使用本指南我加密了一个卷,并且能够手动打开和安装它。
问题出现在重启后。启动时系统不会打开加密卷,/dev/mapper 中也没有解密的别名。
我可以继续使用以下命令手动创建别名:
[root@dhcp100051 ~]# cryptsetup luksOpen /dev/VolGroup/db00 db_fips
Enter passphrase for /dev/VolGroup/db00: [entered]
[root@dhcp100051 ~]# ll /dev/mapper/db_fips
lrwxrwxrwx. 1 root root 7 Jun 2 13:55 /dev/mapper/db_fips -> ../dm-7
[root@dhcp100051 ~]# mkfs -t ext4 /dev/mapper/db_fips
[root@dhcp100051 ~]# mount /dev/mapper/db_fips /db/
[root@dhcp100051 ~]#
我现在可以使用加密卷,但是当我发出命令时reboot,所有内容都消失了(包括我在 mkfs 文件系统后写入 /db/ 的数据)。我必须手动重新创建所有内容……直到下次重启时再次丢失。
请注意,这与简单地被要求启动时输入加密密码。
系统重启后,我缺少哪个步骤才能使卷可用?
以下是我在虚拟机中使用的完整命令链:
[root@dhcp100051 ~]# mkdir /www/db-backup
------------------------------------------------------------------
[root@dhcp100051 ~]# mv /db/* /www/db-backup
------------------------------------------------------------------
[root@dhcp100051 ~]# umount /db/
------------------------------------------------------------------
[root@dhcp100051 ~]# shred -v -n1 /dev/VolGroup/db00
------------------------------------------------------------------
shred: /dev/VolGroup/db00: pass 1/1 (random)...
shred: /dev/VolGroup/db00: pass 1/1 (random)...364MiB/2.0GiB 17%
shred: /dev/VolGroup/db00: pass 1/1 (random)...365MiB/2.0GiB 17%
shred: /dev/VolGroup/db00: pass 1/1 (random)...739MiB/2.0GiB 36%
shred: /dev/VolGroup/db00: pass 1/1 (random)...740MiB/2.0GiB 36%
shred: /dev/VolGroup/db00: pass 1/1 (random)...1.0GiB/2.0GiB 53%
shred: /dev/VolGroup/db00: pass 1/1 (random)...1.1GiB/2.0GiB 55%
shred: /dev/VolGroup/db00: pass 1/1 (random)...1.4GiB/2.0GiB 72%
shred: /dev/VolGroup/db00: pass 1/1 (random)...1.5GiB/2.0GiB 75%
shred: /dev/VolGroup/db00: pass 1/1 (random)...1.8GiB/2.0GiB 93%
shred: /dev/VolGroup/db00: pass 1/1 (random)...1.9GiB/2.0GiB 95%
shred: /dev/VolGroup/db00: pass 1/1 (random)...2.0GiB/2.0GiB 100%
------------------------------------------------------------------
[root@dhcp100051 ~]# cryptsetup -v --verify-passphrase luksFormat /dev/VolGroup/db00
Running in FIPS mode.
WARNING!
========
This will overwrite data on /dev/VolGroup/db00 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
[root@dhcp100051 ~]#
------------------------------------------------------------------
[root@dhcp100051 ~]# cryptsetup luksOpen /dev/VolGroup/db00 db_fips
Enter passphrase for /dev/VolGroup/db00:
[root@dhcp100051 ~]# ll /dev/mapper/db_fips
lrwxrwxrwx. 1 root root 7 Jun 2 13:55 /dev/mapper/db_fips -> ../dm-7
[root@dhcp100051 ~]#
------------------------------------------------------------------
[root@dhcp100051 ~]# mkfs -t ext4 /dev/mapper/db_fips
mke2fs 1.41.12 (17-May-2010)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
131072 inodes, 523776 blocks
26188 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=536870912
16 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912
Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 37 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
[root@dhcp100051 ~]#
------------------------------------------------------------------
[root@dhcp100051 ~]# mount /dev/mapper/db_fips /db/
[root@dhcp100051 ~]#
------------------------------------------------------------------
[root@dhcp100051 ~]# blkid
/dev/sda1: UUID="37e5d6db-4265-4d0d-a10e-951f1bc4beb0" TYPE="ext4"
/dev/sda2: UUID="f0079d24-daa2-472a-a557-384889dceb17" TYPE="swap"
/dev/sda3: UUID="K16Dlj-6QR2-LemJ-iBnJ-z4fa-khuP-jv2BoA" TYPE="LVM2_member"
/dev/mapper/VolGroup-LogVol01: UUID="425e6610-383b-4bb6-a3a3-1a68279a3460" TYPE="ext4"
/dev/mapper/VolGroup-LogVol05: UUID="fb04b576-fc59-409f-9049-c87b1c9c9437" TYPE="ext4"
/dev/mapper/VolGroup-LogVol04: UUID="2f88d451-03ac-4fe4-a21f-5ae2d786882b" TYPE="ext4"
/dev/mapper/VolGroup-LogVol06: UUID="6aaccab0-7e4d-423b-89d4-ef54a36bf520" TYPE="ext4"
/dev/mapper/VolGroup-LogVol03: UUID="6814ecfc-b28e-4f50-823e-7ba7d5380d90" TYPE="ext4"
/dev/mapper/VolGroup-LogVol02: UUID="b40668b5-cc3a-450c-973b-c2b09885c7b7" TYPE="ext4"
/dev/mapper/VolGroup-db00: UUID="a5320f38-2db4-4e71-8deb-c0169266c9fb" TYPE="crypto_LUKS"
[root@dhcp100051 ~]#
------------------------------------------------------------------
[root@dhcp100051 ~]# dd if=/dev/urandom of=/root/keyfile bs=1024 count=4
4+0 records in
4+0 records out
4096 bytes (4.1 kB) copied, 0.0025613 s, 1.6 MB/s
[root@dhcp100051 ~]# chmod 0400 /root/keyfile
[root@dhcp100051 ~]#
------------------------------------------------------------------
[root@dhcp100051 ~]# cryptsetup luksAddKey /dev/VolGroup/db00 /root/keyfile
Enter any passphrase:
[root@dhcp100051 ~]#
------------------------------------------------------------------
[root@dhcp100051 ~]# cryptsetup luksOpen /dev/VolGroup/db00 db_fips --key-file=/root/keyfile
[root@dhcp100051 ~]#
------------------------------------------------------------------
[root@dhcp100051 ~]# vi /etc/crypttab
## INSERT
db_fips UUID=”a5320f38-2db4-4e71-8deb-c0169266c9fb″ /root/keyfile
## SAVE AND CLOSE
[root@dhcp100051 ~]# date >> /db/date.txt
[root@dhcp100051 ~]# shutdown -r now
------------------------------------------------------------------
[REBOOTED]
[root@dhcp100051 ~]# ll /dev/mapper/db_fips
[root@dhcp100051 ~]#
ls: cannot access /dev/mapper/db_fips: No such file or directory
[root@dhcp100051 ~]# ll /db
total 0
[root@dhcp100051 ~]#
答案1
根据您的发行版,您必须设置一个文件/etc/cryptab定义在启动时将解锁哪些卷。
您可能需要重新生成初始 ramdisk 映像。此文件必须在挂载任何文件系统之前可用。