document/TranslateProject
2
0
Fork 0
mirror of https://github.com/LCTT/TranslateProject.git synced 2025-01-13 22:30:37 +08:00
Code Issues Packages Projects Releases Wiki Activity

翻译完成

Browse Source
This commit is contained in:
runningwater 2014-06-17 00:59:40 +08:00
parent a03f78e038
commit 612134d0c1
2 changed files with 141 additions and 284 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

143
sources/tech/Encrypting Your Cat Photos.md
View File

@ -1,143 +0,0 @@
(翻译中 by runningwater)
Encrypting Your Cat Photos
================================================================================
The truth is, I really don't have anything on my hard drive that I would be upset over someone seeing. I have some cat photos. I have a few text files with ideas for future books and/or short stories, and a couple half-written starts to NaNoWriMo novels. It would be easy to say that there's no point encrypting my hard drive, because I have nothing to hide. The problem is, we wrongly correlate a "desire for privacy" with "having something to hide". I think where I live, in America, we've taken our rights to privacy for granted. Rather than the traditional "he must be hiding porn or bombs", think about something a little more mundane.
I live in Michigan. It's cold here in the winter, and I tend to keep my thermostat set around 75 degrees. That might seem high to you, but for my family, it's just right. Thanks to the privacy of my own home, my neighbors don't know how toasty warm we keep it. Some of those neighbors would be very upset to see how "wasteful" the Powers family is in the winter. In fact, there's one local man who makes it a point to let everyone know that anything over 60 degrees is ecologically wasteful. I don't want to get into a fight with Old Man Icebritches, so we just keep our comfortable house a secret. We don't have anything to hide, but it's not something everyone needs to know about.
Obviously my example is silly, but hopefully it makes you think. Modern Linux allows us to encrypt our data easily and reliably, so why not take advantage of it?
### How Does It Work? ###
I won't go into too much detail about how encryption works, but a basic understanding is necessary for even the simplest implementation. To encrypt and decrypt a file, two "keys" are required. One is the private key, which is just that, private. I like to think of the private key as an actual key—you can make copies if you want, but it's not wise to do so. The more copies of your private keys you make, the more likely someone nefarious will get one and break into your apartment—er, I mean files.
The public key is more like a schematic for a lock that only you can open (with your private key). You make this key available for anyone. You can post it on a Web site, put it in your e-mail, tattoo it on your back, whatever. When others want to create a file that only you can see, they encrypt it using your public key.
This one-to-many scenario also has a cool side effect. If you encrypt something using your private key, anyone can decrypt it using your public key. This may sound silly, but what makes such a scenario useful is that although the encrypted file isn't protected from prying eyes, it is guaranteed to be from you. Only a file encrypted with your private key can be decrypted with your public key. In this way, encrypting something with your private key digitally "signs" the file.
#### Usually it works like this: ####
1. You have a file you want to send to Suzy, so you encrypt it with Suzy's public key. Only Suzy can open it, but there's no way for Suzy to know that you are the one who sent it, since anyone could encrypt a file with her public key.
1. Therefore, you take the file you encrypted with Suzy's public key and encrypt that file with your private key. Suzy will have to decrypt the file twice, but she'll know it came from you.
1. Suzy receives the file and decrypts the first layer with your public key, proving it came from you.
1. Suzy then decrypts the second layer of encryption with her private key, as that's the only key able to decrypt the original file. (Because you originally encrypted it with her public key.)
That scenario is when encryption is used for safely transferring files, of course. It's also quite common simply to encrypt your files (or partitions) so that no one can see them unless you decrypt them first. Let's start with file encryption, because that's what most people will want to do on their systems.
### Starting Simple ###
Before I go into more complex type setting, let's discuss simply encrypting a file. There are various programs to handle encryption. In fact, it's easy to get overwhelmed with the available options for file and system encryption. Today, let's use a basic (but very powerful) command-line tool for encrypting a file. GPG (Gnu Privacy Guard) is an open-source implementation of PGP (Pretty Good Protection). It allows encryption and signing, and manages multiple keys and so on. For this example, let's simply encrypt a file.
