sudo apt-get install cryptsetup
sudo fallocate -l 64G /root/fordocker
sudo cryptsetup -y luksFormat /root/fordocker
sudo file /root/fordocker
sudo cryptsetup luksOpen /root/test2 volume1
sudo mkfs.ext4 -j /dev/mapper/volume1
sudo mkdir /var/lib/docker
sudo mount /dev/mapper/volume1 /var/lib/docker
df -h
LUKS is a on-disk format for encrypted volumes. It puts metadata in front of the actual encrypted data. The metadata stores the encryption algorithm, key length, block chaining method etc. Therefore one does not need to memorize those parameters which make LUKS suitable for use on e.g. USB memory sticks. Additionally LUKS uses a master key that is encrypted using the passphrase hash. That way it's possible to change the passphrase and one can use multiple passphrases. cryptsetup is able to handle LUKS volumes.
Luks is an encryption layer on a block device, it operates on a particular block device, and exposes a new block device which is the decrypted version. Access to this device will trigger transparent encryption/decryption while it's in use.
LUKs stores a bunch of metadata at the start of the device.
It has slots for multiple passphrases. Each slot has a 256-bit salt that is shown in the clear along with an encrypted message. When entering a passphrase LUKS combines it with each of the salts, in turn, hashing the result and tries to use the result as keys to decrypt an encrypted message in each slot. This message consists of some known text and a copy of the master key. If it works for any one of the slots because of the known text matches, the master key is now known and you can decrypt the entire container. The master key must remain unencrypted in RAM while the container is in use.
Knowing the master key allows you access to all the data in the container, but doesn't reveal the passwords in the password slots so one user cannot see the passwords of other users. The system is not designed for users to be able to see the master key while in operation, and this key can't be changed without re-encrypting. The use of password slots, however, means that passwords can be changed without re-encrypting the entire container, and allows for use of multiple passwords.
sudo fallocate -l 64G /root/fordocker
sudo cryptsetup -y luksFormat /root/fordocker
sudo file /root/fordocker
sudo cryptsetup luksOpen /root/test2 volume1
sudo mkfs.ext4 -j /dev/mapper/volume1
sudo mkdir /var/lib/docker
sudo mount /dev/mapper/volume1 /var/lib/docker
df -h
LUKS is a on-disk format for encrypted volumes. It puts metadata in front of the actual encrypted data. The metadata stores the encryption algorithm, key length, block chaining method etc. Therefore one does not need to memorize those parameters which make LUKS suitable for use on e.g. USB memory sticks. Additionally LUKS uses a master key that is encrypted using the passphrase hash. That way it's possible to change the passphrase and one can use multiple passphrases. cryptsetup is able to handle LUKS volumes.
Luks is an encryption layer on a block device, it operates on a particular block device, and exposes a new block device which is the decrypted version. Access to this device will trigger transparent encryption/decryption while it's in use.
LUKs stores a bunch of metadata at the start of the device.
It has slots for multiple passphrases. Each slot has a 256-bit salt that is shown in the clear along with an encrypted message. When entering a passphrase LUKS combines it with each of the salts, in turn, hashing the result and tries to use the result as keys to decrypt an encrypted message in each slot. This message consists of some known text and a copy of the master key. If it works for any one of the slots because of the known text matches, the master key is now known and you can decrypt the entire container. The master key must remain unencrypted in RAM while the container is in use.
Knowing the master key allows you access to all the data in the container, but doesn't reveal the passwords in the password slots so one user cannot see the passwords of other users. The system is not designed for users to be able to see the master key while in operation, and this key can't be changed without re-encrypting. The use of password slots, however, means that passwords can be changed without re-encrypting the entire container, and allows for use of multiple passwords.
No comments:
Post a Comment