== Encrypted Root and Swap with LUKS (on Ubuntu 6.06) ==

by Mikhail Lukyanchenko < uptimebox@gmail.com >

License: [http://creativecommons.org/licenses/by-sa/2.0/ Creative Commons Attribution-ShareAlike 2.0] [http://www.gnu.org/copyleft/fdl.html GNU Free Documentation License]<br>
Translator: yusy<br>
Applies to: Ubuntu 6.06

=== Introduction ===

This is how I got an Ubuntu 6.06 (Dapper Drake) system with a fully encrypted file system: root (/) and swap. Since the Ubuntu installer does not yet support this option, the process consists of first installing Ubuntu on a temporary partition and then, inside that installation, preparing all the encrypted partitions for the OS. The old root which I used in the beginning is turned into a swap partition.

==== Notes ====

In this tutorial we assume that:
* the old (unencrypted) and the new (encrypted) swap is in the partition '/dev/hda2'
* the new home (encrypted) is in the partition '/dev/hda3'
Replace '/dev/hda2' with your real swap partition and '/dev/hda3' with an empty partition that will become your new encrypted home partition.

==== Warnings ====

Encrypting a partition is a destructive operation, so your new root partition (/dev/hda3) must be empty, because all data on it will be erased.

Also be warned that this HOWTO is in a beta state. I would not recommend using it on a production system. But it would be greatly appreciated if you test it and send me some feedback.

=== Ubuntu installation ===

Note that you should install a ''server'' profile at this step even if you need a desktop profile in the end. The switch between the two profiles is made later on.

Install Ubuntu with the following initial partitioning scheme:
<pre><nowiki>
/dev/hda1   /boot   100 MB   ext3
/dev/hda2   /       512 MB   ext3
</nowiki></pre>
Note that 512 MB is the smallest size you can set for a server type of installation. A complete Ubuntu installation requires at least 2.4 GB. Make your choice now. In addition, create one more partition to hold your future encrypted root, as follows:
<pre><nowiki>
/dev/hda3   future /   10GB
</nowiki></pre>
In the installer's filesystem option, set this partition to "do not use the partition". Ignore the alert about not having a swap partition and carry on.

=== Cryptography software installation ===

Configure apt to use all the optional repositories that come with Ubuntu. This is done by editing /etc/apt/sources.list and uncommenting all the "deb" repositories.<br>
After adding the repositories above, don't forget to update so that the packages below become available:<br>
<pre><nowiki>
$ sudo apt-get update
</nowiki></pre>
<pre><nowiki>
$ sudo apt-get install cryptsetup hashalot initramfs-tools
</nowiki></pre>

=== Setting up mkinitramfs ===

Edit <code><nowiki>/etc/kernel-img.conf</nowiki></code>.
Add the following line:<br>
<pre><nowiki>
ramdisk = /usr/sbin/mkinitramfs
</nowiki></pre>
Edit <code><nowiki>/etc/mkinitramfs/modules</nowiki></code>. Add the following lines:<br>
<pre><nowiki>
dm_mod
dm_crypt
sha256
aes_i586
</nowiki></pre>
Create the file <code><nowiki>/etc/mkinitramfs/hooks/cryptoroot</nowiki></code>:<br>
<pre><nowiki>
#!/bin/sh

PREREQ=""

prereqs()
{
        echo "$PREREQ"
}

case $1 in
prereqs)
        prereqs
        exit 0
        ;;
esac

# Nothing to add to the image if cryptsetup is not installed
if [ ! -x /sbin/cryptsetup ]; then
        exit 0
fi

. /usr/share/initramfs-tools/hook-functions

# Copy the boot-time keymap and the tools needed to prompt for the passphrase
mkdir -p "${DESTDIR}/etc/console"
cp /etc/console/boottime.kmap.gz "${DESTDIR}/etc/console"
copy_exec /bin/loadkeys /bin
copy_exec /usr/bin/chvt /bin
copy_exec /sbin/cryptsetup /sbin
</nowiki></pre>
Create the file <code><nowiki>/etc/mkinitramfs/scripts/local-top/cryptoroot</nowiki></code>:<br>
<pre><nowiki>
#!/bin/sh

PREREQ="udev"

prereqs()
{
        echo "$PREREQ"
}

case $1 in
# get pre-requisites
prereqs)
        prereqs
        exit 0
        ;;
esac

# Load the keymap so the passphrase is typed with the expected layout
/bin/loadkeys /etc/console/boottime.kmap.gz

modprobe -Qb dm_crypt
modprobe -Qb aes_i586
modprobe -Qb sha256

# Leave the boot splash so the passphrase prompt is visible
if grep -q splash /proc/cmdline; then
        /bin/chvt 1
fi

# Prompt for the passphrase and map the root device as /dev/mapper/cryptoroot
/sbin/cryptsetup luksOpen /dev/hda3 cryptoroot
</nowiki></pre>
'''TODO:''' find a way to switch back to bootsplash after password prompt.<br>
(Translator's note: I did not follow along with this step, so I am not sure what this sentence refers to. --yusy)

Make the created files executable:<br>
<pre><nowiki>
$ sudo chmod +x /etc/mkinitramfs/hooks/cryptoroot
$ sudo chmod +x /etc/mkinitramfs/scripts/local-top/cryptoroot
</nowiki></pre>
Update the initrd image:<br>
<pre><nowiki>
$ sudo update-initramfs -u ALL
</nowiki></pre>

=== Creating the encrypted system ===

Now it is time to create the cryptography devices.<br>
<pre><nowiki>
$ sudo modprobe dm_crypt
$ sudo modprobe sha256
$ sudo modprobe aes_i586
$ sudo luksformat -t ext3 /dev/hda3
</nowiki></pre>
The dialog that follows should look like this:<br>
<pre><nowiki>
Creating encrypted device on /dev/hda3...

WARNING!
========
This will owerwrite data on /dev/hda3 irrevocably.

Are you shure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successfull.
Please enter your passphrase again to verify it
Enter LUKS passphrase:
key slot 0 unlocked.
Command successfull.
mke2fs 1.38 (30-Jun-2005)
.....
</nowiki></pre>
Your encrypted partition is now created and formatted. It's time to populate it:<br>
<pre><nowiki>
$ sudo cryptsetup luksOpen /dev/hda3 cryptoroot
$ sudo mkdir /mnt/target
$ sudo mount /dev/mapper/cryptoroot /mnt/target
$ sudo cp -avx / /mnt/target
$ sudo chown -R $(whoami):$(whoami) /mnt/target/home/$(whoami)
</nowiki></pre>
The copy process should take about two minutes for a server profile (depending on your hardware).<br>
Then you need to correct <code><nowiki>/mnt/target/etc/fstab</nowiki></code>.<br>
Find<br>
<pre><nowiki>
/dev/hda2       /               ext3    defaults,errors=remount-ro 0       1
</nowiki></pre>
Replace with<br>
<pre><nowiki>
/dev/mapper/cryptoroot       /               ext3    defaults,errors=remount-ro 0       1
</nowiki></pre>

=== Configuring Grub ===

Edit <code><nowiki>/boot/grub/menu.lst</nowiki></code>.
Add the following after the line containing <code><nowiki>### END DEBIAN AUTOMAGIC KERNELS LIST</nowiki></code>:<br>
<pre><nowiki>
title           Cryptotest
root            (hd0,0)
kernel          /vmlinuz-<your kernel version here> root=/dev/mapper/cryptoroot ro
initrd          /initrd.img-<your kernel version here>
savedefault
boot
</nowiki></pre>
You can find your kernel version by running:<br>
<pre><nowiki>
$ uname -r
</nowiki></pre>

=== Rebooting and testing configuration ===

As simple as it should be:<br>
<pre><nowiki>
$ sudo reboot
</nowiki></pre>
Now, after all your BIOS mumbo-jumbo, watch very carefully for the following prompt:<br>
<pre><nowiki>
GRUB Loading stage 1.5.

GRUB Loading, please wait...
Press `ESC` to enter the menu
</nowiki></pre>
Press ESC and select the last option, namely "Cryptotest". You will now see lots of kernel debugging info, since we didn't add the <code><nowiki>quiet</nowiki></code> option to the kernel options. That's OK.<br>
At some point you will see the prompt:<br>
<pre><nowiki>
Enter LUKS passphrase:
</nowiki></pre>
Go on! Enter it. You have now booted from the encrypted partition.<br>
If something goes Very Wrong Way (tm), don't panic. You still have the unencrypted partition to boot from.<br>

=== Finishing ===

Let's enable the swap partition.<br>
Edit <code><nowiki>/etc/crypttab</nowiki></code>:
<pre><nowiki>
cryptoswap      /dev/hda2       /dev/urandom    swap
</nowiki></pre>
Edit <code><nowiki>/etc/fstab</nowiki></code>.
Add the following line:<br>
<pre><nowiki>
/dev/mapper/cryptoswap none swap sw 0 0
</nowiki></pre>
<pre><nowiki>
$ sudo invoke-rc.d cryptdisks restart
$ sudo swapon /dev/mapper/cryptoswap
</nowiki></pre>
Edit <code><nowiki>/boot/grub/menu.lst</nowiki></code> and remove the lines you previously added after the line containing <code><nowiki>### END DEBIAN AUTOMAGIC KERNELS LIST</nowiki></code>.<br>
In the same file, find the line containing<br>
<pre><nowiki>
# kopt=root=/dev/hda2 ro
</nowiki></pre>
Change this to<br>
<pre><nowiki>
# kopt=root=/dev/mapper/cryptoroot ro
</nowiki></pre>
Run<br>
<pre><nowiki>
$ sudo update-grub
</nowiki></pre>
Now you have an operational server profile with encrypted root and swap. If what you need is a desktop profile (i.e. a complete graphical environment like Gnome or KDE and lots of applications), you can install it now with a single command:<br>
<pre><nowiki>
$ sudo apt-get install ubuntu-desktop
</nowiki></pre>
Replace <code><nowiki>ubuntu-desktop</nowiki></code> with <code><nowiki>kubuntu-desktop</nowiki></code>, <code><nowiki>xubuntu-desktop</nowiki></code>, or <code><nowiki>edubuntu-desktop</nowiki></code> according to your needs.<br>
That's all. Finished.<br>

----
[[category:CategoryCleanup]]
----
Source: official wiki<br>
Translator: yusy<br>
Status: [[等待校对|Awaiting proofreading]]
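
Added example (not part of the original HOWTO): a check over the three files the tutorial edits, <code><nowiki>fstab</nowiki></code>, <code><nowiki>crypttab</nowiki></code> and <code><nowiki>menu.lst</nowiki></code>, that reports any root or swap entry still pointing at a raw partition, or a swap mapping without a random key. The function name <code><nowiki>audit_crypt_config</nowiki></code> and the choice to pass the file paths as arguments (so it can also be pointed at <code><nowiki>/mnt/target/etc/fstab</nowiki></code> before the first reboot) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the HOWTO. Prints one line per problem found and
# returns 0 only when the three files agree with the tutorial's end state.
# Usage: audit_crypt_config /etc/fstab /etc/crypttab /boot/grub/menu.lst
audit_crypt_config() {
    fstab=$1 crypttab=$2 menulst=$3
    findings=$(
        # Root must come from the device-mapper name, swap from a mapped device.
        awk '!/^[ \t]*#/ && $2 == "/" && $1 != "/dev/mapper/cryptoroot" {
                 print "fstab: / is mounted from " $1 }
             # Swap on a raw partition would write memory pages in the clear.
             !/^[ \t]*#/ && $3 == "swap" && $1 !~ /^\/dev\/mapper\// {
                 print "fstab: plaintext swap on " $1 }' "$fstab"
        # Every mapped swap device needs a crypttab line keyed from a random
        # device and carrying the swap option.
        awk '!/^[ \t]*#/ && $3 == "swap" && $1 ~ /^\/dev\/mapper\// {
                 sub(/^\/dev\/mapper\//, "", $1); print $1 }' "$fstab" |
        while read -r name; do
            awk -v n="$name" '
                !/^[ \t]*#/ && $1 == n {
                    seen = 1
                    if ($3 != "/dev/urandom" && $3 != "/dev/random")
                        print "crypttab: " n " key is " $3 ", not a random device"
                    if ($4 !~ /(^|,)swap(,|$)/)
                        print "crypttab: " n " lacks the swap option"
                }
                END { if (!seen) print "crypttab: no entry for " n }' "$crypttab"
        done
        # update-grub rebuilds the kernel entries from the commented kopt line.
        grep -Eq '^# kopt=.*root=/dev/mapper/cryptoroot( |$)' "$menulst" ||
            echo "menu.lst: kopt does not point at /dev/mapper/cryptoroot"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```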