Windows and Mac OS X each provide their own standard cryptofs tools, while Linux, of course, provides many
tools to accomplish the task. The tool of choice these days, it seems, is dm-crypt. Invoked with the userspace
cryptsetup utility, dm-crypt provides a fairly clean and easy-to-use cryptofs tool for Linux.
Additionally, CentOS 5 includes an improved version of dm-crypt that supports LUKS. LUKS is an
upcoming standard for an on-disk representation of information about encrypted volumes. Meta-data about the
encrypted data is stored in the partition header, which allows for compatibility between different systems and
support for multiple user passwords. Besides that, GNOME and HAL have support for handling LUKS
volumes, and can automatically prompt for a password if a removable medium with a LUKS volume is
attached. If you do not require compatibility with older CentOS versions or systems that do not support LUKS,
it is advised to use the LUKS scheme. The commands for setting up encrypted LUKS volumes are also
described in the examples in this article.
Here are scripts to automate the creation, unmounting, and remounting of LUKS encrypted filesystems following
the method described below.
Required Packages
Before getting started, make sure all the requisite packages are installed:
It's likely, however, that they're already present on your system, unless you performed a very minimal
installation.
Initial FS Creation
I typically encrypt files, not whole partitions, so I combine dm-crypt with the losetup loopback device
maintenance tool. In the bare language of the Unix shell, here are the steps to create and mount an encrypted
filesystem.
# Create an empty file sized to suit your needs. The one created
# in this example will be a sparse file of 8GB, meaning that no
Note that cryptsetup will not provide a useful error message if you mistype the passphrase. All you'll get is
a somewhat unhelpful message from mount:
If that happens, then recycle cryptsetup and try mounting the filesystem again:
This does not apply to LUKS volumes, where cryptsetup will provide a useful error message during the
luksOpen step.
For instance, if you use the /dev/loop0 loopback device, you could execute:
cryptsetup will ask you to enter one of the existing passphrases twice. After that you will be asked to enter
the additional key twice. When this step is also successfully completed, you can use the existing key(s), and the
new key, to open the volume.
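The creation steps (sparse file, loopback device, luksFormat, luksOpen, filesystem, mount) and the luksAddKey step described above, collected into one script. This is an added example, not the article's own scripts or commands: the file path, size, mapping name and mount point are placeholders, and the DRY_RUN switch, which prints the privileged commands instead of running them, is an addition for previewing what the script would do.

```shell
#!/bin/sh
# Added example (not the article's own script): the losetup + cryptsetup
# procedure the article describes, as three shell functions.
# DRY_RUN=1 prints the privileged/destructive commands instead of executing them.
set -eu

run() {
    # Preview or execute a privileged command.
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# A device-mapper name becomes /dev/mapper/NAME; keep it to safe characters.
mapper_name_ok() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# create_luks_image IMAGE SIZE_MB NAME MOUNTPOINT
# Creates a sparse container file, attaches it to a free loop device, formats
# it as LUKS, opens the mapping, makes an ext3 filesystem and mounts it.
# Prints the loop device it used; the same device is needed for teardown.
create_luks_image() {
    image=$1 size_mb=$2 name=$3 mnt=$4
    mapper_name_ok "$name" || { echo "bad mapping name: $name" >&2; return 1; }
    if [ "${DRY_RUN:-0}" != "1" ] && [ -e "$image" ]; then
        echo "refusing to overwrite existing $image" >&2
        return 1
    fi
    # count=0 with seek=SIZE_MB makes a sparse file: no blocks are allocated until written.
    run dd if=/dev/zero of="$image" bs=1M count=0 seek="$size_mb"
    run chmod 600 "$image"                   # the ciphertext need not be world-readable either
    if [ "${DRY_RUN:-0}" = "1" ]; then
        loop=/dev/loopN                      # placeholder; losetup -f picks the real device
    else
        loop=$(losetup -f)                   # first free loop device
    fi
    run losetup "$loop" "$image"
    run cryptsetup luksFormat "$loop"        # asks for the passphrase; writes the LUKS header
    run cryptsetup luksOpen "$loop" "$name"  # asks again; a wrong passphrase is reported here
    run mkfs.ext3 "/dev/mapper/$name"
    run mkdir -p "$mnt"
    run mount "/dev/mapper/$name" "$mnt"
    echo "$loop"
}

# add_luks_key LOOPDEV: add an additional passphrase to a free key slot.
# cryptsetup asks for an existing passphrase first, then for the new one.
add_luks_key() {
    run cryptsetup luksAddKey "$1"
}

# close_luks_image NAME MOUNTPOINT LOOPDEV: reverse of create_luks_image.
close_luks_image() {
    run umount "$2"
    run cryptsetup luksClose "$1"
    run losetup -d "$3"
}

# Usage (as root):
#   sh luksimg.sh create /crypt/home.img 8192 cryptedHome /mnt/cryptedHome
#   sh luksimg.sh addkey /dev/loop0
#   sh luksimg.sh close cryptedHome /mnt/cryptedHome /dev/loop0
case "${1:-}" in
    create) shift; create_luks_image "$@" ;;
    addkey) shift; add_luks_key "$@" ;;
    close)  shift; close_luks_image "$@" ;;
esac
```

Running the create step with DRY_RUN=1 first shows exactly which device will be formatted; losetup -f is queried at run time, so a second attach between the query and the losetup call could race, which is another reason to read the printed loop device back rather than assume /dev/loop0.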
Most of the possible options for the options field are ignored for LUKS volumes, because LUKS
volumes have all the necessary information about the cipher, key size, and hash in the volume header.
Second,
Normally, you don't want to store a password file in plain text on the root partition. It's certainly
possible to store it somewhere else, but at this stage of the boot, in rc.sysinit, normally only the root
partition is mounted, and it is still read-only. If the password field is not present, or has the value none, the
system will prompt for the password during the system boot.
So, if you are using a LUKS volume and would like the system to prompt for a password, only the first two
fields are required. Let's look at a short example:
cryptedHome /dev/sdc5
This creates a mapping named cryptedHome for an encrypted volume that was previously created on /dev/sdc5
with cryptsetup luksFormat /dev/sdc5. If you have also created a filesystem on the encrypted volume, you can
also add an /etc/fstab entry to mount the filesystem during the system boot:
There are two options that are not ignored for LUKS partitions:
swap: the volume will be formatted as a swap partition after a mapping is set up.
tmp: the volume will be formatted as an ext2 filesystem, with permissions set up correctly to be used as
a filesystem for temporary files.
Both options require that there are entries for using the mapping in /etc/fstab, and both options are destructive.
An entry for an encrypted swap partition could look like this:
Or if you do not want to type a password for the swap partition during every boot:
Note that this will not work if /dev/sda2 is already a LUKS partition, because LUKS partitions require a
non-random key.
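The crypttab rules above (absent or none password means a prompt at boot, a key file is plain text, swap and tmp are the only options acted on for LUKS and both reformat the volume and need a matching /etc/fstab entry, a random key cannot open a LUKS header) can be checked before rebooting. The script below is an added example, not part of the article: it reads a crypttab and an fstab given as arguments, so it can be run on copies, and the sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): sanity-check crypttab entries against
# the name/device/password/options layout and rules the article describes.
set -eu

# check_crypttab CRYPTTAB FSTAB
# Prints one finding per entry; returns 1 if any entry would break at boot.
check_crypttab() {
    crypttab=$1 fstab=$2 rc=0
    while read -r name device password options; do
        case "$name" in ''|'#'*) continue ;; esac      # skip blank lines and comments
        if [ -z "$device" ]; then
            echo "ERROR $name: missing device field"; rc=1; continue
        fi
        # Password field: absent or 'none' means the system prompts during boot.
        case "${password:-none}" in
            none)
                echo "INFO  $name: passphrase prompted at boot" ;;
            /dev/urandom|/dev/random)
                echo "INFO  $name: random key each boot; not usable if $device carries a LUKS header (cryptsetup isLuks $device)" ;;
            *)
                echo "WARN  $name: key file $password is plain text; keep it off the root partition and readable by root only" ;;
        esac
        # swap and tmp are the only options acted on for LUKS volumes, and both
        # reformat the volume; each needs an fstab entry for the mapping.
        case ",$options," in
            *,swap,*|*,tmp,*)
                if grep -q "^[[:space:]]*/dev/mapper/$name[[:space:]]" "$fstab"; then
                    echo "WARN  $name: option '$options' reformats the volume at every boot (fstab entry present)"
                else
                    echo "ERROR $name: option '$options' needs an /etc/fstab entry for /dev/mapper/$name"; rc=1
                fi ;;
        esac
    done < "$crypttab"
    return $rc
}

# write_samples DIR: constructed sample crypttab and fstab for a demonstration run.
write_samples() {
    cat > "$1/crypttab" <<'EOF'
# name        device      password             options
cryptedHome   /dev/sdc5
cryptedSwap   /dev/sda2   /dev/urandom         swap
cryptedTmp    /dev/sda3   none                 tmp
cryptedData   /dev/sdd1   /etc/keys/data.key
EOF
    cat > "$1/fstab" <<'EOF'
/dev/mapper/cryptedHome  /home  ext3  defaults  1 2
/dev/mapper/cryptedSwap  swap   swap  defaults  0 0
EOF
}

# Usage: sh crypttab-check.sh /etc/crypttab /etc/fstab
if [ $# -eq 2 ]; then
    check_crypttab "$1" "$2"
fi
```

On the constructed sample the cryptedTmp entry is the one that fails: tmp reformats the volume, so without an fstab line for /dev/mapper/cryptedTmp nothing would ever use it. The check cannot tell whether /dev/sda2 carries a LUKS header without reading the device, so it names the cryptsetup isLuks command to run as root instead.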