RH413 Unit 3 Create

Published: 2019-06-30 16:51:51 Editor: auto Reads: 1611

    There are two major reasons for allocating file systems separately: containment, and the ability to mount them with more restrictive mount options. Containment limits the impact a file system has on the rest of the system if it fills up. For example, if a program has a bug and creates several large temporary files in /tmp, that should not prevent system logging or keep users from saving files in their home directories.

    Encryption at installation:

    kickstart configuration:

    part /home --fstype=ext4 --size=10000 --onpart=vda2 --encrypted --passphrase=PASSPHRASE

    Note that the passphrase is stored in clear text in the kickstart file, so restrict who can read that file.

    Encryption Post-installation:

    • Create an LVM logical volume:

    pvcreate /dev/sdb1
    vgcreate storage /dev/sdb1
    Volume group "storage" successfully created
    lvcreate -l 100%FREE -n luks-test storage
    Tips:
    There is no need to create a filesystem on the logical volume itself; the filesystem is created later inside the unlocked LUKS container.

    • Encrypt the block device and assign it a password:

    cryptsetup luksFormat /dev/storage/luks-test
    WARNING!
    This will overwrite data on /dev/storage/luks-test irrevocably.
    Are you sure? (Type uppercase yes): YES
    Enter passphrase:
    Verify passphrase:

    • Unlock the encrypted volume and assign it a logical name:

      cryptsetup luksOpen /dev/storage/luks-test luks
      Enter passphrase for /dev/storage/luks-test:
      luks is the logical name; the unlocked device appears as /dev/mapper/luks.

    • Create a filesystem in the decrypted volume:

      mkfs.ext4 /dev/mapper/luks
      mke2fs 1.42.9 (28-Dec-2013)
      Filesystem label=
      OS type: Linux
      Block size=4096 (log=2)
      Fragment size=4096 (log=2)
      Stride=0 blocks, Stripe width=0 blocks
      65152 inodes, 260608 blocks
      13030 blocks (5.00%) reserved for the super user
      First data block=0
      Maximum filesystem blocks=268435456
      8 block groups
      32768 blocks per group, 32768 fragments per group
      8144 inodes per group
      Superblock backups stored on blocks:
      32768, 98304, 163840, 229376

      Allocating group tables: done
      Writing inode tables: done
      Creating journal (4096 blocks): done
      Writing superblocks and filesystem accounting information: done

    • Mount it:

      mkdir /mnt/luks
      mount /dev/mapper/luks /mnt/luks/

    • When finished, unmount the filesystem, then lock the encrypted volume:

      umount /mnt/luks
      cryptsetup luksClose luks

    Persistently Mount Encrypted Partitions
    • Locate or generate a key file. This is typically created with random data on the server and kept on a separate storage device. Make sure it is owned by root and its mode is 600. Keep in mind that a key file stored on the root filesystem of the same host only protects the data disk if that disk is stolen on its own; anyone who obtains the root filesystem, or root access, gets the key as well.

    dd if=/dev/urandom of=/root/luks.passwd bs=4096 count=1
    chmod 600 /root/luks.passwd

    • Add the key file for LUKS using the following command:

      cryptsetup luksAddKey /dev/storage/luks-test /root/luks.passwd
      Enter any existing passphrase:

    • Create an /etc/crypttab entry for the volume. /etc/crypttab contains a list of devices to be unlocked during system boot, one per line:

    name /dev/vdaN /path/to/password/file
    such as:
    luks /dev/storage/luks-test /root/luks.passwd

    1. name: the name device mapper will use for the device (it appears as /dev/mapper/name)
    2. the underlying "locked" device
    3. the absolute pathname to the key file used to unlock the device (if this field is omitted or set to "none", a passphrase is prompted for at boot)

    • Edit /etc/fstab. Because the device is unlocked from /etc/crypttab before local filesystems are mounted, the mount succeeds at boot without intervention:
      /dev/mapper/name /mnt/xx ext4 defaults 1 2
      such as:
      /dev/mapper/luks /mnt/luks ext4 defaults 1 2
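    As an added example (not part of the RH413 material or of the cryptsetup tooling), the following POSIX shell script checks a crypttab/fstab pair the way a practitioner would before rebooting a server that relies on the key-file setup above: every crypttab entry must name a source device, its key file must be a regular file owned by root with mode 0600, and the unlocked /dev/mapper/NAME device must have an fstab entry. The file paths and the expected key-file owner are parameters (defaulting to the real system files and root) so the checks can be run against copies without root or real LUKS devices; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the RH413 course material: sanity-check the
# /etc/crypttab and /etc/fstab entries before rebooting. A crypttab entry
# with an unreadable or world-readable key file, or an unlocked device that
# nothing mounts, is otherwise only discovered at boot time.

# check_key_file FILE [OWNER]
# The key file must be a regular file owned by OWNER (default root), mode 0600.
check_key_file() {
    key=$1
    owner=${2:-root}
    if [ ! -f "$key" ]; then
        echo "key file $key: missing or not a regular file"
        return 1
    fi
    # find(1) evaluates its tests on the path itself; -perm 600 matches the
    # exact mode, so a 640 or 644 key file is rejected.
    if [ -z "$(find "$key" -prune -user "$owner" -perm 600 -print)" ]; then
        echo "key file $key: must be owned by $owner with mode 0600"
        return 1
    fi
    return 0
}

# check_crypttab_fstab [CRYPTTAB] [FSTAB] [OWNER]
# Walks every crypttab entry, checks its key file and confirms that fstab
# mounts the unlocked device /dev/mapper/NAME. Prints one line per problem
# and returns non-zero if any was found.
check_crypttab_fstab() {
    crypttab=${1:-/etc/crypttab}
    fstab=${2:-/etc/fstab}
    owner=${3:-root}
    problems=0

    while read -r name device keyfile _options; do
        case $name in
            ''|'#'*) continue ;;   # skip blank lines and comments
        esac
        if [ -z "$device" ]; then
            echo "crypttab: $name has no source device"
            problems=$((problems + 1))
            continue
        fi
        case $keyfile in
            ''|none|-)
                # crypttab(5): no key file means a passphrase prompt at boot,
                # which blocks an unattended reboot. Reported, not counted.
                echo "note: $name will prompt for a passphrase at boot" ;;
            *)
                check_key_file "$keyfile" "$owner" || problems=$((problems + 1)) ;;
        esac
        # The fstab entries on this page reference the unlocked device by its
        # /dev/mapper/NAME path; UUID= style entries would need another check.
        if ! awk -v dev="/dev/mapper/$name" \
                '$1 == dev { found = 1 } END { exit !found }' "$fstab"; then
            echo "fstab: no mount entry for /dev/mapper/$name"
            problems=$((problems + 1))
        fi
    done < "$crypttab"

    [ "$problems" -eq 0 ]
}

# Usage when run as a script:  sh check-luks.sh /etc/crypttab /etc/fstab
if [ "$#" -gt 0 ]; then
    check_crypttab_fstab "$@"
fi
```

    The ownership check is deliberately separate from the mode check so that a copy of the files can be validated as an unprivileged user by passing a different owner; on the live system run it as root with the defaults.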

    references:

    cryptsetup(8) crypttab(5)
