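How to configure a CentOS system to protect the transmission and storage of sensitive data
In the information age, data has become one of the most valuable assets of companies and individuals. With that come data leaks and information security problems. To protect sensitive data in transit and in storage, we need to apply the corresponding configuration and measures on the CentOS system.
Use an encryption protocol for data transmission
During transmission, data is most exposed to interception and theft of packets. We therefore need an encryption protocol to protect data in transit. The most common encryption protocol is SSL/TLS. On CentOS, we can use the OpenSSL library to provide the encryption.
First, we need to install the OpenSSL library. Run the following command in a terminal: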
sudo yum install openssl
Next, we need to generate an SSL certificate. The following command generates a self-signed certificate:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
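Then place the generated files key.pem and cert.pem in the server's SSL directory.
Next, modify the server's configuration file so that it supports SSL connections. Run the following command in a terminal to open the configuration file: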
sudo vi /etc/httpd/conf.d/ssl.conf
Uncomment the following lines:
SSLEngine on
SSLCertificateFile /path/to/cert.pem
SSLCertificateKeyFile /path/to/key.pem
Save and exit the configuration file, then restart the Apache server:
sudo systemctl restart httpd
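The server will now use the SSL protocol for encrypted transmission.
Encryption protection for stored data
Besides data in transit, we also need to encrypt sensitive data in storage to prevent data leaks. On CentOS, we can use LUKS (Linux Unified Key Setup) to encrypt disks.
First, we need to install the cryptsetup tool. Run the following command in a terminal: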
sudo yum install cryptsetup
Then we can create a LUKS encrypted container with the following command:
sudo cryptsetup -y luksFormat /dev/sdX
Here, /dev/sdX stands for the disk to be encrypted. This command prompts you to set a key and confirm the password.
Next, use the following command to map the LUKS container as a device:
sudo cryptsetup luksOpen /dev/sdX encrypted_device
This command asks for the key to open the LUKS container and maps it as encrypted_device.
Finally, use the following commands to format the encrypted device and mount it:
sudo mkfs.ext4 /dev/mapper/encrypted_device
sudo mkdir -p /mnt/encrypted
sudo mount /dev/mapper/encrypted_device /mnt/encrypted
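You can now store sensitive data under /mnt/encrypted, and files in that directory are encrypted automatically.
To have the LUKS encrypted device mounted automatically at system boot, we need to edit the /etc/crypttab file. Run the following command in a terminal to open the file: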
sudo vi /etc/crypttab
Add the following line to the file:
encrypted_device /dev/sdX none luks
Save and exit the file. Next, we need to edit the /etc/fstab file so that the device is mounted automatically at system boot. Run the following command to open the file:
sudo vi /etc/fstab
Add the following line to the file:
/dev/mapper/encrypted_device /mnt/encrypted ext4 defaults 0 0
Save and exit the file.
Now, when the system boots, the LUKS encrypted container is unlocked automatically and mounted at /mnt/encrypted.
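A pre-reboot check for the two files edited above, added here as an example and not part of the original article: it parses a crypttab and an fstab and reports whether each mapping is defined, whether the source is a non-persistent /dev/sdX name, and whether boot will stop for a passphrase (which is what the key field none means). The function name check_luks_boot and the sample file contents, including the LVM name centos-root, are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): lint crypttab + fstab before rebooting.

# check_luks_boot <crypttab> <fstab> prints one finding per line.
check_luks_boot() {
  awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    FILENAME == ARGV[1] {                    # crypttab: name source keyfile options
      src[$1] = $2
      if ($2 ~ /^\/dev\/sd/)
        print "WARN " $1 ": source " $2 " is a kernel name that can change between boots; use UUID= from cryptsetup luksUUID"
      if ($3 == "" || $3 == "none" || $3 == "-")
        print "INFO " $1 ": no key file, so boot stops for a passphrase on the console"
      else
        print "WARN " $1 ": key file " $3 " must be readable by root only"
      next
    }
    $1 ~ /^\/dev\/mapper\// {                # fstab: device mountpoint type options dump pass
      name = $1; sub(/^\/dev\/mapper\//, "", name)
      mounted[name] = 1
      if (name in src) print "OK " name ": defined in crypttab, mounted at " $2
      else print "CHECK " name ": not in crypttab; fine for an LVM volume, otherwise the mount fails at boot"
    }
    END {
      for (n in src) if (!(n in mounted))
        print "INFO " n ": unlocked at boot but no fstab entry mounts it"
    }
  ' "$1" "$2"
}

# Constructed sample files mirroring the two lines added in this article.
demo() {
  local dir; dir=$(mktemp -d)
  printf '%s\n' '# constructed sample' 'encrypted_device /dev/sdX none luks' > "$dir/crypttab"
  printf '%s\n' '/dev/mapper/encrypted_device /mnt/encrypted ext4 defaults 0 0' \
                '/dev/mapper/centos-root / xfs defaults 0 0' > "$dir/fstab"
  check_luks_boot "$dir/crypttab" "$dir/fstab"
  rm -rf "$dir"
}
demo
```

Run it against the real files with check_luks_boot /etc/crypttab /etc/fstab.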
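With the CentOS configuration above, we can effectively protect sensitive data in transit and in storage. The encryption protocol secures data during transmission, and the LUKS encrypted container protects data in storage. Combined, these measures provide comprehensive protection for sensitive data.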
ÒÔÉϾÍÊÇÔõÑùÉèÖÃCentOSϵͳ±£»¤Ãô¸ÐÊý¾ÝµÄ´«ÊäºÍ´æ´¢µÄÏêϸÄÚÈÝ£¬¸ü¶àÇë¹Ø×¢±¾ÍøÄÚÆäËüÏà¹ØÎÄÕ£¡