Operating system: Parabola GNU/Linux-libre, the GNU version of Arch.
I have managed to encrypt my root partition, but I am not sure how to encrypt my swap partition. I know swap partitions are becoming obsolete and swap files are preferred, but btrfs still does not support that.
lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 223.6G 0 disk
├─sda2 8:2 0 221.1G 0 part
│ └─cryptroot 254:0 0 221.1G 0 crypt /
├─sda3 8:3 0 2G 0 part
│ └─cryptswap 254:1 0 2G 0 crypt
└─sda1 8:1 0 512M 0 part /boot
/etc/fstab
# /dev/mapper/cryptroot
UUID=0126cb9b-d3aa-4f05-a39a-71682fa847bb / btrfs rw,relatime,ssd,space_cache,subvolid=5,subvol=/ 0 0
# /dev/sda1
UUID=6F37-84A2 /boot vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro 0 2
# /dev/mapper/cryptswap
UUID=aef00636-0183-48d1-ab87-8f6653a30dd8 none swap defaults 0 0
/boot/loader/entries/parabola.conf
title Parabola GNU/Linux-libre
linux /vmlinuz-linux-libre
initrd /initramfs-linux-libre.img
options rd.luks.uuid=c6b69115-15c6-4561-9691-fc4a05ac9622 rd.luks.name=c6b69115-15c6-4561-9691-fc4a05ac9622=cryptroot rd.luks.options=quiet rw root=/dev/mapper/cryptroot
/etc/crypttab
# crypttab: mappings for encrypted partitions
#
# Each mapped device will be created in /dev/mapper, so your /etc/fstab
# should use the /dev/mapper/<name> paths for encrypted devices.
#
# The Parabola specific syntax has been deprecated, see crypttab(5) for the
# new supported syntax.
#
# NOTE: Do not list your root (/) partition here, it must be set up
# beforehand by the initramfs (/etc/mkinitcpio.conf).
# <name> <device> <password> <options>
cryptswap /dev/disk/by-id/ata-PH4-CE240_511160905070017677-part3 /dev/urandom swap
journalctl -b
Dec 22 23:35:54 MyComputer mkswap[341]: Setting up swapspace version 1, size = 2 GiB (2147459072 bytes)
Dec 22 23:35:54 MyComputer mkswap[341]: no label, UUID=c965e98e-b011-4e40-aef3-bb84d58d7a08
Dec 22 23:35:54 MyComputer systemd[1]: Started Cryptography Setup for swap.
Dec 22 23:35:54 MyComputer systemd[1]: Reached target Encrypted Volumes.
Dec 22 23:35:54 MyComputer systemd[1]: Found device /dev/mapper/swap.
Dec 22 23:37:23 MyComputer systemd[1]: dev-disk-by\x2duuid-aef00636\x2d0183\x2d48d1\x2dab87\x2d8f6653a30dd8.device: Job dev-disk-by\x2duuid-aef00636\x2d0183\x2d48d1\x2dab87\x2d8f6653a30dd8.device/start timed out.
Dec 22 23:37:23 MyComputer systemd[1]: Timed out waiting for device dev-disk-by\x2duuid-aef00636\x2d0183\x2d48d1\x2dab87\x2d8f6653a30dd8.device.
Dec 22 23:37:23 MyComputer systemd[1]: Dependency failed for /dev/disk/by-uuid/aef00636-0183-48d1-ab87-8f6653a30dd8.
Dec 22 23:37:23 MyComputer systemd[1]: Dependency failed for Swap.
Dec 22 23:37:23 MyComputer systemd[1]: swap.target: Job swap.target/start failed with result 'dependency'.
Dec 22 23:37:23 MyComputer systemd[1]: dev-disk-by\x2duuid-aef00636\x2d0183\x2d48d1\x2dab87\x2d8f6653a30dd8.swap: Job dev-disk-by\x2duuid-aef00636\x2d0183\x2d48d1\x2dab87\x2d8f6653a30dd8.swap/start failed with result 'dependency'.
Dec 22 23:37:23 MyComputer systemd[1]: dev-disk-by\x2duuid-aef00636\x2d0183\x2d48d1\x2dab87\x2d8f6653a30dd8.device: Job dev-disk-by\x2duuid-aef00636\x2d0183\x2d48d1\x2dab87\x2d8f6653a30dd8.device/start failed with result 'timeout'.
Dec 22 23:37:23 MyComputer systemd[1]: Mounting Temporary Directory...
Dec 22 23:37:23 MyComputer systemd[1]: Mounted Temporary Directory.
Dec 22 23:37:23 MyComputer systemd[1]: Reached target Local File Systems.
Dec 22 23:37:23 MyComputer systemd[1]: Starting Create Volatile Files and Directories...
Dec 22 23:37:23 MyComputer systemd[1]: Started Create Volatile Files and Directories.
Dec 22 23:37:23 MyComputer systemd[1]: Starting Update UTMP about System Boot/Shutdown...
Dec 22 23:37:23 MyComputer systemd[1]: Started Update UTMP about System Boot/Shutdown.
Dec 22 23:37:23 MyComputer systemd[1]: Reached target System Initialization.
Dec 22 23:37:23 MyComputer systemd[1]: Started Daily Cleanup of Temporary Directories.
Dec 22 23:37:23 MyComputer systemd[1]: Started Daily verification of password and group files.
Dec 22 23:37:23 MyComputer systemd[1]: Listening on D-Bus System Message Bus Socket.
Dec 22 23:37:23 MyComputer systemd[1]: Reached target Sockets.
Dec 22 23:37:23 MyComputer systemd[1]: Reached target Basic System.
Dec 22 23:37:23 MyComputer systemd[1]: Starting Save/Restore Sound Card State...
Dec 22 23:37:23 MyComputer systemd[1]: Starting dhcpcd on enp4s0...
Dec 22 23:37:23 MyComputer systemd[1]: Starting Login Service...
Dec 22 23:37:23 MyComputer systemd[1]: Started D-Bus System Message Bus.
...
Dec 24 00:00:09 MyComputer systemd[1]: Started Update man-db cache.
Dec 24 00:01:36 MyComputer systemd[1]: dev-disk-by\x2duuid-aef00636\x2d0183\x2d48d1\x2dab87\x2d8f6653a30dd8.device: Job dev-disk-by\x2duuid-aef00636\x2d0183\x2d48d1\x2dab87\x2d8f6653a30dd8.device/start timed out.
Dec 24 00:01:36 MyComputer systemd[1]: Timed out waiting for device dev-disk-by\x2duuid-aef00636\x2d0183\x2d48d1\x2dab87\x2d8f6653a30dd8.device.
Dec 24 00:01:36 MyComputer systemd[1]: Dependency failed for /dev/disk/by-uuid/aef00636-0183-48d1-ab87-8f6653a30dd8.
Dec 24 00:01:36 MyComputer systemd[1]: dev-disk-by\x2duuid-aef00636\x2d0183\x2d48d1\x2dab87\x2d8f6653a30dd8.swap: Job dev-disk-by\x2duuid-aef00636\x2d0183\x2d48d1\x2dab87\x2d8f6653a30dd8.swap/start failed with result 'dependency'.
Dec 24 00:01:36 MyComputer systemd[1]: dev-disk-by\x2duuid-aef00636\x2d0183\x2d48d1\x2dab87\x2d8f6653a30dd8.device: Job dev-disk-by\x2duuid-aef00636\x2d0183\x2d48d1\x2dab87\x2d8f6653a30dd8.device/start failed with result 'timeout'.
[Update]
New information has come to light. It looks like the swap partition that is supposed to be encrypted is not being recognized.
[Update]
I tried the following, with the same result as above:
parted
rm 3
mkpart primary ext2 -2GiB 100%
(Ignore)
quit
dd if=/dev/urandom of=/dev/sda3 bs=1M
cryptsetup -v -y luksFormat /dev/sda3
YES
cryptsetup open /dev/sda3 cryptswap
mkswap /dev/mapper/cryptswap
swapon /dev/mapper/cryptswap
[Update]
Encrypting the partition as above on the Live MATE edition of Parabola returns an error.
1 root@parabolaiso / # cryptsetup -y -v luksFormat /dev/sda3 --debug :(
# cryptsetup 1.7.3 processing "cryptsetup -y -v luksFormat /dev/sda3 --debug"
# Running command luksFormat.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
WARNING!
========
This will overwrite data on /dev/sda3 irrevocably.
Are you sure? (Type uppercase yes): YES
# Allocating crypt device /dev/sda3 context.
# Trying to open and read device /dev/sda3 with direct-io.
# Initialising device-mapper backend library.
# Timeout set to 0 miliseconds.
# Iteration time set to 2000 milliseconds.
# Interactive passphrase entry requested.
Enter passphrase:
Verify passphrase:
# Formatting device /dev/sda3 as type LUKS1.
# Crypto backend (gcrypt 1.7.5) initialized in cryptsetup library version 1.7.3.
# Detected kernel Linux 4.8.6-gnu-1 x86_64.
# Topology: IO (512/0), offset = 0; Required alignment is 1048576 bytes.
# Checking if cipher aes-xts-plain64 is usable.
# Userspace crypto wrapper cannot use aes-xts-plain64 (-95).
# Using dmcrypt to access keyslot area.
# Calculated device size is 1 sectors (RW), offset 0.
# dm version [ opencount flush ] [16384] (*1)
# dm versions [ opencount flush ] [16384] (*1)
# Device-mapper backend running with UDEV support enabled.
# DM-UUID is CRYPT-TEMP-temporary-cryptsetup-10670
# dm versions [ opencount flush ] [16384] (*1)
# Device-mapper backend running with UDEV support enabled.
# Udev cookie 0xd4d2344 (semid 65536) created
# Udev cookie 0xd4d2344 (semid 65536) incremented to 1
# Udev cookie 0xd4d2344 (semid 65536) incremented to 2
# Udev cookie 0xd4d2344 (semid 65536) assigned to CREATE task(0) with flags DISABLE_SUBSYSTEM_RULES DISABLE_DISK_RULES DISABLE_OTHER_RULES (0xe)
# dm create temporary-cryptsetup-10670 CRYPT-TEMP-temporary-cryptsetup-10670 [ opencount flush ] [16384] (*1)
# dm reload temporary-cryptsetup-10670 [ opencount flush readonly ] [16384] (*1)
device-mapper: reload ioctl on temporary-cryptsetup-10670 failed: Invalid argument
# Udev cookie 0xd4d2344 (semid 65536) decremented to 1
# Udev cookie 0xd4d2344 (semid 65536) incremented to 2
# Udev cookie 0xd4d2344 (semid 65536) assigned to REMOVE task(2) with flags DISABLE_SUBSYSTEM_RULES DISABLE_DISK_RULES DISABLE_OTHER_RULES (0xe)
# dm remove temporary-cryptsetup-10670 [ opencount flush readonly ] [16384] (*1)
# temporary-cryptsetup-10670: Stacking NODE_DEL [verify_udev]
# Udev cookie 0xd4d2344 (semid 65536) decremented to 0
# Udev cookie 0xd4d2344 (semid 65536) waiting for zero
# Udev cookie 0xd4d2344 (semid 65536) destroyed
# temporary-cryptsetup-10670: Processing NODE_DEL [verify_udev]
# dm versions [ opencount flush ] [16384] (*1)
# Device-mapper backend running with UDEV support enabled.
Failed to setup dm-crypt key mapping for device /dev/sda3.
Check that kernel supports aes-xts-plain64 cipher (check syslog for more info).
# Releasing crypt device /dev/sda3 context.
# Releasing device-mapper backend.
# Unlocking memory.
Command failed with code 5: Input/output error
[Update]
I actually solved this by using systemd-swap (better than nothing); I will wait for btrfs to support real swap.
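The journal above shows mkswap assigning a fresh UUID to the swap mapping at boot while systemd waits for the UUID recorded in fstab. As an added example that is not part of the original post or its answer, the shell script below checks an fstab/crypttab pair for exactly that kind of mismatch: a crypttab mapping keyed from /dev/urandom is re-created and re-formatted on every boot, so its swap UUID is never stable and fstab has to reference the /dev/mapper/<name> path instead. The file contents embedded in the script are constructed from the question's configuration; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Detects an fstab swap entry that
# refers by UUID to a swap volume which crypttab sets up with a random key.
# Fact relied on: a crypttab line whose key is /dev/urandom is formatted with
# mkswap at every boot, so the swap UUID changes each time and a UUID= entry
# in fstab can never match (systemd then waits for a device that never
# appears and the swap job times out).

# Constructed sample input, taken from the configuration in the question.
CRYPTTAB='# <name> <device> <password> <options>
cryptswap /dev/disk/by-id/ata-PH4-CE240_511160905070017677-part3 /dev/urandom swap'

FSTAB='# /dev/mapper/cryptroot
UUID=0126cb9b-d3aa-4f05-a39a-71682fa847bb / btrfs rw,relatime,ssd,space_cache,subvolid=5,subvol=/ 0 0
# /dev/mapper/cryptswap
UUID=aef00636-0183-48d1-ab87-8f6653a30dd8 none swap defaults 0 0'

# Corrected fstab (constructed): the swap line names the mapper device, which
# is stable across boots even though the UUID underneath it is not.
FSTAB_FIXED='UUID=0126cb9b-d3aa-4f05-a39a-71682fa847bb / btrfs rw,relatime,ssd,space_cache,subvolid=5,subvol=/ 0 0
/dev/mapper/cryptswap none swap defaults 0 0'

# Print the names of crypttab mappings keyed from a random source
# (field 3 is the key file; comment lines and short lines are skipped).
random_key_mappings() {
    printf '%s\n' "$1" |
        awk '$1 !~ /^#/ && NF >= 3 && ($3 == "/dev/urandom" || $3 == "/dev/random") { print $1 }'
}

# Print fstab swap entries (field 3 == swap) whose device is given as UUID=...
uuid_swap_entries() {
    printf '%s\n' "$1" |
        awk '$1 !~ /^#/ && NF >= 3 && $3 == "swap" && $1 ~ /^UUID=/ { print $1 }'
}

# Return 0 if the configuration is consistent, 1 if a random-key swap mapping
# exists while fstab still references a swap volume by UUID. The pairing is a
# heuristic: with a single encrypted swap, as in the question, the UUID entry
# can only be the one that goes stale at the next boot.
check_swap_config() {
    crypttab=$1
    fstab=$2
    names=$(random_key_mappings "$crypttab")
    [ -n "$names" ] || return 0          # no random-key mapping: nothing to check
    bad=$(uuid_swap_entries "$fstab")
    [ -n "$bad" ] || return 0            # swap already referenced by a stable path
    first=$(printf '%s\n' "$names" | head -n 1)
    printf 'random-key swap mapping "%s" but fstab uses %s\n' "$first" "$bad" >&2
    printf 'expected an fstab line such as: /dev/mapper/%s none swap defaults 0 0\n' "$first" >&2
    return 1
}

# Stand-alone usage: the exit status of the check reports the result.
if check_swap_config "$CRYPTTAB" "$FSTAB"; then
    echo "original configuration: consistent"
else
    echo "original configuration: swap referenced by a UUID that changes every boot"
fi
if check_swap_config "$CRYPTTAB" "$FSTAB_FIXED"; then
    echo "corrected configuration: consistent"
fi
```

Run against a live system by substituting `$(cat /etc/crypttab)` and `$(cat /etc/fstab)` for the constructed strings; the script only reads its input and prints a suggested replacement line, it changes nothing.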
Answer 1
It would be simpler to make one encrypted container and set up / and swap on it with LVM.
Like this:
sda1  boot
sda2  LUKS-crypt
        LVM
          root-LV
          swap-LV
Then you only need one key to open it, which lets you skip crypttab entirely.