lost and found ( for me ? )

Creating an encrypted filesystem with cryptsetup

# cat /etc/redhat-release

CentOS release 5.4 (Final)

# uname -r
2.6.18-164.el5

# rpm -qa | grep cryptsetup
cryptsetup-luks-1.0.3-5.el5

/dev/sdb1 is used as the partition to be encrypted.

# fdisk -l 
/dev/sdb1               1         100      102384   83  Linux

Set up the encrypted partition with cryptsetup.

Cipher: aes (CBC mode with ESSIV)
ESSIV hash: sha256
Key length: 256 bit

Note that the sha256 in aes-cbc-essiv:sha256 only names the hash used to derive the ESSIV key for IV generation. The hash used for the key slots (PBKDF2, anti-forensic splitting, master-key digest) is the "Hash spec" reported by luksDump below, which cryptsetup 1.0.3 sets to sha1 by default. aes-cbc-essiv:sha256 was the usual choice at the time; current cryptsetup defaults to aes-xts-plain64.

# cryptsetup -y luksFormat --cipher aes-cbc-essiv:sha256 --key-size 256 /dev/sdb1

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES  <- must be uppercase
Enter LUKS passphrase:
Verify passphrase:
Command successful.
#

What LUKS is (from the cryptsetup man page):

Linux Unified Key Setup, is a standard for hard disk encryption. It
standardizes a partition header, as well as the format of the bulk data.
LUKS can manage multiple passwords, that can be revoked effectively and
that are protected against dictionary attacks with PBKDF2.

The encrypted partition is mapped through device mapper, and files are
accessed through the resulting device-mapper device rather than through /dev/sdb1 itself.

# cryptsetup luksOpen /dev/sdb1 encrypted
Enter LUKS passphrase for /dev/sdb1:
key slot 0 unlocked.
Command successful.

# ls -l /dev/mapper/
total 0
crw------- 1 root root  10, 63 May  6 15:21 control
brw-rw---- 1 root disk 253,  0 May  6 15:49 encrypted

# mkfs.ext3 /dev/mapper/encrypted

# mount -t ext3 /dev/mapper/encrypted /mnt/encrypted

# cd /mnt/encrypted/
# echo hello > hello.txt

Unmount

# umount /mnt/encrypted
# cryptsetup luksClose encrypted

# ls /dev/mapper/*
/dev/mapper/control

Trying to mount the partition directly, without cryptsetup, fails (the data cannot be read): sector 0 holds the LUKS header rather than an ext3 superblock, and everything from the payload offset onward is ciphertext.

# mount -t ext3 /dev/sdb1 /mnt/encrypted
mount: wrong fs type, bad option, bad superblock on /dev/sdb1,
       missing codepage or other error
       In some cases useful info is found in syslog - try
       dmesg | tail  or so

Reopening

# cryptsetup luksOpen /dev/sdb1 encrypted
Enter LUKS passphrase for /dev/sdb1:
key slot 0 unlocked.
Command successful.

# mount /dev/mapper/encrypted /mnt/encrypted

# cat /mnt/encrypted/hello.txt
hello

# cryptsetup luksDump /dev/sdb1
LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 2056
MK bits:        256
MK digest:      ce 2b 5f 63 5c 0e 84 15 5f ce 51 b4 1d 46 c1 6b 89 5b 6a cc
MK salt:        17 11 4a d0 b4 22 df b9 06 b3 8c d0 9f 22 cc 49
                c8 9c b4 25 2e fc d5 b7 0b 3d 60 e2 90 01 3b 61
MK iterations:  10
UUID:           96a0a006-bef8-4880-9950-5ebfb238276e

Key Slot 0: ENABLED
        Iterations:             328403
        Salt:                   8b f9 f5 05 d8 ae 86 af 28 09 a7 71 5a 8a 85 e6
                                28 48 96 c2 8a bf 66 a5 ba dc 4e 3c 8b f7 3a 66
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
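
As an added example (not from the original post), a small POSIX shell helper that parses cryptsetup luksDump output like the one above and flags the points worth checking: which key slots are enabled, which hash the key slots use, and the lowest PBKDF2 iteration count among enabled slots. The sample dump embedded in the script is constructed from the values shown on this page after the key file has been added to slot 1 (so two slots are enabled); the warning thresholds are the script's own choices.

```sh
#!/bin/sh
# Audit helpers for `cryptsetup luksDump` output (LUKS1 layout as printed by
# cryptsetup 1.x). Added example; the sample dump below is constructed from
# the values on this page, and the thresholds are this script's own choices.

# Print the numbers of the enabled key slots, space-separated (e.g. "0 1").
luks_enabled_slots() {
    awk '/^Key Slot [0-7]: ENABLED/ { sub(":", "", $3); printf "%s%s", sep, $3; sep = " " }
         END { print "" }' "$1"
}

# Print the hash used for PBKDF2, AF splitting and the MK digest (e.g. "sha1").
luks_hash_spec() {
    awk '/^Hash spec:/ { print $3 }' "$1"
}

# Print the lowest PBKDF2 iteration count among enabled slots, or "none".
# Only slot entries are indented; "MK iterations:" at column 0 is skipped.
luks_min_iterations() {
    awk '/^[ \t]+Iterations:/ { n = $2 + 0; if (min == "" || n < min) min = n }
         END { print (min == "" ? "none" : min) }' "$1"
}

# Summarise and warn. Always returns 0 so it is safe to call under set -e.
luks_audit() {
    dump=$1
    slots=$(luks_enabled_slots "$dump")
    hash=$(luks_hash_spec "$dump")
    iters=$(luks_min_iterations "$dump")
    set -- $slots
    echo "enabled key slots: ${slots:-none}"
    echo "hash spec: $hash, minimum slot iterations: $iters"
    if [ "$hash" = "sha1" ]; then
        echo "WARNING: key slots use sha1 PBKDF2 (old cryptsetup default); newer releases default to sha256"
    fi
    if [ "$iters" != none ] && [ "$iters" -lt 100000 ]; then
        echo "WARNING: low iteration count, passphrase guessing is cheap"
    fi
    if [ $# -lt 2 ]; then
        echo "NOTE: only one slot enabled; a second slot (passphrase or key file) avoids a single point of failure"
    fi
    return 0
}

# Constructed sample, copied from the luksDump output on this page after luksAddKey.
sample_dump() {
    cat <<'EOF'
LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 2056
MK bits:        256
MK iterations:  10
Key Slot 0: ENABLED
        Iterations:             328403
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             335538
        Key material offset:    264
        AF stripes:             4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
EOF
}

# Usage: sh luks_audit.sh [dumpfile]   (e.g. cryptsetup luksDump /dev/sdb1 > dump.txt)
# With no argument the built-in sample is audited.
if [ -n "${1:-}" ]; then
    luks_audit "$1"
else
    tmp=$(mktemp) && sample_dump > "$tmp" && luks_audit "$tmp"
    rm -f "$tmp"
fi
```

The iteration count is what cryptsetup benchmarked on the 2010 machine in this post; on a modern CPU the same passphrase is proportionally cheaper to guess, which is why the audit reports the minimum across slots rather than the header's MK iterations.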

[ Mounting without entering a passphrase ]

Create a key file (1024 random bytes). Anyone who can read this file can open the volume without a passphrase, so it must be readable by root only (chmod 0400); keeping it on the unencrypted root filesystem also means that whoever obtains the machine's disks can unlock /dev/sdb1.

# dd if=/dev/urandom of=/root/encrypted_key bs=1 count=1024

Register it in a free key slot (an existing passphrase is needed first to unlock the master key)

# cryptsetup luksAddKey /dev/sdb1 /root/encrypted_key
Enter any LUKS passphrase:
Verify passphrase:
key slot 0 unlocked.
Command successful.

It was registered in slot 1.

# cryptsetup luksDump /dev/sdb1
LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 2056
MK bits:        256
MK digest:      ce 2b 5f 63 5c 0e 84 15 5f ce 51 b4 1d 46 c1 6b 89 5b 6a cc
MK salt:        17 11 4a d0 b4 22 df b9 06 b3 8c d0 9f 22 cc 49
                c8 9c b4 25 2e fc d5 b7 0b 3d 60 e2 90 01 3b 61
MK iterations:  10
UUID:           96a0a006-bef8-4880-9950-5ebfb238276e

Key Slot 0: ENABLED
        Iterations:             328403
        Salt:                   8b f9 f5 05 d8 ae 86 af 28 09 a7 71 5a 8a 85 e6
                                28 48 96 c2 8a bf 66 a5 ba dc 4e 3c 8b f7 3a 66
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             335538
        Salt:                   4a f0 e5 cc d8 a9 db 37 de 1f 0d 10 13 54 a3 3e
                                d4 71 21 fb 57 a6 22 66 c0 1b 54 ad 3f b7 0a de
        Key material offset:    264
        AF stripes:             4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Mount with the registered key file (on CentOS 5 an entry in /etc/crypttab lets rc.sysinit open the volume with this key file at boot)

# cryptsetup luksOpen /dev/sdb1 encrypted --key-file /root/encrypted_key
key slot 1 unlocked.
Command successful.

# mount -t ext3 /dev/mapper/encrypted /mnt/encrypted

# cat /mnt/encrypted/hello.txt
hello
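
The whole procedure on this page, from key file to verified reopen, as an added shell script that is not part of the original post. It reproduces the steps on a 64 MiB file-backed loop device instead of /dev/sdb1, so it can be tried on a machine without a spare partition; the image path, mapper name, mount point and key file location are the script's own choices, and unlike the post it puts the key file in slot 0 instead of an interactive passphrase. The `run` part needs root, cryptsetup, losetup and mkfs.ext3 (option names as in current cryptsetup man pages); `keyfile_create` is the one step that also works unprivileged, and it writes the key file with mode 0400 before any key is stored in it, which the dd invocation above does not do.

```sh
#!/bin/sh
# Added example: the page's cryptsetup procedure on a file-backed loop device.
# Not from the original post. Assumed, script-chosen values: image path,
# mapper name, mount point, key file path. The "run" part needs root.
set -eu

# Create a key file of $2 random bytes (default 1024, like the page) that is
# readable by root only. The restrictive umask means the file is never
# group/world-readable, not even for the instant before chmod.
keyfile_create() {
    path=$1
    bytes=${2:-1024}
    (umask 077 && dd if=/dev/urandom of="$path" bs=1 count="$bytes" 2>/dev/null)
    chmod 0400 "$path"
}

# Format, open, fill, close, check that the raw device does not mount, reopen.
luks_loop_demo() {
    img=$1 name=$2 mnt=$3 key=$4
    dd if=/dev/zero of="$img" bs=1M count=64 2>/dev/null
    loopdev=$(losetup -f)
    losetup "$loopdev" "$img"

    # Same cipher/mode/key size as the page; -q skips the uppercase YES prompt.
    # Slot 0 gets the key file instead of an interactive passphrase.
    cryptsetup -q luksFormat --cipher aes-cbc-essiv:sha256 --key-size 256 \
        --key-file "$key" "$loopdev"
    cryptsetup luksOpen --key-file "$key" "$loopdev" "$name"
    mkfs.ext3 -q "/dev/mapper/$name"
    mkdir -p "$mnt"
    mount -t ext3 "/dev/mapper/$name" "$mnt"
    echo hello > "$mnt/hello.txt"
    umount "$mnt"
    cryptsetup luksClose "$name"

    # The raw device starts with a LUKS header, not an ext3 superblock: mount must fail.
    if mount -t ext3 "$loopdev" "$mnt" 2>/dev/null; then
        umount "$mnt"
        echo "unexpected: raw device mounted without cryptsetup" >&2
        return 1
    fi

    # Reopen with the key file, read the data back, show the slot state.
    cryptsetup luksOpen --key-file "$key" "$loopdev" "$name"
    mount -t ext3 "/dev/mapper/$name" "$mnt"
    cat "$mnt/hello.txt"
    cryptsetup luksDump "$loopdev" | grep '^Key Slot'
    umount "$mnt"
    cryptsetup luksClose "$name"
    losetup -d "$loopdev"
}

# Usage: sh luks_loop_demo.sh run   (as root)
if [ "${1:-}" = run ]; then
    keyfile_create /root/encrypted_key
    luks_loop_demo /var/tmp/luks-demo.img encrypted /mnt/encrypted /root/encrypted_key
fi
```

After the run, `cryptsetup luksAddKey --key-file /root/encrypted_key /var/tmp/luks-demo.img` (the loop device must be detached or use the loop path) adds an interactive passphrase in slot 1, so the volume stays recoverable if the key file is lost.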
