内容简介:本文风哥教程参考Linux官方文档、Red Hat Enterprise Linux官方文档、Ansible Automation Platform官方文档、Docker官方文档、Kubernetes官方文档和Podman官方文档等内容,详细介绍了相关技术的配置和使用方法。
风哥提示:
本文档介绍存储安全配置的方法和最佳实践。
Part01-磁盘加密
1.1 LUKS加密配置
[root@server ~]# dnf install -y cryptsetup
# 创建加密分区
[root@server ~]# cryptsetup luksFormat /dev/sdb1
WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.
Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/sdb1:
Verify passphrase:
# 打开加密分区
[root@server ~]# cryptsetup luksOpen /dev/sdb1 encrypted_data
Enter passphrase for /dev/sdb1:
# 查看映射
[root@server ~]# ls /dev/mapper/
control encrypted_data
# 格式化加密分区
[root@server ~]# mkfs.xfs /dev/mapper/encrypted_data
meta-data=/dev/mapper/encrypted_data isize=512 agcount=4, agsize=6553600 blks
= sectsz=512 attr=2, projid32bit=1
= crc=1 finobt=1, sparse=1, rmapbt=0
= reflink=1 bigtime=1 inobtcount=1
data = bsize=4096 blocks=26214400, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0, ftype=1
log =internal log bsize=4096 blocks=12800, version=2
= sectsz=512 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
# 挂载加密分区
[root@server ~]# mkdir /data/encrypted
[root@server ~]# mount /dev/mapper/encrypted_data /data/encrypted
# 查看LUKS信息
[root@server ~]# cryptsetup luksDump /dev/sdb1
LUKS header information
Version: 2
Epoch: 3
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: 12345678-90ab-cdef-1234-567890abcdef
Label: (no label)
Subsystem: (no subsystem)
Flags: (no flags)
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 512 [bytes]
Keyslots:
0: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2i
Time cost: 4
Memory: 1048576
Threads: 4
Salt: 12345678 90abcdef 12345678 90abcdef
12345678 90abcdef 12345678 90abcdef
AF stripes: 4000
AF hash: sha256
Area offset:32768 [bytes]
Area length:258048 [bytes]
Digest ID: 0
# 添加密钥
[root@server ~]# cryptsetup luksAddKey /dev/sdb1
Enter any existing passphrase:
Enter new passphrase for key slot:
Verify passphrase:
# 删除密钥(删除最后一个可用密钥槽后设备将无法再解锁,操作前请确认至少保留一个可用密钥或密钥文件)
[root@server ~]# cryptsetup luksRemoveKey /dev/sdb1
Enter passphrase to be deleted:
# 关闭加密分区
[root@server ~]# umount /data/encrypted
[root@server ~]# cryptsetup luksClose encrypted_data
1.2 自动挂载加密分区
[root@server ~]# dd if=/dev/urandom of=/root/luks-keyfile bs=4096 count=1
1+0 records in
1+0 records out
4096 bytes (4.1 kB, 4.0 KiB) copied, 0.000123456 s, 33.2 MB/s
[root@server ~]# chmod 600 /root/luks-keyfile
# 添加密钥文件(密钥文件以明文保存在根文件系统上,只有当根文件系统本身已加密或受同等保护时,这种自动解锁方式才能达到预期的安全效果)
[root@server ~]# cryptsetup luksAddKey /dev/sdb1 /root/luks-keyfile
Enter any existing passphrase:
# 配置crypttab
[root@server ~]# cat > /etc/crypttab << 'EOF'
encrypted_data /dev/sdb1 /root/luks-keyfile luks
EOF
# 配置fstab
[root@server ~]# cat >> /etc/fstab << 'EOF'
/dev/mapper/encrypted_data /data/encrypted xfs defaults 0 0
EOF
# 测试自动挂载
[root@server ~]# systemctl daemon-reload
[root@server ~]# mount -a
# 使用NBDE自动解锁
[root@server ~]# dnf install -y tang clevis clevis-luks
# 部署Tang服务器
[root@tang-server ~]# dnf install -y tang
[root@tang-server ~]# systemctl enable --now tangd.socket
Created symlink /etc/systemd/system/multi-user.target.wants/tangd.socket → /usr/lib/systemd/system/tangd.socket.
