
Using eCryptfs to Encrypt Data on DiDi Cloud

1. Introduction to eCryptfs

eCryptfs is an encrypting file system implemented in the Linux kernel; it was merged into the mainline kernel in version 2.6.19. It follows a stacked design and sits logically between the VFS and the underlying file system. Read and write operations that user applications issue against the underlying file system pass through the VFS via system calls and are first intercepted by eCryptfs, which encrypts or decrypts the file data before forwarding the request to the underlying file system. This gives applications transparent, dynamic and efficient encryption.

eCryptfs uses a different File Encryption Key (FEK) for each file; AES-128 is the recommended file encryption algorithm. The FEK must not be stored in plaintext, so eCryptfs protects it by encrypting it with a user-supplied passphrase, an asymmetric-key algorithm (such as RSA), or the public key of a TPM (Trusted Platform Module).

For example, when a user passphrase is used, the passphrase is first processed by a hash function and the result is used as the key that encrypts the FEK. The passphrase or public key is called the File Encryption Key Encryption Key (FEKEK), and the encrypted FEK is called the Encrypted File Encryption Key (EFEK). If a file is accessible to multiple authorized users, there are multiple EFEKs, one per user. In addition, eCryptfs also supports filename encryption.

2. Installing eCryptfs

CentOS

This uses a DiDi Cloud DC2 instance running CentOS 7.3 as the example.

Check whether the eCryptfs userland tools are installed:

[[email protected] ~]$ yum list installed | grep ecryptfs

If they are not installed, run the following command to install them:

[[email protected] ~]$ sudo yum install ecryptfs-utils

The screen output is as follows:

Loaded plugins: fastestmirror
base                                                                                                                                  | 3.6 kB  00:00:00     
epel                                                                                                                                  | 3.2 kB  00:00:00     
extras                                                                                                                                | 3.4 kB  00:00:00     
updates                                                                                                                               | 3.4 kB  00:00:00     
(1/2): epel/7/x86_64/updateinfo                                                                                                       | 935 kB  00:00:00     
(2/2): epel/7/x86_64/primary                                                                                                          | 3.6 MB  00:00:00     
Determining fastest mirrors
epel                                                                                                                                             12738/12738
Resolving Dependencies
--> Running transaction check
---> Package ecryptfs-utils.x86_64 0:111-5.el7 will be installed
--> Processing Dependency: cryptsetup-luks for package: ecryptfs-utils-111-5.el7.x86_64
--> Processing Dependency: libpkcs11-helper.so.1()(64bit) for package: ecryptfs-utils-111-5.el7.x86_64
--> Running transaction check
---> Package cryptsetup.x86_64 0:1.7.4-3.el7_4.1 will be installed
--> Processing Dependency: cryptsetup-libs(x86-64) = 1.7.4-3.el7_4.1 for package: cryptsetup-1.7.4-3.el7_4.1.x86_64
---> Package pkcs11-helper.x86_64 0:1.11-3.el7 will be installed
--> Running transaction check
---> Package cryptsetup-libs.x86_64 0:1.7.2-1.el7 will be updated
---> Package cryptsetup-libs.x86_64 0:1.7.4-3.el7_4.1 will be an update
--> Finished Dependency Resolution
Dependencies Resolved

=============================================================================================================================================================
 Package                                  Arch                            Version                                     Repository                        Size
=============================================================================================================================================================
Installing:
 ecryptfs-utils                           x86_64                          111-5.el7                                   epel                             186 k
Installing for dependencies:
 cryptsetup                               x86_64                          1.7.4-3.el7_4.1                             updates                          128 k
 pkcs11-helper                            x86_64                          1.11-3.el7                                  epel                              56 k
Updating for dependencies:
 cryptsetup-libs                          x86_64                          1.7.4-3.el7_4.1                             updates                          223 k

Transaction Summary
=============================================================================================================================================================
Install  1 Package  (+2 Dependent packages)
Upgrade             ( 1 Dependent package)

Total download size: 592 k
Is this ok [y/d/N]: y

Type 'y' and press Enter; the screen output is as follows:

Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/4): cryptsetup-1.7.4-3.el7_4.1.x86_64.rpm                                                                                          | 128 kB  00:00:00     
(2/4): pkcs11-helper-1.11-3.el7.x86_64.rpm                                                                                            |  56 kB  00:00:00     
(3/4): ecryptfs-utils-111-5.el7.x86_64.rpm                                                                                            | 186 kB  00:00:00     
(4/4): cryptsetup-libs-1.7.4-3.el7_4.1.x86_64.rpm                                                                                     | 223 kB  00:00:00     
-------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                        2.6 MB/s | 592 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : pkcs11-helper-1.11-3.el7.x86_64                                                                                                           1/5 
  Updating   : cryptsetup-libs-1.7.4-3.el7_4.1.x86_64                                                                                                    2/5 
  Installing : cryptsetup-1.7.4-3.el7_4.1.x86_64                                                                                                         3/5 
  Installing : ecryptfs-utils-111-5.el7.x86_64                                                                                                           4/5 
  Cleanup    : cryptsetup-libs-1.7.2-1.el7.x86_64                                                                                                        5/5 
  Verifying  : cryptsetup-libs-1.7.4-3.el7_4.1.x86_64                                                                                                    1/5 
  Verifying  : cryptsetup-1.7.4-3.el7_4.1.x86_64                                                                                                         2/5 
  Verifying  : ecryptfs-utils-111-5.el7.x86_64                                                                                                           3/5 
  Verifying  : pkcs11-helper-1.11-3.el7.x86_64                                                                                                           4/5 
  Verifying  : cryptsetup-libs-1.7.2-1.el7.x86_64                                                                                                        5/5 

Installed:
  ecryptfs-utils.x86_64 0:111-5.el7                                                                                                                          

Dependency Installed:
  cryptsetup.x86_64 0:1.7.4-3.el7_4.1                                            pkcs11-helper.x86_64 0:1.11-3.el7                                           
Dependency Updated:
  cryptsetup-libs.x86_64 0:1.7.4-3.el7_4.1                                                                                                                   

Complete!

Check the installation status again:

[[email protected] ~]$ yum list installed | grep ecryptfs-utils
ecryptfs-utils.x86_64              111-5.el7                           @epel

The tools are installed correctly.

Ubuntu

This uses a DiDi Cloud DC2 instance running Ubuntu 16.04 as the example.

Check whether the eCryptfs userland tools are installed:

[email protected]:~$ dpkg --status ecryptfs-utils
dpkg-query: package 'ecryptfs-utils' is not installed and no information is available

If they are not installed, run the following command to install them:

[email protected]:~$ sudo apt-get install ecryptfs-utils
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  keyutils libecryptfs1 libnspr4 libnss3 libnss3-1d libnss3-nssdb
Suggested packages:
  zescrow-client
The following NEW packages will be installed:
  ecryptfs-utils keyutils libecryptfs1 libnspr4 libnss3 libnss3-1d libnss3-nssdb
0 upgraded, 7 newly installed, 0 to remove and 17 not upgraded.
Need to get 1,475 kB of archives.
After this operation, 5,175 kB of additional disk space will be used.
Do you want to continue? [Y/n] 

Simply press Enter:

Get:1 http://mirrors.intra.didiyun.com/ubuntu xenial-updates/main amd64 libnspr4 amd64 2:4.13.1-0ubuntu0.16.04.1 [112 kB]
Get:2 http://mirrors.intra.didiyun.com/ubuntu xenial-updates/main amd64 libnss3-nssdb all 2:3.28.4-0ubuntu0.16.04.3 [10.6 kB]
Get:3 http://mirrors.intra.didiyun.com/ubuntu xenial-updates/main amd64 libnss3 amd64 2:3.28.4-0ubuntu0.16.04.3 [1,148 kB]
Get:4 http://mirrors.intra.didiyun.com/ubuntu xenial-updates/main amd64 libnss3-1d amd64 2:3.28.4-0ubuntu0.16.04.3 [9,316 B]
Get:5 http://mirrors.intra.didiyun.com/ubuntu xenial-updates/main amd64 libecryptfs1 amd64 111-0ubuntu1.1 [45.4 kB]
Get:6 http://mirrors.intra.didiyun.com/ubuntu xenial/main amd64 keyutils amd64 1.5.9-8ubuntu1 [47.1 kB]
Get:7 http://mirrors.intra.didiyun.com/ubuntu xenial-updates/main amd64 ecryptfs-utils amd64 111-0ubuntu1.1 [103 kB]
Fetched 1,475 kB in 0s (20.2 MB/s)  
Selecting previously unselected package libnspr4:amd64.
(Reading database ... 90601 files and directories currently installed.)
Preparing to unpack .../libnspr4_2%3a4.13.1-0ubuntu0.16.04.1_amd64.deb ...
Unpacking libnspr4:amd64 (2:4.13.1-0ubuntu0.16.04.1) ...
Selecting previously unselected package libnss3-nssdb.
Preparing to unpack .../libnss3-nssdb_2%3a3.28.4-0ubuntu0.16.04.3_all.deb ...
Unpacking libnss3-nssdb (2:3.28.4-0ubuntu0.16.04.3) ...
Selecting previously unselected package libnss3:amd64.
Preparing to unpack .../libnss3_2%3a3.28.4-0ubuntu0.16.04.3_amd64.deb ...
Unpacking libnss3:amd64 (2:3.28.4-0ubuntu0.16.04.3) ...
Selecting previously unselected package libnss3-1d:amd64.
Preparing to unpack .../libnss3-1d_2%3a3.28.4-0ubuntu0.16.04.3_amd64.deb ...
Unpacking libnss3-1d:amd64 (2:3.28.4-0ubuntu0.16.04.3) ...
Selecting previously unselected package libecryptfs1.
Preparing to unpack .../libecryptfs1_111-0ubuntu1.1_amd64.deb ...
Unpacking libecryptfs1 (111-0ubuntu1.1) ...
Selecting previously unselected package keyutils.
Preparing to unpack .../keyutils_1.5.9-8ubuntu1_amd64.deb ...
Unpacking keyutils (1.5.9-8ubuntu1) ...
Selecting previously unselected package ecryptfs-utils.
Preparing to unpack .../ecryptfs-utils_111-0ubuntu1.1_amd64.deb ...
Unpacking ecryptfs-utils (111-0ubuntu1.1) ...
Processing triggers for libc-bin (2.23-0ubuntu10) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up libnspr4:amd64 (2:4.13.1-0ubuntu0.16.04.1) ...
Setting up keyutils (1.5.9-8ubuntu1) ...
Setting up libnss3-nssdb (2:3.28.4-0ubuntu0.16.04.3) ...
Setting up libnss3:amd64 (2:3.28.4-0ubuntu0.16.04.3) ...
Setting up libnss3-1d:amd64 (2:3.28.4-0ubuntu0.16.04.3) ...
Setting up libecryptfs1 (111-0ubuntu1.1) ...
Setting up ecryptfs-utils (111-0ubuntu1.1) ...
Processing triggers for libc-bin (2.23-0ubuntu10) ...

Check the installation status again:

[email protected]:~$ dpkg --status ecryptfs-utils
Package: ecryptfs-utils
Status: install ok installed
Priority: optional
Section: misc
Installed-Size: 568
Maintainer: Dustin Kirkland <[email protected]>
Architecture: amd64
Version: 111-0ubuntu1.1
Depends: libc6 (>= 2.14), libecryptfs1 (>= 104-0ubuntu1), libkeyutils1 (>= 1.4), libpam0g (>= 0.99.7.1), gettext-base, keyutils, libnss3-1d, libpam-runtime (>= 1.0.1-6)
Recommends: cryptsetup, lsof, rsync
Suggests: zescrow-client
Description: ecryptfs cryptographic filesystem (utilities)
 eCryptfs is a POSIX-compliant enterprise-class stacked cryptographic filesystem
 for Linux.
 .
 It provides advanced key management and policy features. eCryptfs stores
 cryptographic metadata in the header of each file written, so that encrypted
 files can be copied between hosts; the file will be decryptable with the proper
 key, and there is no need to keep track of any additional information aside
 from what is already in the encrypted file itself. Think of eCryptfs as a sort
 of "gnupgfs".
 .
 eCryptfs is a native Linux filesystem. The kernel module component of eCryptfs
 is part of the Linux kernel since 2.6.19.
 .
 This package contains the userland utilities.

The tools are installed correctly.

3. Using eCryptfs

Create a mount passphrase: first enter the user's login passphrase, then enter the mount passphrase twice:

[email protected]:~$ sudo ecryptfs-setup-private
Enter your login passphrase [dc2-user]: 
Enter your mount passphrase [leave blank to generate one]: 
Enter your mount passphrase (again): 

************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************


Done configuring.

Create the directory you want to encrypt:

[email protected]:~$ mkdir private

Set the directory permissions so that no other user can access it:

[email protected]:~$ chmod 700 private

Mount the encrypted directory and enter the mount passphrase:

[email protected]:~$ sudo mount -t ecryptfs private private
Passphrase: 

Next you are asked, in turn, to choose the cipher, the key length, whether to allow reading and writing of non-eCryptfs files (plaintext passthrough), and whether to encrypt filenames; pressing Enter at each prompt accepts the defaults:

Select cipher: 
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: 
Select key bytes: 
 1) 16
 2) 32
 3) 24
Selection [16]: 
Enable plaintext passthrough (y/n) [n]: 
Enable filename encryption (y/n) [n]: 
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=c03eaf5f09f59761
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key 
before. This could mean that you have typed your 
passphrase wrong.

Type yes twice:

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [c03eaf5f09f59761] to
[/root/.ecryptfs/sig-cache.txt] 
in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Mounted eCryptfs

eCryptfs is now mounted; enter the eCryptfs directory:

[email protected]:~$ cd private

Create a file:

[email protected]:~/private$ echo "this is a ecryptfs test file" > tes
[email protected]:~/private$ cat tes
this is a ecryptfs test file

Unmount the eCryptfs directory:

[email protected]:~/private$ cd ..
[email protected]:~$ sudo umount private

View the file; its content is now shown as ciphertext:

[email protected]:~$ cat private/tes
m댶ş쫖_CONSOLEᄒ¯_	梞妾8Ҙ}ɔ,Æ­hW䴑[Y©iq龎h=~f°:ⲋᄴ1ࢄYꃵʨ㘐ÿͨ e৫[email protected]»B틠|思¬枾mΩ¥}R{zǩ§(³貮}KᄂKX S渤)$ߢ·©VDµ·>Uڨ붥1b鞺8iX*ҊNVn'ŝ2GzJe 
                                                                                                                                                  @ÿ¡}`¾$L2ܨ§caАbn<ߨ[ǻ�BѪ©'ڼ?Lh·.x
                          吖³(ɛVz

Remount eCryptfs and enter the relevant parameters:

[email protected]:~$ sudo mount -t ecryptfs private private
Passphrase: 
Select cipher: 
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: 
Select key bytes: 
 1) 16
 2) 32
 3) 24
Selection [16]: 
Enable plaintext passthrough (y/n) [n]: 
Enable filename encryption (y/n) [n]: 
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=c03eaf5f09f59761
Mounted eCryptfs

View the file; the correct content is displayed:

[email protected]:~$ cat private/tes
this is a ecryptfs test file
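The mount, write, unmount and verify steps above, as an added example that is not part of the original post: a POSIX shell script that performs the same mount non-interactively with the passphrase read from a root-only file instead of typed at prompts, and replaces the `cat private/tes` eyeball check with a test for the eCryptfs header marker on the lower file. The option names follow the mount.ecryptfs man page; the passphrase file path, the directory names and the restriction to AES are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Scripts the mount shown above
# non-interactively and checks that the lower (on-disk) file really carries an
# eCryptfs header instead of eyeballing ciphertext with cat.
# Assumptions: ecryptfs-utils is installed, sudo is available, and the mount
# passphrase is kept in a mode-600 file holding one line of the documented form
# "passphrase_passwd=<your passphrase>". Passing the passphrase on the command
# line instead would expose it to every local user through ps.

# Build the mount.ecryptfs option string. The allow-list is deliberately
# narrower than the interactive menu: only AES, the cipher the post recommends.
build_mount_opts() {   # usage: build_mount_opts CIPHER KEY_BYTES PASSPHRASE_FILE
    case "$1:$2" in
        aes:16|aes:24|aes:32) ;;
        *) echo "unsupported cipher/key size: $1/$2" >&2; return 1 ;;
    esac
    opts="key=passphrase:passphrase_passwd_file=$3,ecryptfs_cipher=$1"
    opts="$opts,ecryptfs_key_bytes=$2,ecryptfs_passthrough=n"
    opts="$opts,ecryptfs_enable_filename_crypto=n,no_sig_cache"
    printf '%s\n' "$opts"
}

# Mount DIR onto itself, as the post does, so the ciphertext stays in DIR after umount.
mount_private() {      # usage: mount_private DIR PASSPHRASE_FILE
    [ "$(stat -c %a "$2")" = 600 ] || { echo "$2 must be mode 600" >&2; return 1; }
    opts=$(build_mount_opts aes 16 "$2") || return 1
    sudo mount -t ecryptfs -o "$opts" "$1" "$1"
}

# Validate the marker the way the kernel does: bytes 8..15 of the lower file hold
# two big-endian 32-bit words m1 and m2 with m1 XOR 0x3c81b7f5 == m2. (Not
# applicable to mounts using ecryptfs_xattr_metadata, which keep the header in
# an extended attribute rather than in the file body.)
is_ecryptfs_file() {   # usage: is_ecryptfs_file LOWER_FILE
    hex=$(od -An -tx1 -j8 -N8 -v "$1" 2>/dev/null | tr -d ' \n')
    [ ${#hex} -eq 16 ] || return 1
    m1=$((0x$(printf '%s' "$hex" | cut -c1-8)))
    m2=$((0x$(printf '%s' "$hex" | cut -c9-16)))
    [ $((m1 ^ 0x3c81b7f5)) -eq "$m2" ]
}

# Walk through the post's steps only when explicitly asked, so the functions can
# be sourced from other scripts without side effects.
if [ "${1:-}" = demo ]; then
    mkdir -p "$HOME/private" && chmod 700 "$HOME/private"
    mount_private "$HOME/private" "$HOME/.ecryptfs-mount-passphrase" || exit 1
    echo "this is a ecryptfs test file" > "$HOME/private/tes"
    sudo umount "$HOME/private"
    is_ecryptfs_file "$HOME/private/tes" && echo "tes: eCryptfs header present"
fi
```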

Detailed eCryptfs usage parameters:

[[email protected] ~]$ man ecryptfs