
Wednesday, December 3, 2008

create encrypted virtual filesystem - 创建加密的虚拟文件系统







---------- Forwarded message ----------
From: wen xie <xiewenxiewen at googlemail.com>
Date: 2008/12/3
Subject: Fwd: create encrypted virtual filesystem
To: xiewenxiewen at googlemail.com







---------- Forwarded message ----------
From: XIE WEN-MFK346 <wenxie at motorola.com>
Date: 2008/12/3
Subject: create encrypted virtual filesystem
To: wen xie <xiewenxiewen at googlemail.com>







创建加密的虚拟文件系统




losetup 命令可以把一个普通文件虚拟成一个循环 (loop) 设备, 用户可以像挂载普通块设备一样挂载它并在其上创建文件系统;
cryptsetup 命令可以透明地加密一个块设备, 用来保护用户数据。





1. 建立文件系统挂载点目录和虚拟文件系统镜像文件所在的目录
mkdir -p /mnt/loop0
mkdir -p /data/root





[root@DEV-pxy-1
~]# mkdir -p /mnt/loop0
[root@DEV-pxy-1 ~]# mkdir -p
/data/root
[root@DEV-pxy-1 ~]#






2. 创建镜像文件, 并把它关联到一个循环设备上
dd if=/dev/zero of=/data/root/loop0file.img bs=1k count=10000
ls -l /data/root/loop0file.img





[root@DEV-pxy-1
~]# dd if=/dev/zero of=/data/root/loop0file.img bs=1k
count=10000
10000+0 records in
10000+0 records out
10240000
bytes (10 MB) copied, 0.069987 seconds, 146 MB/s
[root@DEV-pxy-1
~]# ls -l /data/root/loop0file.img
-rw-r--r-- 1 root root 10240000
Dec 3 10:03 /data/root/loop0file.img
[root@DEV-pxy-1 ~]#





这样就创建了一个 10M 大小的镜像文件






建立关联, 并查看关联信息
losetup /dev/loop0 /data/root/loop0file.img
losetup /dev/loop0





[root@DEV-pxy-1
~]# losetup /dev/loop0 /data/root/loop0file.img
[root@DEV-pxy-1
~]# losetup /dev/loop0
/dev/loop0: [0805]:9437186
(/data/root/loop0file.img)
[root@DEV-pxy-1 ~]#





losetup关联,并查看到关联信息





默认只有 8 个 loop 设备, 不够用时可以手工增加






3. 加载 dm-crypt 内核模块, 并确认加载结果
modprobe dm-crypt
lsmod | grep dm_
dmsetup targets
dmsetup ls





[root@DEV-pxy-1
~]# modprobe dm-crypt
[root@DEV-pxy-1 ~]# lsmod |grep
dm_
dm_crypt
46665 0
dm_mod
99737 1 dm_crypt
[root@DEV-pxy-1 ~]# dmsetup
targets
crypt
v1.3.0
striped
v1.0.2
linear
v1.0.2
error
v1.0.1
[root@DEV-pxy-1 ~]# dmsetup ls
No devices
found
[root@DEV-pxy-1 ~]#





查看到dm-crypt已加载






4. 创建加密设备
cryptsetup create loop0crypt /dev/loop0





[root@DEV-pxy-1
~]# cryptsetup create loop0crypt /dev/loop0
Enter
passphrase:
[root@DEV-pxy-1 ~]#





这里要输入加密口令, 比如 abc (仅作演示)。
注意 cryptsetup create 使用的是 dm-crypt 的 plain 模式 (见下面 status 输出中的 cipher: aes-cbc-plain): 密钥直接由口令派生, 设备上没有任何头部, 口令输错不会报错而只会得到一个无法挂载的设备, 数据的安全也完全取决于口令的强度。






查看加密设备的状态:
cryptsetup status loop0crypt
dmsetup ls
ls -l /dev/mapper/





[root@DEV-pxy-1
~]# cryptsetup status loop0crypt
/dev/mapper/loop0crypt is
active:
cipher: aes-cbc-plain
keysize: 256
bits
device: /dev/loop0
offset: 0
sectors
size: 20000 sectors

mode: read/write
[root@DEV-pxy-1 ~]# dmsetup
ls
loop0crypt (253,
0)
[root@DEV-pxy-1 ~]# ls -l /dev/mapper/
total 0
crw-------
1 root root 10, 63 Dec 3 10:03 control
brw-rw---- 1
root disk 253, 0 Dec 3 10:04 loop0crypt
[root@DEV-pxy-1
~]#





