[cipher][archlinux][disk encryption][btrfs] Disk partition encryption + btrfs
Background reading: https://wiki.archlinux.org/index.php/Disk_encryption
The link above discusses several disk-encryption approaches; in practice the choice comes down to dm-crypt with LUKS.
In GRUB, the root partition and the /boot partition are decrypted.
dm-crypt documentation: https://wiki.archlinux.org/index.php/Dm-crypt
Encrypting a non-root partition with dm-crypt: https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_a_non-root_file_system
dm-crypt has two encryption modes: PLAIN and LUKS (Linux Unified Key Setup).
I don't really know the exact difference; in short, LUKS stores metadata about the encryption settings and cipher in the file system (on the disk partition?), whereas PLAIN stores none. LUKS is dm-crypt's default mode.
A pile of lousy docs, none of which explain it as clearly as the man page.
DESCRIPTION cryptsetup is used to conveniently setup dm-crypt managed device-mapper mappings. These include plain dm-crypt volumes and LUKS volumes. The difference is that LUKS uses a metadata header and can hence offer more features than plain dm-crypt. On the other hand, the header is visible and vulnerable to damage.
This man page is so well written that it ranks in the top three of all the man pages I have read.
/home/tong/bin [tong@T7] [19:24] > man cryptsetup
Part 1: First, set up a virtual machine to experiment in:
[root@t206 arch-crypt]# qemu-system-x86_64 -vnc 0.0.0.0:1 --enable-kvm -smp 1 -m 1G -drive file=disk.qcow2,if=virtio -net bridge -net nic,model=virtio -cdrom ../iso/archlinux-2017.05.01-x86_64.iso
Part 2: Encrypting a non-root partition
1. Format the LUKS partition
root@archiso ~ # cryptsetup luksFormat /dev/vda
WARNING!
========
This will overwrite data on /dev/vda irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
cryptsetup luksFormat /dev/vda  5.00s user 0.01s system 41% cpu 12.157 total
root@archiso ~ #
A keyfile argument can be appended, meaning the contents of the keyfile are used as the passphrase.
2. Open (decrypt) the encrypted partition
root@archiso ~ # cryptsetup open /dev/vda vd_root
Enter passphrase for /dev/vda:
root@archiso ~ # ll /dev/mapper/vd_root
lrwxrwxrwx 1 root root 7 Jun  1 11:58 /dev/mapper/vd_root -> ../dm-0
3. Create the file system
root@archiso ~ # mkfs.xfs /dev/mapper/vd_root
4. Mount and use it
root@archiso ~ # mount /dev/mapper/vd_root mnt
root@archiso ~ # ll
total 9
-rw-r--r-- 1 root root 8864 May  1 07:04 install.txt
drwxr-xr-x 2 root root    6 Jun  2 01:56 mnt
root@archiso ~ # cd mnt
root@archiso ~/mnt # ll
total 0
root@archiso ~/mnt # touch 123
root@archiso ~/mnt # touch txt
root@archiso ~/mnt # vim txt
root@archiso ~/mnt # cat txt
123456
root@archiso ~/mnt # ls
123  txt
root@archiso ~/mnt # ll
total 4
-rw-r--r-- 1 root root 0 Jun  2 01:57 123
-rw-r--r-- 1 root root 7 Jun  2 01:57 txt
root@archiso ~/mnt # cd ..
5. Unmount and close
root@archiso ~ # umount mnt
root@archiso ~ # cryptsetup close vd_root
root@archiso ~ # ll /dev/mapper
total 0
crw------- 1 root root 10, 236 Jun  1 11:58 control
root@archiso ~ #
Part 3: Encrypting the entire system
https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system
There are several approaches, including encrypting the boot partition; there is a lot of material.
Boot partition and MBR encryption: https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Securing_the_unencrypted_boot_partition
chkboot (checks whether the partition has been tampered with?)
To begin with, I choose the simple approach: create btrfs on top of LUKS. See the btrfs section of the document above.
For the details of btrfs, branch off to here: http://www.cnblogs.com/hugetong/p/6934247.html
The key parts of full-system encryption are the initrd, GRUB, the boot partition, and the kernel.
Partitioning is no different from the non-root case, so it is not repeated here.
Actually there are differences: on this disk I need to carve out a boot partition and a swap partition, and on UEFI an ESP as well.
On parted's choice of units: https://www.gnu.org/software/parted/manual/parted.html#unit
1. Use a GPT partition table
root@archiso ~ # parted /dev/vda
GNU Parted 3.2
Using /dev/vda
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) mktable gpt
2. Create the BIOS grub partition
The bios_grub partition only needs 31 KiB, but for alignment and room to grow we use 1 MiB.
https://www.gnu.org/software/grub/manual/html_node/BIOS-installation.html
(parted) mkpart fat32 1MiB 2MiB
(parted) set 1 bios_grub on
(parted) print
Model: Virtio Block Device (virtblk)
Disk /dev/vda: 20971520kiB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:

Number  Start    End      Size     File system  Name  Flags
 1      1024kiB  2048kiB  1024kiB                     bios_grub

(parted)
3. Create the boot partition. Everything needed before the root partition is mounted lives on this partition; we choose a size of 1G.
A suggested size for /boot is 200 MiB unless using UEFI, in which case greater than 512 MiB is needed.
(parted) mkpart ext4 2MiB 1026MiB
(parted) print
Model: Virtio Block Device (virtblk)
Disk /dev/vda: 20971520kiB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:

Number  Start    End         Size        File system  Name  Flags
 1      1024kiB  2048kiB     1024kiB                        bios_grub
 2      2048kiB  1050624kiB  1048576kiB

(parted)
4. Swap partition. These days there is no requirement on the size of the swap partition; the only requirement comes from suspend and hibernate.
The file /sys/power/image_size sets the system's limit on the size of the hibernation image; the default is 2/5 of RAM.
https://wiki.archlinux.org/index.php/Partitioning#Swap
https://wiki.archlinux.org/index.php/Power_management/Suspend_and_hibernate#Hibernation
(parted) mkpart primary linux-swap 1026MiB 3074MiB
(parted) print
Model: Virtio Block Device (virtblk)
Disk /dev/vda: 20480MiB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:

Number  Start    End      Size     File system     Name  Flags
 1      1.00MiB  2.00MiB  1.00MiB                        bios_grub
 2      2.00MiB  1026MiB  1024MiB
 3      1026MiB  3074MiB  2048MiB  linux-swap(v1)

(parted)
5. Turn the remaining space into crypt-LUKS + btrfs
(parted) mkpart primary 3074MiB 100%
(parted) print
Model: Virtio Block Device (virtblk)
Disk /dev/vda: 20480MiB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:

Number  Start    End       Size      File system     Name  Flags
 1      1.00MiB  2.00MiB   1.00MiB                         bios_grub
 2      2.00MiB  1026MiB   1024MiB
 3      1026MiB  3074MiB   2048MiB   linux-swap(v1)
 4      3074MiB  20479MiB  17405MiB

(parted)
Create the file systems on each partition, the same as in the earlier steps.
root@archiso ~ # mkfs.fat /dev/sda1
mkfs.fat 4.1 (2017-01-24)
mkfs.fat: unable to open /dev/sda1: No such file or directory
1 root@archiso ~ # mkfs.fat /dev/vda1 :(
mkfs.fat 4.1 (2017-01-24)
root@archiso ~ # mkfs.fat /dev/vda2
mkfs.fat 4.1 (2017-01-24)
root@archiso ~ # mkswap /dev/vda3
Setting up swapspace version 1, size = 2 GiB (2147479552 bytes)
no label, UUID=3b11937b-85fb-4c8a-8f8f-97e75097b4e1
root@archiso ~ # cryptsetup luksFormat /dev/vda4
WARNING!
========
This will overwrite data on /dev/vda4 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
cryptsetup luksFormat /dev/vda4  5.00s user 0.03s system 24% cpu 20.180 total
root@archiso ~ # cryptsetup luksFormat /dev/vda4
WARNING!
========
This will overwrite data on /dev/vda4 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
Passphrases do not match.
2 root@archiso ~ # cryptsetup luksFormat /dev/vda4 :(
WARNING!
========
This will overwrite data on /dev/vda4 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
root@archiso ~ # cryptsetup luksFormat /dev/vda4
WARNING!
========
This will overwrite data on /dev/vda4 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
root@archiso ~ #
root@archiso ~ #
root@archiso ~ #
root@archiso ~ # parted -l /dev/vda
Warning: Unable to open /dev/sr0 read-write (Read-only file system). /dev/sr0 has been opened read-only.
Model: QEMU QEMU DVD-ROM (scsi)
Disk /dev/sr0: 504MB
Sector size (logical/physical): 2048B/2048B
Partition Table: msdos
Disk Flags:

Number  Start  End    Size   Type     File system  Flags
 2      336kB  269MB  268MB  primary               esp

Model: Virtio Block Device (virtblk)
Disk /dev/vda: 21.5GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:

Number  Start   End     Size    File system     Name       Flags
 1      1049kB  2097kB  1049kB                  bios_grub  bios_grub
 2      2097kB  1076MB  1074MB  fat32           boot
 3      1076MB  3223MB  2147MB  linux-swap(v1)  swap
 4      3223MB  21.5GB  18.3GB                  root
root@archiso ~ #
After opening the crypt partition, create the btrfs file system.
root@archiso ~ # cryptsetup open --type luks /dev/vda4 crypt_root
Enter passphrase for /dev/vda4:
root@archiso ~ # mkdir mnt
root@archiso ~ # mkfs.btrfs -L root /dev/mapper/crypt_root :(
btrfs-progs v4.10.2
See http://btrfs.wiki.kernel.org for more information.

Label:              root
UUID:               cd3b27fb-f257-4afc-b402-fec0550d014e
Node size:          16384
Sector size:        4096
Filesystem size:    17.00GiB
Block group profiles:
  Data:             single            8.00MiB
  Metadata:         DUP               1.00GiB
  System:           DUP               8.00MiB
SSD detected:       no
Incompat features:  extref, skinny-metadata
Number of devices:  1
Devices:
   ID        SIZE  PATH
    1    17.00GiB  /dev/mapper/crypt_root

root@archiso ~ # mount /dev/mapper/crypt_root mnt
root@archiso ~ # btrfs subvolume create mnt/top :(
Create subvolume 'mnt/top'
root@archiso ~/mnt # cd top
root@archiso ~/mnt/top # mkdir snapshot
root@archiso ~/mnt/top # btrfs subvolume create root
Create subvolume './root'
root@archiso ~/mnt/top # btrfs subvolume create home
Create subvolume './home'
root@archiso ~/mnt/top # ll
total 0
drwxr-xr-x 1 root root 0 Jun  3 07:13 home
drwxr-xr-x 1 root root 0 Jun  3 07:13 root
drwxr-xr-x 1 root root 0 Jun  3 06:42 snapshot
root@archiso ~/mnt/top # cd ..
root@archiso ~/mnt # ls
top
root@archiso ~/mnt # cd ..
root@archiso ~ # ls
install.txt  mnt
root@archiso ~ # btrfs subvolume list mnt
ID 257 gen 12 top level 5 path top
ID 258 gen 11 top level 257 path top/root
ID 259 gen 12 top level 257 path top/home
root@archiso ~ #
root@archiso ~ #
root@archiso ~ # umount mnt
root@archiso ~ # cryptsetup close /dev/mapper/crypt_root
root@archiso ~ #
6. Install the system
6.1 Mount the installation directory tree
root@archiso ~ # parted -l /dev/sda
Number  Start   End     Size    File system     Name       Flags
 1      1049kB  2097kB  1049kB                  bios_grub  bios_grub
 2      2097kB  1076MB  1074MB  fat32           boot
 3      1076MB  3223MB  2147MB  linux-swap(v1)  swap
 4      3223MB  21.5GB  18.3GB                  root
root@archiso ~ # btrfs subvolume list mnt
ID 257 gen 12 top level 5 path top
ID 258 gen 11 top level 257 path top/root
ID 259 gen 12 top level 257 path top/home
root@archiso ~ # mount -o compress=lzo,subvol=top/root /dev/mapper/crypt_root mnt
root@archiso ~ # mkdir mnt/boot
root@archiso ~ # mkdir mnt/home
root@archiso ~ # mount -o compress=lzo,subvol=top/home /dev/mapper/crypt_root mnt/home
root@archiso ~ # mount /dev/vda2 mnt/boot
root@archiso ~ # swapon /dev/vda3
6.2 Set the keyboard layout
6.3 Check the boot mode
6.4 Set the time
root@archiso ~ # ll /etc/localtime
lrwxrwxrwx 1 root root 23 May  1 07:04 /etc/localtime -> /usr/share/zoneinfo/UTC
root@archiso ~ # rm /etc/localtime
root@archiso ~ # ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
root@archiso ~ # timedatectl set-ntp true
root@archiso ~ # timedatectl status
      Local time: Sat 2017-06-03 17:11:43 CST
  Universal time: Sat 2017-06-03 09:11:43 UTC
        RTC time: Sat 2017-06-03 09:11:42
       Time zone: Asia/Shanghai (CST, +0800)
 Network time on: yes
NTP synchronized: no
 RTC in local TZ: no
root@archiso ~ # date
Sat Jun  3 17:11:46 CST 2017
root@archiso ~ #
6.5 Edit /etc/pacman.d/mirrorlist
6.6 pacstrap the root partition
root@archiso ~ # pacstrap mnt base
6.7 Generate the mount information (fstab)
root@archiso ~ # genfstab -U mnt >> mnt/etc/fstab
6.8 Change root
root@archiso ~ # arch-chroot mnt
[root@archiso /]# ll
6.9 Set the time zone
[root@archiso /]# ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
[root@archiso /]# hwclock --systohc
6.10 Localization
[root@archiso /]# vi /etc/locale.gen
[root@archiso /]# locale-gen
Generating locales...
  en_US.UTF-8... done
  zh_CN.GBK... done
  zh_CN.UTF-8... done
  zh_CN.GB2312... done
Generation complete.
[root@archiso /]# echo "LANG=en_US.UTF-8" >> /etc/locale.conf
6.11 Configure the network with netctl
[root@archiso netctl]# cp examples/ethernet-static lan0
[root@archiso netctl]# vi lan0
[root@archiso netctl]# netctl list
* lan0
6.12 Initialize the initramfs
The root partition is encrypted and the initramfs is responsible for decrypting it, so all the encryption-specific configuration lives here.
[root@archiso ~]# vim /etc/mkinitcpio.conf
[root@archiso etc]# diff mkinitcpio.conf mkinitcpio.conf.bak
52c52
< HOOKS="base udev autodetect modconf keyboard keymap block encrypt filesystems fsck"
---
> HOOKS="base udev autodetect modconf block filesystems keyboard fsck"
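Review bot: the hook order in the new line is the substance of this change and deserves a comment in mkinitcpio.conf: keyboard and keymap are placed before encrypt so the passphrase prompt uses the configured layout, block before encrypt so /dev/vda4 is present when the hook runs, and encrypt before filesystems so /dev/mapper/<name> exists before root is mounted. Note that keymap reads KEYMAP from /etc/vconsole.conf, which step 6.2 above leaves unset, so that hook has nothing to apply until the file is written.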
[root@archiso etc]#
Running mkinitcpio produced an error:
==> ERROR: file not found: `fsck.btrfs'
Install btrfs-progs; it is no longer in base by default.
[root@archiso etc]# pacman -S btrfs-progs
Build the initramfs
[root@archiso etc]# mkinitcpio -p linux
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'default'
  -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux.img
==> Starting build: 4.11.3-1-ARCH
  -> Running build hook: [base]
  -> Running build hook: [udev]
  -> Running build hook: [autodetect]
  -> Running build hook: [modconf]
  -> Running build hook: [keyboard]
  -> Running build hook: [keymap]
  -> Running build hook: [block]
  -> Running build hook: [encrypt]
  -> Running build hook: [filesystems]
  -> Running build hook: [keyboard]
  -> Running build hook: [fsck]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux.img
==> Image generation successful
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'fallback'
  -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-fallback.img -S autodetect
==> Starting build: 4.11.3-1-ARCH
  -> Running build hook: [base]
  -> Running build hook: [udev]
  -> Running build hook: [modconf]
  -> Running build hook: [keyboard]
  -> Running build hook: [keymap]
  -> Running build hook: [block]
==> WARNING: Possibly missing firmware for module: wd719x
==> WARNING: Possibly missing firmware for module: aic94xx
  -> Running build hook: [encrypt]
  -> Running build hook: [filesystems]
  -> Running build hook: [keyboard]
  -> Running build hook: [fsck]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux-fallback.img
==> Image generation successful
[root@archiso etc]#
Per https://wiki.archlinux.org/index.php/Btrfs#Corruption_recovery, the following setting can optionally be added:
14c14
< BINARIES="/usr/bin/btrfs"
---
> BINARIES=""
6.13 Set the password
[root@archiso etc]# passwd
New password:
Retype new password:
passwd: password updated successfully
[root@archiso etc]#
6.14 Install the boot loader
https://wiki.archlinux.org/index.php/GRUB
[root@archiso etc]# pacman -S grub
[root@archiso etc]# grub-install --target=i386-pc /dev/vda
Installing for i386-pc platform.
Installation finished. No error reported.
[root@archiso etc]#
https://wiki.archlinux.org/index.php/GRUB#Generate_the_main_configuration_file
[root@archiso ~]# vim /etc/default/grub
https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration#Boot_loader
[root@archiso ~]# diff /etc/default/grub /etc/default/grub.bak 4c4 < GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=38312920-93be-4ff6-ba88-e53505fcfb93:vd_root resume=UUID=3b11937b-85fb-4c8a-8f8f-97e75097b4e1 quiet" --- > GRUB_CMDLINE_LINUX_DEFAULT="quiet" [root@archiso ~]#
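Review bot: the mapper name after the colon, vd_root, does not match crypt_root, the name used for every cryptsetup open and mount during the install; because genfstab -U wrote filesystem UUIDs into fstab the root still mounts, but anything that refers to /dev/mapper/crypt_root will not resolve at boot, so use one name in both places. The UUID before the colon must be the LUKS header UUID of /dev/vda4 (cryptsetup luksUUID /dev/vda4), not the btrfs UUID cd3b27fb-... printed by mkfs.btrfs; the resume= value correctly matches the UUID printed by mkswap.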
[root@archiso ~]# vim /boot/grub/grub.cfg
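As an added example (not code from the original post), a small POSIX shell check for the two encryption-specific settings from steps 6.12 and 6.14: it verifies the hook order that the encrypt hook depends on in HOOKS, and composes the GRUB_CMDLINE_LINUX_DEFAULT value from a LUKS UUID, a mapper name and a swap UUID. The UUID values in the usage call are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post. Needs no root: it only inspects
# strings, so it can run before mkinitcpio -p linux / grub-mkconfig.

# hook_before HOOKS A B: succeed if hook A occurs before hook B in HOOKS.
hook_before() {
    _i=0; _pa=0; _pb=0
    for _h in $1; do
        _i=$((_i + 1))
        if [ "$_h" = "$2" ] && [ "$_pa" -eq 0 ]; then _pa=$_i; fi
        if [ "$_h" = "$3" ] && [ "$_pb" -eq 0 ]; then _pb=$_i; fi
    done
    [ "$_pa" -gt 0 ] && [ "$_pb" -gt 0 ] && [ "$_pa" -lt "$_pb" ]
}

# check_hooks HOOKS: the ordering an encrypted root needs.
#   keyboard/keymap before encrypt -> passphrase is typed in the intended layout
#   block before encrypt           -> the LUKS partition exists when encrypt runs
#   encrypt before filesystems     -> /dev/mapper/<name> exists before root is mounted
check_hooks() {
    _hooks=$1
    for _pair in "keyboard encrypt" "keymap encrypt" "block encrypt" "encrypt filesystems"; do
        # $_pair is deliberately unquoted so it splits into the two hook names
        if ! hook_before "$_hooks" $_pair; then
            echo "HOOKS: ${_pair% *} must come before ${_pair#* }" >&2
            return 1
        fi
    done
    return 0
}

# build_cmdline LUKS_UUID MAPPER SWAP_UUID: the GRUB_CMDLINE_LINUX_DEFAULT value.
# LUKS_UUID is the header UUID of the LUKS partition (cryptsetup luksUUID /dev/vda4),
# MAPPER is the name the root will have as /dev/mapper/<MAPPER> at boot (keep it the
# same as the name used with cryptsetup open during the install), and SWAP_UUID is the
# UUID printed by mkswap, consumed by resume=.
build_cmdline() {
    printf 'cryptdevice=UUID=%s:%s resume=UUID=%s quiet' "$1" "$2" "$3"
}

# Usage with the two HOOKS lines from the post's diff and placeholder UUIDs.
NEW_HOOKS="base udev autodetect modconf keyboard keymap block encrypt filesystems fsck"
OLD_HOOKS="base udev autodetect modconf block filesystems keyboard fsck"
check_hooks "$NEW_HOOKS" && echo "new HOOKS order ok"
check_hooks "$OLD_HOOKS" || echo "old HOOKS order rejected (no encrypt hook)"
echo "GRUB_CMDLINE_LINUX_DEFAULT=\"$(build_cmdline LUKS-UUID-PLACEHOLDER crypt_root SWAP-UUID-PLACEHOLDER)\""
```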
7. Reboot
reboot