How to automatically unlock the encrypted disk on Linux

2025-02-28 Update From: SLTechnology News&Howtos (Development)


Shulou(Shulou.com)06/01 Report--

How do you unlock an encrypted disk on Linux automatically at boot? Many people who are new to disk encryption do not know how to approach this, so this article explains the problem and walks through one solution step by step.

With network-bound disk encryption (NBDE), an encrypted disk can be opened at boot without anyone typing a passphrase.

Encrypting data at rest matters because it keeps the data out of the hands of anyone who obtains the physical disk. Linux Unified Key Setup (LUKS) is the standard tool for this on Linux. One drawback of LUKS on its own is that a passphrase must be entered by hand every time the system is rebooted or the volume is re-opened. NBDE removes that step with two components: a Tang server, which holds a key pair and answers key-recovery requests over plain HTTP, and the Clevis client on the encrypted host, which binds a LUKS key slot to that Tang server and unlocks the volume automatically whenever the server is reachable.

Server installation

Install Tang with sudo:

sudo yum install tang -y

Enable and start the Tang socket unit:

sudo systemctl enable tangd.socket --now

tangd.socket listens on TCP port 80 by default, so that port must be opened in firewalld. Add the rule permanently and reload the firewall to apply it (note that the firewalld port syntax is port/protocol, not protocol/port):

sudo firewall-cmd --add-port=80/tcp --permanent

sudo firewall-cmd --reload

The server is now installed. Record the server's signing-key thumbprint now with tang-show-keys (run on the server itself); the client will ask you to confirm this value later, and comparing it against a copy obtained out of band is the only protection against a rogue Tang server on the network.

Client installation

Complete the following steps to set up the client. In this example, assume that a new 1 GB disk called /dev/vdc has been added to the system.

Create a primary partition using fdisk or parted. With fdisk, the session looks like this:

sudo fdisk /dev/vdc

Welcome to fdisk (util-linux 2.23.2).

Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table
Building a new DOS disklabel with disk identifier 0x4a6812d4.

Command (m for help):

Enter n to create a new partition:

Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p):

Press Enter to select a primary partition:

Using default response p
Partition number (1-4, default 1):

Press Enter to accept the default partition number:

First sector (2048-2097151, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-2097151, default 2097151):

Press Enter to accept the default first and last sectors:

Using default value 2097151
Partition 1 of type Linux and of size 1023 MiB is set

Enter w to write the partition table to disk and exit fdisk:

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

Run partprobe so the kernel picks up the changed partition table:

sudo partprobe

Install the cryptsetup package using sudo:

sudo yum install cryptsetup -y

Use cryptsetup luksFormat to encrypt the partition. This destroys whatever is on the partition, so when prompted you must type YES in uppercase and then choose a passphrase. Keep this passphrase safe: it remains valid as a fallback even after the Tang binding is added.

sudo cryptsetup luksFormat /dev/vdc1

WARNING!
========
This will overwrite data on /dev/vdc1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/vdc1:
Verify passphrase:

Use cryptsetup luksOpen to map the encrypted partition to a device-mapper device. This example uses the name encryptedvdc1. You will be asked for the passphrase again:

sudo cryptsetup luksOpen /dev/vdc1 encryptedvdc1

Enter passphrase for /dev/vdc1:

The decrypted view of the partition is now available as /dev/mapper/encryptedvdc1.

Create an XFS file system on the mapped device:

sudo mkfs.xfs /dev/mapper/encryptedvdc1

Create the directory the encrypted volume will be mounted on:

sudo mkdir /encrypted

Use cryptsetup luksClose to lock the volume again (the next open will be done by Clevis):

sudo cryptsetup luksClose encryptedvdc1

Install the Clevis packages using sudo (clevis-luks provides the LUKS binding tools, clevis-dracut adds unlock support to the initramfs for root volumes):

sudo yum install clevis clevis-luks clevis-dracut -y

Edit /etc/crypttab so the encrypted volume is opened at startup:

sudo vim /etc/crypttab

Add the following line (fields: mapped name, underlying device, key file, options). The key file is none because Clevis, not a file, supplies the key; _netdev marks the volume as depending on the network so that the unlock is attempted only after the network is up and the Tang server can be reached:

encryptedvdc1 /dev/vdc1 none _netdev

Edit /etc/fstab so the volume is mounted automatically on boot:

sudo vim /etc/fstab

Add the following line (_netdev again defers the mount until the network is available; the trailing 1 2 are the dump and fsck-order fields):

/dev/mapper/encryptedvdc1 /encrypted xfs _netdev 1 2

In this example, assume that the IP address of the Tang server is 192.168.1.20. A hostname or domain name works as well, as long as it resolves early in boot.

Bind the LUKS volume to the Tang server with clevis luks bind:

sudo clevis luks bind -d /dev/vdc1 tang '{"url": "http://192.168.1.20"}'

The advertisement contains the following signing keys:

RwA2BAITfYLuyNiIeYUMBzkhk7M

Do you wish to trust these keys? [ynYN] Y

Enter existing LUKS password:

Before answering Y, compare the thumbprint shown with the output of tang-show-keys on the server. If they match, enter Y and then the existing LUKS passphrase; Clevis uses it to add a new key slot holding the Tang-wrapped key and leaves the passphrase slot in place. The thumbprint is the RFC 7638 thumbprint of the server's signing JWK; the 27-character value shown here is the base64url form of a 20-byte SHA-1 digest, which older jose/clevis builds printed, while newer builds print SHA-256 thumbprints of 43 characters.
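The following added example (written for this page; it is not code from the original article nor from the Clevis or Tang projects) reproduces the thumbprint computation so the value Clevis prints can be checked against an allow-list obtained out of band. It parses a Tang advertisement of the shape served at http://<tang>/adv (a JWS whose payload is a JWK set, with the signing keys marked "key_ops": ["verify"]), computes the RFC 7638 thumbprint of each signing key with both SHA-1 and SHA-256, and refuses the advertisement unless every signing key is on the allow-list. The advertisement embedded below is constructed for offline use: its coordinates are dummies and the JWS signature is empty and not verified (Clevis verifies the signature itself; this script only answers the "do you trust these keys?" question).

```python
"""Check a Tang advertisement's signing-key thumbprints against an allow-list.

Added example, not from the original article or the Clevis/Tang projects.
The allow-list is meant to be filled from `tang-show-keys` run on the server
console, i.e. obtained over a channel other than the network being trusted.
"""
import base64
import hashlib
import json

# RFC 7638 section 3.2: only these members enter the canonical representation.
_REQUIRED = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
}


def b64url_encode(raw: bytes) -> str:
    """base64url without padding, as used in JOSE."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_jwk(jwk: dict) -> str:
    """Canonical JSON of the required members: sorted keys, no whitespace."""
    subset = {m: jwk[m] for m in _REQUIRED[jwk["kty"]]}
    return json.dumps(subset, sort_keys=True, separators=(",", ":"))


def thumbprint(jwk: dict, hash_name: str = "sha256") -> str:
    """RFC 7638 JWK thumbprint: hash of the canonical JSON, base64url-encoded."""
    digest = hashlib.new(hash_name, canonical_jwk(jwk).encode("utf-8")).digest()
    return b64url_encode(digest)


def signing_keys(adv_json: str) -> list:
    """Return the JWKs in a Tang advertisement whose key_ops include 'verify'."""
    adv = json.loads(adv_json)
    payload = json.loads(b64url_decode(adv["payload"]))
    return [k for k in payload["keys"] if "verify" in k.get("key_ops", [])]


def trusted(adv_json: str, allow: set) -> bool:
    """True only if there is at least one signing key and every signing key's
    thumbprint (SHA-1 or SHA-256, since Clevis versions differ) is allowed."""
    keys = signing_keys(adv_json)
    if not keys:
        return False
    return all(thumbprint(k, "sha1") in allow or thumbprint(k, "sha256") in allow
               for k in keys)


# Constructed sample advertisement: dummy coordinates, unsigned.
SAMPLE_SIGN_KEY = {"alg": "ES512", "kty": "EC", "crv": "P-521",
                   "x": "AQ", "y": "Ag", "key_ops": ["verify"]}
SAMPLE_EXCH_KEY = {"alg": "ECMR", "kty": "EC", "crv": "P-521",
                   "x": "Aw", "y": "BA", "key_ops": ["deriveKey"]}
SAMPLE_ADV = json.dumps({
    "payload": b64url_encode(
        json.dumps({"keys": [SAMPLE_SIGN_KEY, SAMPLE_EXCH_KEY]}).encode("utf-8")),
    "protected": b64url_encode(b'{"alg":"ES512","cty":"jwk-set+json"}'),
    "signature": "",
})

if __name__ == "__main__":
    # In practice: adv_json = urllib.request.urlopen("http://192.168.1.20/adv").read()
    for key in signing_keys(SAMPLE_ADV):
        print("sha1  :", thumbprint(key, "sha1"))
        print("sha256:", thumbprint(key))
    print("trusted:", trusted(SAMPLE_ADV, {thumbprint(SAMPLE_SIGN_KEY)}))
```

Only the four EC members feed the thumbprint, so extra members such as alg or key_ops do not change it; that is why the value printed by Clevis can be matched against tang-show-keys even though the two tools see slightly different JSON. A real check would fetch /adv over the network and load the allow-list from a file copied from the server console.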

Enable clevis-luks-askpass.path with systemctl. This unit watches for the systemd password prompts raised for non-root volumes listed in /etc/crypttab and lets Clevis answer them, so the volume is unlocked without anyone being asked for a passphrase:

sudo systemctl enable clevis-luks-askpass.path

(This path unit only covers volumes opened after the root file system is up. If you bind the root volume instead, the unlock has to happen from the initramfs, which is what clevis-dracut is for; in that case regenerate the initramfs with sudo dracut -f after binding.)

The client is now set up. Before rebooting, confirm the binding with sudo clevis luks list -d /dev/vdc1, which shows the key slot and the Tang URL, and test an unlock with sudo clevis luks unlock -d /dev/vdc1 -n encryptedvdc1 followed by sudo cryptsetup luksClose encryptedvdc1. From now on, every time the server restarts, the encrypted disk is decrypted with the key recovered from the Tang server and mounted automatically.

If the Tang server is unreachable for any reason, the boot waits for the network and then falls back to asking for the LUKS passphrase, which is why the passphrase slot must be kept. Be clear about what NBDE protects against: Tang performs no authentication, so anyone holding the disk who can reach the Tang server can unlock it. The protection is against the disk (or the whole machine) leaving the network where Tang lives, so keep the Tang server on a segment that is not reachable from outside that environment, and remember that it does nothing against an attacker who already has access to the running host.


© 2024 shulou.com SLNews company. All rights reserved.