Let's say you have a file called secret_manifesto.txt, which contains the secrets to life, the universe and everything. Using GPG, you can encrypt the file with a passphrase. Using a passphrase is far simpler than using a public and private key pair, because it's simply encrypted using your passphrase. This does make your file more susceptible to cracking (using rainbow tables or other hacking tools), but like the label on the tin says, it's Pretty Good Protection. To encrypt your file, you can do this:
# gpg -c secret_manifesto.txt
# Enter passphrase:
# Repeat passphrase:
Once complete, you'll have a new file in the same directory. It will be named secret_manifesto.txt.gpg by default. This is a binary file, which means it's fairly small, but it can't be copy/pasted into an e-mail or IM. For portability, you can add the -a flag, which will create an encrypted file that contains only ASCII text:
# gpg -a -c secret_manifesto.txt
# Enter passphrase:
# Repeat passphrase:
# ls -l
-rw-rw-r-- 1 spowers spowers 6 Nov 23 1:26 secret_manifesto.txt
-rw-rw-r-- 1 spowers spowers 174 Nov 23 1:27 secret_manifesto.txt.asc
-rw-rw-r-- 1 spowers spowers 55 Nov 23 1:26 secret_manifesto.txt.gpg
Notice there is now a file with .asc as the extension. This is text-only, but you can see in the code snippet that it's also much larger than the binary encrypted file, and much much larger than the original text file. Once you've encrypted your file, if you truly want to keep your information secret, it would be wise to delete the original text file.
To decrypt the file, you'll again use the gpg program. The same command will decrypt either file, whether it's binary or ASCII:
# gpg secret_manifesto.txt.asc
# gpg: CAST5 encrypted data
# Enter passphrase:
# gpg: encrypted with 1 passphrase
# File `secret_manifesto.txt' exists. Overwrite? (y/N)
Notice in the example above, I hadn't deleted the original text file, so gpg gave me the option of overwriting. Once complete, I have my original file back, unencrypted. If you just have a file or two you want to protect, the command-line gpg program might be all you need. If you'd rather have an area on your system that automatically encrypts everything you save, it's a little more complicated. It's still not terribly difficult, but let's start with a fairly simplistic model.
### Encrypting a USB Drive ###
Like I mentioned earlier, there are many options when it comes to encryption. One of the more popular methods of encrypting partitions is the LUKS (Linux Unified Key Setup) system. A USB drive with a LUKS-formatted partition should be detected automatically by most systems. In fact, if you're using a desktop environment like Ubuntu Desktop, encrypting a USB drive is a simple check box during the formatting process. Although that's a perfectly acceptable way to encrypt your USB drive, I'm going to demonstrate how to do it on the command line, so you understand what's actually happening behind the scenes.
#### Step 1: identify your USB drive. ####
If you type `dmesg` after plugging in your USB drive, you should get all sorts of system information, including the device name of your freshly plugged-in USB device. Make sure you have the correct device identified, because what you're doing will destroy any data on the drive. You wouldn't want to format the wrong disk accidentally. (It should go without saying, but I'll say it anyway, make sure there's nothing on your USB drive that you want to save—this is a destructive process.)
#### Step 2: partition the USB drive. ####
Assuming that your USB drive is the /dev/sdb device on your system, you need to create a single partition on the drive. Let's use fdisk. Below is the interaction with fdisk required. Basically, you create a new empty partition with the o command, then write changes with w. Then, you'll restart fdisk and use the n command to create a new primary partition, using the defaults so that the entire drive is used:
# sudo fdisk /dev/sdb
Command (m for help): o
Building a new DOS disklabel with disk identifier 0x1234567.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.
Command (m for help): w
The partition table has been altered!
# sudo fdisk /dev/sdb
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4, default 1): 1
Using default value 1
First sector (2048-1016522, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-1016522, default 1016522):
Using default value 1016522
Command (m for help): w
The partition table has been altered!
Now you have a USB drive with a single partition (/dev/sdb1), but there is no filesystem on it. That's exactly what you want, because the LUKS system creates an encryption layer on the partition before you put a filesystem on it. So before creating a filesystem, let's create the LUKS layer on the partition, using the cryptsetup program. If you don't have cryptsetup, search for it in your distribution's repository; it should be there. To create the LUKS encrypted partition layer:
# cryptsetup luksFormat /dev/sdb1
WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Follow the directions, and be sure to remember your passphrase! Note, that a "passphrase" is usually more than just a word. It's most often a phrase, thus the name. The longer the phrase, the tougher to crack.
