红帽全球峰会17.4. 使用 LUKS2 加密块设备上的现有数据
您可以使用 LUKS2 格式在尚未加密的设备上加密现有数据。新的 LUKS 标头保存在设备的标头中。
先决条件
- 块设备有一个文件系统。
已备份了数据。
警告由于硬件、内核或人为故障,您可能会在加密过程中丢失数据。在开始加密数据之前,请确保您有可靠的备份。
流程
卸载您要加密的设备上的所有文件系统,例如:
umount /dev/mapper/vg00-lv00
# umount /dev/mapper/vg00-lv00Copy to Clipboard Copied! Toggle word wrap Toggle overflow 为存储 LUKS 标头腾出空间。使用以下适合您场景的选项之一:
如果是加密逻辑卷,您可以扩展逻辑卷而无需调整文件系统的大小。例如:
lvextend -L+32M /dev/mapper/vg00-lv00
# lvextend -L+32M /dev/mapper/vg00-lv00Copy to Clipboard Copied! Toggle word wrap Toggle overflow -
使用分区管理工具(如
parted)扩展分区。 -
缩小该设备的文件系统。您可以对 ext2、ext3 或 ext4 文件系统使用
resize2fs工具。请注意,您无法缩小 XFS 文件系统。
初始化加密:
cryptsetup reencrypt --encrypt --init-only --reduce-device-size 32M /dev/mapper/vg00-lv00 lv00_encrypted
# cryptsetup reencrypt --encrypt --init-only --reduce-device-size 32M /dev/mapper/vg00-lv00 lv00_encrypted /dev/mapper/lv00_encrypted is now active and ready for online encryption.Copy to Clipboard Copied! Toggle word wrap Toggle overflow 挂载该设备:
mount /dev/mapper/lv00_encrypted /mnt/lv00_encrypted
# mount /dev/mapper/lv00_encrypted /mnt/lv00_encryptedCopy to Clipboard Copied! Toggle word wrap Toggle overflow 向
/etc/crypttab文件添加持久映射的一个条目:查找
luksUUID:cryptsetup luksUUID /dev/mapper/vg00-lv00
# cryptsetup luksUUID /dev/mapper/vg00-lv00 a52e2cc9-a5be-47b8-a95d-6bdf4f2d9325Copy to Clipboard Copied! Toggle word wrap Toggle overflow 在您选择的文本编辑器中打开
/etc/crypttab,并在此文件中添加设备:vi /etc/crypttab
$ vi /etc/crypttab lv00_encrypted UUID=a52e2cc9-a5be-47b8-a95d-6bdf4f2d9325 noneCopy to Clipboard Copied! Toggle word wrap Toggle overflow 将 a52e2cc9-a5be-47b8-a95d-6bdf4f2d9325 替换为您设备的
luksUUID。使用
dracut刷新 initramfs:dracut -f --regenerate-all
$ dracut -f --regenerate-allCopy to Clipboard Copied! Toggle word wrap Toggle overflow
-
如果
/etc/fstab文件中存在这个设备的条目,请确定使用文件系统 UUID,而不是设备名称。 恢复在线加密:
cryptsetup reencrypt --resume-only /dev/mapper/vg00-lv00
# cryptsetup reencrypt --resume-only /dev/mapper/vg00-lv00 Enter passphrase for /dev/mapper/vg00-lv00: Auto-detected active dm device 'lv00_encrypted' for data device /dev/mapper/vg00-lv00. Finished, time 00:31.130, 10272 MiB written, speed 330.0 MiB/sCopy to Clipboard Copied! Toggle word wrap Toggle overflow
验证
验证现有数据是否已加密:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow 查看加密的空白块设备的状态:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}