---------- Forwarded message ----------
From: wen xie <xiewenxiewen at googlemail.com>
Date: 2008/12/3
Subject: Fwd: create encrypted virtual filesystem
To: xiewenxiewen at googlemail.com
---------- Forwarded message ----------
From: XIE WEN-MFK346 <wenxie at motorola.com>
Date: 2008/12/3
Subject: create encrypted virtual filesystem
To: wen xie <xiewenxiewen at googlemail.com>
创建加密的虚拟文件系统
losetup 命令可以将文件虚拟成一个循环设备,用户可以挂载这个设备,创建文件系统
cryptsetup 命令可以透明地加密一个块设备,保护用户数据
1.建立文件系统挂载点目录和虚拟文件系统镜像文件目录
mkdir -p /mnt/loop0
mkdir -p /data/root
[root@DEV-pxy-1 ~]# mkdir -p /mnt/loop0
[root@DEV-pxy-1 ~]# mkdir -p /data/root
[root@DEV-pxy-1 ~]#
2.创建镜像文件,关联到一个循环设备上
dd if=/dev/zero of=/data/root/loop0file.img bs=1k count=10000
ls -l /data/root/loop0file.img
[root@DEV-pxy-1 ~]# dd if=/dev/zero of=/data/root/loop0file.img bs=1k count=10000
10000+0 records in
10000+0 records out
10240000 bytes (10 MB) copied, 0.069987 seconds, 146 MB/s
[root@DEV-pxy-1 ~]# ls -l /data/root/loop0file.img
-rw-r--r-- 1 root root 10240000 Dec 3 10:03 /data/root/loop0file.img
[root@DEV-pxy-1 ~]#
创建了一个10M大小的文件
建立关联
losetup /dev/loop0 /data/root/loop0file.img
losetup /dev/loop0
[root@DEV-pxy-1 ~]# losetup /dev/loop0 /data/root/loop0file.img
[root@DEV-pxy-1 ~]# losetup /dev/loop0
/dev/loop0: [0805]:9437186 (/data/root/loop0file.img)
[root@DEV-pxy-1 ~]#
用losetup关联,并查看到关联信息
默认loop设备有8个,可以手工增加
3.加载dm-crypt内核模块
modprobe dm-crypt
lsmod |grep dm_
dmsetup targets
dmsetup ls
[root@DEV-pxy-1 ~]# modprobe dm-crypt
[root@DEV-pxy-1 ~]# lsmod |grep dm_
dm_crypt 46665 0
dm_mod 99737 1 dm_crypt
[root@DEV-pxy-1 ~]# dmsetup targets
crypt v1.3.0
striped v1.0.2
linear v1.0.2
error v1.0.1
[root@DEV-pxy-1 ~]# dmsetup ls
No devices found
[root@DEV-pxy-1 ~]#
查看到dm-crypt已加载
4.创建加密设备
cryptsetup create loop0crypt /dev/loop0
[root@DEV-pxy-1 ~]# cryptsetup create loop0crypt /dev/loop0
Enter passphrase:
[root@DEV-pxy-1 ~]#
这里要输入加密的密码,比如abc。注意：cryptsetup create 建立的是 plain 模式的 dm-crypt 设备（没有 LUKS 头，也没有口令 salt），密钥直接由口令散列得到，口令强度就是数据的全部保护；正式使用时不要用 abc 这样的弱口令，或改用带 LUKS 头的方式（cryptsetup luksFormat）。
cryptsetup status loop0crypt
dmsetup ls
ls -l /dev/mapper/
[root@DEV-pxy-1 ~]# cryptsetup status loop0crypt
/dev/mapper/loop0crypt is active:
cipher: aes-cbc-plain
keysize: 256 bits
device: /dev/loop0
offset: 0 sectors
size: 20000 sectors
mode: read/write
[root@DEV-pxy-1 ~]# dmsetup ls
loop0crypt (253, 0)
[root@DEV-pxy-1 ~]# ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 63 Dec 3 10:03 control
brw-rw---- 1 root disk 253, 0 Dec 3 10:04 loop0crypt
[root@DEV-pxy-1 ~]#
在/dev/mapper/下创建了一个加密设备,叫loop0crypt
aes加密模块自动被加载
lsmod |grep aes
[root@DEV-pxy-1 ~]# lsmod |grep aes
aes_generic 59393 0
aes_x86_64 58601 1
[root@DEV-pxy-1 ~]#
5.创建文件系统,并挂载
mkfs -t ext3 /dev/mapper/loop0crypt 10000
[root@DEV-pxy-1 ~]# mkfs -t ext3 /dev/mapper/loop0crypt 10000
mke2fs 1.39 (29-May-2006)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
2512 inodes, 10000 blocks
500 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=10485760
2 block groups
8192 blocks per group, 8192 fragments per group
1256 inodes per group
Superblock backups stored on blocks:
8193
Writing inode tables: done
Creating journal (1024 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 31 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