可以看到 /dev/mapper/ 下创建了一个加密设备 loop0crypt, 状态显示它的大小是 20000 个 512 字节扇区, 正好对应 10M 的镜像文件





aes 加密模块会被自动加载:
lsmod | grep aes





[root@DEV-pxy-1
~]# lsmod |grep aes
aes_generic
59393 0
aes_x86_64
58601 1
[root@DEV-pxy-1 ~]#






5. 创建文件系统, 并挂载
mkfs -t ext3 /dev/mapper/loop0crypt 10000





[root@DEV-pxy-1
~]# mkfs -t ext3 /dev/mapper/loop0crypt 10000
mke2fs 1.39
(29-May-2006)
Filesystem label=
OS type: Linux
Block
size=1024 (log=0)
Fragment size=1024 (log=0)
2512 inodes, 10000
blocks
500 blocks (5.00%) reserved for the super user
First
data block=1
Maximum filesystem blocks=10485760
2 block
groups
8192 blocks per group, 8192 fragments per group
1256
inodes per group
Superblock backups stored on blocks:

8193





Writing
inode tables: done
Creating journal (1024 blocks): done
Writing
superblocks and filesystem accounting information: done





This
filesystem will be automatically checked every 31 mounts or
180
days, whichever comes first. Use tune2fs -c or -i to
override.
[root@DEV-pxy-1 ~]#






mount -t ext3 /dev/mapper/loop0crypt /mnt/loop0
mount | grep loop
df -h /mnt/loop0
ls -l /mnt/loop0





[root@DEV-pxy-1
~]# mount -t ext3 /dev/mapper/loop0crypt /mnt/loop0
[root@DEV-pxy-1
~]# mount|grep loop
/dev/mapper/loop0crypt on /mnt/loop0 type ext3
(rw)
[root@DEV-pxy-1 ~]# df -h /mnt/loop0
Filesystem
Size Used Avail Use% Mounted
on
/dev/mapper/loop0crypt

9.5M 1.1M 7.9M 13% /mnt/loop0
[root@DEV-pxy-1
~]#
[root@DEV-pxy-1 ~]# ls -l /mnt/loop0
total 12
drwx------
2 root root 12288 Dec 3 10:04 lost+found
[root@DEV-pxy-1 ~]#






创建一个文件试试:
echo test >/mnt/loop0/a
ls -l /mnt/loop0/




[root@DEV-pxy-1
~]# echo test >/mnt/loop0/a

[root@DEV-pxy-1
~]# ls -l /mnt/loop0/

total
13

-rw-r--r-- 1 root
root 5 Dec 3 10:06 a

drwx------
2 root root 12288 Dec 3 10:04 lost+found

[root@DEV-pxy-1
~]#






6. 卸载文件系统, 并解除加密设备和循环设备的关联 (顺序与创建时相反)
umount /mnt/loop0
cryptsetup remove loop0crypt
losetup -d /dev/loop0





[root@DEV-pxy-1
~]# umount /mnt/loop0
[root@DEV-pxy-1 ~]# cryptsetup remove
loop0crypt
[root@DEV-pxy-1 ~]# losetup -d
/dev/loop0
[root@DEV-pxy-1 ~]#





7. 重新建立关联和挂载
步骤跟前面类似, 但不用再用 mkfs 创建文件系统 (否则会清掉已有的数据)
losetup /dev/loop0 /data/root/loop0file.img
cryptsetup create loop0crypt /dev/loop0
mount -t ext3 /dev/mapper/loop0crypt /mnt/loop0





[root@DEV-pxy-1
~]# losetup /dev/loop0 /data/root/loop0file.img
[root@DEV-pxy-1
~]# cryptsetup create loop0crypt /dev/loop0
Enter
passphrase:
[root@DEV-pxy-1 ~]# mount -t ext3
/dev/mapper/loop0crypt /mnt/loop0
[root@DEV-pxy-1 ~]#





