== Encrypted Root and Swap with LUKS (on Ubuntu 6.06) ==

by Mikhail Lukyanchenko < uptimebox@gmail.com >

License: [http://creativecommons.org/licenses/by-sa/2.0/ Creative Commons Attribution-ShareAlike 2.0] [http://www.gnu.org/copyleft/fdl.html GNU Free Documentation License]<br>
Translator: yusy<br>
Proofreader:<br>
Contributors:<br>
Applies to: Ubuntu 6.06

=== Introduction ===

This is how I set up Ubuntu 6.06 (Dapper Drake) with a fully encrypted file system: root (/) and swap. Since the Ubuntu installer does not yet support this option, the process consists of first installing Ubuntu on a temporary partition and then, from inside that installation, preparing the encrypted partitions for the OS. The old root used at the beginning is turned into a swap partition.

==== Notes ====

In this tutorial we assume that:
* the old (unencrypted) and the new (encrypted) swap are on the partition '/dev/hda2'
* the new (encrypted) home is on the partition '/dev/hda3'

Replace '/dev/hda2' with your real swap partition and '/dev/hda3' with an empty partition that will become your new encrypted home partition.

==== Warnings ====

Encrypting a partition is a destructive operation, so your new root partition (/dev/hda3) must be empty, because all data on it will be erased.

Also be warned that this HOWTO is in a beta state. I would not recommend using it on a production system. But it would be greatly appreciated if you tested it and sent me some feedback.

=== Ubuntu installation ===

Note that you should install a ''server'' profile at this step even if you need a desktop profile in the end. The switch between the two profiles is made later on.

Install Ubuntu with the following initial partitioning scheme:

<pre><nowiki>
/dev/hda1    /boot    100 MB    ext3
/dev/hda2    /        512 MB    ext3
</nowiki></pre>

Note that 512 MB is really the smallest size you can set for a server-type installation. A complete Ubuntu installation requires at least 2.4 GB. Make your choice now. In addition, create one more partition to hold your future encrypted root, as follows:

<pre><nowiki>
/dev/hda3    future /    10GB
</nowiki></pre>

In the installer's filesystem options, set this partition to "do not use the partition". Just ignore the alert about not having a swap partition and keep going.

=== Cryptography software installation ===

Configure apt to use all the optional repositories that come with Ubuntu. This is done by editing /etc/apt/sources.list and uncommenting all the "deb" repositories.<br>
After adding the repositories above, don't forget to update so that the packages below become available:<br>

<pre><nowiki>
$ sudo apt-get update
</nowiki></pre>

<pre><nowiki>
$ sudo apt-get install cryptsetup hashalot initramfs-tools
</nowiki></pre>

=== Setting up mkinitramfs ===

Edit <code><nowiki>/etc/kernel-img.conf</nowiki></code>.
Add the following line:<br>

<pre><nowiki>
ramdisk = /usr/sbin/mkinitramfs
</nowiki></pre>

Edit <code><nowiki>/etc/mkinitramfs/modules</nowiki></code>. Add the following lines:<br>

<pre><nowiki>
dm_mod
dm_crypt
sha256
aes_i586
</nowiki></pre>

Create the file <code><nowiki>/etc/mkinitramfs/hooks/cryptoroot</nowiki></code>:<br>

<pre><nowiki>
#!/bin/sh
# initramfs hook: copy cryptsetup and the console keymap tools into the image

PREREQ=""

prereqs()
{
    echo "$PREREQ"
}

case $1 in
prereqs)
    prereqs
    exit 0
    ;;
esac

# Nothing to do if cryptsetup is not installed
if [ ! -x /sbin/cryptsetup ]; then
    exit 0
fi

. /usr/share/initramfs-tools/hook-functions

# Boot-time keymap, so the passphrase is typed with the right layout
mkdir -p "${DESTDIR}/etc/console"
cp /etc/console/boottime.kmap.gz "${DESTDIR}/etc/console"

copy_exec /bin/loadkeys /bin
copy_exec /usr/bin/chvt /bin
copy_exec /sbin/cryptsetup /sbin
</nowiki></pre>

Create the file <code><nowiki>/etc/mkinitramfs/scripts/local-top/cryptoroot</nowiki></code>:<br>

<pre><nowiki>
#!/bin/sh
# initramfs local-top script: unlock the LUKS root before it is mounted

PREREQ="udev"

prereqs()
{
    echo "$PREREQ"
}

case $1 in
# get pre-requisites
prereqs)
    prereqs
    exit 0
    ;;
esac

# Load the boot-time keymap before the passphrase prompt
/bin/loadkeys /etc/console/boottime.kmap.gz

modprobe -Qb dm_crypt
modprobe -Qb aes_i586
modprobe -Qb sha256

# With a boot splash active, switch to VT 1 so the prompt is visible
if grep -q splash /proc/cmdline; then
    /bin/chvt 1
fi

# Prompts for the passphrase and maps /dev/hda3 to /dev/mapper/cryptoroot
/sbin/cryptsetup luksOpen /dev/hda3 cryptoroot
</nowiki></pre>

'''TODO:''' find a way to switch back to bootsplash after the password prompt.<br>
(Translator's note: I did not follow along with this step, so I am not sure what this sentence refers to. --yusy)

Make the created files executable:<br>

<pre><nowiki>
$ sudo chmod +x /etc/mkinitramfs/hooks/cryptoroot
$ sudo chmod +x /etc/mkinitramfs/scripts/local-top/cryptoroot
</nowiki></pre>

Update the initrd image:<br>

<pre><nowiki>
$ sudo update-initramfs -u ALL
</nowiki></pre>

=== Creating the encrypted system ===

Now it is time to create the encrypted devices.<br>

<pre><nowiki>
$ sudo modprobe dm_crypt
$ sudo modprobe sha256
$ sudo modprobe aes_i586
$ sudo luksformat -t ext3 /dev/hda3
</nowiki></pre>

The dialog that follows should look like this:<br>

<pre><nowiki>
Creating encrypted device on /dev/hda3...

WARNING!
========
This will owerwrite data on /dev/hda3 irrevocably.

Are you shure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successfull.
Please enter your passphrase again to verify it
Enter LUKS passphrase:
key slot 0 unlocked.
Command successfull.
mke2fs 1.38 (30-Jun-2005)
.....
</nowiki></pre>

Your encrypted partition is now created and formatted. It's time to populate it:<br>

<pre><nowiki>
$ sudo cryptsetup luksOpen /dev/hda3 cryptoroot
$ sudo mkdir /mnt/target
$ sudo mount /dev/mapper/cryptoroot /mnt/target
$ sudo cp -avx / /mnt/target
$ sudo chown -R $(whoami):$(whoami) /mnt/target/home/$(whoami)
</nowiki></pre>

The copy should take about two minutes for a server profile (depending on your hardware).<br>

Then you need to correct <code><nowiki>/mnt/target/etc/fstab</nowiki></code>.<br>

Find<br>

<pre><nowiki>
/dev/hda2 / ext3 defaults,errors=remount-ro 0 1
</nowiki></pre>

Replace with<br>

<pre><nowiki>
/dev/mapper/cryptoroot / ext3 defaults,errors=remount-ro 0 1
</nowiki></pre>

=== Configuring Grub ===

Edit <code><nowiki>/boot/grub/menu.lst</nowiki></code>.
Add the following after the line containing <code><nowiki>### END DEBIAN AUTOMAGIC KERNELS LIST</nowiki></code>:<br>

<pre><nowiki>
title Cryptotest
root (hd0,0)
kernel /vmlinuz-<your kernel version here> root=/dev/mapper/cryptoroot ro
initrd /initrd.img-<your kernel version here>
savedefault
boot
</nowiki></pre>

You can find your kernel version by running:<br>

<pre><nowiki>
$ uname -r
</nowiki></pre>

=== Rebooting and testing configuration ===

As simple as it should be:<br>

<pre><nowiki>
$ sudo reboot
</nowiki></pre>

Now, after all your BIOS mumbo-jumbo, watch carefully for the following prompt:<br>

<pre><nowiki>
GRUB Loading stage 1.5.

GRUB Loading, please wait...
Press `ESC` to enter the menu
</nowiki></pre>

Press ESC and select the last option, namely "Cryptotest". You will now see lots of kernel debugging info, since we didn't add the <code><nowiki>quiet</nowiki></code> option to the kernel options. That's OK.<br>

At some point you will see the prompt:<br>

<pre><nowiki>
Enter LUKS passphrase:
</nowiki></pre>

Go on! Enter it. Now you have booted from the encrypted partition.<br>

If something goes Very Wrong Way (tm), don't panic. In any case you still have the unencrypted partition to boot from.<br>

=== Finishing ===

Let's enable the swap partition.<br>

Edit <code><nowiki>/etc/crypttab</nowiki></code>:

<pre><nowiki>
cryptoswap /dev/hda2 /dev/urandom swap
</nowiki></pre>

Edit <code><nowiki>/etc/fstab</nowiki></code>.
Add the following line:<br>

<pre><nowiki>
/dev/mapper/cryptoswap none swap sw 0 0
</nowiki></pre>

<pre><nowiki>
$ sudo invoke-rc.d cryptdisks restart
$ sudo swapon /dev/mapper/cryptoswap
</nowiki></pre>

Edit <code><nowiki>/boot/grub/menu.lst</nowiki></code> and remove the lines you previously added after the line containing <code><nowiki>### END DEBIAN AUTOMAGIC KERNELS LIST</nowiki></code>.<br>

In the same file, find the line containing<br>

<pre><nowiki>
# kopt=root=/dev/hda2 ro
</nowiki></pre>

Change this to<br>

<pre><nowiki>
# kopt=root=/dev/mapper/cryptoroot ro
</nowiki></pre>

Run<br>

<pre><nowiki>
$ sudo update-grub
</nowiki></pre>

Now you have an operational server profile with encrypted root and swap. If what you need is a desktop profile (i.e. a complete graphical environment like Gnome or KDE and lots of applications), you can install it now with a single command:<br>

<pre><nowiki>
$ sudo apt-get install ubuntu-desktop
</nowiki></pre>

Replace <code><nowiki>ubuntu-desktop</nowiki></code> with <code><nowiki>kubuntu-desktop</nowiki></code>, <code><nowiki>xubuntu-desktop</nowiki></code>, or <code><nowiki>edubuntu-desktop</nowiki></code> according to your needs.<br>

That's all. Finished.<br>

----
[[category:CategoryCleanup]]
----
Source: official wiki<br>
Translator: yusy<br>
Proofreader:<br>
Status: [[等待校对|Awaiting proofreading]]
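
Added example (not part of the original guide or of any Ubuntu tool): a shell audit of the four files edited above, to run once the Finishing steps are done and before relying on the new setup. The function names are made up for this example; the device and mapping names (cryptoroot, cryptoswap, /dev/urandom) are the ones this guide uses.

```shell
#!/bin/sh
# Added example: audit the files this guide edits.
# Every path is an argument, so the audit can also run on copies.

fstab_root_dev() {      # device mounted at "/" (comment lines skipped)
    awk '$1 !~ /^#/ && $2 == "/" { print $1; exit }' "$1"
}
fstab_plain_swap() {    # swap entries that are not device-mapper targets
    awk '$1 !~ /^#/ && $3 == "swap" && $1 !~ /^\/dev\/mapper\// { print $1 }' "$1"
}
luks_root_dev() {       # device passed to "cryptsetup luksOpen" in local-top
    awk '$1 !~ /^#/ { for (i = 1; i < NF; i++) if ($i == "luksOpen") {
             print $(i + 1); exit } }' "$1"
}
menu_kopt_root() {      # root= from the commented kopt line update-grub reads
    sed -n 's/^# kopt=root=\([^ ]*\).*/\1/p' "$1" | head -n 1
}
crypttab_swap_field() { # $2 = field number of the cryptoswap line
    awk -v n="$2" '$1 == "cryptoswap" { print $n; exit }' "$1"
}
fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

# $1=fstab $2=crypttab $3=menu.lst $4=local-top script; returns 0 when clean.
audit_cryptoroot() {
    problems=0
    [ "$(fstab_root_dev "$1")" = /dev/mapper/cryptoroot ] ||
        fail "fstab root is not /dev/mapper/cryptoroot"
    [ -z "$(fstab_plain_swap "$1")" ] ||
        fail "unencrypted swap in fstab: $(fstab_plain_swap "$1")"
    [ "$(menu_kopt_root "$3")" = /dev/mapper/cryptoroot ] ||
        fail "menu.lst kopt does not point at the mapped root"
    [ "$(crypttab_swap_field "$2" 3)" = /dev/urandom ] ||
        fail "cryptoswap is not keyed from /dev/urandom"
    case ",$(crypttab_swap_field "$2" 4)," in
        *,swap,*) ;;
        *) fail "cryptoswap lacks the swap option" ;;
    esac
    # The swap option runs mkswap on its device at every boot, so the source
    # must never be the partition that holds the LUKS root.
    src=$(crypttab_swap_field "$2" 2)
    { [ -n "$src" ] && [ "$src" != "$(luks_root_dev "$4")" ]; } ||
        fail "cryptoswap source is missing or is the LUKS root: $src"
    [ "$problems" -eq 0 ]
}

# Live check: sh audit.sh /etc/fstab /etc/crypttab /boot/grub/menu.lst \
#     /etc/mkinitramfs/scripts/local-top/cryptoroot
if [ "$#" -eq 4 ]; then audit_cryptoroot "$@"; fi
```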