[root@DEV-pxy-1 ~]#
mount -t ext3 /dev/mapper/loop0crypt /mnt/loop0
mount|grep loop
df -h /mnt/loop0
ls -l /mnt/loop0
[root@DEV-pxy-1 ~]# mount -t ext3 /dev/mapper/loop0crypt /mnt/loop0
[root@DEV-pxy-1 ~]# mount|grep loop
/dev/mapper/loop0crypt on /mnt/loop0 type ext3 (rw)
[root@DEV-pxy-1 ~]# df -h /mnt/loop0
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/loop0crypt 9.5M 1.1M 7.9M 13% /mnt/loop0
[root@DEV-pxy-1 ~]#
[root@DEV-pxy-1 ~]# ls -l /mnt/loop0
total 12
drwx------ 2 root root 12288 Dec 3 10:04 lost+found
[root@DEV-pxy-1 ~]#
创建一个文件试试
echo test >/mnt/loop0/a
ls -l /mnt/loop0/
[root@DEV-pxy-1 ~]# echo test >/mnt/loop0/a
[root@DEV-pxy-1 ~]# ls -l /mnt/loop0/
total 13
-rw-r--r-- 1 root root 5 Dec 3 10:06 a
drwx------ 2 root root 12288 Dec 3 10:04 lost+found
[root@DEV-pxy-1 ~]#
6.卸载文件系统及关联
umount /mnt/loop0
cryptsetup remove loop0crypt
losetup -d /dev/loop0
[root@DEV-pxy-1 ~]# umount /mnt/loop0
[root@DEV-pxy-1 ~]# cryptsetup remove loop0crypt
[root@DEV-pxy-1 ~]# losetup -d /dev/loop0
[root@DEV-pxy-1 ~]#
7.重新建立关联和挂载
步骤跟前面类似,但不用mkfs创建文件系统
losetup /dev/loop0 /data/root/loop0file.img
cryptsetup create loop0crypt /dev/loop0
mount -t ext3 /dev/mapper/loop0crypt /mnt/loop0
[root@DEV-pxy-1 ~]# losetup /dev/loop0 /data/root/loop0file.img
[root@DEV-pxy-1 ~]# cryptsetup create loop0crypt /dev/loop0
Enter passphrase:
[root@DEV-pxy-1 ~]# mount -t ext3 /dev/mapper/loop0crypt /mnt/loop0
[root@DEV-pxy-1 ~]#
密码输入创建时的那个,abc。注意：plain 模式下 cryptsetup 无法校验口令是否正确，输错口令时 create 照样成功，要到 mount 时才会因找不到有效的文件系统而报错。
ls -l /mnt/loop0
cat /mnt/loop0/a
[root@DEV-pxy-1 ~]# ls -l /mnt/loop0
total 13
-rw-r--r-- 1 root root 5 Dec 3 10:06 a
drwx------ 2 root root 12288 Dec 3 10:04 lost+found
[root@DEV-pxy-1 ~]# cat /mnt/loop0/a
test
[root@DEV-pxy-1 ~]#
8.扩大文件系统大小
先卸载和去除关联
umount /mnt/loop0
cryptsetup remove loop0crypt
losetup -d /dev/loop0
[root@DEV-pxy-1 ~]# umount /mnt/loop0
[root@DEV-pxy-1 ~]# cryptsetup remove loop0crypt
[root@DEV-pxy-1 ~]# losetup -d /dev/loop0
[root@DEV-pxy-1 ~]#
扩大镜像文件
dd if=/dev/zero bs=1k count=10000 >>/data/root/loop0file.img
ls -l /data/root/loop0file.img
[root@DEV-pxy-1 ~]# dd if=/dev/zero bs=1k count=10000 >>/data/root/loop0file.img
10000+0 records in
10000+0 records out
10240000 bytes (10 MB) copied, 0.070741 seconds, 145 MB/s
[root@DEV-pxy-1 ~]# ls -l /data/root/loop0file.img
-rw-r--r-- 1 root root 20480000 Dec 3 10:25 /data/root/loop0file.img
[root@DEV-pxy-1 ~]#
扩大加密设备大小
losetup /dev/loop0 /data/root/loop0file.img
cryptsetup create loop0crypt /dev/loop0
cryptsetup resize loop0crypt
[root@DEV-pxy-1 ~]# losetup /dev/loop0 /data/root/loop0file.img
[root@DEV-pxy-1 ~]# cryptsetup create loop0crypt /dev/loop0
Enter passphrase:
[root@DEV-pxy-1 ~]# cryptsetup resize loop0crypt
[root@DEV-pxy-1 ~]#
扩大文件系统
e2fsck -f /dev/mapper/loop0crypt
resize2fs /dev/mapper/loop0crypt
[root@DEV-pxy-1 ~]# e2fsck -f /dev/mapper/loop0crypt
e2fsck 1.39 (29-May-2006)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/dev/mapper/loop0crypt: 12/2512 files (8.3% non-contiguous), 1446/10000 blocks
[root@DEV-pxy-1 ~]# resize2fs /dev/mapper/loop0crypt
resize2fs 1.39 (29-May-2006)
Resizing the filesystem on /dev/mapper/loop0crypt to 20000 (1k) blocks.
