dm-crypt (简体中文)/Encrypting a non-root file system (简体中文)
The following are examples of encrypting a secondary, i.e. non-root, filesystem with dm-crypt.
Overview
Encrypting a secondary filesystem usually protects only sensitive data, while leaving the operating system and program files unencrypted. This is useful for encrypting an external medium, such as a USB drive, so that it can be moved to different computers securely. One might also choose to encrypt sets of data separately according to who has access to it.
Because dm-crypt is a block-level encryption layer, it only encrypts full devices, full partitions and loop devices. To encrypt individual files requires a filesystem-level encryption layer, such as eCryptfs or EncFS. See Disk encryption for general information about securing private data.
Partition
The following example creates an encrypted /home partition, but it can also be applied to any other non-root partition that holds user data. The partition may serve as one user's /home directory, or all users may share it as /home. First make sure the partition is empty (no file system has been created on it). If it contains a file system, delete the partition and create a new, empty one. Then securely erase it, see Dm-crypt/Drive preparation#Secure erasure of the hard disk drive.
Next, create the partition that will hold the encrypted container.
Create the LUKS header:
# cryptsetup options luksFormat device
Replace device with the partition created above. See Dm-crypt/Device encryption#Encryption options for LUKS mode for what can be passed as options.
To work on the encrypted partition, unlock it with the device mapper:
# cryptsetup open device name
Once unlocked, the partition is mapped to the block device /dev/mapper/name; now create a file system on it:
# mkfs.fstype /dev/mapper/name
Mount the file system at /home or, if it is dedicated to a single user, at /home/username; see #Manual mounting and unmounting.
Manual mounting and unmounting
Mount the partition:
# cryptsetup open device name
# mount -t fstype /dev/mapper/name /mnt/home
Unmount:
# umount /mnt/home
# cryptsetup close name
Automatic unlocking and mounting
There are three different ways to automate unlocking the partition and mounting the file system.
Unlocking at boot
Configure /etc/crypttab so that systemd unlocks the partition automatically during boot. This method is recommended when the home partition is shared by all users (or when other encrypted block devices should be mounted automatically).
See Dm-crypt/System configuration#crypttab and Dm-crypt/System configuration#Mounting at boot time for details.
Unlocking at user login
Use pam_exec to call cryptsetup open so that the partition is unlocked when the user logs in. This method is preferable when the whole partition is a single user's home directory. See dm-crypt/Mounting at login.
Alternatively, pam_mount can be used.
Loop device
There are two methods for using a loop device as an encrypted container, one using losetup directly and one without.
Without losetup
Using losetup directly can be avoided completely by doing the following [1]:
$ dd if=/dev/urandom of=bigsecret.img bs=100M count=1 iflag=fullblock
$ cryptsetup luksFormat bigsecret.img
Make sure not to omit the iflag=fullblock option, otherwise dd might return a partial read. See dd#Partial read for details.
Before running cryptsetup, look at the encryption options for LUKS mode and ciphers and modes of operation first to select your additional desired settings.
The instructions for opening the device and making the file system are the same as in #Partition.
Creating a file smaller than the LUKS2 header (16 MiB) will give a Requested offset is beyond real size of device bigsecret.img error when trying to open the device.
Manual mounting and unmounting procedure is equivalent to #Manual mounting and unmounting.
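The container procedure above as an added shell helper (not the wiki's own code), which also checks the two failure modes this section warns about: a partial read from dd and a file too small for the 16 MiB LUKS2 header. The function names, the ext4 choice and the mount point argument are assumptions; setup_container and teardown_container need root and cryptsetup, the other two functions do not.

```shell
#!/bin/sh
# Added helper (not from the wiki): create and use a LUKS2 container file,
# refusing sizes that cannot hold the 16 MiB LUKS2 header and verifying
# that dd did not return a partial read.
set -u

LUKS2_HEADER_BYTES=$((16 * 1024 * 1024))

# Succeeds only if BYTES leaves room for payload beyond the LUKS2 header.
check_container_size() {
    bytes=$1
    if [ "$bytes" -le "$LUKS2_HEADER_BYTES" ]; then
        printf 'container of %s bytes is not larger than the 16 MiB LUKS2 header\n' "$bytes" >&2
        return 1
    fi
}

# Fill IMG with MIB mebibytes of random data. iflag=fullblock stops dd from
# writing a short file after a partial read; the size is re-checked afterwards.
create_container() {
    img=$1; mib=$2
    want=$((mib * 1024 * 1024))
    check_container_size "$want" || return 1
    dd if=/dev/urandom of="$img" bs=1M count="$mib" iflag=fullblock 2>/dev/null || return 1
    got=$(wc -c < "$img")
    if [ "$got" -ne "$want" ]; then
        printf 'partial read: %s of %s bytes written\n' "$got" "$want" >&2
        return 1
    fi
}

# Format, unlock, create a file system and mount (root required).
# NAME becomes /dev/mapper/NAME, MNT is the caller-chosen mount point.
setup_container() {
    img=$1; name=$2; mnt=$3
    cryptsetup luksFormat "$img" &&
    cryptsetup open "$img" "$name" &&
    mkfs.ext4 /dev/mapper/"$name" &&
    mkdir -p "$mnt" &&
    mount -t ext4 /dev/mapper/"$name" "$mnt"
}

# Reverse of setup_container: unmount, then close the mapping.
teardown_container() {
    name=$1; mnt=$2
    umount "$mnt" && cryptsetup close "$name"
}
```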
Using losetup
A loop device allows a file to be mapped to a block device with the standard util-linux tool losetup. The file can then contain a filesystem, which can be used quite like any other filesystem. A lot of users know TrueCrypt as a tool to create encrypted containers. Just about the same functionality can be achieved with a loopback filesystem encrypted with LUKS, as shown in the following example.
First, start by creating an encrypted container with dd, using an appropriate random number generator:
$ dd if=/dev/urandom of=bigsecret.img bs=100M count=1 iflag=fullblock
This will create the file bigsecret.img with a size of 100 mebibytes.
Next create the device node /dev/loop0, so that we can mount/use our container:
# losetup /dev/loop0 bigsecret.img
If this fails with /dev/loop0: No such file or directory, you need to first load the kernel module with modprobe loop as root. These days (Kernel 3.2) loop devices are created on demand. Ask for a new loop device with losetup -f as root.
From now on the procedure is the same as for #Partition, except for the fact that the container is already randomised and will not need another secure erasure.
Manual mounting and unmounting
To unmount the container:
# umount /mnt/secret
# cryptsetup close secret
# losetup -d /dev/loop0
To mount the container again:
# losetup /dev/loop0 bigsecret.img
# cryptsetup open /dev/loop0 secret
# mount -t ext4 /dev/mapper/secret /mnt/secret