CentOS release 5.4 (Final)
# uname -r
2.6.18-164.el5
# rpm -qa | grep cryptsetup
cryptsetup-luks-1.0.3-5.el5
Use /dev/sdb1 as the partition to be encrypted.
# fdisk -l
/dev/sdb1 1 100 102384 83 Linux
Set up the encrypted partition with cryptsetup.
Encryption algorithm: aes (CBC mode with ESSIV)
ESSIV hash: sha256
Key length: 256 bits
Note that the sha256 in the cipher spec only selects the hash used to generate the per-sector IVs (ESSIV). The hash LUKS uses with PBKDF2 to derive the slot keys from a passphrase is chosen separately with --hash and defaults to sha1, which is what "Hash spec: sha1" in the luksDump output further down refers to.
# cryptsetup -y luksFormat --cipher aes-cbc-essiv:sha256 --key-size 256 /dev/sdb1
WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.
Are you sure? (Type uppercase yes): YES <- must be typed in uppercase
Enter LUKS passphrase:
Verify passphrase:
Command successful.
What is LUKS:
LUKS (Linux Unified Key Setup) is a standard for hard-disk encryption. It standardizes a partition header as well as the format of the bulk data. LUKS can manage multiple passphrases, which can be revoked effectively and are protected against dictionary attacks with PBKDF2.
The encrypted partition is mapped through the device mapper; files are accessed through the mapped device (/dev/mapper/<name>), never through the raw partition.
# cryptsetup luksOpen /dev/sdb1 encrypted
Enter LUKS passphrase for /dev/sdb1:
key slot 0 unlocked.
Command successful.
# ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 63 May 6 15:21 control
brw-rw---- 1 root disk 253, 0 May 6 15:49 encrypted
# mkfs.ext3 /dev/mapper/encrypted
# mount -t ext3 /dev/mapper/encrypted /mnt/encrypted
# cd /mnt/encrypted/
# echo hello > hello.txt
Unmount
# umount /mnt/encrypted
# cryptsetup luksClose encrypted
# ls /dev/mapper/*
/dev/mapper/control
Trying to mount the raw partition without cryptsetup fails (the data cannot be read): /dev/sdb1 holds a LUKS header followed by ciphertext, not an ext3 superblock.
# mount -t ext3 /dev/sdb1 /mnt/encrypted
mount: wrong fs type, bad option, bad superblock on /dev/sdb1,
missing codepage or other error
In some cases useful info is found in syslog - try
dmesg | tail or so
Reopen
# cryptsetup luksOpen /dev/sdb1 encrypted
Enter LUKS passphrase for /dev/sdb1:
key slot 0 unlocked.
Command successful.
# mount /dev/mapper/encrypted /mnt/encrypted
# cat /mnt/encrypted/hello.txt
hello
# cryptsetup luksDump /dev/sdb1
LUKS header information for /dev/sdb1
Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 2056
MK bits: 256
MK digest: ce 2b 5f 63 5c 0e 84 15 5f ce 51 b4 1d 46 c1 6b 89 5b 6a cc
MK salt: 17 11 4a d0 b4 22 df b9 06 b3 8c d0 9f 22 cc 49
c8 9c b4 25 2e fc d5 b7 0b 3d 60 e2 90 01 3b 61
MK iterations: 10
UUID: 96a0a006-bef8-4880-9950-5ebfb238276e
Key Slot 0: ENABLED
Iterations: 328403
Salt: 8b f9 f5 05 d8 ae 86 af 28 09 a7 71 5a 8a 85 e6
28 48 96 c2 8a bf 66 a5 ba dc 4e 3c 8b f7 3a 66
Key material offset: 8
AF stripes: 4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
[ Mounting without entering a passphrase ]
Create a key file. Whoever can read this file can unlock the volume, so it is equivalent to the passphrase: keep it root-only (mode 0600) and on a medium you trust. Leaving it in /root on the unencrypted system disk next to the volume it unlocks gives away what the encryption was meant to protect.
# dd if=/dev/urandom of=/root/encrypted_key bs=1 count=1024
Register it (luksAddKey asks for an existing passphrase, then stores the new key in the next free slot)
# cryptsetup luksAddKey /dev/sdb1 /root/encrypted_key
Enter any LUKS passphrase:
Verify passphrase:
key slot 0 unlocked.
Command successful.
It was registered in slot 1. The per-slot iteration counts differ (328403 for slot 0, 335538 for slot 1) because cryptsetup chooses the PBKDF2 count for each slot by timing the hash on the machine when that key is added (see --iter-time); the much smaller "MK iterations: 10" applies only to the master-key digest check.
# cryptsetup luksDump /dev/sdb1
LUKS header information for /dev/sdb1
Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 2056
MK bits: 256
MK digest: ce 2b 5f 63 5c 0e 84 15 5f ce 51 b4 1d 46 c1 6b 89 5b 6a cc
MK salt: 17 11 4a d0 b4 22 df b9 06 b3 8c d0 9f 22 cc 49
c8 9c b4 25 2e fc d5 b7 0b 3d 60 e2 90 01 3b 61
MK iterations: 10
UUID: 96a0a006-bef8-4880-9950-5ebfb238276e
Key Slot 0: ENABLED
Iterations: 328403
Salt: 8b f9 f5 05 d8 ae 86 af 28 09 a7 71 5a 8a 85 e6
28 48 96 c2 8a bf 66 a5 ba dc 4e 3c 8b f7 3a 66
Key material offset: 8
AF stripes: 4000
Key Slot 1: ENABLED
Iterations: 335538
Salt: 4a f0 e5 cc d8 a9 db 37 de 1f 0d 10 13 54 a3 3e
d4 71 21 fb 57 a6 22 66 c0 1b 54 ad 3f b7 0a de
Key material offset: 264
AF stripes: 4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
Mount using the registered key file (cryptsetup reports which slot the key matched)
# cryptsetup luksOpen /dev/sdb1 encrypted --key-file /root/encrypted_key
key slot 1 unlocked.
Command successful.
# mount -t ext3 /dev/mapper/encrypted /mnt/encrypted
# cat /mnt/encrypted/hello.txt
hello
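As an added example (not code from the original post), here is the key-file workflow above and the header check from the luksDump sections wrapped into shell functions, together with thin wrappers for the open/mount/close steps from the first part of the post. make_keyfile creates the key with root-only permissions and refuses to clobber an existing file; luks_slot_iterations reads luksDump output and lists the enabled slots with their PBKDF2 iteration counts, so you can confirm the key file landed in a slot and spot stale slots to revoke; raw_contains checks that a plaintext marker does not appear on the raw partition. The device, mapping name, mount point, key-file path and the luksDelKey wrapper (the 1.0.x subcommand name) are assumptions, and the sample header text is constructed from the dump shown above.

```shell
#!/bin/sh
# Added example for the key-file workflow and header check above; not part of
# the original post. DEV, NAME, MNT and the key-file path are assumptions that
# match the post's setup.
DEV=${DEV:-/dev/sdb1}
NAME=${NAME:-encrypted}
MNT=${MNT:-/mnt/encrypted}

# Create a 1024-byte random key file that only root can read. Refuses to
# overwrite an existing file so a key that is still registered is not lost.
make_keyfile() {
    keyfile=$1
    [ -e "$keyfile" ] && { echo "refusing to overwrite $keyfile" >&2; return 1; }
    ( umask 077; dd if=/dev/urandom of="$keyfile" bs=1024 count=1 2>/dev/null ) || return 1
    chmod 600 "$keyfile" || return 1
    [ "$(wc -c < "$keyfile")" -eq 1024 ]
}

# From luksDump output on stdin, print "slot iterations" for every ENABLED slot.
# "MK iterations" belongs to the master-key digest, not to a slot, and is skipped.
luks_slot_iterations() {
    awk '
        /^Key Slot [0-7]:/ { slot = $3; sub(":", "", slot); on = ($4 == "ENABLED") }
        on && /^[ \t]*Iterations:/ { print slot, $2; on = 0 }
    '
}

# Number of enabled slots: one passphrase plus one key file should give 2.
luks_enabled_count() {
    luks_slot_iterations | wc -l | tr -d ' '
}

# Wrappers around the commands from the post (need root and cryptsetup).
add_keyfile()       { cryptsetup luksAddKey "$DEV" "$1"; }   # prompts for an existing passphrase
open_with_keyfile() { cryptsetup luksOpen "$DEV" "$NAME" --key-file "$1" &&
                      mount -t ext3 "/dev/mapper/$NAME" "$MNT"; }
close_volume()      { umount "$MNT" && cryptsetup luksClose "$NAME"; }
revoke_slot()       { cryptsetup luksDelKey "$DEV" "$1"; }   # 1.0.x name; later releases use luksKillSlot
# Succeeds only if the marker is found on the raw device; for "hello" it must fail.
raw_contains()      { dd if="$DEV" bs=1M 2>/dev/null | grep -a -q -- "$1"; }

# Sample header text, constructed from the luksDump output shown in the post.
SAMPLE_DUMP='LUKS header information for /dev/sdb1
Version: 1
MK iterations: 10
Key Slot 0: ENABLED
Iterations: 328403
Key Slot 1: ENABLED
Iterations: 335538
Key Slot 2: DISABLED
Key Slot 3: DISABLED'

# Usage (as root): DEV=/dev/sdb1 sh luks-keyfile.sh run /root/encrypted_key
if [ "${1:-}" = run ]; then
    make_keyfile "$2" && add_keyfile "$2" && open_with_keyfile "$2" &&
    cryptsetup luksDump "$DEV" | luks_slot_iterations
fi
```

Run the script with the `run` argument on the real device; sourcing it without arguments only defines the functions, so the parsing helpers can be used on saved luksDump output without touching a device.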