The filesystem on /dev/mapper/loop0crypt is now 20000 blocks long.
[root@DEV-pxy-1 ~]#
挂载文件系统
mount -t ext3 /dev/mapper/loop0crypt /mnt/loop0
df -h /mnt/loop0
ls -l /mnt/loop0/
cat /mnt/loop0/a
[root@DEV-pxy-1 ~]# mount -t ext3 /dev/mapper/loop0crypt /mnt/loop0
[root@DEV-pxy-1 ~]# df -h /mnt/loop0
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/loop0crypt 20M 1.1M 17M 7% /mnt/loop0
[root@DEV-pxy-1 ~]# ls -l /mnt/loop0/
total 13
-rw-r--r-- 1 root root 5 Dec 3 10:06 a
drwx------ 2 root root 12288 Dec 3 10:04 lost+found
[root@DEV-pxy-1 ~]# cat /mnt/loop0/a
test
[root@DEV-pxy-1 ~]#
9.缩小文件系统大小
cp -p /u01/software/oracle/apache-ant-1.7.1-bin.tar.gz /mnt/loop0
ls -l /mnt/loop0/
df -h /mnt/loop0
[root@DEV-pxy-1 ~]# cp -p /u01/software/oracle/apache-ant-1.7.1-bin.tar.gz /mnt/loop0
[root@DEV-pxy-1 ~]# ls -l /mnt/loop0/
-rw-r--r-- 1 root root 5 Dec 3 10:06 a
apache-ant-1.7.1-bin.tar.gz
drwx------ 2 root root 12288 Dec 3 10:04 lost+found
[root@DEV-pxy-1 ~]# df -h /mnt/loop0
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/loop0crypt 20M 9.9M 8.3M 55% /mnt/loop0
[root@DEV-pxy-1 ~]#
缩小文件系统大小
umount /mnt/loop0
e2fsck -f /dev/mapper/loop0crypt
resize2fs /dev/mapper/loop0crypt 15m
[root@DEV-pxy-1 ~]# e2fsck -f /dev/mapper/loop0crypt
e2fsck 1.39 (29-May-2006)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
10579/20000 blocks
[root@DEV-pxy-1 ~]# resize2fs /dev/mapper/loop0crypt 10m
resize2fs 1.39 (29-May-2006)
Resizing the filesystem on /dev/mapper/loop0crypt to 10240 (1k) blocks.
resize2fs: No space left on device while trying to resize /dev/mapper/loop0crypt
[root@DEV-pxy-1 ~]# resize2fs /dev/mapper/loop0crypt 15m
resize2fs 1.39 (29-May-2006)
Resizing the filesystem on /dev/mapper/loop0crypt to 15360 (1k) blocks.
The filesystem on /dev/mapper/loop0crypt is now 15360 blocks long.
