mfid0p8.eli /home/test

重启系统后恢复加密盘

  1. 将口令与分区关联

    1
    2
    #geli attach /dev/mfid0p8
    Enter passphrase:

    完成后,将生成/dev/mfid0p8.eli设备

  2. 挂载加密盘

    1
    #mount /dev/mfid0p8.eli /home/test

Debian

  • 采用cryptsetup(可能需要aptitude install cryptsetup)对/home/test加密,注意要将/mnt挂载点独立一个分区出来.

首次创建加密盘

  1. 先将原本的/mnt umount

    1
    2
    3
    4
    #df -ah
    /dev/sda7 9.9G 151M 9.2G 2% /home
    /dev/sda8 177G 189M 168G 1% /mnt
    #umount /mnt
  2. 格式化加密盘

    1
    2
    3
    4
    5
    6
    7
    8
    9
    #cryptsetup luksFormat /dev/sda8
    WARNING!
    ========
    This will overwrite data on /dev/sdb1 irrevocably.

    Are you sure? (Type uppercase yes): YES
    Enter LUKS passphrase:
    Verify passphrase:
    Command successful.
  3. 使用cryptsetup luksOpen命令打开加密分区.

    1
    2
    3
    4
    # cryptsetup luksOpen /dev/sda8 private
    Enter LUKS passphrase:
    key slot 0 unlocked.
    Command successful.

    完成后,生成/dev/mapper/private 设备

  4. 格式化设备并挂载

    1
    2
    3
    #mkfs.ext4 /dev/mapper/private
    #mkdir /home/test
    #mount /dev/mapper/private /home/test

5.编辑`/etc/fstab`,去掉对应条目

重启系统后恢复加密盘

  1. 使用cryptsetup luksOpen命令打开加密分区.

    1
    2
    3
    4
    # cryptsetup luksOpen /dev/sda8 private
    Enter LUKS passphrase:
    key slot 0 unlocked.
    Command successful.

    完成后,生成/dev/mapper/private 设备

  2. 挂载

    1
    #mount /dev/mapper/private /home/test
-------------本文结束感谢您的阅读-------------