1. Setting a password for the root user
[root@localhost ~]# passwd --set a password for the current user
Changing password for user root.
New password:
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost ~]#
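2. Cracking the root user's password
(1) Reboot the system and press the Esc key
(2) Enter the boot loader's edit mode: select the highlighted entry and press e
(3) Select the boot menu line and press e
(4) Append 1 to the end of the line to enter single-user mode, then press Enter
(5) Press b to reboot
(6) After the system comes up, open the password file to change the password
(7) Look at the root user's password hash
(8) Delete the root user's password hash, then save and exit
(9) Type reboot to restart the system
(10) Log in; the root user's password is now empty
3. Password-protecting the system's GRUB so that users cannot enter single-user mode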
[root@localhost ~]# grub-md5-crypt
Password: --enter the password
Retype password: --confirm the password
$1$Bvp0X1$lzZrrThfQuLECYdk4wtAk1 --this is the hashed password; copy it
[root@localhost ~]# vim /boot/grub/grub.conf
default=1
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
password --md5 $1$Bvp0X1$lzZrrThfQuLECYdk4wtAk1 --add this line
root (hd0,0)
kernel /vmlinuz-2.6.32-358.el6.i686 ro root=/dev/mapper/VolGroup-lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD rd_LVM_LV=VolGroup/lv_swap SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=VolGroup/lv_root KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
initrd /initramfs-2.6.32-358.el6.i686.img
[root@localhost ~]# reboot
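After the reboot, the GRUB menu can no longer be edited
4. Cracking the GRUB password
(1) Insert the system installation disc and boot into rescue mode
(2) Choose the language
(3) Choose the keyboard
(4) Choose the location of the installation disc
(5) Choose the network setup (no network is needed)
(6) Choose to enter system rescue mode
(7) Mount the system under /mnt/sysimage (chroot /mnt/sysimage changes the root directory)
(8) Mount the system
(9) Choose the shell environment
(10) Open the grub.conf file
(11) Delete the password line from grub.conf
(12) Reboot the system
5. Encrypting a system partition
[root@localhost ~]# yum install cryptsetup -y --install the package
[root@localhost ~]# fdisk -cu /dev/sdb --partition the disk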
Command (m for help): p
Disk /dev/sdb: 157 MB, 157286400 bytes
255 heads, 63 sectors/track, 19 cylinders, total 307200 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x2c917867
Device Boot Start End Blocks Id System
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First sector (2048-307199, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-307199, default 307199): +100M
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.
[root@localhost ~]# partx -a /dev/sdb
BLKPG: Device or resource busy
[root@localhost ~]# cryptsetup luksFormat /dev/sdb1 --encrypt the /dev/sdb1 partition
WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.
Are you sure? (Type uppercase yes): YES --must be uppercase
Enter LUKS passphrase: --enter the passphrase
Verify passphrase: --confirm the passphrase
[root@localhost ~]# cryptsetup luksOpen /dev/sdb1 tong --create a mapping name (alias) for the partition
Enter passphrase for /dev/sdb1:
[root@localhost ~]# mkfs.ext4 /dev/mapper/tong --format the partition
mke2fs 1.41.12 (17-May-2010)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
25168 inodes, 100352 blocks
5017 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67371008
13 block groups
8192 blocks per group, 8192 fragments per group
1936 inodes per group
Superblock backups stored on blocks:
8193, 24577, 40961, 57345, 73729
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 31 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
[root@localhost ~]# mount /dev/mapper/tong /mnt/sdb/ --mounted successfully
[root@localhost ~]# cd /mnt/sdb/
[root@localhost sdb]# mkdir 12 --write some data
[root@localhost sdb]# cd
[root@localhost ~]# umount /mnt/sdb/ --unmount the device
[root@localhost ~]# cryptsetup luksClose /dev/mapper/tong --close the encrypted partition
[root@localhost ~]# df -TH
Filesystem Type Size Used Avail Use% Mounted on
/dev/mapper/VolGroup-lv_root
ext4 6.9G 6.4G 177M 98% /
tmpfs tmpfs 262M 0 262M 0% /dev/shm
/dev/sda1 ext4 508M 48M 435M 10% /boot
[root@localhost ~]# cryptsetup luksOpen /dev/sdb1 tong --the passphrase must be entered before the partition can be used
Enter passphrase for /dev/sdb1:
[root@localhost ~]# mount /dev/mapper/tong /mnt/sdb/
[root@localhost ~]# df -TH
Filesystem Type Size Used Avail Use% Mounted on
/dev/mapper/VolGroup-lv_root
ext4 6.9G 6.4G 177M 98% /
tmpfs tmpfs 262M 0 262M 0% /dev/shm
/dev/sda1 ext4 508M 48M 435M 10% /boot
/dev/mapper/tong
ext4 100M 5.8M 89M 7% /mnt/sdb
[root@localhost ~]# vim /etc/crypttab --edit the configuration file
name /dev/sdb1 --enable this line; the system then requires the passphrase at boot
[root@localhost ~]#
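To boot without being asked for the passphrase:
[root@localhost ~]# vim /etc/crypttab
name /dev/sdb1 /home/sdb1.key --key file that stores the passphrase
[root@localhost ~]# echo "system" > /home/sdb1.key --system is the passphrase
[root@localhost ~]# chown root.root /home/sdb1.key --set ownership and permissions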
[root@localhost ~]# chmod 600 /home/sdb1.key
[root@localhost ~]# cryptsetup luksAddKey /dev/sdb1 /home/sdb1.key
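Anyone who can read the key file from the steps above can unlock the partition, so its ownership and mode are worth checking after setup. The following is an added example, not part of the original post: a shell audit that walks a crypttab and flags key files that are missing, owned by an unexpected uid, or accessible to group/other. The function names and the expected-uid parameter are assumptions for illustration, and it relies on GNU stat.

```sh
#!/bin/sh
# Added example (not from the original post). Assumes GNU stat (Linux).
# Function names and the EXPECTED_UID parameter are hypothetical.

# check_keyfile PATH [EXPECTED_UID]: print findings, return 0 only if clean.
check_keyfile() {
    kf=$1; want_uid=${2:-0}; bad=0
    if [ ! -f "$kf" ]; then
        echo "MISSING $kf"; return 1
    fi
    mode=$(stat -c '%a' "$kf"); owner=$(stat -c '%u' "$kf")
    # Any group/other bit lets a non-root account read or replace the key.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "MODE $kf is $mode, expected 600 or stricter"; bad=1
    fi
    if [ "$owner" != "$want_uid" ]; then
        echo "OWNER $kf has uid $owner, expected $want_uid"; bad=1
    fi
    return $bad
}

# audit_crypttab FILE [EXPECTED_UID]
# Fields per line: name device [keyfile [options]]; no keyfile, "none" or "-"
# means the passphrase is typed at boot.
audit_crypttab() {
    tab=$1; tab_uid=${2:-0}; rc=0
    while read -r name dev keyfile opts || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac
        case $keyfile in
            ''|none|-) echo "PROMPT $name ($dev) asks for the passphrase at boot" ;;
            *) check_keyfile "$keyfile" "$tab_uid" || rc=1 ;;
        esac
    done < "$tab"
    return $rc
}

# Constructed demo: a key file left at mode 644, which is what
# `echo ... > file` produces under umask 022 before chmod 600 is run.
demo=$(mktemp -d)
echo "system" > "$demo/sdb1.key"; chmod 644 "$demo/sdb1.key"
printf 'name /dev/sdb1 %s\n' "$demo/sdb1.key" > "$demo/crypttab"
audit_crypttab "$demo/crypttab" "$(id -u)" || echo "findings listed above"
rm -rf "$demo"
```

On a real host the call would be `audit_crypttab /etc/crypttab`, run as root so the default expected uid of 0 applies.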
6. There is currently no way to crack the partition encryption