Dm-crypt/システム設定 (Dm-crypt/System configuration): difference between revisions

From ArchWiki
5行目: 5行目:
 
[[Dm-crypt]] に戻る。
 
[[Dm-crypt]] に戻る。
   
  +
{{Tip|リモートで root などのブートファイルシステムのロックを解除する必要がある場合 (ヘッドレスマシンや遠隔地のサーバーなど)、[[Dm-crypt/特記事項#root などのパーティションのリモート解除]]の指示に従って下さい。}}
{{Tip|If in need to remotely unlock root or other early-boot filesystems (headless machine, distant servers...), follow the specific instructions from [[Dm-crypt/Specialties#Remote_unlocking_of_the_root_.28or_other.29_partition|Dm-crypt/Specialties#Remote unlocking of encrypted root]].}}
 
   
 
== mkinitcpio ==
 
== mkinitcpio ==
26行目: 26行目:
 
cryptdevice=''device'':''dmname''
 
cryptdevice=''device'':''dmname''
   
  +
* {{ic|''device''}} は暗号化されたデバイスのパスです。[[永続的なブロックデバイスの命名]]を使うことを推奨します。
* {{ic|''device''}} is the path to the raw encrypted device. Usage of [[Persistent block device naming]] is advisable.
 
 
* {{ic|''dmname''}} is the '''d'''evice-'''m'''apper name given to the device after decryption, which will be available as {{ic|/dev/mapper/''dmname''}}.
 
* {{ic|''dmname''}} is the '''d'''evice-'''m'''apper name given to the device after decryption, which will be available as {{ic|/dev/mapper/''dmname''}}.
* If the encrypted device contains a [[Dm-crypt/Encrypting an entire system#LVM_on_LUKS|LVM]], the name of the volume group ({{ic|vgname}}) containing the logical volume of the root partition serves as ''dmname''. The parameter then takes the form of {{ic|cryptdevice<nowiki>=</nowiki>''device'':''vgname''}}.
+
* If a LVM contains the [[Dm-crypt/システム全体の暗号化#LUKS_on_LVM|encrypted root]], the LVM gets activated first and the volume group containing the logical volume of the encrypted root serves as ''device''. It is then followed by the respective volume group to be mapped to root. The parameter follows the form of {{ic|cryptdevice<nowiki>=</nowiki>''/dev/vgname/lvname'':''dmname''}}.
* If a LVM contains the [[Dm-crypt/Encrypting_an_entire_system#LUKS_on_LVM|encrypted root]], the LVM gets activated first and the volume group containing the logical volume of the encrypted root serves as ''device''. It is then followed by the respective volume group to be mapped to root. The parameter follows the form of {{ic|cryptdevice<nowiki>=</nowiki>''/dev/vgname/lvname'':''dmname''}}.
 
   
 
=== root ===
 
=== root ===
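Review bot: the bullet for the LVM-on-LUKS layout ("If the encrypted device contains a LVM ... cryptdevice=''device'':''vgname''") appears only on the old side of this hunk and has no counterpart on the new side, so the new cryptdevice list documents the LUKS-on-LVM form only; unless the drop is intentional, carry that bullet over (translated or not) so both layouts stay covered. The translated ''device'' bullet also drops "raw" from "the path to the raw encrypted device"; consider keeping it, since the parameter must name the encrypted container rather than the mapped device.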
45行目: 44行目:
 
resume=''device''
 
resume=''device''
   
  +
* {{ic|''device''}} は suspend2disk のために使われる復号化された (スワップ) ファイルシステムのデバイスファイルです。スワップが別のパーティション上にある場合、{{ic|/dev/mapper/swap}} という形式になります。[[Dm-crypt/スワップの暗号化]]を参照。
* {{ic|''device''}} is the device file of the decrypted (swap) filesystem used for suspend2disk. If swap is on a separate partition, it will be in the form of {{ic|/dev/mapper/swap}}. See also [[Dm-crypt/Swap encryption]].
 
   
 
=== cryptkey ===
 
=== cryptkey ===
65行目: 64行目:
 
Example: {{ic|cryptkey<nowiki>=</nowiki>/dev/sdZ:0:512}} reads a 512 bit keyfile starting at the beginning of the device.
 
Example: {{ic|cryptkey<nowiki>=</nowiki>/dev/sdZ:0:512}} reads a 512 bit keyfile starting at the beginning of the device.
   
  +
[[Dm-crypt/デバイスの暗号化#キーファイル]]を参照。
See also [[Dm-crypt/Device encryption#Keyfiles]].
 
   
 
=== crypto ===
 
=== crypto ===
73行目: 72行目:
 
{{bc|<nowiki>crypto=</nowiki><hash>:<cipher>:<keysize>:<offset>:<skip>}}
 
{{bc|<nowiki>crypto=</nowiki><hash>:<cipher>:<keysize>:<offset>:<skip>}}
   
  +
引数は ''cryptsetup'' のオプションと直接関連します。[[Dm-crypt/デバイスの暗号化#plain モードの暗号化オプション]]を見て下さい。
The arguments relate directly to the ''cryptsetup'' options. See [[Dm-crypt/Device encryption#Encryption options for plain mode]].
 
   
 
For a disk encrypted with just ''plain'' default options, the {{ic|crypto}} arguments must be specified, but each entry can be left blank:
 
For a disk encrypted with just ''plain'' default options, the {{ic|crypto}} arguments must be specified, but each entry can be left blank:
83行目: 82行目:
 
The {{ic|/etc/crypttab}} (or, encrypted device table) file contains a list of encrypted devices that are to be unlocked when the system boots, similar to [[fstab]]. This file can be used for automatically mounting encrypted swap devices or secondary filesystems.
 
The {{ic|/etc/crypttab}} (or, encrypted device table) file contains a list of encrypted devices that are to be unlocked when the system boots, similar to [[fstab]]. This file can be used for automatically mounting encrypted swap devices or secondary filesystems.
   
It is read ''before'' [[fstab]], so that dm-crypt containers can be unlocked before the filesystem inside is mounted. Note that crypttab is read ''after'' the system has booted, so it is not a replacement for unlocking via [[#mkinitcpio|mkinitcpio]] hooks and [[#Boot loader|boot loader options]] in the case of an [[Dm-crypt/Encrypting an entire system|encrypted root]] scenario. The boot time processing of crypttab is done by the {{ic|systemd-cryptsetup-generator}} automatically, i. e. there is no need to activate it.
+
It is read ''before'' [[fstab]], so that dm-crypt containers can be unlocked before the filesystem inside is mounted. Note that crypttab is read ''after'' the system has booted, so it is not a replacement for unlocking via [[#mkinitcpio|mkinitcpio]] hooks and [[#ブートローダー|boot loader options]] in the case of an [[Dm-crypt/システム全体の暗号化|encrypted root]] scenario. The boot time processing of crypttab is done by the {{ic|systemd-cryptsetup-generator}} automatically, i. e. there is no need to activate it.
   
See the crypttab [http://linux.die.net/man/5/crypttab man page] for details, below for further examples and [[#Mounting at boot time]] for setup steps using a device's UUID.
+
詳しくは crypttab [http://linux.die.net/man/5/crypttab man page] を見て下さい。デバイスの UUID を使って設定する方法は [[#起動時にマウント]] を見て下さい。
   
  +
{{Warning|For ''dm-crypt'' [[Dm-crypt/デバイスの暗号化#plain モードの暗号化オプション|plain mode]] ({{ic|--type plain}}) devices, systemd issues in the crypttab processing logic exist:
{{Warning|An unresolved [https://bugs.freedesktop.org/show_bug.cgi?id&#61;52630 systemd bug] exists in the crypttab processing logic for ''dm-crypt'' {{ic|--type plain}} devices with a keyfile. '''Do not''' use {{ic|systemd-cryptsetup}} manually for device creation to work around it! The systemd (>217) workaround is to add the {{ic|1=hash=plain}} option to crypttab. Another workaround is to use a small custom [[Systemd#Writing_unit_files|unit]] calling {{ic|cryptsetup}} with the [[Dm-crypt/Device_encryption#Encryption options for plain mode|plain mode]] options and the keyfile to open and mount such devices during boot/shutdown instead.}}
 
  +
* For {{ic|--type plain}}) devices with a keyfile, it is necessary to add the {{ic|1=hash=plain}} option to crypttab due to a [https://bugs.freedesktop.org/show_bug.cgi?id&#61;52630 systemd incompatibility]. '''Do not''' use {{ic|systemd-cryptsetup}} manually for device creation to work around it!
  +
* It may further be required to add the {{ic|plain}} option explicitly to force systemd-cryptsetup to recognize a {{ic|--type plain}}) device at boot. [https://github.com/systemd/systemd/issues/442 GitHub issue in question.]}}
   
 
{{hc|/etc/crypttab|<nowiki>
 
{{hc|/etc/crypttab|<nowiki>
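Review bot: both new bullets carry a stray closing parenthesis after {{ic|--type plain}} ("{{ic|--type plain}}) devices"), apparently copied from the "({{ic|--type plain}})" in the intro line; drop the ")" in each. The rewritten warning also loses the old text's alternative workaround (a small custom unit calling cryptsetup with the plain-mode options and the keyfile); if that approach is still valid it is worth keeping as a third bullet, otherwise say why it was removed.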
110行目: 111行目:
   
 
The first parameter is your preferred device mapper's name for your encrypted drive. The option {{ic|none}} will trigger a prompt during boot to type the passphrase for unlocking the partition. The {{ic|timeout}} option defines the timeout in seconds for entering the decryption password while booting.
 
The first parameter is your preferred device mapper's name for your encrypted drive. The option {{ic|none}} will trigger a prompt during boot to type the passphrase for unlocking the partition. The {{ic|timeout}} option defines the timeout in seconds for entering the decryption password while booting.
A [[Dm-crypt/Device_encryption#Keyfiles|keyfile]] can also be set up and referenced instead of {{ic|none}}. This results in an automatic unlocking, if the keyfile is accessible during boot. Since LUKS offers the option to have multiple keys, the chosen option can also be changed later.
+
A [[Dm-crypt/デバイスの暗号化#キーファイル|keyfile]] can also be set up and referenced instead of {{ic|none}}. This results in an automatic unlocking, if the keyfile is accessible during boot. Since LUKS offers the option to have multiple keys, the chosen option can also be changed later.
   
 
Use the device mapper's name you've defined in {{ic|/etc/crypttab}} in {{ic|/etc/fstab}} as shown here:
 
Use the device mapper's name you've defined in {{ic|/etc/crypttab}} in {{ic|/etc/fstab}} as shown here:

Revision as of 19:44, 20 August 2015 (Thu)

Back to Dm-crypt.

Tip: If you need to remotely unlock root or other early-boot filesystems (headless machines, remote servers, etc.), follow the instructions in Dm-crypt/特記事項#root などのパーティションのリモート解除 (Dm-crypt/Specialties#Remote unlocking of the root (or other) partition).

mkinitcpio

When encrypting the system, the initial ramdisk must be regenerated after mkinitcpio has been configured correctly. In particular, depending on the scenario, the following hooks must be enabled:

  • encrypt: always needed when encrypting the root partition, or a partition that needs to be mounted before root. It is not needed in all the other cases, as system initialization scripts like /etc/crypttab take care of unlocking other encrypted partitions.
  • shutdown: recommended before mkinitcpio 0.16 to ensure controlled unmounting during system shutdown. It is still functional, but not deemed necessary anymore.
  • keymap: provides support for foreign keymaps for typing encryption passwords; it must come before the encrypt hook.
  • keyboard: needed to make USB keyboards work in early userspace.
    • usbinput: deprecated, but can be given a try in case keyboard does not work.

Other hooks needed should be clear from other manual steps followed during the installation of the system.
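As an added example that is not part of the ArchWiki page, a POSIX sh check of the HOOKS line against the rules just listed: encrypt present, keymap (if used) ahead of encrypt, and keyboard present. Both mkinitcpio.conf fragments are constructed samples, not copied from a real system.

```shell
#!/bin/sh
# Check the HOOKS line of /etc/mkinitcpio.conf against the rules above:
# encrypt must be present, keymap (if used) must come before encrypt, keyboard must be present.
# Both configurations below are constructed samples, not copied from a real system.
GOOD_CONF='HOOKS="base udev autodetect modconf block keyboard keymap encrypt filesystems fsck"'
BAD_CONF='HOOKS="base udev autodetect modconf block encrypt keymap filesystems fsck"'

# hook_index HOOKS NAME: print the 1-based position of NAME in the hook list, fail if absent
hook_index() {
  i=0
  for h in $1; do
    i=$((i + 1))
    [ "$h" = "$2" ] && { echo "$i"; return 0; }
  done
  return 1
}

# check_hooks CONF: print one finding per line; the return value is the number of findings
check_hooks() {
  # extract the hook list, accepting both HOOKS="..." and HOOKS=(...) spellings
  hooks=$(printf '%s\n' "$1" | sed -n 's/^HOOKS=//p' | tr -d '"()')
  n=0
  enc=$(hook_index "$hooks" encrypt) || { echo "encrypt hook missing"; n=$((n + 1)); }
  if km=$(hook_index "$hooks" keymap) && [ -n "$enc" ] && [ "$km" -gt "$enc" ]; then
    echo "keymap must come before encrypt"; n=$((n + 1))
  fi
  hook_index "$hooks" keyboard >/dev/null || { echo "keyboard hook missing"; n=$((n + 1)); }
  return "$n"
}

check_hooks "$GOOD_CONF" && echo "GOOD_CONF: ok"
check_hooks "$BAD_CONF" || echo "BAD_CONF: $? problem(s)"
```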

Boot loader

To be able to boot from the encrypted root partition, a subset of the following kernel parameters must be set. See Kernel parameters for how to do this with the boot loader you use. For example, when using GRUB, it is convenient to add the parameters to /etc/default/grub before generating the boot configuration.

cryptdevice

This parameter will make the system prompt for the passphrase to unlock the device containing the encrypted root on a cold boot. It is parsed by the encrypt hook to identify which device contains the encrypted system:

cryptdevice=device:dmname
  • device is the path to the encrypted device. Using persistent block device naming is recommended.
  • dmname is the device-mapper name given to the device after decryption, which will be available as /dev/mapper/dmname.
  • If an LVM contains the encrypted root, the LVM gets activated first and the volume group containing the logical volume of the encrypted root serves as device. It is then followed by the respective volume group to be mapped to root. The parameter follows the form of cryptdevice=/dev/vgname/lvname:dmname.

root

The root= parameter specifies the device of the actual (decrypted) root filesystem:

root=device
  • If the filesystem is formatted directly on the decrypted device file, this is /dev/mapper/dmname.
  • The same holds when LVM is activated first and contains the encrypted logical root volume.
  • If the root filesystem is contained in a logical volume of a fully encrypted LVM, the device-mapper path is root=/dev/mapper/volumegroup-logicalvolume.
Tip: When using GRUB, this parameter does not need to be specified manually. Simply running grub-mkconfig detects the UUID of the decrypted root filesystem automatically and writes it into grub.cfg.

resume

resume=device
  • device is the device file of the decrypted (swap) filesystem used for suspend2disk. If swap is on a separate partition, it takes the form /dev/mapper/swap. See Dm-crypt/スワップの暗号化 (Dm-crypt/Swap encryption).

cryptkey

This parameter is required by the encrypt hook for reading a keyfile to unlock the cryptdevice. It can have two parameter sets, depending on whether the keyfile exists as a file or a bitstream starting on a specific location.

For a file the format is:

cryptkey=device:fstype:path
  • device is the raw block device where the key exists.
  • fstype is the filesystem type of device (or auto).
  • path is the absolute path of the keyfile within the device.

Example: cryptkey=/dev/usbstick:vfat:/secretkey

For a bitstream on a device the key's location is specified with the following:

cryptkey=device:offset:size 

Example: cryptkey=/dev/sdZ:0:512 reads a 512 bit keyfile starting at the beginning of the device.

See also Dm-crypt/デバイスの暗号化#キーファイル (Dm-crypt/Device encryption#Keyfiles).

crypto

This parameter is specific to passing dm-crypt plain mode options to the encrypt hook.

It takes the form

crypto=<hash>:<cipher>:<keysize>:<offset>:<skip>

The arguments relate directly to the cryptsetup options. See Dm-crypt/デバイスの暗号化#plain モードの暗号化オプション (Dm-crypt/Device encryption#Encryption options for plain mode).

For a disk encrypted with just plain default options, the crypto arguments must be specified, but each entry can be left blank:

crypto=::::

A specific example of arguments is

crypto=sha512:twofish-xts-plain64:512:0:
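The parameters above are easy to get inconsistent (for example root= pointing at the raw partition instead of the mapped device, or cryptdevice= naming a non-persistent /dev/sdX path). As an added example that is not part of the ArchWiki page, a POSIX sh check that parses a kernel command line and applies the rules from this section; both command lines are constructed samples and the UUID is a placeholder.

```shell
#!/bin/sh
# Consistency check for the encrypt-hook kernel parameters described above.
# Both command lines are constructed samples; the UUID is a placeholder, not a real device.
GOOD='cryptdevice=UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee:cryptroot root=/dev/mapper/cryptroot resume=/dev/mapper/swap rw'
BAD='cryptdevice=/dev/sda2:cryptroot root=/dev/sda2 resume=/dev/sda3 rw'

# param CMDLINE KEY: print the value of KEY=value from CMDLINE, fail if KEY is absent
param() {
  for kv in $1; do
    case $kv in "$2="*) printf '%s' "${kv#*=}"; return 0 ;; esac
  done
  return 1
}

# check_cmdline CMDLINE: print one finding per line, "ok" if there is none;
# the return value is the number of findings
check_cmdline() {
  n=0
  cd=$(param "$1" cryptdevice) || { echo "cryptdevice= is missing"; return 1; }
  dev=${cd%%:*}                   # raw encrypted device (first field)
  rest=${cd#*:}; dm=${rest%%:*}   # device-mapper name (second field; options after it ignored)
  if [ "$rest" = "$cd" ]; then echo "cryptdevice= has no :dmname field"; n=$((n + 1)); fi
  case $dev in
    UUID=*|PARTUUID=*|LABEL=*|/dev/disk/by-*) ;;   # persistent naming, as advised above
    *) echo "device '$dev' is not a persistent block device name"; n=$((n + 1)) ;;
  esac
  root=$(param "$1" root) || root=''
  case $root in
    /dev/mapper/"$dm"|/dev/mapper/*-*) ;;   # direct mapping, or vg-lv inside the container
    *) echo "root='$root' does not point at the decrypted device /dev/mapper/$dm"; n=$((n + 1)) ;;
  esac
  if resume=$(param "$1" resume); then
    case $resume in
      /dev/mapper/*) ;;
      *) echo "resume='$resume' is not a decrypted (swap) device under /dev/mapper"; n=$((n + 1)) ;;
    esac
  fi
  [ "$n" -eq 0 ] && echo ok
  return "$n"
}

check_cmdline "$GOOD"
check_cmdline "$BAD" || echo "BAD: $? finding(s)"
```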

crypttab

The /etc/crypttab (or, encrypted device table) file contains a list of encrypted devices that are to be unlocked when the system boots, similar to fstab. This file can be used for automatically mounting encrypted swap devices or secondary filesystems.

It is read before fstab, so that dm-crypt containers can be unlocked before the filesystem inside is mounted. Note that crypttab is read after the system has booted, so it is not a replacement for unlocking via mkinitcpio hooks and boot loader options in the case of an encrypted root scenario. The boot time processing of crypttab is done by the systemd-cryptsetup-generator automatically, i.e. there is no need to activate it.

See the crypttab man page (http://linux.die.net/man/5/crypttab) for details. For setup steps using a device's UUID, see the section on mounting at boot time below.

Warning: For dm-crypt plain mode (--type plain) devices, systemd issues in the crypttab processing logic exist:
  • For --type plain devices with a keyfile, it is necessary to add the hash=plain option to crypttab due to a systemd incompatibility (https://bugs.freedesktop.org/show_bug.cgi?id=52630). Do not use systemd-cryptsetup manually for device creation to work around it!
  • It may further be required to add the plain option explicitly to force systemd-cryptsetup to recognize a --type plain device at boot. See the GitHub issue in question (https://github.com/systemd/systemd/issues/442).
/etc/crypttab
 # Example crypttab file. Fields are: name, underlying device, passphrase, cryptsetup options.
 # Mount /dev/lvm/swap re-encrypting it with a fresh key each reboot
 swap	/dev/lvm/swap	/dev/urandom	swap,cipher=aes-xts-plain64,size=256
 # Mount /dev/lvm/tmp as /dev/mapper/tmp using plain dm-crypt with a random passphrase, making its contents unrecoverable after it is dismounted.
 tmp	/dev/lvm/tmp	/dev/urandom	tmp,cipher=aes-xts-plain64,size=256 
 # Mount /dev/lvm/home as /dev/mapper/home using LUKS, and prompt for the passphrase at boot time.
 home   /dev/lvm/home
 # Mount /dev/sdb1 as /dev/mapper/backup using LUKS, with a passphrase stored in a file.
 backup /dev/sdb1       /home/alice/backup.key

Mounting at boot time

If you want to mount an encrypted drive at boot time, just enter the device's UUID in /etc/crypttab. Get the partition's UUID with the command lsblk -f and add it like this:

/etc/crypttab
 externaldrive         UUID=2f9a8428-ac69-478a-88a2-4aa458565431        none    luks,timeout=180

The first parameter is your preferred device mapper's name for your encrypted drive. The option none will trigger a prompt during boot to type the passphrase for unlocking the partition. The timeout option defines the timeout in seconds for entering the decryption password while booting. A keyfile can also be set up and referenced instead of none. This results in an automatic unlocking, if the keyfile is accessible during boot. Since LUKS offers the option to have multiple keys, the chosen option can also be changed later.

Use the device mapper's name you've defined in /etc/crypttab in /etc/fstab as shown here:

/etc/fstab
 /dev/mapper/externaldrive      /mnt/backup               ext4    defaults,errors=remount-ro  0  2

Since /dev/mapper/externaldrive is already the result of a unique partition mapping, there is no need to specify a UUID for it. In any case, the mapper with the filesystem will have a different UUID than the partition it is encrypted in.
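Two checks for the points above, as an added example that is not part of the ArchWiki page: the first flags plain-mode crypttab entries that are unlocked by a keyfile but lack the hash=plain option the warning calls for; the second flags /dev/mapper names referenced in fstab that no crypttab entry defines. The crypttab and fstab contents are constructed samples, and treating /dev/urandom as a random-key source rather than a keyfile is an assumption.

```shell
#!/bin/sh
# Lint constructed /etc/crypttab and /etc/fstab contents (sample data, not from a real host)
# for two problems discussed above: plain-mode keyfile entries without hash=plain, and
# /dev/mapper names used in fstab that no crypttab entry defines.
CRYPTTAB='# name   device            key                    options
swap     /dev/lvm/swap     /dev/urandom           swap,cipher=aes-xts-plain64,size=256
data     /dev/sdc1         /etc/keys/data.key     cipher=aes-xts-plain64,size=256
scratch  /dev/sdc2         /etc/keys/scratch.key  plain,hash=plain,cipher=aes-xts-plain64,size=256
home     /dev/lvm/home
backup   /dev/sdb1         /home/alice/backup.key'
FSTAB='/dev/mapper/home     /home         ext4  defaults  0 2
/dev/mapper/data     /srv/data     ext4  defaults  0 2
/dev/mapper/archive  /mnt/archive  ext4  defaults  0 2'

# lint_plain: print the name of every plain-mode entry (plain, cipher= or size= option)
# that is unlocked by a keyfile but has no hash=plain option.
# Assumption: /dev/urandom is a random-key source rather than a keyfile, so it is skipped.
lint_plain() {
  printf '%s\n' "$CRYPTTAB" | awk '
    /^#/ || NF == 0 { next }
    {
      key = $3; opts = "," $4 ","
      plain = (opts ~ /,(plain|cipher=[^,]*|size=[^,]*),/)
      keyfile = (key != "" && key != "none" && key != "/dev/urandom")
      if (plain && keyfile && opts !~ /,hash=plain,/) print $1
    }'
}

# lint_mapper: print every /dev/mapper/NAME referenced in fstab without a crypttab entry NAME
lint_mapper() {
  names=$(printf '%s\n' "$CRYPTTAB" | awk '!/^#/ && NF { printf " %s ", $1 }')
  printf '%s\n' "$FSTAB" | awk -v names="$names" '
    $1 ~ /^\/dev\/mapper\// {
      n = substr($1, 13)          # strip the 12-character "/dev/mapper/" prefix
      if (index(names, " " n " ") == 0) print n
    }'
}

lint_plain     # sample data: "data" lacks hash=plain
lint_mapper    # sample data: "archive" has no crypttab entry
```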