# 客户端绑定Tang(回答信任密钥之前,应在Tang服务器上执行 tang-show-keys 核对下方显示的密钥指纹是否一致)
[root@server ~]# clevis luks bind -d /dev/sdb1 tang '{"url":"http://tang-server.fgedu.net.cn"}'
The advertisement contains the following keys:
kRsGpF1Y0Y_5rT3xV7zQ2w
Do you wish to trust these keys? [ynYN] y
Enter existing LUKS password:
# 验证绑定
[root@server ~]# clevis luks list -d /dev/sdb1
1: tang '{"url":"http://tang-server.fgedu.net.cn"}'
# 测试自动解锁
[root@server ~]# cryptsetup luksClose encrypted_data
[root@server ~]# clevis luks unlock -d /dev/sdb1 -n encrypted_data
Part02-访问控制
2.1 文件系统权限
[root@server ~]# chmod 750 /data/secure
[root@server ~]# chown root:securegroup /data/secure
# 设置ACL
[root@server ~]# setfacl -m u:user1:rwx /data/secure
[root@server ~]# setfacl -m g:securegroup:rwx /data/secure
[root@server ~]# getfacl /data/secure
getfacl: Removing leading '/' from absolute path names
# file: data/secure
# owner: root
# group: securegroup
user::rwx
user:user1:rwx
group::r-x
group:securegroup:rwx
mask::rwx
other::---
# 设置默认ACL
[root@server ~]# setfacl -d -m u:user1:rwx /data/secure
[root@server ~]# setfacl -d -m g:securegroup:rwx /data/secure
# 设置不可变属性
[root@server ~]# chattr +i /data/secure/important.txt
[root@server ~]# lsattr /data/secure/important.txt
----i--------------- /data/secure/important.txt
# 删除不可变属性
[root@server ~]# chattr -i /data/secure/important.txt
# 设置只读追加属性
[root@server ~]# chattr +a /data/secure/log.txt
[root@server ~]# lsattr /data/secure/log.txt
-----a--------------- /data/secure/log.txt
# SELinux上下文
[root@server ~]# semanage fcontext -a -t httpd_sys_content_t "/data/web(/.*)?"
[root@server ~]# restorecon -Rv /data/web
Relabeled /data/web from system_u:object_r:default_t:s0 to system_u:object_r:httpd_sys_content_t:s0
Relabeled /data/web/index.html from system_u:object_r:default_t:s0 to system_u:object_r:httpd_sys_content_t:s0
2.2 存储配额管理
[root@server ~]# mount -o usrquota,grpquota /dev/sdb1 /data/quota
# 创建配额文件(quotacheck 与 aquota.* 文件适用于 ext4 等文件系统;XFS 不使用这些文件,XFS 配额的设置方法见下方 xfs_quota 部分)
[root@server ~]# quotacheck -cug /data/quota
[root@server ~]# ls /data/quota/
aquota.group aquota.user
# 启用配额
[root@server ~]# quotaon /data/quota
# 设置用户配额
[root@server ~]# setquota -u user1 100000 200000 1000 2000 /data/quota
# 设置组配额
[root@server ~]# setquota -g securegroup 500000 600000 5000 6000 /data/quota
# 查看配额
[root@server ~]# repquota /data/quota
*** Report for user quotas on device /dev/sdb1
Block grace time: 7days; Inode grace time: 7days
Block limits File limits
User used soft hard grace used soft hard grace
----------------------------------------------------------------------
root -- 20 0 0 2 0 0
user1 -- 0 100000 200000 0 1000 2000
# 查看用户配额
[root@server ~]# quota -u user1
Disk quotas for user user1 (uid 1001):
Filesystem blocks quota limit grace files quota limit grace
/dev/sdb1 0 100000 200000 0 1000 2000
# 编辑配额
[root@server ~]# edquota -u user1
# 配置自动挂载配额
[root@server ~]# cat >> /etc/fstab << 'EOF'
/dev/sdb1 /data/quota xfs defaults,usrquota,grpquota 0 0
EOF
# XFS配额管理
[root@server ~]# mount -o uquota,gquota /dev/sdc1 /data/xfs-quota
[root@server ~]# xfs_quota -x -c 'limit bsoft=100m bhard=200m user1' /data/xfs-quota
[root@server ~]# xfs_quota -x -c 'report -h' /data/xfs-quota
User quota on /data/xfs-quota (/dev/sdc1)
Blocks
User ID Used Soft Hard Warn/Grace
---------- ---------------------------------
root 0 0 0 00 [------]
user1 0 100M 200M 00 [------]
- 对敏感数据使用LUKS加密
- 配置适当的访问权限
- 使用SELinux增强安全
- 设置存储配额限制
- 定期审计访问日志