（已用 10579 块超过了 10m 对应的 10240 块，所以缩到 10m 失败，缩到 15m 才成功；缩小前一定先 e2fsck -f 并确认已用空间）
缩小加密设备大小（加密设备原为 40000 个 512 字节扇区，对应文件系统的 20000 个 1k 块；文件系统缩到 15360 块后，按比例把设备缩到 40000*15360/20000 = 30720 扇区。设备不能小于文件系统，否则会截掉文件系统尾部）
cryptsetup status loop0crypt
cryptsetup --offset 0 --size $(( 40000 * 15360/20000 )) resize loop0crypt
cryptsetup status loop0crypt
[root@DEV-pxy-1 ~]# cryptsetup status loop0crypt
/dev/mapper/loop0crypt is active:
cipher: aes-cbc-plain
keysize: 256 bits
device: /dev/loop0
offset: 0 sectors
size: 40000 sectors
mode: read/write
[root@DEV-pxy-1 ~]# cryptsetup --offset 0 --size $(( 40000 * 15360/20000 )) resize loop0crypt
[root@DEV-pxy-1 ~]# cryptsetup status loop0crypt
/dev/mapper/loop0crypt is active:
cipher: aes-cbc-plain
keysize: 256 bits
device: /dev/loop0
offset: 0 sectors
size: 30720 sectors
mode: read/write
[root@DEV-pxy-1 ~]#
缩小镜像文件大小（注意：下面的 dd ... seek 会直接截断镜像文件，且不可逆，所以先用 cp 备份一份 .bak；新大小必须不小于上一步加密设备的大小，15*1024*1024 = 15728640 字节正好等于 30720 个 512 字节扇区）
cryptsetup remove loop0crypt
losetup -d /dev/loop0
ls -l /data/root/
dd if=/dev/null of=/data/root/loop0file.img bs=1 count=0 seek=$(( 15*1024*1024 ))
ls -l /data/root/
[root@DEV-pxy-1 ~]# cryptsetup remove loop0crypt
[root@DEV-pxy-1 ~]# losetup -d /dev/loop0
[root@DEV-pxy-1 ~]# cp -p /data/root/loop0file.img /data/root/loop0file.img.bak
[root@DEV-pxy-1 ~]# ls -l /data/root/
-rw-r--r-- 1 root root 20480000 Dec 3 10:25 loop0file.img
-rw-r--r-- 1 root root 20480000 Dec 3 10:25 loop0file.img.bak
[root@DEV-pxy-1 ~]# dd if=/dev/null of=/data/root/loop0file.img bs=1 count=0 seek=$(( 15*1024*1024 ))
0+0 records in
0+0 records out
0 bytes (0 B) copied, 1.8e-05 seconds, 0.0 kB/s
[root@DEV-pxy-1 ~]# ls -l /data/root/
-rw-r--r-- 1 root root 15728640 Dec 4 05:55 loop0file.img
-rw-r--r-- 1 root root 20480000 Dec 3 10:25 loop0file.img.bak
[root@DEV-pxy-1 ~]#
挂载
losetup /dev/loop0 /data/root/loop0file.img
losetup /dev/loop0
cryptsetup create loop0crypt /dev/loop0
mount -t ext3 /dev/mapper/loop0crypt /mnt/loop0
df -h /mnt/loop0
ls -l /mnt/loop0/
diff /mnt/loop0/apache-ant-1.7.1-bin.tar.gz /u01/software/oracle/apache-ant-1.7.1-bin.tar.gz
[root@DEV-pxy-1 ~]# losetup /dev/loop0 /data/root/loop0file.img
[root@DEV-pxy-1 ~]# losetup /dev/loop0
/dev/loop0: [0805]:9437186 (/data/root/loop0file.img)
[root@DEV-pxy-1 ~]# cryptsetup create loop0crypt /dev/loop0
Enter passphrase:
[root@DEV-pxy-1 ~]# mount -t ext3 /dev/mapper/loop0crypt /mnt/loop0
[root@DEV-pxy-1 ~]# df -h /mnt/loop0
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/loop0crypt 15M 9.9M 4.1M 71% /mnt/loop0
[root@DEV-pxy-1 ~]# ls -l /mnt/loop0/
-rw-r--r-- 1 root root 5 Dec 3 10:06 a
apache-ant-1.7.1-bin.tar.gz
drwx------ 2 root root 12288 Dec 3 10:04 lost+found
[root@DEV-pxy-1 ~]# diff /mnt/loop0/apache-ant-1.7.1-bin.tar.gz /u01/software/oracle/apache-ant-1.7.1-bin.tar.gz
[root@DEV-pxy-1 ~]#
（diff 没有输出，说明缩小后文件内容完整）
外部链接:
Encryption-HOWTO-FAQ
http://encryptionhowto.sourceforge.net/Encryption-HOWTO-6.html
What is a loopback device and how can I create more of them?
http://kbase.redhat.com/faq/docs/DOC-1722
Use an Encrypted Filesystem to Protect Your Data
http://books.google.com/books?id=HZ37FT3unW8C&pg=PA265
玩转Ubuntu Linux之加密文件系统篇
http://www.51cto.com/art/200609/31687.htm
Network & Operations, Multimedia Applications & Services (MDB)
MOTOROLA Inc.
NO.104 mail box, 8th floor, Motorola Tower,
No. 1 Wang Jing East Road, Chao Yang District,
Beijing 100102 P. R. China
e-mail wenxie at motorola.com