Using this guide I encrypted a volume, and I can open and mount it manually.
The problem shows up after a reboot. At startup the system does not open the encrypted volume, and the decrypted alias is not available in /dev/mapper.
I can still create the alias manually with:
[root@dhcp100051 ~]# cryptsetup luksOpen /dev/VolGroup/db00 db_fips
Enter passphrase for /dev/VolGroup/db00: [entered]
[root@dhcp100051 ~]# ll /dev/mapper/db_fips
lrwxrwxrwx. 1 root root 7 Jun 2 13:55 /dev/mapper/db_fips -> ../dm-7
[root@dhcp100051 ~]# mkfs -t ext4 /dev/mapper/db_fips
[root@dhcp100051 ~]# mount /dev/mapper/db_fips /db/
[root@dhcp100051 ~]#
Now I can use my encrypted volume, but when I issue reboot, everything disappears (including the data I wrote to /db/ after running mkfs on the filesystem). I have to recreate everything manually... until it is lost again on the next reboot.
Note that this is a different problem from simply being prompted for the crypt passphrase at boot.
What step am I missing so that the volume is available after the system reboots?
Here is the full chain of commands I used on my virtual machine:
[root@dhcp100051 ~]# mkdir /www/db-backup
------------------------------------------------------------------
[root@dhcp100051 ~]# mv /db/* /www/db-backup
------------------------------------------------------------------
[root@dhcp100051 ~]# umount /db/
------------------------------------------------------------------
[root@dhcp100051 ~]# shred -v -n1 /dev/VolGroup/db00
------------------------------------------------------------------
shred: /dev/VolGroup/db00: pass 1/1 (random)...
shred: /dev/VolGroup/db00: pass 1/1 (random)...364MiB/2.0GiB 17%
shred: /dev/VolGroup/db00: pass 1/1 (random)...365MiB/2.0GiB 17%
shred: /dev/VolGroup/db00: pass 1/1 (random)...739MiB/2.0GiB 36%
shred: /dev/VolGroup/db00: pass 1/1 (random)...740MiB/2.0GiB 36%
shred: /dev/VolGroup/db00: pass 1/1 (random)...1.0GiB/2.0GiB 53%
shred: /dev/VolGroup/db00: pass 1/1 (random)...1.1GiB/2.0GiB 55%
shred: /dev/VolGroup/db00: pass 1/1 (random)...1.4GiB/2.0GiB 72%
shred: /dev/VolGroup/db00: pass 1/1 (random)...1.5GiB/2.0GiB 75%
shred: /dev/VolGroup/db00: pass 1/1 (random)...1.8GiB/2.0GiB 93%
shred: /dev/VolGroup/db00: pass 1/1 (random)...1.9GiB/2.0GiB 95%
shred: /dev/VolGroup/db00: pass 1/1 (random)...2.0GiB/2.0GiB 100%
------------------------------------------------------------------
[root@dhcp100051 ~]# cryptsetup -v --verify-passphrase luksFormat /dev/VolGroup/db00
Running in FIPS mode.
WARNING!
========
This will overwrite data on /dev/VolGroup/db00 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
[root@dhcp100051 ~]#
------------------------------------------------------------------
[root@dhcp100051 ~]# cryptsetup luksOpen /dev/VolGroup/db00 db_fips
Enter passphrase for /dev/VolGroup/db00:
[root@dhcp100051 ~]# ll /dev/mapper/db_fips
lrwxrwxrwx. 1 root root 7 Jun 2 13:55 /dev/mapper/db_fips -> ../dm-7
[root@dhcp100051 ~]#
------------------------------------------------------------------
[root@dhcp100051 ~]# mkfs -t ext4 /dev/mapper/db_fips
mke2fs 1.41.12 (17-May-2010)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
131072 inodes, 523776 blocks
26188 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=536870912
16 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912
Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 37 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
[root@dhcp100051 ~]#
------------------------------------------------------------------
[root@dhcp100051 ~]# mount /dev/mapper/db_fips /db/
[root@dhcp100051 ~]#
------------------------------------------------------------------
[root@dhcp100051 ~]# blkid
/dev/sda1: UUID="37e5d6db-4265-4d0d-a10e-951f1bc4beb0" TYPE="ext4"
/dev/sda2: UUID="f0079d24-daa2-472a-a557-384889dceb17" TYPE="swap"
/dev/sda3: UUID="K16Dlj-6QR2-LemJ-iBnJ-z4fa-khuP-jv2BoA" TYPE="LVM2_member"
/dev/mapper/VolGroup-LogVol01: UUID="425e6610-383b-4bb6-a3a3-1a68279a3460" TYPE="ext4"
/dev/mapper/VolGroup-LogVol05: UUID="fb04b576-fc59-409f-9049-c87b1c9c9437" TYPE="ext4"
/dev/mapper/VolGroup-LogVol04: UUID="2f88d451-03ac-4fe4-a21f-5ae2d786882b" TYPE="ext4"
/dev/mapper/VolGroup-LogVol06: UUID="6aaccab0-7e4d-423b-89d4-ef54a36bf520" TYPE="ext4"
/dev/mapper/VolGroup-LogVol03: UUID="6814ecfc-b28e-4f50-823e-7ba7d5380d90" TYPE="ext4"
/dev/mapper/VolGroup-LogVol02: UUID="b40668b5-cc3a-450c-973b-c2b09885c7b7" TYPE="ext4"
/dev/mapper/VolGroup-db00: UUID="a5320f38-2db4-4e71-8deb-c0169266c9fb" TYPE="crypto_LUKS"
[root@dhcp100051 ~]#
------------------------------------------------------------------
[root@dhcp100051 ~]# dd if=/dev/urandom of=/root/keyfile bs=1024 count=4
4+0 records in
4+0 records out
4096 bytes (4.1 kB) copied, 0.0025613 s, 1.6 MB/s
[root@dhcp100051 ~]# chmod 0400 /root/keyfile
[root@dhcp100051 ~]#
------------------------------------------------------------------
[root@dhcp100051 ~]# cryptsetup luksAddKey /dev/VolGroup/db00 /root/keyfile
Enter any passphrase:
[root@dhcp100051 ~]#
------------------------------------------------------------------
[root@dhcp100051 ~]# cryptsetup luksOpen /dev/VolGroup/db00 db_fips --key-file=/root/keyfile
[root@dhcp100051 ~]#
------------------------------------------------------------------
[root@dhcp100051 ~]# vi /etc/crypttab
## INSERT
db_fips UUID=”a5320f38-2db4-4e71-8deb-c0169266c9fb″ /root/keyfile
## SAVE AND CLOSE
[root@dhcp100051 ~]# date >> /db/date.txt
[root@dhcp100051 ~]# shutdown -r now
------------------------------------------------------------------
[REBOOTED]
[root@dhcp100051 ~]# ll /dev/mapper/db_fips
[root@dhcp100051 ~]#
ls: cannot access /dev/mapper/db_fips: No such file or directory
[root@dhcp100051 ~]# ll /db
total 0
[root@dhcp100051 ~]#
Answer 1
Depending on your distribution, you will have to configure a file, /etc/crypttab, to define which volumes get unlocked at boot time.
You may also have to regenerate your initial ramdisk image. This file has to be available before any filesystem is mounted.
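The answer points at /etc/crypttab; as an added example that is not part of the question or the answer, here is a small POSIX sh checker for the kind of entry the asker wrote: it requires a bare UUID (the quoted UUID in the question would be rejected), checks that the key file is not readable by other users, and checks for a matching /etc/fstab line, which the command chain in the question never adds. The sample crypttab and fstab lines are constructed for the example; the key-file permission check only runs when the file exists on the host.

```sh
#!/bin/sh
# Added example (not the asker's or answerer's): pre-reboot checks for
# /etc/crypttab entries "<name> <device> [<keyfile> [<options>]]".
UUID_RE='^[0-9a-fA-F]\{8\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{12\}$'

# check_crypttab_line LINE: prints one problem per line, returns 0 only if clean.
check_crypttab_line() {
    set -f; set -- $1; set +f        # split on whitespace without glob expansion
    name=$1; dev=$2; key=${3:-none}; rc=0
    [ -n "$name" ] && [ -n "$dev" ] || { echo "entry needs a name and a device"; return 1; }
    case $name in
        *[!A-Za-z0-9_-]*) echo "bad mapping name '$name'"; rc=1 ;;
    esac
    case $dev in
        UUID=*)
            # crypttab wants a bare UUID; quotes (including the curly ” ″ that
            # editors or web pages substitute) make the device unresolvable.
            printf '%s\n' "${dev#UUID=}" | grep -q "$UUID_RE" \
                || { echo "device '$dev' is not a bare UUID (stray quotes?)"; rc=1; } ;;
        /dev/*) ;;
        *) echo "device '$dev' is neither /dev/... nor UUID=..."; rc=1 ;;
    esac
    if [ "$key" != none ] && [ "$key" != - ]; then
        case $key in /*) ;; *) echo "key file '$key' must be an absolute path"; rc=1 ;; esac
        # Anyone who can read the key file can unlock the volume (checked only if present).
        if [ -f "$key" ] && [ -n "$(find "$key" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
            echo "key file '$key' is readable by group/others (chmod 0400 it)"; rc=1
        fi
    fi
    return $rc
}

# has_fstab_entry NAME FSTAB_TEXT: crypttab only creates /dev/mapper/NAME;
# without an fstab line the filesystem is never mounted after boot.
has_fstab_entry() {
    printf '%s\n' "$2" | grep -v '^[[:space:]]*#' | grep -q "^[[:space:]]*/dev/mapper/$1[[:space:]]"
}

# Constructed sample input mirroring the question (not the asker's real files).
BAD_LINE='db_fips UUID=”a5320f38-2db4-4e71-8deb-c0169266c9fb″ /root/keyfile'
GOOD_LINE='db_fips UUID=a5320f38-2db4-4e71-8deb-c0169266c9fb /root/keyfile'
SAMPLE_FSTAB='/dev/mapper/db_fips /db ext4 defaults 1 2'
check_crypttab_line "$BAD_LINE" || echo "-> fix the crypttab entry before rebooting"
check_crypttab_line "$GOOD_LINE" && has_fstab_entry db_fips "$SAMPLE_FSTAB" && echo "db_fips: crypttab and fstab look consistent"
```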