口令必须输入创建时用的那个 (示例中是 abc), 否则解出来的设备无法挂载





ls -l /mnt/loop0
cat /mnt/loop0/a





[root@DEV-pxy-1
~]# ls -l /mnt/loop0
total 13
-rw-r--r-- 1 root root
5 Dec 3 10:06 a
drwx------ 2 root root 12288 Dec 3
10:04 lost+found
[root@DEV-pxy-1 ~]# cat
/mnt/loop0/a
test
[root@DEV-pxy-1 ~]#






8. 扩大文件系统大小
先卸载文件系统并去除关联:
umount /mnt/loop0
cryptsetup remove loop0crypt
losetup -d /dev/loop0





[root@DEV-pxy-1
~]# umount /mnt/loop0
[root@DEV-pxy-1 ~]# cryptsetup remove
loop0crypt
[root@DEV-pxy-1 ~]# losetup -d
/dev/loop0
[root@DEV-pxy-1 ~]#






扩大镜像文件 (向文件末尾再追加 10M 的零):
dd if=/dev/zero bs=1k count=10000 >>/data/root/loop0file.img
ls -l /data/root/loop0file.img





[root@DEV-pxy-1
~]# dd if=/dev/zero bs=1k count=10000
>>/data/root/loop0file.img
10000+0 records in
10000+0
records out
10240000 bytes (10 MB) copied, 0.070741 seconds, 145
MB/s
[root@DEV-pxy-1 ~]# ls -l /data/root/loop0file.img
-rw-r--r--
1 root root 20480000 Dec 3 10:25
/data/root/loop0file.img
[root@DEV-pxy-1 ~]#






扩大加密设备大小 (重新关联后, 让 cryptsetup 按底层设备的新大小调整映射):
losetup /dev/loop0 /data/root/loop0file.img
cryptsetup create loop0crypt /dev/loop0
cryptsetup resize loop0crypt





[root@DEV-pxy-1
~]# losetup /dev/loop0 /data/root/loop0file.img
[root@DEV-pxy-1
~]# cryptsetup create loop0crypt /dev/loop0
Enter
passphrase:
[root@DEV-pxy-1 ~]# cryptsetup resize
loop0crypt
[root@DEV-pxy-1 ~]#






扩大文件系统 (resize2fs 要求先做一次完整的 e2fsck -f):
e2fsck -f /dev/mapper/loop0crypt
resize2fs /dev/mapper/loop0crypt





[root@DEV-pxy-1
~]# e2fsck -f /dev/mapper/loop0crypt
e2fsck 1.39
(29-May-2006)
Pass 1: Checking inodes, blocks, and sizes
Pass
2: Checking directory structure
Pass 3: Checking directory
connectivity
Pass 4: Checking reference counts
Pass 5: Checking
group summary information
/dev/mapper/loop0crypt: 12/2512 files
(8.3% non-contiguous), 1446/10000 blocks
[root@DEV-pxy-1 ~]#
resize2fs /dev/mapper/loop0crypt
resize2fs 1.39
(29-May-2006)
Resizing the filesystem on /dev/mapper/loop0crypt to
20000 (1k) blocks.
The filesystem on /dev/mapper/loop0crypt is now
20000 blocks long.





[root@DEV-pxy-1
~]#





挂载文件系统, 并确认容量变大、原有文件仍在:
mount -t ext3 /dev/mapper/loop0crypt /mnt/loop0
df -h /mnt/loop0
ls -l /mnt/loop0/
cat /mnt/loop0/a






[root@DEV-pxy-1
~]# mount -t ext3 /dev/mapper/loop0crypt /mnt/loop0

[root@DEV-pxy-1
~]# df -h /mnt/loop0

Filesystem
Size Used Avail Use% Mounted
on

/dev/mapper/loop0crypt

20M 1.1M 17M 7%
/mnt/loop0

[root@DEV-pxy-1
~]# ls -l /mnt/loop0/

total
13

-rw-r--r-- 1 root
root 5 Dec 3 10:06 a

drwx------
2 root root 12288 Dec 3 10:04 lost+found

[root@DEV-pxy-1
~]# cat /mnt/loop0/a

test
[root@DEV-pxy-1
~]#






9. 缩小文件系统大小
先随便拷一个文件进去, 以便之后验证数据是否完好:
cp -p /u01/software/oracle/apache-ant-1.7.1-bin.tar.gz /mnt/loop0
ls -l /mnt/loop0/
df -h /mnt/loop0


