Using block device encryption

With block device encryption, data is encrypted and decrypted at the block-device level. The encrypted block device can be formatted with a filesystem, and decryption happens transparently for users once the operating system mounts that filesystem. This type of encryption protects best against media theft and can be used for datafile placement. In this recipe we will add a new disk and implement block-level encryption with Linux Unified Key Setup-on-disk-format (LUKS).

Getting ready

All steps will be performed with nodeorcl1 as root.

How to do it...

  1. Shut down nodeorcl1, then add a new disk to the nodeorcl1 system and boot it. Our new device will be seen by the operating system as /dev/sdb. Next, create a new partition /dev/sdb1 using fdisk as follows:
    [root@nodeorcl1 ~]# fdisk /dev/sdb
    WARNING: DOS-compatible mode is deprecated. It's strongly recommended to
             switch off the mode (command 'c') and change display units to
             sectors (command 'u').
    
    Command (m for help): n
    Command action
       e   extended
       p   primary partition (1-4)
    p
    Partition number (1-4): 1
    First cylinder (1-5577, default 1): 
    Using default value 1
    Last cylinder, +cylinders or +size{K,M,G} (1-5577, default 5577): 
    Using default value 5577
    
    Command (m for help): w
    The partition table has been altered!
    
    Calling ioctl() to re-read partition table.
    Syncing disks.
    
  2. Format the /dev/sdb1 device for encryption and set its passphrase with the cryptsetup utility as follows:
    [root@nodeorcl1 dev]# cryptsetup luksFormat /dev/sdb1
    
    WARNING!
    ========
    This will overwrite data on /dev/sdb1 irrevocably.
    
    Are you sure? (Type uppercase yes): YES
    Enter LUKS passphrase: P5;@o[]klopY&P]
    Verify passphrase: P5;@o[]klopY&P]
    [root@nodeorcl1 dev]#
    
  3. The encrypted device is never accessed directly; all operations go through a device-mapper mapping. Open the mapping for /dev/sdb1 as follows:
    [root@nodeorcl1 mapper]# cryptsetup luksOpen /dev/sdb1  storage
    Enter passphrase for /dev/sdb1: P5;@o[]klopY&P]
    [root@nodeorcl1 mapper]#
    [root@nodeorcl1 mapper]#  ls -al /dev/mapper/storage 
    lrwxrwxrwx. 1 root root 7 Sep 23 20:03 /dev/mapper/storage -> ../dm-4
    
  4. The filesystem must also be created on the device-mapper mapping, not on /dev/sdb1 itself. Format the mapping with the ext4 filesystem as follows:
    [root@nodeorcl1 mapper]# mkfs.ext4 /dev/mapper/storage 
    mke2fs 1.41.12 (17-May-2010)
    Filesystem label=
    OS type: Linux
    Block size=4096 (log=2)
    Fragment size=4096 (log=2)
    ........................................................................................................................
    This filesystem will be automatically checked every 38 mounts or
    180 days, whichever comes first.  Use tune2fs -c or -i to override.
    [root@nodeorcl1 mapper]#
    
  5. Next we will configure the mapping /dev/mapper/storage to be mounted automatically during boot. Create a directory called storage that will be used as the mount point:
    [root@nodeorcl1 storage]# mkdir /storage
    
  6. The mapping /dev/mapper/storage can be mounted like a normal block device:
    [root@nodeorcl1 storage]# mount /dev/mapper/storage /storage 
    
  7. To make the mount persistent across reboots, add /storage as the mount point for /dev/mapper/storage. First add the mapping name and its backing device to /etc/crypttab:
    [root@nodeorcl1 storage]# echo "storage /dev/sdb1" > /etc/crypttab
    
  8. Add the complete mapping path, mount point, and filesystem type to /etc/fstab as follows:
    /dev/mapper/storage    /storage    ext4    defaults    1 2
    
  9. Reboot the system:
    [root@nodeorcl1 storage]# shutdown -r now
    
  10. During the boot sequence the passphrase for /storage will be requested. If no passphrase is typed, the mapping is not opened and /storage is not mounted.
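The ten steps above as one script, added here as an example and not part of the recipe itself. It assumes a Linux host with cryptsetup, blkid, mkfs.ext4 and mount available; the variable names DEV, MAPPER and MOUNTPOINT, the function names and the safety check are this example's own. It differs from the recipe in two deliberate ways: it refuses to run luksFormat on a partition that is mounted or already carries a LUKS header, and it writes the crypttab entry with the partition's LUKS UUID rather than /dev/sdb1, so the entry survives a device renaming when another disk is added later.

```shell
#!/bin/sh
# Added example (not the recipe's own commands): the steps above wrapped in
# functions with a pre-format safety check and UUID-based crypttab entries.
# Assumes Linux with cryptsetup, blkid, mkfs.ext4 and mount; DEV, MAPPER and
# MOUNTPOINT are this example's own variable names with constructed defaults.
set -eu

DEV="${DEV:-/dev/sdb1}"             # partition to encrypt (will be erased)
MAPPER="${MAPPER:-storage}"         # mapping name, becomes /dev/mapper/storage
MOUNTPOINT="${MOUNTPOINT:-/storage}"

# /etc/crypttab line: name, device, key file ("none" = ask at boot), options.
# Referencing the LUKS UUID instead of /dev/sdb1 keeps the entry valid if
# device names shift after another disk is added.
crypttab_line() {   # $1 = mapping name, $2 = LUKS UUID of the partition
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# /etc/fstab line for the opened mapping (dump=1, fsck pass=2 as in the recipe).
fstab_line() {      # $1 = mapping name, $2 = mount point
    printf '/dev/mapper/%s %s ext4 defaults 1 2\n' "$1" "$2"
}

# Guard against running the irreversible luksFormat on the wrong partition:
# refuse if the device appears in the mount table or already carries a LUKS
# header. $1 = device, $2 = contents of /proc/mounts, $3 = blkid TYPE value
# ("" when blkid reports nothing). Returns 0 when formatting is safe.
safe_to_format() {
    if printf '%s\n' "$2" | grep -q "^$1 "; then
        echo "refusing: $1 is mounted" >&2
        return 1
    fi
    if [ "$3" = "crypto_LUKS" ]; then
        echo "refusing: $1 already holds a LUKS header" >&2
        return 1
    fi
    return 0
}

# Steps 2 to 4: luksFormat (prompts for and verifies the passphrase),
# luksOpen, then mkfs on the mapping rather than on /dev/sdb1.
encrypt_and_format() {
    safe_to_format "$DEV" "$(cat /proc/mounts)" \
        "$(blkid -o value -s TYPE "$DEV" || true)"
    cryptsetup luksFormat --verify-passphrase "$DEV"
    cryptsetup luksOpen "$DEV" "$MAPPER"
    mkfs.ext4 "/dev/mapper/$MAPPER"
}

# Steps 5 to 8: mount point plus persistent crypttab/fstab entries. Entries
# are appended so existing lines in either file are kept.
persist_mount() {
    uuid="$(blkid -o value -s UUID "$DEV")"
    mkdir -p "$MOUNTPOINT"
    crypttab_line "$MAPPER" "$uuid" >> /etc/crypttab
    fstab_line "$MAPPER" "$MOUNTPOINT" >> /etc/fstab
    mount "$MOUNTPOINT"      # resolves through the new fstab entry
}

# Only act when explicitly requested (root required), so the file can also be
# sourced for its helper functions.
if [ "${LUKS_RECIPE_RUN:-0}" = "1" ]; then
    encrypt_and_format
    persist_mount
fi
```

Run it as root with `LUKS_RECIPE_RUN=1 DEV=/dev/sdb1 sh luks-setup.sh`; without the variable it only defines the functions. The reboot from step 9 is left to the operator, and as in the recipe the passphrase is requested on the console at boot because the crypttab key-file field is `none`.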

How it works...

Block device encryption works below the filesystem level. Once the mapping is closed or the disk is removed, the payload looks like a large blob of random data, and there is no way to tell what kind of filesystem or data it contains. The one part that stays readable is the LUKS header at the start of the partition, which holds the cipher parameters and the key slots that unlock the master key; it is this metadata that the luksDump command in the next section prints.

There's more...

To display the LUKS header information for the encrypted device, execute the following command:

[root@nodeorcl1 dev]# cryptsetup luksDump /dev/sdb1
LUKS header information for /dev/sdb1

Version:         1
Cipher name:     aes
Cipher mode:     cbc-essiv:sha256
Hash spec:       sha1
Payload offset:  4096
MK bits:         256
MK digest:       2c 7a 4c 96 9d db 63 1c f0 15 0b 2c f0 1a d9 9b 8c 0c 92 4b 
MK salt:         59 ce 2d 5b ad 8f 22 ea 51 64 c5 06 7b 94 ca 38 
                 65 94 ce 79 ac 2e d5 56 42 13 88 ba 3e 92 44 fc 
MK iterations:   51750
UUID:            21d5a994-3ac3-4edc-bcdc-e8bfbf5f66f1

Key Slot 0: ENABLED
  Iterations:           207151
  Salt:                 89 97 13 91 1c f4 c8 74 e9 ff 39 bc d3 28 5e 90 
                          bf 6b 9a c0 6d b3 a0 21 13 2b 33 43 a7 0c f1 85 
  Key material offset:  8
  AF stripes:           4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED


[root@nodeorcl1 ~]#
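A small audit helper for that output, added here as an example and not part of the recipe or of cryptsetup. It parses the LUKS1 dump layout shown above (the sample embedded in the script is the dump from this section, trimmed to the parsed lines) and reports the settings a reviewer wants to see at a glance: header version, cipher and mode, key-slot hash, master-key size, and the number of enabled key slots with their lowest PBKDF iteration count. The WARN lines compare against the defaults current cryptsetup uses for new volumes (a LUKS2 header, aes-xts-plain64, sha256); the function names and message wording are this example's own.

```shell
#!/bin/sh
# Added example (not from the recipe): read `cryptsetup luksDump` output and
# summarise the settings a reviewer cares about, then flag LUKS1-era defaults.
# Function names and the WARN/INFO wording are this example's own.
set -u

# Sample input: the luksDump output shown above, trimmed to the lines parsed.
SAMPLE_DUMP='LUKS header information for /dev/sdb1

Version:         1
Cipher name:     aes
Cipher mode:     cbc-essiv:sha256
Hash spec:       sha1
Payload offset:  4096
MK bits:         256
MK iterations:   51750
UUID:            21d5a994-3ac3-4edc-bcdc-e8bfbf5f66f1

Key Slot 0: ENABLED
  Iterations:           207151
  Key material offset:  8
  AF stripes:           4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED'

# Reads a dump on stdin; prints one line:
#   version cipher mode hash mk_bits enabled_slots lowest_slot_iterations
# Fields that are absent from the input are printed as "-".
luks_summary() {
    awk '
        BEGIN { v = c = m = h = b = min = "-" }
        /^Version:/      { v = $2 }
        /^Cipher name:/  { c = $3 }
        /^Cipher mode:/  { m = $3 }
        /^Hash spec:/    { h = $3 }
        /^MK bits:/      { b = $3 }
        /^Key Slot [0-7]: ENABLED/  { n++; inslot = 1; next }
        /^Key Slot [0-7]: DISABLED/ { inslot = 0 }
        # per-slot PBKDF iteration count (the capital-I line inside a slot)
        inslot && /Iterations:/ { if (min == "-" || $2 + 0 < min + 0) min = $2 }
        END { printf "%s %s %s %s %s %d %s\n", v, c, m, h, b, n, min }'
}

# Reads a dump on stdin; prints findings and returns 1 if any WARN was raised.
# Reference points are current cryptsetup defaults for new volumes:
# LUKS2 header, aes-xts-plain64, sha256 key-slot hash.
luks_audit() {
    set -- $(luks_summary)     # word-split into v c m h b n min
    rc=0
    if [ "$1" = "1" ]; then
        echo "WARN: LUKS1 header; LUKS2 adds a memory-hard PBKDF (Argon2)"; rc=1
    fi
    case "$3" in
        cbc*) echo "WARN: cipher mode $3 is the old default; xts-plain64 is current"; rc=1 ;;
    esac
    if [ "$4" = "sha1" ]; then
        echo "WARN: key-slot hash sha1; sha256 is the current default"; rc=1
    fi
    if [ "$5" != "-" ] && [ "$5" -lt 256 ]; then
        echo "WARN: master key is only $5 bits"; rc=1
    fi
    echo "INFO: $6 enabled key slot(s), lowest iteration count $7"
    return $rc
}

# Demo on the embedded sample when requested; otherwise only define functions.
if [ "${LUKS_AUDIT_DEMO:-0}" = "1" ]; then
    printf '%s\n' "$SAMPLE_DUMP" | luks_audit
fi
```

After sourcing the file, `cryptsetup luksDump /dev/sdb1 | luks_audit` checks a live device; `LUKS_AUDIT_DEMO=1 sh luks-audit.sh` runs it on the embedded sample, which raises the LUKS1, cbc-essiv and sha1 warnings. The parser follows the LUKS1 layout printed above; a LUKS2 header dump is laid out differently and would need its own field rules. Because the header is the only copy of the key-slot material, the standard operational safeguard is to keep a copy made with `cryptsetup luksHeaderBackup` somewhere separate from the disk.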