Dm-crypt/zh-cn

dm-crypt is a disk encryption system that uses the kernel's Cryptographic API framework and the device mapper subsystem. With dm-crypt, administrators can encrypt entire disks, logical volumes, partitions and even individual files.

The dm-crypt subsystem supports the Linux Unified Key Setup (LUKS) structure, which allows multiple keys to access the encrypted data and allows those keys to be manipulated (changing keys, adding additional passphrases, and so on). Although dm-crypt also supports non-LUKS setups, this article focuses on the LUKS functionality, mainly because of its flexibility, manageability and wide support in the community.

Configuration
Before dm-crypt can be used, there are two prerequisites:

 * 1) Configure the Linux kernel
 * 2) Install the cryptsetup package

Kernel configuration
To use dm-crypt, a few kernel configuration entries are required.

First, support for the device mapper infrastructure as well as the 'crypt target' must be included:

Next, the Linux kernel needs to support the set of cryptographic APIs that the administrator wants to use for the encryption. These can be found in the Cryptographic API section:

If the root file system is to be encrypted as well, an initial ram file system needs to be created in which the root file system is decrypted before it is mounted. Hence, initramfs support is needed as well:

If the tcrypt encryption option (TrueCrypt/tcplay/VeraCrypt compatibility mode) is used, the following items need to be added to the kernel as well. Otherwise cryptsetup returns the errors "device-mapper: reload ioctl failed: Invalid argument" and "Kernel doesn't support TCRYPT compatible mapping".
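As an added example (not part of the wiki page or of cryptsetup itself), the following POSIX shell script checks a kernel configuration file for the options dm-crypt with LUKS depends on before any formatting is attempted. The option names in `REQUIRED_KCONFIG` are the standard Kconfig symbols for the device mapper, the crypt target, the AES/XTS/SHA-256 primitives and initramfs support; which cipher and hash symbols matter for a particular installation is an assumption that should be adjusted to the cipher chosen at format time. The `.config` fragment written by `write_sample_config` is constructed for the dry run.

```shell
#!/bin/sh
# Added example (not from the wiki): verify a kernel .config contains the
# options dm-crypt/LUKS needs. The symbol list is an assumption: it covers
# device mapper, the crypt target, aes-xts with sha256, and initramfs support.
REQUIRED_KCONFIG="CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT CONFIG_CRYPTO_AES CONFIG_CRYPTO_XTS CONFIG_CRYPTO_SHA256 CONFIG_BLK_DEV_INITRD"

# check_kconfig FILE: print every required option that is neither =y nor =m.
# Returns 0 when everything is present, 1 otherwise.
check_kconfig() {
    cfg=$1
    missing=0
    for opt in $REQUIRED_KCONFIG; do
        # built-in (=y) or module (=m) both count; "# CONFIG_X is not set"
        # and an absent line both count as missing
        if ! grep -Eq "^${opt}=(y|m)$" "$cfg"; then
            echo "missing: $opt"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# write_sample_config FILE: constructed .config fragment used for the dry run
# (XTS disabled, initramfs support absent entirely)
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=m
CONFIG_CRYPTO_AES=y
# CONFIG_CRYPTO_XTS is not set
CONFIG_CRYPTO_SHA256=y
EOF
}

# Usage on a real system: pass the kernel's .config, e.g. /usr/src/linux/.config,
# or the running kernel's copy: zcat /proc/config.gz > /tmp/config (needs
# CONFIG_IKCONFIG_PROC). Without an argument the constructed sample is checked.
if [ -n "$1" ]; then
    check_kconfig "$1"
else
    tmp=$(mktemp)
    write_sample_config "$tmp"
    check_kconfig "$tmp" || :   # sample reports CONFIG_CRYPTO_XTS and CONFIG_BLK_DEV_INITRD
    rm -f "$tmp"
fi
```

Running it against `/proc/config.gz` is the more reliable check when the kernel actually booted differs from the source tree in `/usr/src/linux`.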

Installing Cryptsetup
The cryptsetup package provides the cryptsetup command, which is used to open or close encrypted storage and to manage the passphrases or keys associated with it.

Keyfile or passphrase
To start with encrypted storage, the administrator needs to decide which method to use as the encryption key. Both passphrases and keyfiles are supported. A keyfile can be any file, but a file of random data with appropriate protection is recommended (considering that access to this keyfile implies access to the encrypted data).

To create a keyfile, the  command can be used:

In the following sections, the commands are shown for both cases: passphrase and keyfile. Of course, only one of the two methods is needed.
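The following shell functions are an added example, not the wiki's own command, of creating a keyfile the way the previous section recommends: random content, created with owner-only permissions from the start rather than chmod'ed afterwards, and checked before it is handed to cryptsetup. The 4096-byte size and the use of `dd` on `/dev/urandom` are assumptions for this example; any Linux system with POSIX tools should run it.

```shell
#!/bin/sh
# Added example (not from the wiki): create a random keyfile with restrictive
# permissions and verify it before using it as LUKS key material.
# Assumptions: /dev/urandom is available; 4096 bytes is an arbitrary size
# chosen for the example (cryptsetup reads the whole file unless told otherwise).
KEYFILE_BYTES=4096

# make_keyfile PATH: refuse to overwrite an existing file, create it under
# umask 077 so it is never group/world readable even briefly, fill it with
# random bytes, then drop to read-only for the owner.
make_keyfile() {
    path=$1
    if [ -e "$path" ]; then
        echo "refusing to overwrite existing keyfile: $path" >&2
        return 1
    fi
    # subshell keeps the umask change from leaking into the caller
    (
        umask 077
        dd if=/dev/urandom of="$path" bs="$KEYFILE_BYTES" count=1 2>/dev/null
    ) || return 1
    chmod 0400 "$path"
}

# keyfile_ok PATH: checks worth running before luksFormat or luksAddKey:
# regular file, exactly the expected size, no group/other permission bits.
keyfile_ok() {
    path=$1
    [ -f "$path" ] || { echo "not a regular file: $path" >&2; return 1; }
    size=$(wc -c < "$path" | tr -d ' ')
    [ "$size" -eq "$KEYFILE_BYTES" ] || { echo "unexpected size $size" >&2; return 1; }
    # first ten characters of ls -l are the mode string; ACL/SELinux markers
    # in column 11 are deliberately ignored
    mode=$(ls -l "$path" | cut -c1-10)
    [ "$mode" = "-r--------" ] || { echo "bad permissions: $mode" >&2; return 1; }
    return 0
}

# Usage (path is a placeholder; keep the keyfile on storage that is itself
# protected, since whoever reads it can decrypt the volume):
#   make_keyfile /root/example.key && keyfile_ok /root/example.key
```

The size check matters because a short read from the random device would silently weaken the key; the permission check catches the common mistake of generating the file first and restricting it later.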

Creating the encrypted storage platform
To create the encrypted storage platform (which can be a disk, partition, file, ...), use the cryptsetup command with the  action.

For instance, to use  as the storage medium for the encrypted data:

To use a keyfile instead of a passphrase:

This option tells cryptsetup the key length of the real encryption key (as opposed to the passphrase or keyfile, which only give access to that real encryption key).

Opening the encrypted storage
To open the encrypted storage (i.e. make the real data accessible through transparent decryption), use the  action:

If a keyfile is used, then the command would look like so:

When the command finishes successfully, then a new device file called will be made available.

If this is the first time this encrypted device is used, it needs to be formatted. The following example uses the Btrfs file system but of course any other file system will do:

Once the file system is formatted, or the formatting was already done in the past, then the device file can be mounted on the system:

Closing the encrypted storage
In order to close the encrypted storage (i.e. ensure that the real data is no longer accessible through transparent decryption), use the  action:

Of course, make sure that the device is no longer in use.

Manipulating LUKS keys
LUKS keys are used to access the real encryption key. They are stored in slots in the header of the (encrypted) partition, disk or file.

Listing the slots
With the  action, information about the encrypted partition, disk or file can be shown. This includes the slots:

In the above example, two slots are used. Note that  does not give away anything sensitive - it merely displays the LUKS header content. No decryption key has to be provided in order to call it.

Adding a keyfile or passphrase
In order to add an additional keyfile or passphrase to access the encrypted storage, use the  action:

To use a keyfile to unlock the key (but still add in a passphrase):

If a keyfile is to be added (say ):

Or, to use the first keyfile to unlock the main key:

Removing a keyfile or passphrase
With the  action, a keyfile or passphrase can be removed (so they can no longer be used to decrypt the storage):

Or to remove a keyfile:

Make sure that at least one method for accessing the data remains available. Once a passphrase or keyfile has been removed, it cannot be recovered.

Emptying a slot
If the passphrase or keyfile is no longer known, the slot can still be freed. This does, of course, require knowing beforehand which slot the passphrase or keyfile was stored in.

For instance, to empty out slot 2 (which is the third slot as slots are numbered starting from 0):

This command will ask for a valid passphrase before continuing. Alternatively, one can pass the keyfile to use:
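The "at least one method must remain" warning above is easy to violate by hand, so here is an added example (not from the wiki or cryptsetup) of a guard script that counts the populated slots in `cryptsetup luksDump` output and refuses to proceed with a removal or slot kill when fewer than two remain. `luksDump` only prints header metadata, so the check needs no key. Both dump samples in the script are constructed and trimmed to the relevant lines; the parsing assumes the LUKS1 format (`Key Slot N: ENABLED`) and the LUKS2 format (`  N: luks2` under `Keyslots:`), and `DEVICE`/`SLOT` in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the wiki): refuse to remove the last usable LUKS
# key slot. Parses "cryptsetup luksDump" output, which contains no key
# material. Both samples below are constructed for this example.
SAMPLE_LUKS1_DUMP='LUKS header information for /dev/mapper/example (constructed)

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Key Slot 0: ENABLED
        Iterations:             1000000
Key Slot 1: ENABLED
        Iterations:             1000000
Key Slot 2: DISABLED
Key Slot 3: DISABLED'

SAMPLE_LUKS2_DUMP='LUKS header information (constructed)
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  3: luks2
        Key:        512 bits
Tokens:
Digests:
  0: pbkdf2'

# enabled_slots: read a luksDump on stdin, print one populated slot number per
# line. LUKS1 marks slots "Key Slot N: ENABLED"; LUKS2 lists "  N: luks2".
# The Digests/Tokens sections of LUKS2 use other type names and are skipped.
enabled_slots() {
    sed -n \
        -e 's/^Key Slot \([0-9]\{1,\}\): ENABLED$/\1/p' \
        -e 's/^  \([0-9]\{1,\}\): luks2$/\1/p'
}

# count_enabled: number of populated slots in a luksDump read from stdin
# (always prints a number, including 0, and succeeds)
count_enabled() {
    enabled_slots | grep -c .
    return 0
}

# safe_to_remove DUMP_TEXT: succeed only when at least two slots are in use,
# so that removing one (luksRemoveKey / luksKillSlot) still leaves a way in.
safe_to_remove() {
    n=$(printf '%s\n' "$1" | count_enabled)
    if [ "$n" -lt 2 ]; then
        echo "only $n key slot(s) enabled; refusing to remove the last one" >&2
        return 1
    fi
    return 0
}

# Usage on a real device (needs root; DEVICE and SLOT are placeholders):
#   dump=$(cryptsetup luksDump "$DEVICE")
#   safe_to_remove "$dump" && cryptsetup luksKillSlot "$DEVICE" "$SLOT"
```

The guard is deliberately conservative: it does not verify that the remaining slot's passphrase or keyfile is actually still known, so a test unlock of the other slot before removal is still worthwhile.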

Automate mounting encrypted file systems
Until now, the article focused on manual setup and mounting/unmounting of encrypted file systems. An init service exists which automates the decrypting and mounting of encrypted file systems.

Configuring dm-crypt
Edit the file and add in entries for each file system. The supported entries are well documented in the file, the below example is just that - an example:

Configuring fstab
The next step is to configure to automatically mount the (decrypted) file systems when they become available. It is recommended to first obtain the UUID of the decrypted (mounted) file system:

Then, update the file accordingly:

Add initscript to bootlevel
Don't forget to have the init service launched at boot:

Mounting TrueCrypt/tcplay/VeraCrypt volumes
Replace container-to-mount with the device file under or the path to the file you wish to open. Upon successful opening, the plaintext device will appear as, which you can  like any normal device.

If you are using key files, supply them using the  option. To open a hidden volume, supply the  option, and for a partition or whole drive that is encrypted in system mode, use the  option.

When done,  the volume, and close the container using the following command:

Additional resources

 * Dm-crypt full disk encryption on the Gentoo Wiki provides supplementary information on using encrypted file systems for Gentoo Linux installations
 * The cryptsetup FAQ hosted on GitLab covers a wide range of frequently asked questions.