I have these two files:
In /etc/crypttab:
cry1 /dev/sda3 none luks
cry2 /dev/sda4 /mounted/sda3/keyfile luks
In /etc/fstab:
/dev/sda1 /boot ext2 ro 0 2
/dev/sda2 / ext4 defaults 0 0
/dev/mapper/cry1 /cry1 ext4 defaults 0 2
/dev/mapper/cry2 /cry2 ext4 defaults 0 2
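After Debian boots, the system prompts me for the password for the sda3/cry1 filesystem. That works fine, and it gets mounted.
But sda4/cry2 is not mounted, even though I can easily decrypt and mount it on the command line, not only with the password but also with the keyfile.
I ended up putting the command lines in /etc/rc.local, but I'm not happy with that arrangement. Why doesn't the crypttab/fstab mechanism work?
Also: I'm worried that rebooting or shutting down the system does not cleanly unmount and decrypt the filesystems, which could corrupt them. How can I make sure everything is shut down cleanly?
Answer 1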
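So /dev/sda3 is luksOpen'ed to /dev/mapper/cry1, which is mounted at /cry1? What/where is /mounted/sda3? It sounds like that should be sda3, maybe that's the problem...
Anyway, if the mount point is correct, it sounds to me like a timing issue with the mounting. crypttab should go through the entries in order, but I'm not sure whether they are mounted before the next entry is processed. A few of the options in man crypttab sound promising.
Try adding this to the cry2 entry: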
noearly
The cryptsetup init scripts are invoked twice during the boot process -
once before lvm, raid, etc. are started and once again after that.
Sometimes you need to start your encrypted disks in a special order.
With this option the device is ignored during the first invocation of
the cryptsetup init scripts.
Try this option and check the logs to see what the problem is:
loud
Be loud. Print warnings if a device does not exist. This option
overwrites the option quiet.
If you don't find any other way besides running your own custom script, you could try this:
keyscript=<path>
The executable at the indicated path is executed with the key file from
the third field of the crypttab as its only argument and the output is
used as the key. This also works with encrypted root filesystems via
initramfs if the executable is self-contained (i.e. an executable which
does not rely on any external program which is not present in the
initramfs environment).
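At shutdown, everything should get unmounted. If some filesystems are not unmounted, that is probably a more general problem, and I'm not sure it would automatically be related to the encryption.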
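An added example, not part of the original question or answer: it resolves each crypttab key file against the fstab mount points, using the question's two files as constructed input, to show which filesystem the key file is expected to live on. The function names and status labels are assumptions of this example.

```python
import posixpath

# Constructed input: the two files exactly as quoted in the question.
CRYPTTAB = """\
cry1 /dev/sda3 none luks
cry2 /dev/sda4 /mounted/sda3/keyfile luks
"""
FSTAB = """\
/dev/sda1 /boot ext2 ro 0 2
/dev/sda2 / ext4 defaults 0 0
/dev/mapper/cry1 /cry1 ext4 defaults 0 2
/dev/mapper/cry2 /cry2 ext4 defaults 0 2
"""

def parse(text, min_fields):
    """Split non-comment lines into fields, dropping short or empty lines."""
    rows = (line.split() for line in text.splitlines())
    return [f for f in rows
            if len(f) >= min_fields and not f[0].startswith("#")]

def owning_mount(path, fstab_rows):
    """Return (device, mountpoint) of the longest fstab mount point containing path."""
    best = None
    for dev, mnt, *_ in fstab_rows:
        if not mnt.startswith("/"):
            continue  # e.g. swap entries with mount point "none"
        mnt = posixpath.normpath(mnt)
        if posixpath.commonpath([path, mnt]) == mnt:
            if best is None or len(mnt) > len(best[1]):
                best = (dev, mnt)
    return best or (None, None)

def check_keyfiles(crypttab, fstab):
    """One (name, keyfile, mountpoint, device, status) tuple per key-file entry."""
    mounts, entries = parse(fstab, 2), parse(crypttab, 3)
    mapped = {"/dev/mapper/" + e[0] for e in entries}
    findings = []
    for name, _src, key, *_opts in entries:
        if key in ("none", "-") or not key.startswith("/"):
            continue  # passphrase prompt, no key file to resolve
        dev, mnt = owning_mount(posixpath.normpath(key), mounts)
        if dev in mapped:
            status = "needs-other-volume"  # key sits on an encrypted volume
        else:
            status = "on-rootfs" if mnt == "/" else "on-plain-mount"
        findings.append((name, key, mnt, dev, status))
    return findings

if __name__ == "__main__":
    for finding in check_keyfiles(CRYPTTAB, FSTAB):
        print(*finding)
```

For the question's files this reports cry2's key file as resolving to the root filesystem on /dev/sda2, because fstab mounts nothing at /mounted/sda3; a key path under /cry1 would instead be reported as depending on the cry1 volume being unlocked and mounted first.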