Setting up Linux filesystem encryption (Encrypt Disk)

Encrypt Disk means encrypting a whole disk partition rather than individual files. Partition-level encryption on Linux is mainly done with LUKS, which is implemented on top of the dm-crypt target of the kernel device mapper. So the first thing to check is whether the dm-crypt module is loaded on this system.

$ /sbin/lsmod|grep -i  'dm'

dm_crypt               17733  1 
rdma_cm                35833  1 ib_iser
ib_cm                  39853  1 rdma_cm
iw_cm                  13125  1 rdma_cm
ib_sa                  39349  2 rdma_cm,ib_cm
ib_core                63557  6 ib_iser,rdma_cm,ib_cm,iw_cm,ib_sa,ib_mad
ib_addr                11717  1 rdma_cm
dm_mirror              24649  0 
dm_multipath           26957  0 
scsi_dh                12481  1 dm_multipath
crypto_algapi          22721  6 cbc,cryptomgr,dm_crypt,testmgr,aead,crypto_blkcipher
crypto_api             12609  6 dm_crypt,xfrm_nalgo,testmgr,aead,crypto_blkcipher,crypto_algapi
dm_raid45              67401  0 
dm_message              6977  1 dm_raid45
dm_region_hash         15809  1 dm_raid45
dm_log                 14785  3 dm_mirror,dm_raid45,dm_region_hash
dm_mod                 63737  7 dm_crypt,dm_mirror,dm_multipath,dm_raid45,dm_log
dm_mem_cache            9921  1 dm_raid45

Required packages

  1. cryptsetup
  2. device-mapper
  3. util-linux
Check what is installed:
$ rpm -qa|egrep -i '(cryptsetup|device-mapper|util-linux)'

util-linux-2.13-0.56.el5
device-mapper-1.02.63-4.el5
cryptsetup-luks-1.0.3-8.el5   ---> provides the main command used here
device-mapper-event-1.02.63-4.el5
device-mapper-multipath-0.4.7-46.el5_7.1
$ rpm -ql cryptsetup-luks

/sbin/cryptsetup
/usr/lib/libcryptsetup.so.0
/usr/lib/libcryptsetup.so.0.0.0
/usr/share/doc/cryptsetup-luks-1.0.3
/usr/share/doc/cryptsetup-luks-1.0.3/AUTHORS
/usr/share/doc/cryptsetup-luks-1.0.3/COPYING
/usr/share/doc/cryptsetup-luks-1.0.3/ChangeLog
/usr/share/doc/cryptsetup-luks-1.0.3/INSTALL
/usr/share/doc/cryptsetup-luks-1.0.3/NEWS
/usr/share/doc/cryptsetup-luks-1.0.3/README
/usr/share/locale/de/LC_MESSAGES/cryptsetup-luks.mo
/usr/share/man/man8/cryptsetup.8.gz

Creating an encrypted partition

  1. Format the disk device as LUKS
  2. Open the mapping between /dev/mapper and the disk device
  3. Create an ordinary filesystem (ext3, ext4, etc.)
  4. Mount it

First simulate a device with dd and losetup

#dd if=/dev/zero of=DiskTest bs=200M count=1
#losetup /dev/loop1 DiskTest
Format as LUKS
# /sbin/cryptsetup luksFormat /dev/loop1

WARNING!
========
This will overwrite data on /dev/loop1 irrevocably.

Are you sure? (Type uppercase yes):YES (remember: uppercase)
Enter LUKS passphrase:ali1234
Verify passphrase:ali1234
Command successful.
Open the mapping
#/sbin/cryptsetup luksOpen /dev/loop1 Encdisk  (this creates /dev/mapper/Encdisk)
Enter LUKS passphrase for /dev/loop1:ali1234 (enter the passphrase just set)
key slot 0 unlocked.
Command successful.
Create the filesystem
#mkfs -t ext3 /dev/mapper/Encdisk
Mount
#mount /dev/mapper/Encdisk /media/disk

#df -h 
~omitted~
/dev/mapper/Encdisk   194M  165M   20M  90% /media/disk

Unmounting

  1. umount
  2. Detach the LUKS mapping (normally stopping here is enough)
  3. Detach the loop device with losetup
# umount /dev/mapper/Encdisk

#cryptsetup luksClose /dev/mapper/Encdisk

#losetup -d /dev/loop1

Mounting again

#losetup /dev/loop1 DiskTest

#mount /dev/loop1 /media/disk
mount: unknown filesystem type 'crypt_LUKS' (cannot be mounted directly; the device is now in LUKS format)

#cryptsetup luksOpen /dev/loop1 Encdisk
Enter LUKS passphrase for /dev/loop1:ali1234 (the passphrase is required, which shows the encryption is in effect)
key slot 0 unlocked.
Command successful.


#mount /dev/mapper/Encdisk /media/disk
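The "unknown filesystem type 'crypt_LUKS'" error above is mount refusing a LUKS container that has not been opened yet. The following added example (not from this page or from cryptsetup) is a small POSIX sh script that reads the LUKS header of an image file or block device before you try to mount it, so you know whether luksOpen is needed first; it assumes only dd, od and tr, and the fake header it builds for offline testing (make_fake_luks1_header, with made-up field values) is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page: inspect an image file or block
# device for a LUKS header before mounting it, using only POSIX sh, dd, od, tr.
# Reading an image file needs no root. Offsets are the LUKS1 on-disk header
# (magic at 0, version at 6, cipher name at 8, cipher mode at 40, hash at 72),
# which is what cryptsetup-luks 1.0.3 writes; LUKS2 keeps the same magic and
# version bytes but stores its metadata as JSON, so only the version is shown.

# Hex dump of COUNT bytes at OFFSET of FILE, no spaces (e.g. "4c554b53babe").
hex_at() { dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'; }

# NUL-terminated ASCII field of COUNT bytes at OFFSET of FILE.
luks_field() { dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'; }

# True when FILE begins with the LUKS magic "LUKS" 0xba 0xbe.
is_luks() { [ "$(hex_at "$1" 0 6)" = "4c554b53babe" ]; }

# Header version: big-endian 16-bit integer at offset 6.
luks_version() {
    set -- $(dd if="$1" bs=1 skip=6 count=2 2>/dev/null | od -An -v -tu1)
    echo $(( $1 * 256 + $2 ))
}

# One-line summary; exit status 1 means "mount directly", 0 means "luksOpen first".
luks_describe() {
    if ! is_luks "$1"; then
        echo "$1: no LUKS header, try a plain mount"
        return 1
    fi
    v=$(luks_version "$1")
    if [ "$v" -eq 1 ]; then
        echo "$1: LUKS1, cipher $(luks_field "$1" 8 32)-$(luks_field "$1" 40 32)," \
             "hash $(luks_field "$1" 72 32); run cryptsetup luksOpen before mounting"
    else
        echo "$1: LUKS version $v; run cryptsetup luksOpen before mounting"
    fi
}

# Constructed sample: a minimal fake LUKS1 header (no key slots) for offline tests.
pad() { dd if=/dev/zero bs=1 count="$1" 2>/dev/null; }
make_fake_luks1_header() {
    {
        printf 'LUKS\272\276\000\001'          # magic + version 1
        printf 'aes'; pad 29                   # cipher-name, 32 bytes
        printf 'cbc-essiv:sha256'; pad 16      # cipher-mode, 32 bytes
        printf 'sha1'; pad 28                  # hash-spec, 32 bytes
    } > "$1"
}

if [ "$#" -gt 0 ]; then luks_describe "$1"; fi
```

Run it as `sh luks_check.sh /dev/loop1` (as root, since reading a block device needs permission) or on the DiskTest image file directly.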

References

linux/encrypt.txt · Last modified: 2013/07/06 01:28 (external edit)