Once the process completes, you have an encrypted partition, but it's not mounted or formatted yet. The first step is to mount the partition, which again uses the cryptsetup utility:
# cryptsetup luksOpen /dev/sdb1 my_crypto_disk
Enter passphrase for /dev/sdb1:
When you type in your passphrase, the device name you entered will be mounted like a virtual hard drive. Usually, it's mounted under /dev/mapper/devicename, so this example mounts a partition at /dev/mapper/my_crypto_disk.
This device is now being accessed as an unencrypted volume. As long as it stays mounted, it will act like any other unencrypted volume. That means you need to write a filesystem to it if you want to use it:
# mkfs.vfat /dev/mapper/my_crypto_disk -n my_crypto_disk
mkfs.vfat 3.0.9 (31 Jan 2010)
Now the drive is fully functional and can be mounted like any other disk. In fact, when you put the USB drive into your computer, if you have a modern GUI desktop, it should prompt you for a password and mount it automatically. Then you can eject it like a normal disk, and it will be encrypted until you next enter your passphrase. It's simple to unmount and, therefore, re-encrypt the drive on the command line too, using cryptsetup:
# cryptsetup luksClose my_crypto_disk
That's Only the Tip of the Iceberg
In this article, my hope is to peel back some of the mystery behind encryption. It's simple to encrypt and decrypt a file. It's not too much more difficult (especially if you use the GUI desktop tools) to encrypt an entire USB drive. With most distributions, it's possible to encrypt the entire home directory during the installation process! When encryption is set up on your entire home directory, however, there are some issues you need to address. For example, jobs that run while you're not logged in most likely will not have access to your home directory. If you have cron jobs that need access to your home directory, you should rewrite them to access data elsewhere on the system. I find a happy medium between security and convenience is to encrypt a USB drive and store my personal data on it.
Once you get the encryption bug, I must warn you, you'll want to start encrypting everything. That's not a bad thing, but like the home directory scenario, you'll run into a few snags. Cross-platform accessibility is a big one if you go between systems. For situations like that, I highly recommend [TrueCrypt][1]. I've mentioned TrueCrypt in UpFront pieces before, but it's basically an open-source, cross-platform encryption system that allows you to encrypt files, folders, partitions and more while being able to access that data on any system. Windows, Mac and Linux clients are all available, and the community has great support.
You don't have to have something to hide in order to desire encryption for your files. Just like it's wise to lock your house at night, even if you live in a good neighborhood, it's a smart move to encrypt your personal data. If you want to share your photos of Mr Whiskerton in his cute little beanie hat with everyone on the Internet, that's your right. But others don't need to see those things if they're being nosey and poking around your hard drive!
--------------------------------------------------------------------------------
via: http://www.linuxjournal.com/content/encrypting-your-cat-photos
译者:[runningwater](https://github.com/runningwater) 校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
[1]:http://www.truecrypt.org/

282
translated/tech/Encrypting Your Cat Photos.md Normal file → Executable file
View File

@ -1,142 +1,142 @@
给猫咪照片加密
================================================================================
事实上,我的硬盘上不存在那种不愿意被别人看到的东西,只存有一些猫咪的照片、一些记录着想写的书想法的文本文件或者是一些短篇故事的文本,也有一些写了一半的 NaNoWriMo 小说文件。简单的说,我的硬盘就没有加密的必要,因为没有什么可隐藏的。可问题是,我们错误的把“隐私的渴望”跟“要隐藏某东西”两概念混淆在一起。比如说我生活的美国,我们视隐私权利是理所当然的事,但不包括那些传统所认为的“某人隐藏色情或炸弹”。隐私考虑的是一些平常的事情。
我居住在密歇根州。这儿的冬天很冷,我趋向于把温度设置在 75 度左右。对您们来说这个温度可能高了,但在我的家里刚好合适。多亏我的家是属于私有的,我的邻居不可能知道我们保持了这么高的温度,否则一但他们看到冬天如此“浪费”能源的家庭,这些邻居心里会很不平衡的。事实上,本地条规中有一条明确指出任何超过 60 度的就算是生态浪费。我并不想与这种僵老的条例较真,所以我仅仅想保守我们舒适的房子的秘密。我们并不想隐藏任何事情,但也并不是任何事情都要让外人知道。
很明显,我举的例子有点弱智,但我希望的是这能引起大家的思考。现代的 Linux 系统很容易的就可以对我们的数据进行加密,并且很可靠,所以为什么不好好利用利用呢?