[root@DEV-pxy-1 ~]# cp -p
/u01/software/oracle/apache-ant-1.7.1-bin.tar.gz /mnt/loop0

[root@DEV-pxy-1
~]# ls -l /mnt/loop0/
total 8987

-rw-r--r-- 1 root
root 5 Dec 3 10:06
a
-rw-r--r-- 1 s3op1 netop 9151860 Jul 9 09:19
apache-ant-1.7.1-bin.tar.gz

drwx------ 2 root root
12288 Dec 3 10:04 lost+found
[root@DEV-pxy-1 ~]# df -h
/mnt/loop0
Filesystem
Size Used Avail Use% Mounted
on
/dev/mapper/loop0crypt

20M 9.9M 8.3M 55% /mnt/loop0
[root@DEV-pxy-1
~]#



缩小文件系统大小。缩小时的顺序必须是: 先缩文件系统, 再缩加密设备, 最后缩镜像文件, 否则会丢数据。下面先试 10m, 会因为已用空间 (9.9M) 放不下而失败, 再用 15m 成功:
umount /mnt/loop0
e2fsck -f /dev/mapper/loop0crypt
resize2fs /dev/mapper/loop0crypt 10m
resize2fs /dev/mapper/loop0crypt 15m


[root@DEV-pxy-1 ~]# umount /mnt/loop0
[root@DEV-pxy-1 ~]#
e2fsck -f /dev/mapper/loop0crypt
e2fsck 1.39 (29-May-2006)
Pass 1:
Checking inodes, blocks, and sizes
Pass 2: Checking directory
structure
Pass 3: Checking directory connectivity
Pass 4: Checking
reference counts
Pass 5: Checking group summary
information
/dev/mapper/loop0crypt: 13/3768 files (7.7% non-contiguous),
10579/20000 blocks
[root@DEV-pxy-1 ~]# resize2fs /dev/mapper/loop0crypt
10m

resize2fs 1.39 (29-May-2006)
Resizing the filesystem on
/dev/mapper/loop0crypt to 10240 (1k) blocks.
resize2fs: No space left on
device while trying to resize /dev/mapper/loop0crypt
[root@DEV-pxy-1 ~]#
resize2fs /dev/mapper/loop0crypt 15m

resize2fs 1.39 (29-May-2006)
Resizing
the filesystem on /dev/mapper/loop0crypt to 15360 (1k) blocks.
The filesystem
on /dev/mapper/loop0crypt is now 15360 blocks long.


[root@DEV-pxy-1 ~]#



缩小加密设备大小。cryptsetup 的 --size 以 512 字节扇区为单位: 文件系统现在是 15360 个 1k 块, 加密设备原来是 40000 个扇区 (对应 20000 个 1k 块), 所以新大小是 40000 * 15360/20000 = 30720 个扇区:
cryptsetup status loop0crypt
cryptsetup --offset 0 --size $(( 40000 * 15360/20000 )) resize loop0crypt
cryptsetup status loop0crypt


[root@DEV-pxy-1 ~]# cryptsetup status
loop0crypt
/dev/mapper/loop0crypt is active:
cipher:
aes-cbc-plain
keysize: 256 bits
device:
/dev/loop0
offset: 0 sectors
size:
40000 sectors
mode: read/write
[root@DEV-pxy-1
~]# cryptsetup --offset 0 --size $(( 40000 * 15360/20000 )) resize
loop0crypt

[root@DEV-pxy-1 ~]# cryptsetup status
loop0crypt
/dev/mapper/loop0crypt is active:
cipher:
aes-cbc-plain
keysize: 256 bits
device:
/dev/loop0
offset: 0 sectors
size:
30720 sectors

mode: read/write
[root@DEV-pxy-1
~]#



缩小镜像文件大小。先解除关联并备份镜像文件, 再用 dd 把文件截断到 15*1024*1024 = 15728640 字节, 正好等于 15360 个 1k 块:
cryptsetup remove loop0crypt
losetup -d /dev/loop0
cp -p /data/root/loop0file.img /data/root/loop0file.img.bak
ls -l /data/root/
dd if=/dev/null of=/data/root/loop0file.img bs=1 count=0 seek=$(( 15*1024*1024 ))
ls -l /data/root/


