Rhel
RHEL:無密碼的 FDE - 從分區上的密鑰啟動
我正在嘗試在 RHEL 7.2 上使用 LVM 加密我的作業系統,並通過使用未加密分區上的密鑰啟動它而無需輸入密碼。
LV VG Attr LSize Pool Origin Data% Meta% Move Log Cpy%Sync Convert home rhel -wi-ao---- 22.35g root rhel -wi-ao---- 27.94g swap rhel -wi-ao---- 1.86g我創建了一個未加密的掛載點
/media,在其中使用以下命令生成了一個密鑰:dd bs=512 count=4 if=/dev/urandom of=/media/fdekey iflag=fullblock我用我的密碼添加了密鑰,如下所示:
cryptsetup luksAddKey /dev/mapper/rhel-root /media/fdekey cryptsetup luksAddKey /dev/mapper/rhel-home /media/fdekey cryptsetup luksAddKey /dev/mapper/rhel-swap /media/fdekey然後我編輯
/etc/crypttab以添加密鑰:luks-b7ac522a-52fd-4540-917d-3454dafdf7dc UUID=b7ac522a-52fd-4540-917d-3454dafdf7dc /media/fdekey luks luks-ad431e02-a49d-4ba3-bf9c-06e7a9f9a7f9 UUID=ad431e02-a49d-4ba3-bf9c-06e7a9f9a7f9 /media/fdekey luks luks-a3819933-91d5-434b-bb6c-42d273bb34c2 UUID=a3819933-91d5-434b-bb6c-42d273bb34c2 /media/fdekey luks修改的
/etc/dracut.conf# dracut modules to omit omit_dracutmodules+="systemd" # dracut modules to add to the default add_dracutmodules+="crypt lvm"修改
/etc/default/grub:rd.luks.key=/media/fdekey:LABEL=media生成的grub:
grub2-mkconfig -o /boot/grub2/grub.cfg生成的initramfs:
dracut -fv輸出
df -h:Filesystem Size Used Avail Use% Mounted on /dev/dm-3 28G 876M 28G 4% / devtmpfs 9.6G 0 9.6G 0% /dev tmpfs 9.6G 0 9.6G 0% /dev/shm tmpfs 9.6G 8.4M 9.6G 1% /run tmpfs 9.6G 0 9.6G 0% /sys/fs/cgroup /dev/sda2 4.5G 19M 4.2G 1% /media /dev/sda1 950M 133M 818M 14% /boot /dev/dm-5 23G 33M 23G 1% /home tmpfs 2.0G 0 2.0G 0% /run/user/0輸出
fdisk -l:Disk /dev/sda: 64.4 GB, 64424509440 bytes, 125829120 sectors Units = sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disk label type: dos Disk identifier: 0x000a0a6e Device Boot Start End Blocks Id System /dev/sda1 * 2048 1953791 975872 83 Linux /dev/sda2 1953792 11718655 4882432 83 Linux /dev/sda3 11718656 121114623 54697984 8e Linux LVM Disk /dev/mapper/rhel-root: 30.0 GB, 30001856512 bytes, 58597376 sectors Units = sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disk /dev/mapper/rhel-swap: 2000 MB, 2000683008 bytes, 3907584 sectors Units = sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disk /dev/mapper/luks-b7ac522a-52fd-4540-917d-3454dafdf7dc: 1998 MB, 1998585856 bytes, 3903488 sectors Units = sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disk /dev/mapper/luks-a3819933-91d5-434b-bb6c-42d273bb34c2: 30.0 GB, 29999759360 bytes, 58593280 sectors Units = sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disk /dev/mapper/rhel-home: 24.0 GB, 23999807488 bytes, 46874624 sectors Units = sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disk /dev/mapper/luks-ad431e02-a49d-4ba3-bf9c-06e7a9f9a7f9: 24.0 GB, 23997710336 bytes, 46870528 sectors Units = sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes我覺得我錯過了一些步驟。啟動後,我仍然被要求輸入密碼。
我需要將我的密鑰文件的路徑添加到
dracut.conf並重建 initramfs。echo 'install_items+="/media/key"' >> /etc/dracut.conf dracut -fv
看起來您在修改磁碟配置後忘記重新創建 initramfs。要在 RHEL 6/7 中重新創建它,只需以 root 身份執行
dracut --force