### 加密原理? ###
我不会涉及太多关于加密原理的细节,但要明白最基本的原理,即使是最简单的实现,这是必须的。要加密和解密一个文件,需要两把“钥匙”。一把是私钥,正如名字所示,属于私有的。我宁愿把私钥看作是真实的钥匙-你想要多少就可造出多少,但这样做是不明智的。同样的私钥你造的越多,某些不怀好意的人得到其中一把的机率就越大,他们就会闯入你的公寓(额,我的意思的文件)。
公钥更像是锁的样子,只有你能打开(用你的私钥)此锁。这公钥任何人都可以得到,你可以将它张贴在网站上、把它放在你的 E-mail 中、甚至纹在你的背上。其它人想创建一个只有你能访问的文件,就可以使用此公钥来加密。
这种一对多的情况也有个很酷的副作用。如果你用你的私钥来加密一些东西,任何人都可以用你提供的公钥来解密它们。这听起来很傻,但这种情景很有用。虽然加密的文件不能免于被窥视,但是它能保证此文件确实来自于你而没有被恶意改动过。用你的公钥能解密的文件仅仅只能是用你私钥加密过的。用这种方式,用私钥加密的文件即是数字“签名”文件。
#### 通用加密步骤: ####
1. 你有一个文件想要发送给苏茜 ,所以你得使用苏茜的公钥来加密,这样就只有 苏茜才能打开这个文件,但苏茜没有办法知道是谁给她发送的文件。因为任何一个人都可以用她的公钥来加密文件。
2. 因此,你得把你的文件用苏茜的公钥和你的私钥都加密。苏茜将不得不解密两次,但她知道它是来自于你的文件。
3. 苏茜接收到此文件后会用能证明来自于你的公钥来解密第一层。
4. 然后用她的私钥来解密第二层的密码,这是唯一的能够将原始文件进行解密的钥匙了(因为你是用她的公钥来加密的)。
当然,这情景就是用来安全传输文件的加密手段。这也是加密你的文件(或者分区)相当常用及简单的方法。就让我们开始来对文件进行加密吧,因为大多数人都想加密他们的系统。
### 始于简 ###
在深入更复杂的各种加密设置操作前,我们先做简单的对文件加密例子。能处理加密的应用程序有很多很多,事实上,对文件和系统进行加密的各种可用软件选择,很容易就会让我们变得焦头烂额。现在,我们就使用一款很基本的(但非常强大)命令行工具来对文件加密。 GPG 英文名Gnu Privacy Guard是一款对商业软件 PGP英文名Pretty Good Protection的开源实现软件。它具有加密、签名及管理多个密钥等功能。用例子说明让我们简单的加密一个文件吧。
我们假设你有一个名叫 secret_manifesto.txt 的文件,它包含有关于生命、宇宙及一切事物的秘密。使用 GPG你只需要一个密码就可以加密此文件。使用密码远比使用公钥和私钥对简单因为它只是用你的密码加密。虽然这很容易就让你的文件遭受到破解使用彩虹表或其他黑客工具但像锡上的标签上所说的这是相当不错的保护。要加密你的文件可以这样做
# gpg -c secret_manifesto.txt
# Enter passphrase:
# Repeat passphrase:
一但完成,在相同的目录下就会多出个新的文件,它默认的名字是 secret_manifesto.txt.gpg 。这是一个二进制文件,这意味着它非常非常小,但是要拷贝/粘贴进电子邮件e-mail或 即时消息IM 就不可能了。要使其可拷贝等操作,可以添加 -a 标志,这将创建一个只包含 ASCII 码文本的加密文件:
# gpg -a -c secret_manifesto.txt
# Enter passphrase:
# Repeat passphrase:
# ls -l
-rw-rw-r-- 1 spowers spowers 6 Nov 23 1:26 secret_manifesto.txt
-rw-rw-r-- 1 spowers spowers 174 Nov 23 1:27 secret_manifesto.txt.asc
-rw-rw-r-- 1 spowers spowers 55 Nov 23 1:26 secret_manifesto.txt.gpg