[root@DEV-pxy-1 ~]# cryptsetup remove
loop0crypt
[root@DEV-pxy-1 ~]# losetup -d /dev/loop0
[root@DEV-pxy-1 ~]#
cp -p /data/root/loop0file.img /data/root/loop0file.img.bak

[root@DEV-pxy-1
~]# ls -l /data/root/
total 40048
-rw-r--r-- 1 root root 20480000
Dec 3 10:25 loop0file.img
-rw-r--r-- 1 root root 20480000 Dec 3
10:25 loop0file.img.bak
[root@DEV-pxy-1 ~]# dd if=/dev/null
of=/data/root/loop0file.img bs=1 count=0 seek=$(( 15*1024*1024 ))
0+0 records
in
0+0 records out
0 bytes (0 B) copied, 1.8e-05 seconds, 0.0
kB/s

[root@DEV-pxy-1 ~]# ls -l /data/root/
total 35404
-rw-r--r-- 1
root root 15728640 Dec 4 05:55 loop0file.img
-rw-r--r-- 1 root root
20480000 Dec 3 10:25 loop0file.img.bak
[root@DEV-pxy-1 ~]#



重新关联并挂载, 用 diff 确认拷进去的文件没有损坏:
losetup /dev/loop0 /data/root/loop0file.img
losetup /dev/loop0
cryptsetup create loop0crypt /dev/loop0
mount -t ext3 /dev/mapper/loop0crypt /mnt/loop0
df -h /mnt/loop0
ls -l /mnt/loop0/
diff /mnt/loop0/apache-ant-1.7.1-bin.tar.gz /u01/software/oracle/apache-ant-1.7.1-bin.tar.gz


[root@DEV-pxy-1 ~]# losetup /dev/loop0
/data/root/loop0file.img
[root@DEV-pxy-1 ~]# losetup
/dev/loop0
/dev/loop0: [0805]:9437186
(/data/root/loop0file.img)
[root@DEV-pxy-1 ~]# cryptsetup create loop0crypt
/dev/loop0
Enter passphrase:
[root@DEV-pxy-1 ~]# mount -t ext3
/dev/mapper/loop0crypt /mnt/loop0
[root@DEV-pxy-1 ~]# df -h
/mnt/loop0
Filesystem
Size Used Avail Use% Mounted
on
/dev/mapper/loop0crypt

15M 9.9M 4.1M 71% /mnt/loop0

[root@DEV-pxy-1 ~]# ls -l
/mnt/loop0/
total 8987

-rw-r--r-- 1 root
root 5 Dec 3 10:06
a
-rw-r--r-- 1 s3op1 netop 9151860 Jul 9 09:19
apache-ant-1.7.1-bin.tar.gz

drwx------ 2 root root
12288 Dec 3 10:04 lost+found
[root@DEV-pxy-1 ~]# diff
/mnt/loop0/apache-ant-1.7.1-bin.tar.gz
/u01/software/oracle/apache-ant-1.7.1-bin.tar.gz
[root@DEV-pxy-1
~]#








外部链接:





Encryption-HOWTO-FAQ
http://encryptionhowto.sourceforge.net/Encryption-HOWTO-6.html





What is a loopback
device and how can I create more of
them?
http://kbase.redhat.com/faq/docs/DOC-1722





Use an Encrypted
Filesystem to Protect Your
Data
http://books.google.com/books?id=HZ37FT3unW8C&pg=PA265





玩转Ubuntu
Linux
之加密文件系统篇
http://www.51cto.com/art/200609/31687.htm

















Xie Wen (谢文)

Network &
Operations,
Multimedia Applications & Services (MDB)
MOTOROLA Inc.
NO.104 mail box,
8th floor, Motorola Tower,
No.
1 Wang Jing East Road, Chao Yang District,
Beijing 100102 P. R.
China
e-mail wenxie at motorola.com








