1. Set a password for the root user
[root@localhost ~]# passwd -- set the password for the current user
Changing password for user root.
New password:
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost ~]#
2. Cracking the root user's password
3. Set a GRUB password so that users cannot enter single-user mode
[root@localhost ~]# grub-md5-crypt
Password: -- enter the password
Retype password: -- confirm the password
$1$Bvp0X1$lzZrrThfQuLECYdk4wtAk1 -- this is the password hash; copy it
[root@localhost ~]# vim /boot/grub/grub.conf
default=1
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
password --md5 $1$Bvp0X1$lzZrrThfQuLECYdk4wtAk1 -- add this line
root (hd0,0)
kernel /vmlinuz-2.6.32-358.el6.i686 ro root=/dev/mapper/VolGroup-lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD rd_LVM_LV=VolGroup/lv_swap SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=VolGroup/lv_root KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
initrd /initramfs-2.6.32-358.el6.i686.img
[root@localhost ~]# reboot
After the system reboots, the GRUB menu can no longer be edited.
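The following check is an added example, not part of the original post: it audits a GRUB legacy grub.conf for the password line set up in step 3. The function name audit_grub_conf and the GRUB_FAILS variable are assumptions; --encrypted is accepted alongside --md5 because grub-crypt on RHEL/CentOS 6 produces hashes for that form.

```shell
#!/usr/bin/env bash
# Added example: audit a GRUB legacy grub.conf for the menu password.
# Usage: audit_grub_conf [path]; the failure count is left in GRUB_FAILS.
audit_grub_conf() {
    local conf="${1:-/boot/grub/grub.conf}"
    local word arg rest mode seen_title=0 global_pw=0
    GRUB_FAILS=0
    while read -r word arg rest || [ -n "$word" ]; do
        case "$word" in
            title) seen_title=1 ;;
            password)
                # A password line above the first title protects the menu editor
                # and command line; one below a title covers that entry only.
                if [ "$seen_title" -eq 0 ]; then global_pw=1; fi
                case "$arg" in
                    --md5|--encrypted) ;;   # hashed forms
                    *) echo "FAIL: password is stored in plain text"
                       GRUB_FAILS=$((GRUB_FAILS + 1)) ;;
                esac ;;
        esac
    done < "$conf"
    if [ "$global_pw" -eq 0 ]; then
        echo "FAIL: no password line before the first title"
        GRUB_FAILS=$((GRUB_FAILS + 1))
    fi
    # Anyone who can read the file can run offline guesses against the hash.
    mode=$(stat -c '%a' "$conf")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: $conf has mode $mode, expected 600"
        GRUB_FAILS=$((GRUB_FAILS + 1))
    fi
    [ "$GRUB_FAILS" -eq 0 ]
}
```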
4. Cracking the GRUB password
5. Encrypting a system partition
[root@localhost ~]# yum install cryptsetup -- install the package
Loaded plugins: fastestmirror
Determining fastest mirrors
c6-media | 4.0 kB 00:00 ...
c6-media/primary_db | 3.5 MB 00:00 ...
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package cryptsetup-luks.i686 0:1.2.0-7.el6 will be installed
--> Processing Dependency: cryptsetup-luks-libs = 1.2.0-7.el6 for package: cryptsetup-luks-1.2.0-7.el6.i686
--> Processing Dependency: libcryptsetup.so.1(CRYPTSETUP_1.0) for package: cryptsetup-luks-1.2.0-7.el6.i686
--> Processing Dependency: libcryptsetup.so.1 for package: cryptsetup-luks-1.2.0-7.el6.i686
--> Running transaction check
---> Package cryptsetup-luks-libs.i686 0:1.2.0-7.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
====================================================================================================================
Package Arch Version Repository Size
====================================================================================================================
Installing:
cryptsetup-luks i686 1.2.0-7.el6 c6-media 94 k
Installing for dependencies:
cryptsetup-luks-libs i686 1.2.0-7.el6 c6-media 52 k
Transaction Summary
====================================================================================================================
Install 2 Package(s)
Total download size: 146 k
Installed size: 391 k
Is this ok [y/N]: y
Downloading Packages:
--------------------------------------------------------------------------------------------------------------------
Total 3.4 MB/s | 146 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : cryptsetup-luks-libs-1.2.0-7.el6.i686 1/2
Installing : cryptsetup-luks-1.2.0-7.el6.i686 2/2
Verifying : cryptsetup-luks-1.2.0-7.el6.i686 1/2
Verifying : cryptsetup-luks-libs-1.2.0-7.el6.i686 2/2
Installed:
cryptsetup-luks.i686 0:1.2.0-7.el6
Dependency Installed:
cryptsetup-luks-libs.i686 0:1.2.0-7.el6
Complete!
[root@localhost ~]# fdisk -cu /dev/sdb -- partition the disk
Command (m for help): p
Disk /dev/sdb: 157 MB, 157286400 bytes
255 heads, 63 sectors/track, 19 cylinders, total 307200 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x2c917867
Device Boot Start End Blocks Id System
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First sector (2048-307199, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-307199, default 307199): +100M
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.
[root@localhost ~]# partx -a /dev/sdb
BLKPG: Device or resource busy
[root@localhost ~]# cryptsetup luksFormat /dev/sdb1 -- encrypt the /dev/sdb1 partition
WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.
Are you sure? (Type uppercase yes): YES -- must be uppercase
Enter LUKS passphrase: -- enter the passphrase
Verify passphrase: -- confirm the passphrase
[root@localhost ~]# cryptsetup luksOpen /dev/sdb1 tong -- open the partition under the mapping name (alias) tong
Enter passphrase for /dev/sdb1:
[root@localhost ~]# mkfs.ext4 /dev/mapper/tong -- format the partition
mke2fs 1.41.12 (17-May-2010)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
25168 inodes, 100352 blocks
5017 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67371008
13 block groups
8192 blocks per group, 8192 fragments per group
1936 inodes per group
Superblock backups stored on blocks:
8193, 24577, 40961, 57345, 73729
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 31 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
[root@localhost ~]# mount /dev/mapper/tong /mnt/sdb/ -- mounted successfully
[root@localhost ~]# cd /mnt/sdb/
[root@localhost sdb]# mkdir 12 -- write some data
[root@localhost sdb]# cd
[root@localhost ~]# umount /mnt/sdb/ -- unmount the device
[root@localhost ~]# cryptsetup luksClose /dev/mapper/tong -- close the encrypted partition
[root@localhost ~]# df -TH
Filesystem Type Size Used Avail Use% Mounted on
/dev/mapper/VolGroup-lv_root
ext4 6.9G 6.4G 177M 98% /
tmpfs tmpfs 262M 0 262M 0% /dev/shm
/dev/sda1 ext4 508M 48M 435M 10% /boot
[root@localhost ~]# cryptsetup luksOpen /dev/sdb1 tong -- the passphrase must be entered before the partition can be used
Enter passphrase for /dev/sdb1:
[root@localhost ~]# mount /dev/mapper/tong /mnt/sdb/
[root@localhost ~]# df -TH
Filesystem Type Size Used Avail Use% Mounted on
/dev/mapper/VolGroup-lv_root
ext4 6.9G 6.4G 177M 98% /
tmpfs tmpfs 262M 0 262M 0% /dev/shm
/dev/sda1 ext4 508M 48M 435M 10% /boot
/dev/mapper/tong
ext4 100M 5.8M 89M 7% /mnt/sdb
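[root@localhost ~]# vim /etc/crypttab -- edit the configuration file
name /dev/sdb1 -- enable this line; the passphrase must then be entered when the system boots
At boot, the system asks for the passphrase of the sdb1 partition.
To boot without being asked for the passphrase:
[root@localhost ~]# vim /etc/crypttab
name /dev/sdb1 /home/sdb1.key -- key file that stores the passphrase
[root@localhost ~]# echo "system" > /home/sdb1.key -- system is the passphrase
[root@localhost ~]# chown root:root /home/sdb1.key -- set ownership and permissions
[root@localhost ~]# chmod 600 /home/sdb1.key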
[root@localhost ~]# cryptsetup luksAddKey /dev/sdb1 /home/sdb1.key
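The following check is an added example, not part of the original post: it audits every key file named in a crypttab, such as the /home/sdb1.key created above, for ownership, permissions and size. The function name audit_crypttab, the AUDIT_FAILS variable and the 32-byte MIN_KEY_BYTES threshold are assumptions.

```shell
#!/usr/bin/env bash
# Added example: audit the key files named in a crypttab.
# Usage: audit_crypttab [crypttab] [owner-uid]; failure count is left in AUDIT_FAILS.
audit_crypttab() {
    local tab="${1:-/etc/crypttab}" want_uid="${2:-0}"
    local name dev key opts mode uid size
    AUDIT_FAILS=0
    while read -r name dev key opts || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac      # blank line or comment
        case "$key" in
            ''|none|-) echo "INFO $name: passphrase is asked for at boot"; continue ;;
        esac
        if [ ! -f "$key" ]; then
            echo "FAIL $name: key file $key is missing"
            AUDIT_FAILS=$((AUDIT_FAILS + 1)); continue
        fi
        mode=$(stat -c '%a' "$key"); uid=$(stat -c '%u' "$key"); size=$(stat -c '%s' "$key")
        # Any group/other bit lets a non-root user read the key and open the volume.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "FAIL $name: $key has mode $mode, expected 600"
            AUDIT_FAILS=$((AUDIT_FAILS + 1))
        fi
        if [ "$uid" != "$want_uid" ]; then
            echo "FAIL $name: $key is owned by uid $uid, expected $want_uid"
            AUDIT_FAILS=$((AUDIT_FAILS + 1))
        fi
        # MIN_KEY_BYTES is an assumed threshold: a short word is a guessable key.
        if [ "$size" -lt "${MIN_KEY_BYTES:-32}" ]; then
            echo "WARN $name: $key holds only $size bytes of key material"
        fi
    done < "$tab"
    [ "$AUDIT_FAILS" -eq 0 ]
}
```

A key file written with echo "system" is 7 bytes long, because echo appends a newline that becomes part of the key, so it is reported under WARN.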
6. At present, the partition encryption cannot be cracked.
Author: tongcheng