注意到现在多了一个以 .asc 为扩展名的文件。它是个纯文本文件,从上面的代码段示例可以看到它比二进制的加密文件还大,当然比原文本文件就大的更多了。一但你把文件加密了,也确实想要对些信息保密,最明智的就是把原文本文件删除掉。
要解密文件,你需要再一次使用 GPG 程序。不管是二进制的还是 ASCII 文件,使用相同的命令就可以解密。如下示:
# gpg secret_manifesto.txt.asc
# gpg: CAST5 encrypted data
# Enter passphrase:
# gpg: encrypted with 1 passphrase
# File `secret_manifesto.txt' exists. Overwrite? (y/N)
注意到上面的例子中,我没有删除源文本文件,所以 GPG 给出了是否覆盖选项提示。一但操作完成,我的未加密的源文件又回来了。如果你仅仅只有一两个文件要保护,那基于命令行的 GPG 程序正是你所需的。但如果你想实现在系统上指定一个区域,任何保存到这区域的的文件都会自动加密的话,就有点复杂了。可这也并不是非常的困难,让我们用一个非常简单的示范例子来讲解吧。
### 加密 USB 驱动盘 ###
如我前面提到的,要加密有很多可选的方式方法。加密磁盘分区最通用的一种方法是 LUKSLinux Unified Key Setup 系统。一个使用 LUKS 格式化分区的 USB 驱动盘可以被大多数系统自动被别到。实际上,如果你使用的是像 Ubuntu 桌面这样的桌面环境系统的话,加密 USB 驱动盘其实就是在格式化过程中简单的勾选上一个复选框而已。虽然这是加密 USB 盘最容易让人接受的方式,但我还是想演示如何在命令行下进行加密,因为这种方式可以让你明白在加密的后面具体发生了什么。
#### 步骤 1: 识别您的 USB 驱动盘。 ####
在您插入 USB 驱动盘后,如果输入 `dmesg` 命令,将会显示出所有的系统信息,包括刚插入的 USB 驱动盘的设备名字。 确保设备标识是正确的,因为后面要进行的操作会破坏驱动盘上的所有数据。您也不想一不小心就格式化掉正常的磁盘吧。(虽然不用提醒,但我还是要说,确保您的 USB 驱动盘已经没有你想保留的数据,因为这是一个破坏性的过程。)
#### 步骤 2: 对 USB 驱动盘进行分区。 ####
假设,在您的系统上 USB 驱动盘是 /dev/sdb 这个设备,您需要在这个驱动上创建一个单分区。我们使用 fdisk 命令。下面是 fdisk 必须的交互操作。一般地,用 o 命令来创建一个新的空分区,然后用 w 命令来保存设置。然后重新运行 fdisk 命令,并用 n 命令来创建一个新的主分区,接下来保持默认的以使用整个设备空间:
# sudo fdisk /dev/sdb
Command (m for help): o
Building a new DOS disklabel with disk identifier 0x1234567.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.
Command (m for help): w
The partition table has been altered!
# sudo fdisk /dev/sdb
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4, default 1): 1
Using default value 1
First sector (2048-1016522, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-1016522, default 1016522):
Using default value 1016522
Command (m for help): w
The partition table has been altered!
