
I am trying to destroy the LUKS header on one of my logical volumes, data1. After deleting the LUKS header I am still able to read the files in data1. I think it should not be that way? Can someone help me understand this case?

lsblk output

NAME                                            MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                                               8:0    0 894.2G  0 disk
├─sda1                                            8:1    0   500M  0 part  /boot
└─sda2                                            8:2    0 893.8G  0 part
  ├─vg0-root                                    251:0    0 758.7G  0 lvm
  │ └─luks-45f803e5-3c17-4aaf-a9ad-d66c8b5458de 251:2    0 758.7G  0 crypt /
  ├─vg0-swap                                    251:1    0    75G  0 lvm   [SWAP]
  ├─vg0-data3                                   251:3    0    20G  0 lvm
  │ └─luks-6e168d35-26dc-429c-a3d6-8cb4f1c1d39e 251:7    0    20G  0 crypt /data3
  ├─vg0-data2                                   251:4    0    20G  0 lvm
  │ └─luks-75727dd1-a332-423d-8c37-4cedf9cbe83c 251:8    0    20G  0 crypt /data2
  └─vg0-data1                                   251:5    0    20G  0 lvm
    └─luks-cf2d9729-2d1b-48b8-8502-dea937ef602f 251:6    0    20G  0 crypt /data1

luksDump output to check whether the LUKS header exists:

-130-sapam@test-host:~ $ sudo cryptsetup luksDump /dev/mapper/vg0-data1
LUKS header information for /dev/mapper/vg0-data1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
MK digest:      9f e7 1a b3 0e fb 4e bc 6d 1b 9e 46 f8 bd 15 22 ea 04 6e c3
MK salt:        83 5e 90 5b b3 a1 c5 a5 d4 22 a0 3e 23 25 51 50
                fc cd a8 ac db 9f d0 a8 8b 81 6e 9a 92 1f d8 d3
MK iterations:  43750
UUID:           cf2d9729-2d1b-48b8-8502-dea937ef602f

Key Slot 0: ENABLED
    Iterations:             439102
    Salt:                   f1 6d 23 b0 b7 ee fc 09 8c 6b 92 ef b2 17 ef d9
                            0c 83 64 29 bf bc 98 3f f6 93 4b 45 06 49 a9 21
    Key material offset:    8
    AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Destroying the LUKS header:

-130-sapam@test-host:~ $ sudo dd bs=512 count=4096 if=/dev/zero of=/dev/mapper/vg0-data1
4096+0 records in
4096+0 records out
2097152 bytes (2.1 MB) copied, 0.00444235 s, 472 MB/s
-0-sapam@test-host:~ $ sudo cryptsetup luksDump /dev/mapper/vg0-data1
-1-sapam@test-host:~ $

I am still able to read the files in /data1/

-1-sapam@test-host:~ $ cat /data1/foo
james
-0-sapam@test-host:~ $

As I understand it, once the header is destroyed, /data1 should no longer be readable, right?


1 Answer


It looks like you are destroying a mounted partition.

When the partition is mounted, the encryption/decryption key is held in memory. You should first unmount your LUKS partition:

# umount /data1

Then wipe the LUKS header. You will not be able to mount it again.

Note that the cryptsetup utility has a command to remove the LUKS header:

# cryptsetup luksErase /dev/mapper/vg0-data1

The advantage of this operation is that you can restore the LUKS header from a backup, if you made one beforehand.

From cryptsetup(8):

       erase <device>
       luksErase <device>

              Erase all keyslots and make the LUKS container permanently inac‐
              cessible.  You do not need to provide any password for this  op‐
              eration.

              WARNING: This operation is irreversible.
answered 2020-03-09T08:57:27.587
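An added example, not part of the question or the answer and not cryptsetup's own code: a small Python model of the LUKS1 on-disk header (the 208-byte phdr followed by eight 48-byte keyslots, big-endian, as laid out in the LUKS1 specification), filled with the values from the luksDump above. It shows three things the thread discusses: `luksDump` has nothing to print once the magic bytes are gone; the `dd bs=512 count=4096` from the question covers exactly the 2097152-byte header region in front of the payload (payload offset 4096 sectors) and leaves the ciphertext untouched, which is why an already-open mapping with the master key in kernel memory keeps serving the files; and a simplified model of what `luksErase` does to the keyslots (that model is an assumption about cryptsetup's behaviour, not its source). The AF key material bytes and the payload bytes are constructed stand-ins.

```python
"""Model of the LUKS1 header (phdr + 8 keyslots) built from the luksDump values in the question."""
import struct

SECTOR = 512
LUKS_MAGIC = b"LUKS\xba\xbe"
# phdr (208 bytes, big-endian): magic, version, cipher-name, cipher-mode, hash-spec,
# payload-offset (sectors), key-bytes, mk-digest, mk-digest-salt, mk-digest-iter, uuid.
HDR_FMT = ">6sH32s32s32sII20s32sI40s"
# keyslot (48 bytes): active marker, iterations, salt, key-material-offset (sectors), stripes.
SLOT_FMT = ">II32sII"
SLOT_ACTIVE, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
N_SLOTS = 8
HDR_LEN, SLOT_LEN = struct.calcsize(HDR_FMT), struct.calcsize(SLOT_FMT)


def _cstr(raw: bytes) -> str:
    return raw.split(b"\x00", 1)[0].decode("ascii")


def parse_luks1_header(dev: bytes):
    """Return the fields luksDump prints, or None when the magic is gone."""
    if len(dev) < HDR_LEN + N_SLOTS * SLOT_LEN or dev[:6] != LUKS_MAGIC:
        return None
    (_, version, cipher, mode, hashspec, payload_off, key_bytes, mk_digest,
     mk_salt, mk_iter, dev_uuid) = struct.unpack_from(HDR_FMT, dev, 0)
    slots = []
    for i in range(N_SLOTS):
        active, iters, salt, km_off, stripes = struct.unpack_from(
            SLOT_FMT, dev, HDR_LEN + i * SLOT_LEN)
        slots.append({"enabled": active == SLOT_ACTIVE, "iterations": iters,
                      "salt": salt, "key_material_offset": km_off, "stripes": stripes})
    return {"version": version, "cipher": _cstr(cipher), "mode": _cstr(mode),
            "hash": _cstr(hashspec), "payload_offset": payload_off,
            "mk_bits": key_bytes * 8, "mk_digest": mk_digest, "mk_salt": mk_salt,
            "mk_iterations": mk_iter, "uuid": _cstr(dev_uuid), "key_slots": slots}


def header_region_bytes(hdr) -> int:
    """Everything before the payload: phdr, keyslot table and AF key material."""
    return hdr["payload_offset"] * SECTOR


def build_device_image(payload: bytes) -> bytes:
    """Constructed image of vg0-data1: header values from the question's luksDump,
    stand-in AF key material for slot 0, then the (constructed) ciphertext payload."""
    payload_off, key_bytes = 4096, 32                      # sectors / bytes (MK bits 256)
    phdr = struct.pack(
        HDR_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256", payload_off, key_bytes,
        bytes.fromhex("9f e7 1a b3 0e fb 4e bc 6d 1b 9e 46 f8 bd 15 22 ea 04 6e c3"),
        bytes.fromhex("83 5e 90 5b b3 a1 c5 a5 d4 22 a0 3e 23 25 51 50"
                      "fc cd a8 ac db 9f d0 a8 8b 81 6e 9a 92 1f d8 d3"),
        43750, b"cf2d9729-2d1b-48b8-8502-dea937ef602f")
    km_off, stripes = 8, 4000
    slot0 = struct.pack(
        SLOT_FMT, SLOT_ACTIVE, 439102,
        bytes.fromhex("f1 6d 23 b0 b7 ee fc 09 8c 6b 92 ef b2 17 ef d9"
                      "0c 83 64 29 bf bc 98 3f f6 93 4b 45 06 49 a9 21"),
        km_off, stripes)
    disabled = struct.pack(SLOT_FMT, SLOT_DISABLED, 0, bytes(32), 0, 0)
    img = bytearray(payload_off * SECTOR)                  # zero-filled header region
    img[:HDR_LEN + N_SLOTS * SLOT_LEN] = phdr + slot0 + disabled * (N_SLOTS - 1)
    km_len = stripes * key_bytes                           # 4000 stripes * 32 bytes
    # Constructed stand-in for the AF-split key material (not real key material).
    img[km_off * SECTOR:km_off * SECTOR + km_len] = bytes((i * 7 + 3) & 0xFF for i in range(km_len))
    return bytes(img) + payload


def dd_zero(dev: bytes, count: int, bs: int = SECTOR) -> bytes:
    """`dd if=/dev/zero bs=<bs> count=<count> of=<dev>`: zero the first count*bs bytes."""
    n = min(count * bs, len(dev))
    return bytes(n) + dev[n:]


def luks_erase(dev: bytes) -> bytes:
    """Simplified model (assumption, not cryptsetup's code) of `luksErase` on LUKS1:
    wipe each active slot's key material and mark the slot disabled. The phdr itself
    survives, so luksDump still works, but no slot can recover the master key."""
    hdr = parse_luks1_header(dev)
    if hdr is None:
        raise ValueError("no LUKS1 header present")
    img, key_bytes = bytearray(dev), hdr["mk_bits"] // 8
    for i, slot in enumerate(hdr["key_slots"]):
        if not slot["enabled"]:
            continue
        start, length = slot["key_material_offset"] * SECTOR, slot["stripes"] * key_bytes
        img[start:start + length] = bytes(length)
        off = HDR_LEN + i * SLOT_LEN
        img[off:off + SLOT_LEN] = struct.pack(SLOT_FMT, SLOT_DISABLED, 0, bytes(32),
                                              slot["key_material_offset"], slot["stripes"])
    return bytes(img)


if __name__ == "__main__":
    img = build_device_image(b"\xa5" * 4096)      # constructed ciphertext stand-in
    hdr = parse_luks1_header(img)
    print("header region:", header_region_bytes(hdr), "bytes")    # same size as the dd above
    print("after dd:", parse_luks1_header(dd_zero(img, 4096)))   # None: nothing for luksDump
    print("after luksErase:", [s["enabled"] for s in parse_luks1_header(luks_erase(img))["key_slots"]])
```

The parser is also a handy offline check when auditing a disk image: a device whose first six bytes are not `LUKS\xba\xbe` is either not LUKS1 or has had its header destroyed, and a header whose keyslots are all disabled can never be unlocked again unless a header backup exists, which is the point the answer makes about `luksErase`.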