Luks

Can't add a LUKS key to encrypted swap

  • March 15, 2019

For some reason I can't add a key to my encrypted swap.

My /etc/crypttab:

swap_crypt /dev/disk/by-partuuid/c4f049d5-ae21-44d6-b753-6e72b7e21770 none luks,swap,discard,keyscript=decrypt_keyctl
root_crypt UUID=26f3c181-e041-47f2-929b-de631a2f1d3f none luks,discard,keyscript=decrypt_keyctl

So, to identify these disks:

# ls -l /dev/disk/by-partuuid/c4f049d5-ae21-44d6-b753-6e72b7e21770
lrwxrwxrwx 1 root root 15 Mar  5 22:34 /dev/disk/by-partuuid/c4f049d5-ae21-44d6-b753-6e72b7e21770 -> ../../nvme0n1p7
# blkid |grep 26f3c181-e041-47f2-929b-de631a2f1d3f
/dev/nvme0n1p8: UUID="26f3c181-e041-47f2-929b-de631a2f1d3f" TYPE="crypto_LUKS" PARTUUID="b178ae44-cf49-4dce-b7b5-293c9c0bb9c7"

So I know my swap is on /dev/nvme0n1p7 and my root is on /dev/nvme0n1p8.

Now, when I try to add a key for root:

# cryptsetup luksAddKey /dev/nvme0n1p8
Enter any existing passphrase:

But for swap, everything seems fine:

# cryptsetup luksAddKey /dev/nvme0n1p7

It just exits. More information:

# cryptsetup luksAddKey -v --debug /dev/nvme0n1p7
# cryptsetup 2.0.2 processing "cryptsetup luksAddKey -v --debug /dev/nvme0n1p7"
# Running command luksAddKey.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/nvme0n1p7.
# Trying to open and read device /dev/nvme0n1p7 with direct-io.
# Initialising device-mapper backend library.
# Trying to load any crypt type from device /dev/nvme0n1p7.
# Crypto backend (gcrypt 1.8.1) initialized in cryptsetup library version 2.0.2.
# Detected kernel Linux 5.0.0-050000-generic x86_64.
# Loading LUKS2 header.
# Opening lock resource file /run/cryptsetup/L_259:7
# Acquiring read lock for device /dev/nvme0n1p7.
# Verifying read lock handle for device /dev/nvme0n1p7.
# Device /dev/nvme0n1p7 READ lock taken.
# Trying to read primary LUKS2 header at offset 0.
# Opening locked device /dev/nvme0n1p7
# Veryfing locked device handle (bdev)
# Trying to read secondary LUKS2 header at offset 8192.
# Opening locked device /dev/nvme0n1p7
# Veryfing locked device handle (bdev)
# Trying to read secondary LUKS2 header at offset 16384.
# Opening locked device /dev/nvme0n1p7
# Veryfing locked device handle (bdev)
# Trying to read secondary LUKS2 header at offset 32768.
# Opening locked device /dev/nvme0n1p7
# Veryfing locked device handle (bdev)
# Trying to read secondary LUKS2 header at offset 65536.
# Opening locked device /dev/nvme0n1p7
# Veryfing locked device handle (bdev)
# Trying to read secondary LUKS2 header at offset 131072.
# Opening locked device /dev/nvme0n1p7
# Veryfing locked device handle (bdev)
# Trying to read secondary LUKS2 header at offset 262144.
# Opening locked device /dev/nvme0n1p7
# Veryfing locked device handle (bdev)
# Trying to read secondary LUKS2 header at offset 524288.
# Opening locked device /dev/nvme0n1p7
# Veryfing locked device handle (bdev)
# Trying to read secondary LUKS2 header at offset 1048576.
# Opening locked device /dev/nvme0n1p7
# Veryfing locked device handle (bdev)
# Trying to read secondary LUKS2 header at offset 2097152.
# Opening locked device /dev/nvme0n1p7
# Veryfing locked device handle (bdev)
# Trying to read secondary LUKS2 header at offset 4194304.
# Opening locked device /dev/nvme0n1p7
# Veryfing locked device handle (bdev)
# LUKS2 header read failed (-22).
# Device /dev/nvme0n1p7 READ lock released.
# Releasing crypt device /dev/nvme0n1p7 context.
# Releasing device-mapper backend.
# Unlocking memory.
Command failed with code -1 (wrong or missing parameters).

Any idea what the problem is?

So I ended up solving this myself. For anyone who runs into this: make sure that when you run cryptsetup status /dev/mapper/<device> the type is LUKS1 and not PLAIN. It seems the Ubuntu installer doesn't set this up correctly by default, so the standard LUKS commands don't work on the device. Since it was swap, I was able to recreate the encryption properly, and everything is fine now.

If an encrypted swap is not also intended to be used as a hibernation resume device, it is commonly initialized with a randomly generated key that is never stored persistently anywhere. This gives a very strong guarantee that, once the system has been properly shut down, any forensic attempt to analyze the contents of the swap area will be futile.

Since the only copy of such a non-persistent key lives in RAM and is actively zeroed as part of a normal shutdown once the encrypted device is closed, any attempt to recover the key from the RAM contents after a complete shutdown will be futile as well.

The fact that your crypttab includes the swap option suggests that this scheme may be in use: the swap option causes cryptsetup to run mkswap on /dev/mapper/swap_crypt after initializing the encryption, which is only needed if the existing content of the swap partition is unreadable garbage... i.e. encrypted with a different, non-persistent key.

When the systemd init system is used, the keyscript= option may be ignored and systemd's cryptsetup helper used instead, depending on the choices your Linux distribution has made. See man systemd-cryptsetup-generator and man systemd-cryptsetup@.service for details.
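The two answers above point at the same check: whether the mapping behind /dev/mapper/swap_crypt is a LUKS device with a header (so luksAddKey has somewhere to write a key slot) or a PLAIN dm-crypt mapping (random volatile key, no header). The following shell script is an added example, not code from the original post or from cryptsetup: it parses the type field from cryptsetup status output and classifies /etc/crypttab entries by key source. The status outputs embedded in it are constructed samples in the format cryptsetup prints, and the third crypttab line (cswap on /dev/sda3 with /dev/urandom) is a made-up entry illustrating the random-key swap scheme; nothing here touches a real block device, so it runs unprivileged.

```shell
#!/bin/sh
# Added example: decide from `cryptsetup status` output whether luksAddKey can
# work on a mapping, and spot random-key swap entries in a crypttab.

# Print the value of the "type:" field from cryptsetup status output on stdin
# (LUKS1, LUKS2, PLAIN, ...), or UNKNOWN if the field is absent.
status_type() {
    awk 'tolower($1) == "type:" { print $2; found = 1 }
         END { if (!found) print "UNKNOWN" }'
}

# Verdict on whether luksAddKey applies to the device behind a mapping,
# given that mapping's cryptsetup status output on stdin.
luks_add_key_verdict() {
    t=$(status_type)
    case "$t" in
        LUKS1|LUKS2)
            printf 'ok: %s header present, luksAddKey can add a key slot\n' "$t" ;;
        PLAIN)
            printf 'no: PLAIN mapping, no LUKS header on the device for luksAddKey to modify\n' ;;
        *)
            printf 'unknown: no type field found\n' ;;
    esac
}

# Classify one crypttab line by key source:
#   random  : key read from /dev/urandom or /dev/random (volatile, regenerated each boot)
#   prompt  : key "none" or "-" (passphrase, possibly via a keyscript)
#   keyfile : any other path
# Entries carrying the swap option (mkswap after open) get a "+swap" suffix.
crypttab_kind() {
    # shellcheck disable=SC2086  # word splitting of the crypttab line is intended
    set -- $1
    name=$1 key=$3 opts=$4
    case "$key" in
        /dev/urandom|/dev/random) kind=random ;;
        none|-)                   kind=prompt ;;
        *)                        kind=keyfile ;;
    esac
    case ",$opts," in
        *,swap,*) kind="$kind+swap" ;;
    esac
    printf '%s %s\n' "$name" "$kind"
}

# Classify every non-blank, non-comment line of a crypttab passed on stdin.
classify_crypttab() {
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        crypttab_kind "$line"
    done
}

# Constructed sample: status of a PLAIN mapping (random-key swap).
sample_status_plain() {
    cat <<'EOF'
/dev/mapper/swap_crypt is active and is in use.
  type:    PLAIN
  cipher:  aes-xts-plain64
  keysize: 256 bits
  device:  /dev/nvme0n1p7
  offset:  0 sectors
  mode:    read/write
EOF
}

# Constructed sample: status of a LUKS1 mapping.
sample_status_luks1() {
    cat <<'EOF'
/dev/mapper/root_crypt is active and is in use.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 512 bits
  device:  /dev/nvme0n1p8
  offset:  4096 sectors
  mode:    read/write
EOF
}

if [ "${1:-}" = "--demo" ]; then
    sample_status_plain | luks_add_key_verdict
    sample_status_luks1 | luks_add_key_verdict
    printf '%s\n' \
      'swap_crypt /dev/disk/by-partuuid/c4f049d5-ae21-44d6-b753-6e72b7e21770 none luks,swap,discard,keyscript=decrypt_keyctl' \
      'root_crypt UUID=26f3c181-e041-47f2-929b-de631a2f1d3f none luks,discard,keyscript=decrypt_keyctl' \
      'cswap /dev/sda3 /dev/urandom swap,cipher=aes-xts-plain64,size=256' | classify_crypttab
fi
```

Run it with --demo to see both verdicts and the classification of the three crypttab lines; on a real system, pipe `cryptsetup status swap_crypt` into luks_add_key_verdict instead of the constructed sample. A "prompt+swap" entry whose mapping reports PLAIN is exactly the situation in the question: the crypttab asks for LUKS, but the device as set up has no LUKS header, so luksAddKey finds nothing to modify.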

Source: https://unix.stackexchange.com/questions/504612