Operating system: Parabola GNU/Linux-libre, the GNU version of Arch.
I have encrypted the root partition, but I am not sure how to encrypt the swap partition. I know that swap partitions are no longer used and swap files are preferred, but btrfs still does not support them.
lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 223.6G 0 disk
├─sda2 8:2 0 221.1G 0 part
│ └─cryptroot 254:0 0 221.1G 0 crypt /
├─sda3 8:3 0 2G 0 part
│ └─cryptswap 254:1 0 2G 0 crypt
└─sda1 8:1 0 512M 0 part /boot
/etc/fstab
# /dev/mapper/cryptroot
UUID=0126cb9b-d3aa-4f05-a39a-71682fa847bb / btrfs rw,relatime,ssd,space_cache,subvolid=5,subvol=/ 0 0
# /dev/sda1
UUID=6F37-84A2 /boot vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro 0 2
# /dev/mapper/cryptswap
UUID=aef00636-0183-48d1-ab87-8f6653a30dd8 none swap defaults 0 0
/boot/loader/entries/parabola.conf
title Parabola GNU/Linux-libre
linux /vmlinuz-linux-libre
initrd /initramfs-linux-libre.img
options rd.luks.uuid=c6b69115-15c6-4561-9691-fc4a05ac9622 rd.luks.name=c6b69115-15c6-4561-9691-fc4a05ac9622=cryptroot rd.luks.options=quiet rw root=/dev/mapper/cryptroot
/etc/crypttab
# crypttab: mappings for encrypted partitions
#
# Each mapped device will be created in /dev/mapper, so your /etc/fstab
# should use the /dev/mapper/<name> paths for encrypted devices.
#
# The Parabola specific syntax has been deprecated, see crypttab(5) for the
# new supported syntax.
#
# NOTE: Do not list your root (/) partition here, it must be set up
# beforehand by the initramfs (/etc/mkinitcpio.conf).
# <name> <device> <password> <options>
cryptswap /dev/disk/by-id/ata-PH4-CE240_511160905070017677-part3 /dev/urandom swap
journalctl -b
Dec 22 23:35:54 MyComputer mkswap[341]: Setting up swapspace version 1, size = 2 GiB (2147459072 bytes)
Dec 22 23:35:54 MyComputer mkswap[341]: no label, UUID=c965e98e-b011-4e40-aef3-bb84d58d7a08
Dec 22 23:35:54 MyComputer systemd[1]: Started Cryptography Setup for swap.
Dec 22 23:35:54 MyComputer systemd[1]: Reached target Encrypted Volumes.
Dec 22 23:35:54 MyComputer systemd[1]: Found device /dev/mapper/swap.
Dec 22 23:37:23 MyComputer systemd[1]: dev-disk-by\x2duuid-aef00636\x2d0183\x2d48d1\x2dab87\x2d8f6653a30dd8.device: Job dev-disk-by\x2duuid-aef00636\x2d0183\x2d48d1\x2dab87\x2d8f6653a30dd8.device/start timed out.
Dec 22 23:37:23 MyComputer systemd[1]: Timed out waiting for device dev-disk-by\x2duuid-aef00636\x2d0183\x2d48d1\x2dab87\x2d8f6653a30dd8.device.
Dec 22 23:37:23 MyComputer systemd[1]: Dependency failed for /dev/disk/by-uuid/aef00636-0183-48d1-ab87-8f6653a30dd8.
Dec 22 23:37:23 MyComputer systemd[1]: Dependency failed for Swap.
Dec 22 23:37:23 MyComputer systemd[1]: swap.target: Job swap.target/start failed with result 'dependency'.
Dec 22 23:37:23 MyComputer systemd[1]: dev-disk-by\x2duuid-aef00636\x2d0183\x2d48d1\x2dab87\x2d8f6653a30dd8.swap: Job dev-disk-by\x2duuid-aef00636\x2d0183\x2d48d1\x2dab87\x2d8f6653a30dd8.swap/start failed with result 'dependency'.
Dec 22 23:37:23 MyComputer systemd[1]: dev-disk-by\x2duuid-aef00636\x2d0183\x2d48d1\x2dab87\x2d8f6653a30dd8.device: Job dev-disk-by\x2duuid-aef00636\x2d0183\x2d48d1\x2dab87\x2d8f6653a30dd8.device/start failed with result 'timeout'.
Dec 22 23:37:23 MyComputer systemd[1]: Mounting Temporary Directory...
Dec 22 23:37:23 MyComputer systemd[1]: Mounted Temporary Directory.
Dec 22 23:37:23 MyComputer systemd[1]: Reached target Local File Systems.
Dec 22 23:37:23 MyComputer systemd[1]: Starting Create Volatile Files and Directories...
Dec 22 23:37:23 MyComputer systemd[1]: Started Create Volatile Files and Directories.
Dec 22 23:37:23 MyComputer systemd[1]: Starting Update UTMP about System Boot/Shutdown...
Dec 22 23:37:23 MyComputer systemd[1]: Started Update UTMP about System Boot/Shutdown.
Dec 22 23:37:23 MyComputer systemd[1]: Reached target System Initialization.
Dec 22 23:37:23 MyComputer systemd[1]: Started Daily Cleanup of Temporary Directories.
Dec 22 23:37:23 MyComputer systemd[1]: Started Daily verification of password and group files.
Dec 22 23:37:23 MyComputer systemd[1]: Listening on D-Bus System Message Bus Socket.
Dec 22 23:37:23 MyComputer systemd[1]: Reached target Sockets.
Dec 22 23:37:23 MyComputer systemd[1]: Reached target Basic System.
Dec 22 23:37:23 MyComputer systemd[1]: Starting Save/Restore Sound Card State...
Dec 22 23:37:23 MyComputer systemd[1]: Starting dhcpcd on enp4s0...
Dec 22 23:37:23 MyComputer systemd[1]: Starting Login Service...
Dec 22 23:37:23 MyComputer systemd[1]: Started D-Bus System Message Bus.
...
Dec 24 00:00:09 MyComputer systemd[1]: Started Update man-db cache.
Dec 24 00:01:36 MyComputer systemd[1]: dev-disk-by\x2duuid-aef00636\x2d0183\x2d48d1\x2dab87\x2d8f6653a30dd8.device: Job dev-disk-by\x2duuid-aef00636\x2d0183\x2d48d1\x2dab87\x2d8f6653a30dd8.device/start timed out.
Dec 24 00:01:36 MyComputer systemd[1]: Timed out waiting for device dev-disk-by\x2duuid-aef00636\x2d0183\x2d48d1\x2dab87\x2d8f6653a30dd8.device.
Dec 24 00:01:36 MyComputer systemd[1]: Dependency failed for /dev/disk/by-uuid/aef00636-0183-48d1-ab87-8f6653a30dd8.
Dec 24 00:01:36 MyComputer systemd[1]: dev-disk-by\x2duuid-aef00636\x2d0183\x2d48d1\x2dab87\x2d8f6653a30dd8.swap: Job dev-disk-by\x2duuid-aef00636\x2d0183\x2d48d1\x2dab87\x2d8f6653a30dd8.swap/start failed with result 'dependency'.
Dec 24 00:01:36 MyComputer systemd[1]: dev-disk-by\x2duuid-aef00636\x2d0183\x2d48d1\x2dab87\x2d8f6653a30dd8.device: Job dev-disk-by\x2duuid-aef00636\x2d0183\x2d48d1\x2dab87\x2d8f6653a30dd8.device/start failed with result 'timeout'.
[Edit]
New information has come to light: the swap partition that should be encrypted does not seem to be recognized.
[Edit]
Given the results above, I tried the following.
parted
rm 3
mkpart primary ext2 -2GiB 100%
(Ignore)
quit
dd if=/dev/urandom of=/dev/sda3 bs=1M
cryptsetup -v -y luksFormat /dev/sda3
YES
cryptsetup open /dev/sda3 cryptswap
mkswap /dev/mapper/cryptswap
swapon /dev/mapper/cryptswap
[Edit]
Encrypting the partition as above from the Parabola Live MATE image returns an error.
1 root@parabolaiso / # cryptsetup -y -v luksFormat /dev/sda3 --debug :(
# cryptsetup 1.7.3 processing "cryptsetup -y -v luksFormat /dev/sda3 --debug"
# Running command luksFormat.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
WARNING!
========
This will overwrite data on /dev/sda3 irrevocably.
Are you sure? (Type uppercase yes): YES
# Allocating crypt device /dev/sda3 context.
# Trying to open and read device /dev/sda3 with direct-io.
# Initialising device-mapper backend library.
# Timeout set to 0 miliseconds.
# Iteration time set to 2000 milliseconds.
# Interactive passphrase entry requested.
Enter passphrase:
Verify passphrase:
# Formatting device /dev/sda3 as type LUKS1.
# Crypto backend (gcrypt 1.7.5) initialized in cryptsetup library version 1.7.3.
# Detected kernel Linux 4.8.6-gnu-1 x86_64.
# Topology: IO (512/0), offset = 0; Required alignment is 1048576 bytes.
# Checking if cipher aes-xts-plain64 is usable.
# Userspace crypto wrapper cannot use aes-xts-plain64 (-95).
# Using dmcrypt to access keyslot area.
# Calculated device size is 1 sectors (RW), offset 0.
# dm version [ opencount flush ] [16384] (*1)
# dm versions [ opencount flush ] [16384] (*1)
# Device-mapper backend running with UDEV support enabled.
# DM-UUID is CRYPT-TEMP-temporary-cryptsetup-10670
# dm versions [ opencount flush ] [16384] (*1)
# Device-mapper backend running with UDEV support enabled.
# Udev cookie 0xd4d2344 (semid 65536) created
# Udev cookie 0xd4d2344 (semid 65536) incremented to 1
# Udev cookie 0xd4d2344 (semid 65536) incremented to 2
# Udev cookie 0xd4d2344 (semid 65536) assigned to CREATE task(0) with flags DISABLE_SUBSYSTEM_RULES DISABLE_DISK_RULES DISABLE_OTHER_RULES (0xe)
# dm create temporary-cryptsetup-10670 CRYPT-TEMP-temporary-cryptsetup-10670 [ opencount flush ] [16384] (*1)
# dm reload temporary-cryptsetup-10670 [ opencount flush readonly ] [16384] (*1)
device-mapper: reload ioctl on temporary-cryptsetup-10670 failed: Invalid argument
# Udev cookie 0xd4d2344 (semid 65536) decremented to 1
# Udev cookie 0xd4d2344 (semid 65536) incremented to 2
# Udev cookie 0xd4d2344 (semid 65536) assigned to REMOVE task(2) with flags DISABLE_SUBSYSTEM_RULES DISABLE_DISK_RULES DISABLE_OTHER_RULES (0xe)
# dm remove temporary-cryptsetup-10670 [ opencount flush readonly ] [16384] (*1)
# temporary-cryptsetup-10670: Stacking NODE_DEL [verify_udev]
# Udev cookie 0xd4d2344 (semid 65536) decremented to 0
# Udev cookie 0xd4d2344 (semid 65536) waiting for zero
# Udev cookie 0xd4d2344 (semid 65536) destroyed
# temporary-cryptsetup-10670: Processing NODE_DEL [verify_udev]
# dm versions [ opencount flush ] [16384] (*1)
# Device-mapper backend running with UDEV support enabled.
Failed to setup dm-crypt key mapping for device /dev/sda3.
Check that kernel supports aes-xts-plain64 cipher (check syslog for more info).
# Releasing crypt device /dev/sda3 context.
# Releasing device-mapper backend.
# Unlocking memory.
Command failed with code 5: Input/output error
[Edit]
I actually worked around this using systemd-swap (better than nothing). I will wait until btrfs supports real swap.
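An added check, in Python, that is not part of the original post: the journal excerpt above shows mkswap writing a fresh header (UUID=c965e98e-…) to the re-keyed swap at boot, while /etc/fstab pins the swap to UUID=aef00636-…, and systemd then waits for that device until the job times out. A crypttab mapping keyed from /dev/urandom with the `swap` option is a plain dm-crypt mapping that is re-keyed and re-formatted on every boot, so a UUID= or LABEL= spec for it can never resolve; the crypttab header shown above already says to reference /dev/mapper/<name> instead. Note also that the journal names the mapping "swap" while the crypttab shown names it "cryptswap": whichever crypttab is in effect, the fstab spec has to match the name actually created. The script parses both files (the sample inputs are constructed copies of the entries in the question), reports the mismatch, rewrites the offending fstab line, and additionally warns when a random-key swap mapping points at a bare /dev/sdX name, since crypttab(5) warns that such a device is formatted on every boot and kernel device names are not stable.

```python
"""Cross-check crypttab random-key swap mappings against fstab.

Added example; not from the original post. The sample inputs are constructed
copies of the crypttab and fstab entries shown in the question.
"""
import re

# Constructed sample input (copied from the question's /etc/crypttab).
CRYPTTAB = """\
# <name> <device> <password> <options>
cryptswap /dev/disk/by-id/ata-PH4-CE240_511160905070017677-part3 /dev/urandom swap
"""

# Constructed sample input (copied from the question's /etc/fstab, options shortened).
FSTAB = """\
# /dev/mapper/cryptroot
UUID=0126cb9b-d3aa-4f05-a39a-71682fa847bb / btrfs rw,relatime,ssd,subvolid=5,subvol=/ 0 0
# /dev/sda1
UUID=6F37-84A2 /boot vfat rw,relatime,fmask=0022,dmask=0022 0 2
# /dev/mapper/cryptswap
UUID=aef00636-0183-48d1-ab87-8f6653a30dd8 none swap defaults 0 0
"""

RANDOM_KEYS = {"/dev/urandom", "/dev/random", "/dev/hw_random"}
PINNED = ("UUID=", "LABEL=", "PARTUUID=", "PARTLABEL=")
# Kernel-assigned names that can change between boots (assumption: this list).
UNSTABLE_DEV = re.compile(r"/dev/(sd[a-z]+|vd[a-z]+|hd[a-z]+|nvme\d+n\d+p?)\d*$")


def _fields(text, minimum):
    """Yield whitespace-split fields of non-comment lines with enough columns."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            f = line.split()
            if len(f) >= minimum:
                yield f


def parse_crypttab(text):
    """crypttab(5): <name> <device> [<key>] [<options>]."""
    entries = []
    for f in _fields(text, 2):
        key = f[2] if len(f) > 2 and f[2] not in ("none", "-") else None
        opts = set(f[3].split(",")) if len(f) > 3 else set()
        entries.append({"name": f[0], "device": f[1], "key": key, "options": opts})
    return entries


def parse_fstab(text):
    """fstab(5): <spec> <mountpoint> <fstype> ...; only the first three matter here."""
    return [{"spec": f[0], "mountpoint": f[1], "fstype": f[2]} for f in _fields(text, 3)]


def volatile_swap_mappings(crypttab_entries):
    """Names of mappings that crypttab re-keys and re-formats on every boot."""
    return {e["name"] for e in crypttab_entries
            if e["key"] in RANDOM_KEYS and "swap" in e["options"]}


def check(crypttab_text, fstab_text):
    """Return a list of problem descriptions; an empty list means consistent."""
    ct = parse_crypttab(crypttab_text)
    swaps = [e for e in parse_fstab(fstab_text) if e["fstype"] == "swap"]
    swap_specs = {e["spec"] for e in swaps}
    volatile = volatile_swap_mappings(ct)
    problems = []
    for e in ct:
        if e["name"] not in volatile:
            continue
        if UNSTABLE_DEV.match(e["device"]):
            problems.append(f"{e['name']}: random-key swap on {e['device']}; this device is "
                            "formatted on every boot and kernel names are not stable, "
                            "use /dev/disk/by-id/ or /dev/disk/by-partuuid/")
        if "/dev/mapper/" + e["name"] not in swap_specs:
            problems.append(f"{e['name']}: no fstab swap line references /dev/mapper/{e['name']}")
    for e in swaps:
        if e["spec"].startswith(PINNED) and volatile:
            problems.append(f"fstab swap '{e['spec']}' pins an identifier, but mkswap writes a "
                            f"new header (new UUID) to {sorted(volatile)} at each boot, so it "
                            "will never appear and systemd waits until the device job times out")
    return problems


def suggest_fix(crypttab_text, fstab_text):
    """Rewrite pinned fstab swap specs to /dev/mapper/<name> when exactly one
    random-key swap mapping exists; otherwise return fstab unchanged."""
    volatile = volatile_swap_mappings(parse_crypttab(crypttab_text))
    if len(volatile) != 1:
        return fstab_text
    name = next(iter(volatile))
    out = []
    for line in fstab_text.splitlines():
        f = line.split()
        if len(f) >= 3 and f[2] == "swap" and f[0].startswith(PINNED):
            f[0] = "/dev/mapper/" + name
            line = " ".join(f)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for p in check(CRYPTTAB, FSTAB):
        print("PROBLEM:", p)
    print(suggest_fix(CRYPTTAB, FSTAB))
```

Run it against the real files with `check(open("/etc/crypttab").read(), open("/etc/fstab").read())`; the rewrite only touches swap lines and only when there is exactly one random-key swap mapping, so it will not silently guess for a layout with several.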
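A second added check, also Python and also not from the original post, for the luksFormat failure on the live image above. The debug log shows libgcrypt 1.7.5 declining aes-xts-plain64 (errno 95 is EOPNOTSUPP; libgcrypt gained XTS only in 1.8), so cryptsetup falls back to a temporary dm-crypt mapping for the keyslot area, and that `dm reload` is what fails with "Invalid argument"; the last message points at the kernel cipher. The script maps a cryptsetup cipher spec to the kernel algorithm names dm-crypt will request (aes-xts-plain64 becomes xts(aes); an essiv IV additionally needs its hash) and looks them up in /proc/crypto. The two /proc/crypto samples are constructed, not taken from the question. Caveat built into the report: /proc/crypto lists only algorithm instances that are currently registered, and template instances such as xts(aes) appear only after something has used them or a driver registers them directly, so "not listed" means "load the modules (for example `modprobe xts aes`) or run `cryptsetup benchmark -c aes-xts-plain64`, then look again", not "unsupported".

```python
"""Check whether the running kernel lists the algorithms a cryptsetup cipher
spec needs. Added example; not from the original post. Sample /proc/crypto
excerpts below are constructed."""

# Constructed: kernel where xts(aes) has been instantiated via the aesni driver.
PROC_CRYPTO_OK = """\
name         : xts(aes)
driver       : xts-aes-aesni
module       : aesni_intel
priority     : 401
refcnt       : 1
selftest     : passed
internal     : no
type         : skcipher

name         : __xts(aes)
driver       : __xts-aes-aesni
module       : aesni_intel
priority     : 401
refcnt       : 1
selftest     : passed
internal     : yes
type         : skcipher

name         : sha256
driver       : sha256-generic
module       : sha256_generic
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : shash
"""

# Constructed: kernel with only the bare block cipher registered, no xts instance.
PROC_CRYPTO_MISSING = """\
name         : aes
driver       : aes-generic
module       : aes_generic
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : cipher
"""


def parse_proc_crypto(text):
    """Return one dict per blank-line-separated 'key : value' block."""
    algs, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                algs.append(cur)
                cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key.strip()] = value.strip()
    if cur:
        algs.append(cur)
    return algs


def required_kernel_algs(spec):
    """cryptsetup 'cipher-mode-iv[:opts]' -> kernel names dm-crypt asks for.
    'aes-xts-plain64' -> ['xts(aes)']; 'aes-cbc-essiv:sha256' -> ['cbc(aes)', 'sha256'].
    Also accepts the 'capi:<kernel name>-<iv>' form (assumption: no capi key-count suffix)."""
    if spec.startswith("capi:"):
        kernel_name, _, iv = spec[len("capi:"):].rpartition("-")
    else:
        parts = spec.split("-")
        if len(parts) < 3:
            raise ValueError(f"expected cipher-mode-iv, got {spec!r}")
        cipher, mode, iv = parts[0], parts[1], "-".join(parts[2:])
        kernel_name = f"{mode}({cipher})"
    needed = [kernel_name]
    if iv.startswith("essiv:"):
        needed.append(iv.split(":", 1)[1])   # ESSIV hashes the key with this digest
    return needed


def usable(algs, name):
    """Registered under that name, passed its self-test, and not internal-only."""
    return [a for a in algs
            if a.get("name") == name
            and a.get("selftest", "passed") == "passed"
            and a.get("internal", "no") == "no"]


def check_spec(proc_crypto_text, spec):
    """Return (ok, {kernel name: [drivers] or None}). ok is False when a required
    name is not listed; for template instances that may only mean 'not yet instantiated'."""
    algs = parse_proc_crypto(proc_crypto_text)
    report = {name: [a.get("driver") for a in usable(algs, name)] or None
              for name in required_kernel_algs(spec)}
    return all(report.values()), report


if __name__ == "__main__":
    import sys
    spec = sys.argv[1] if len(sys.argv) > 1 else "aes-xts-plain64"
    ok, report = check_spec(open("/proc/crypto").read(), spec)
    for name, drivers in report.items():
        print(f"{name}: {drivers or 'NOT LISTED (instantiate it, e.g. modprobe xts, then re-check)'}")
    sys.exit(0 if ok else 1)
```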
Answer 1
It would be simpler to create one encrypted container and set up root/swap inside it with LVM.
Like this:
sda1 boot
sda2 LUKS-crypt
LVM
root-LV
swap-LV
Then you only need a single key to open it, so you can skip crypttab entirely.