Partitioning and encrypting a large disk on Linux: GPT with LVM over LUKS

Tags: GPT, LVM, LUKS, part, dmcrypt. Posted by crackfree on August 24, 2017
## Preface

---

I bought a 3 TB disk on Singles' Day, had some time to play with it today, and am writing the process down.

The techniques used in this post are GPT, LUKS, LVM and ext4.

The intended result: on a disk with a GPT partition table, create several primary partitions. Each primary partition is encrypted whole with LUKS. Inside the encrypted partition, LVM is used to create the logical volumes that are needed; in short, LVM over LUKS. The logical volumes are formatted as ext4. In one sentence, this post is about ext4 over LVM over LUKS over GPT.

## Partitioning

---

Before partitioning, decide on the partition table format. ~~Because an MBR partition table normally supports at most 2 TB~~, a GPT partition table is needed. GPT on [Wikipedia](https://zh.wikipedia.org/wiki/GUID%E7%A3%81%E7%A2%9F%E5%88%86%E5%89%B2%E8%A1%A8).
Looking at the wiki just now: Western Digital and Seagate disks can reach 16 TB with MBR partitioning.

> For disks with 512-byte sectors, the MBR partition table does not support partitions larger than 2.2 TB (2.2×10^12 bytes)[1]. However, some hard-disk manufacturers (such as Seagate and Western Digital) noticed this limitation and moved their larger disks to 4 KB sectors, which raises the effective MBR capacity limit to 16 TiB. This seemingly "correct" solution, while temporarily reducing the pressure to improve the disk partition table, also brought confusion to the market about how best to partition a disk with larger blocks when booting from BIOS.

GPT partitioning has the following advantages over MBR:

- More primary partitions: GPT allows up to 128, MBR only 4
- Better safety and easier data recovery: GPT stores the partition information twice, at the head and at the tail, while the MBR partition table is stored in one place only, so if the partition information is damaged the chance of recovery is higher with GPT
- Large-capacity support: MBR reaches at most 2.2 TB with 512 B sectors and 16 TB with 4K sectors; GPT reaches 9.4 ZB

Disadvantages:

- Compatibility; see [operating system support on Wikipedia](https://zh.wikipedia.org/wiki/GUID%E7%A3%81%E7%A2%9F%E5%88%86%E5%89%B2%E8%A1%A8#.E6.93.8D.E4.BD.9C.E7.B3.BB.E7.BB.9F.E6.94.AF.E6.8C.81)
This post uses a GPT partition table because of the requirements above. Before partitioning I planned the layout as follows:

| Partition | Size |
| ------ | ------ |
| 1 | 2T |
| 2 | 0.7T |

Find the disk to partition, here sdc:

```
# lsblk
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sdc      8:32   0  2.7T  0 disk
```

Use parted to set the partition table type:

```
# parted /dev/sdc
GNU Parted
Using /dev/sdc
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) mklabel gpt
```

```
(parted) print free
Model: TO External USB 3.0 (scsi)
Disk /dev/sdc: 3001GB
Sector size (logical/physical): 512B/4096B
Partition Table: gpt

Number  Start   End     Size    File system  Name  Flags
        17.4kB  3001GB  3001GB  Free Space
```

Create one primary partition:

```
(parted) mkpart primary 0% 74%
```

Create the other primary partition:

```
(parted) mkpart primary 74% 100%
```

Check the partitions just created:

```
(parted) print free
Model: TO External USB 3.0 (scsi)
Disk /dev/sdc: 3001GB
Sector size (logical/physical): 512B/4096B
Partition Table: gpt

Number  Start   End     Size    File system  Name     Flags
        17.4kB  33.6MB  33.5MB               Free Space
 1      33.6MB  2220GB  2220GB               primary
 2      2220GB  3001GB  780GB                primary
        3001GB  3001GB  115kB                Free Space
```

I was lucky and did not get

> Warning: The resulting partition is not properly aligned for best performance. Ignore/Cancel?
If it does appear, fix it by following [this link](http://rainbow.chard.org/2013/01/30/how-to-align-partitions-for-best-performance-using-parted/).

## Encryption

---

1. Create the encrypted container

Format the partition with LUKS:

```
# sudo cryptsetup luksFormat /dev/sdc2

WARNING!
========
This will overwrite data on /dev/sdc2 irrevocably.

Are you sure? (Type uppercase yes): YES   (type YES in upper case)
Enter passphrase:                         (enter the passphrase)
Verify passphrase:
```

2. Open the encrypted disk

```
cryptsetup luksOpen /dev/sdc2 westdata-hd2
Enter passphrase for /dev/sdc2:
```

Once opened, the virtual disk is mapped to /dev/mapper/westdata-hd2.

3. Unlock and mount the encrypted container automatically at boot

Create a keyfile and add it to the LUKS header:

```
dd if=/dev/urandom of=keyfile bs=1k count=4
4+0 records in
4+0 records out
4096 bytes (4.1 kB) copied, 0.00206882 s, 2.0 MB/s
cryptsetup luksAddKey /dev/sdc2 keyfile
Enter any passphrase:
```

Add the automatic unlock and mount entries:

```
vim /etc/crypttab
# <mapping name> <device> <absolute path of the keyfile> <options>
westdata-hd2 /dev/sdc2 keyfilepath luks

vim /etc/fstab
# <device> <mount point> <type> <options> <dump> <pass>
# The filesystem lives on the logical volume created in the LVM section below,
# not on the raw mapper device, which only holds the LVM physical volume.
/dev/vg-westdata2/lv-westdata2 /media/test ext4 _netdev 0 0
```

4. Add, remove or change LUKS passphrases

```
# cryptsetup luksAddKey /dev/sdc2
Enter any passphrase:
Enter new passphrase for key slot:
Verify passphrase:
# cryptsetup luksRemoveKey /dev/sdc2
Enter LUKS passphrase to be deleted:
# cryptsetup luksAddKey /dev/sdc2 keyfile
Enter any passphrase:
```

## LVM partitioning

---

1. Create the PV (physical volume)

```
pvcreate /dev/mapper/westdata-hd2
  Physical volume "/dev/mapper/westdata-hd2" successfully created
```

List the existing PVs:

```
pvs
  PV                       VG   Fmt  Attr PSize   PFree
  ...
  /dev/mapper/westdata-hd2      lvm2 a--  726.55g 726.55g
```

2. Create the VG (volume group)

```
vgcreate vg-westdata2 /dev/mapper/westdata-hd2
  Volume group "vg-westdata2" successfully created
```

3. Create the LV (logical volume)

```
lvcreate -l 100%VG -n lv-westdata2 vg-westdata2
  Logical volume "lv-westdata2" created
```

Show the existing LVs:

```
lvdisplay
  --- Logical volume ---
  LV Path                /dev/vg-westdata2/lv-westdata2
  LV Name                lv-westdata2
  VG Name                vg-westdata2
  LV UUID                P1grmT-SWx5-QyeP-fnbw-18wW-w9uN-V2eVze
  LV Write Access        read/write
  LV Creation host, time 2016-12-12 00:41:53 +0800
  LV Status              available
  # open                 0
  LV Size                726.55 GiB
  Current LE             185996
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           252:8
```

4. Format the logical volume

```
mkfs.ext4 /dev/vg-westdata2/lv-westdata2
mke2fs 1.42.9 (4-Feb-2014)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
47620096 inodes, 190459904 blocks
9522995 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=4294967296
5813 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
	32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
	4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
	102400000

Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
```

5. Mount the logical volume

```
mkdir /media/test
mount /dev/vg-westdata2/lv-westdata2 /media/test
```

6. Mount the logical volume automatically

```
vim /etc/fstab
/dev/vg-westdata2/lv-westdata2 /media/test ext4 _netdev 0 0
```

## Closing the encrypted disk

---

1. Unmount the logical volume

```
umount /media/test
```

2. Close the encrypted disk

```
# Deactivate the volume group first; while its logical volumes are active,
# luksClose reports the mapping as still in use.
vgchange -an vg-westdata2
cryptsetup luksClose westdata-hd2    (the name given when the container was opened)
```

## References

---

- [Wikipedia](https://zh.wikipedia.org/wiki/GUID%E7%A3%81%E7%A2%9F%E5%88%86%E5%89%B2%E8%A1%A8)
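A misplaced crypttab or fstab entry from the encryption step 3 and LVM step 6 above only shows up at the next boot, usually as an emergency shell. The script below is an added example, not part of the original post: it checks, on copies of the two files, that the mapping is unlocked from a keyfile only its owner can read and that fstab mounts the logical volume rather than the raw mapper device. The names westdata-hd2, vg-westdata2, lv-westdata2 and /media/test are taken from the post; the sample files are constructed in a temporary directory.

```shell
#!/usr/bin/env bash
# Pre-reboot check for the crypttab/fstab auto-unlock setup in the post (added example,
# not from the original). Takes the crypttab and fstab files as arguments so it can be
# run on copies; the names westdata-hd2 / vg-westdata2 / lv-westdata2 follow the post.
set -u

# Print "device keyfile options" for mapping NAME in crypttab FILE; fail if absent.
crypttab_lookup() {
  awk -v n="$1" '$1 !~ /^#/ && $1 == n { print $2, $3, $4; f = 1 } END { exit !f }' "$2"
}
# Print "mountpoint fstype options" for DEVICE in fstab FILE; fail if absent.
fstab_lookup() {
  awk -v d="$1" '$1 !~ /^#/ && $1 == d { print $2, $3, $4; f = 1 } END { exit !f }' "$2"
}
# A keyfile read at boot must be an absolute path to an existing regular file that only
# its owner can read (0400/0600); anything looser exposes the unlock secret.
keyfile_ok() {
  local kf=$1 mode
  case $kf in /*) ;; *) echo "keyfile path is not absolute: $kf" >&2; return 1 ;; esac
  [ -f "$kf" ] || { echo "keyfile does not exist: $kf" >&2; return 1; }
  mode=$(stat -c '%a' "$kf")
  case $mode in 400|600) ;; *) echo "keyfile $kf has mode $mode, want 0400" >&2; return 1 ;; esac
}
# check_stack MAPPING VG LV CRYPTTAB FSTAB: the mapping must be unlocked from a protected
# keyfile, and fstab must mount the logical volume /dev/VG/LV (not the raw mapper device,
# which only carries the LVM PV) with _netdev so the mount waits for the mapping.
check_stack() {
  local name=$1 vg=$2 lv=$3 crypttab=$4 fstab=$5 entry
  entry=$(crypttab_lookup "$name" "$crypttab") || { echo "no crypttab entry for $name" >&2; return 1; }
  set -- $entry                      # device keyfile options
  keyfile_ok "$2" || return 1
  entry=$(fstab_lookup "/dev/$vg/$lv" "$fstab") || { echo "fstab does not mount /dev/$vg/$lv" >&2; return 1; }
  set -- $entry                      # mountpoint fstype options
  case ",$3," in *,_netdev,*) ;; *) echo "fstab entry for /dev/$vg/$lv lacks _netdev" >&2; return 1 ;; esac
}
# Constructed sample files mirroring the post's layout; returns check_stack's result.
demo() {
  local d rc; d=$(mktemp -d)
  head -c 4096 /dev/urandom > "$d/keyfile" && chmod 0400 "$d/keyfile"
  printf 'westdata-hd2 /dev/sdc2 %s luks\n' "$d/keyfile" > "$d/crypttab"
  printf '/dev/vg-westdata2/lv-westdata2 /media/test ext4 _netdev 0 0\n' > "$d/fstab"
  check_stack westdata-hd2 vg-westdata2 lv-westdata2 "$d/crypttab" "$d/fstab"; rc=$?
  rm -rf "$d"; return $rc
}
demo && echo "auto-unlock configuration is consistent"
```

Run it against the real files with `check_stack westdata-hd2 vg-westdata2 lv-westdata2 /etc/crypttab /etc/fstab`; a non-zero exit and the message on stderr tell you which entry to fix before rebooting.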