dm-crypt/Encrypting a non-root file system

From ArchWiki
Revision as of 18:19, 13 February 2015 by Kusakata (page creation)

Back to dm-crypt.

The following are examples of encrypting a non-root file system with dm-crypt.

Overview

Encrypting a secondary filesystem usually protects only the sensitive data; the operating system and program files stay unencrypted. This is useful for external media such as USB drives, which can then be carried safely to another computer. It also makes it possible to choose, per user, which data is encrypted.

Since dm-crypt is a block-level encryption layer, it can only encrypt whole devices, partitions, loop devices and the like. To encrypt individual files, a filesystem-level encryption layer such as eCryptfs or EncFS is needed. See Disk encryption for general information on protecting personal data.

Partition

This example covers the encryption of the /home partition, but it can be applied to any other comparable non-root partition containing user data.

Tip: You can either keep a single user's /home directory on a partition, or create a common partition holding the home directories of all users.

First, prepare the partition by securely erasing it, see Dm-crypt/Drive preparation#Secure erasure of the hard disk drive.

Then set up the LUKS header with:

# cryptsetup options luksFormat device

Replace device with the previously created partition. See Dm-crypt/Device encryption#Encryption options for LUKS mode for details like the available options.

To gain access to the encrypted partition, unlock it with the device mapper, using:

# cryptsetup open device name

After unlocking the partition, it will be available at /dev/mapper/name. Now create a file system of your choice with:

# mkfs.fstype /dev/mapper/name

Mount the file system to /home, or if it should be accessible to only one user to /home/username, see #Manual mounting and unmounting.

Tip: Unmount and mount once to verify that the mapping is working as intended.

Manual mounting and unmounting

To mount the partition:

# cryptsetup --type luks open device name
# mount -t ext4 /dev/mapper/name /mnt/home

To unmount it:

# umount /mnt/home
# cryptsetup close name

Automated unlocking and mounting

There are two different solutions for automating the process of unlocking the partition and mounting its filesystem.

Crypttab

Using the /etc/crypttab configuration file, unlocking happens at boot time through systemd's automatic parsing of it. This is the recommended solution if you want one common partition for the home directories of all users, or want to automatically mount another encrypted block device.

See Dm-crypt/System configuration#crypttab for references and Dm-crypt/System configuration#Mounting at boot time for an example set up.

Pam mount

With Pam mount, unlocking happens on user login: this is the recommended solution if you want to have a single user's home directory on a partition.

See Pam mount.

Loop device

A loop device makes it possible to map a block device to a file with the standard util-linux tool losetup. The file can then contain a filesystem, which can be used much like any other filesystem. Many users know TrueCrypt as a tool for creating encrypted containers. Much the same functionality can be achieved with a loopback filesystem encrypted with LUKS, as shown in the following example.

First, start by creating an encrypted container, using an appropriate random number generator:

# dd if=/dev/urandom of=/bigsecret bs=1M count=10

This will create the file bigsecret with a size of 10 megabytes.

Note: To avoid having to resize the container later on, make it larger than the total size of the files to be encrypted, so that it can also hold the metadata of the filesystem placed inside it. If you are going to use LUKS mode, its metadata header alone requires one to two megabytes.

Next create the device node /dev/loop0, so that we can mount/use our container:

# losetup /dev/loop0 /bigsecret

Note: If this gives you the error /dev/loop0: No such file or directory, you need to load the kernel module first with modprobe loop. These days (kernel 3.2) loop devices are created on demand; ask for a new loop device with # losetup -f.

From now on the procedure is the same as for #Partition, except for the fact that the container is already randomised and will not need another secure erasure.

Tip: Containers with dm-crypt can be very flexible. Have a look at the features and documentation of Tomb. It provides a dm-crypt script wrapper for fast and flexible handling.

Manual mounting and unmounting

To unmount the container:

# umount /mnt/secret
# cryptsetup close secret
# losetup -d /dev/loop0

To mount the container again:

# losetup /dev/loop0 /bigsecret
# cryptsetup --type luks open /dev/loop0 secret
# mount -t ext4 /dev/mapper/secret /mnt/secret

Resizing the loopback filesystem

First unmount the encrypted container:

# umount /mnt/secret
# cryptsetup close secret
# losetup -d /dev/loop0

Next, expand the container file with the size of the data you want to add:

# dd if=/dev/urandom bs=1M count=1024 | cat - >> /bigsecret

Warning: Be careful to really use two >, or you will overwrite your current container.

Now map the container to the loop device:

# losetup /dev/loop0 /bigsecret
# cryptsetup --type luks open /dev/loop0 secret

After this, resize the encrypted part of the container to the maximum size of the container file:

# cryptsetup resize secret

Finally, perform a filesystem check and, if it is ok, resize it (example for ext2/3/4):

# e2fsck -f /dev/mapper/secret
# resize2fs /dev/mapper/secret

You can now mount the container again:

# mount /dev/mapper/secret /mnt/secret
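The loop-device container steps above (creation in #Loop device, then growth in this section) collected into two shell functions, as an added example that is not part of the ArchWiki page. It assumes cryptsetup, util-linux and e2fsprogs and root privileges for real runs; with DRY_RUN=1 it only prints the command sequence, and the sizing rule (payload plus 2 MiB for the LUKS header plus a 5% metadata margin) is an assumption derived from the note above.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): create or grow a LUKS container
# file mapped through a loop device. Real runs need root; DRY_RUN=1 prints
# the commands instead of running them, so the sequence can be reviewed first.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Container size in MiB for a given payload: payload + 2 MiB for the LUKS
# header (the page cites one to two megabytes) + ~5% for filesystem metadata.
container_mib() {
    echo $(( $1 + 2 + ($1 + 19) / 20 ))
}

# create_container FILE PAYLOAD_MIB LOOPDEV NAME MOUNTPOINT
create_container() {
    size=$(container_mib "$2")
    run dd if=/dev/urandom of="$1" bs=1M count="$size"   # random fill, so no extra secure erase
    run losetup "$3" "$1"
    run cryptsetup luksFormat "$3"                       # prompts for confirmation and passphrase
    run cryptsetup --type luks open "$3" "$4"
    run mkfs.ext4 /dev/mapper/"$4"
    run mount -t ext4 /dev/mapper/"$4" "$5"
}

# grow_container FILE EXTRA_MIB LOOPDEV NAME MOUNTPOINT
grow_container() {
    run umount "$5"
    run cryptsetup close "$4"
    run losetup -d "$3"
    # ">>" appends; a single ">" would truncate the file and destroy the container
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "dd if=/dev/urandom bs=1M count=$2 >> $1"
    else
        dd if=/dev/urandom bs=1M count="$2" >> "$1"
    fi
    run losetup "$3" "$1"
    run cryptsetup --type luks open "$3" "$4"
    run cryptsetup resize "$4"                           # grow the LUKS mapping to the file size
    run e2fsck -f /dev/mapper/"$4"                       # check before resizing the filesystem
    run resize2fs /dev/mapper/"$4"
    run mount /dev/mapper/"$4" "$5"
}
```

Run `DRY_RUN=1 sh -c '. ./script.sh; create_container /bigsecret 10 /dev/loop0 secret /mnt/secret'` to see the exact commands before executing them for real.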