现在你的 USB 驱动盘有了一个单分区了(/dev/sdb1但还没有文件系统这正是我们所想要的因为 LUKS 系统需要在创建文件系统前在您的分区上创建一个加密层。因此,在创建文件系统之前,就让我们在分区上先创建一个 LUKS 层吧,可以使用 cryptsetup 程序。如果您还没有安装 cryptsetup 的话,可以搜索您系统发布版本的仓库源,里有就有。下面就开始创建 LUKS 加密分区层:
# cryptsetup luksFormat /dev/sdb1
WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
按照提示的操作,一定要确保记得您的密码!注意,这儿的“密码单词”不仅仅只表示一个单词。这只是一个习惯,因而得名,设置的越长,越难被破解。
Once the process completes, you have an encrypted partition, but it's not mounted or formatted yet. The first step is to mount the partition, which again uses the cryptsetup utility: 一但上面的操作完成,就创建好了一个加密的分区,但它还没有被挂载或格式化。
# cryptsetup luksOpen /dev/sdb1 my_crypto_disk
Enter passphrase for /dev/sdb1:
When you type in your passphrase, the device name you entered will be mounted like a virtual hard drive. Usually, it's mounted under /dev/mapper/devicename, so this example mounts a partition at /dev/mapper/my_crypto_disk.
This device is now being accessed as an unencrypted volume. As long as it stays mounted, it will act like any other unencrypted volume. That means you need to write a filesystem to it if you want to use it:
# mkfs.vfat /dev/mapper/my_crypto_disk -n my_crypto_disk
mkfs.vfat 3.0.9 (31 Jan 2010)
Now the drive is fully functional and can be mounted like any other disk. In fact, when you put the USB drive into your computer, if you have a modern GUI desktop, it should prompt you for a password and mount it automatically. Then you can eject it like a normal disk, and it will be encrypted until you next enter your passphrase. It's simple to unmount and, therefore, re-encrypt the drive on the command line too, using cryptsetup:
# cryptsetup luksClose my_crypto_disk
That's Only the Tip of the Iceberg
In this article, my hope is to peel back some of the mystery behind encryption. It's simple to encrypt and decrypt a file. It's not too much more difficult (especially if you use the GUI desktop tools) to encrypt an entire USB drive. With most distributions, it's possible to encrypt the entire home directory during the installation process! When encryption is set up on your entire home directory, however, there are some issues you need to address. For example, jobs that run while you're not logged in most likely will not have access to your home directory. If you have cron jobs that need access to your home directory, you should rewrite them to access data elsewhere on the system. I find a happy medium between security and convenience is to encrypt a USB drive and store my personal data on it.
Once you get the encryption bug, I must warn you, you'll want to start encrypting everything. That's not a bad thing, but like the home directory scenario, you'll run into a few snags. Cross-platform accessibility is a big one if you go between systems. For situations like that, I highly recommend [TrueCrypt][1]. I've mentioned TrueCrypt in UpFront pieces before, but it's basically an open-source, cross-platform encryption system that allows you to encrypt files, folders, partitions and more while being able to access that data on any system. Windows, Mac and Linux clients are all available, and the community has great support.
You don't have to have something to hide in order to desire encryption for your files. Just like it's wise to lock your house at night, even if you live in a good neighborhood, it's a smart move to encrypt your personal data. If you want to share your photos of Mr Whiskerton in his cute little beanie hat with everyone on the Internet, that's your right. But others don't need to see those things if they're being nosey and poking around your hard drive!
--------------------------------------------------------------------------------
via: http://www.linuxjournal.com/content/encrypting-your-cat-photos
译者:[runningwater](https://github.com/runningwater) 校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
给猫咪照片加密
================================================================================
事实上,我的硬盘上不存在那种不愿意被别人看到的东西,只存有一些猫咪的照片、一些记录着想写的书想法的文本文件或者是一些短篇故事的文本,也有一些写了一半的 NaNoWriMo 小说文件。简单的说,我的硬盘就没有加密的必要,因为没有什么可隐藏的。可问题是,我们错误的把“隐私的渴望”跟“要隐藏某东西”两概念混淆在一起。比如说我生活的美国,我们视隐私权利是理所当然的事,但不包括那些传统所认为的“某人隐藏色情或炸弹”。隐私考虑的是一些平常的事情。
我居住在密歇根州。这儿的冬天很冷,我趋向于把温度设置在 75 度左右。对您们来说这个温度可能高了,但在我的家里刚好合适。多亏我的家是属于私有的,我的邻居不可能知道我们保持了这么高的温度,否则一但他们看到冬天如此“浪费”能源的家庭,这些邻居心里会很不平衡的。事实上,本地条规中有一条明确指出任何超过 60 度的就算是生态浪费。我并不想与这种僵老的条例较真,所以我仅仅想保守我们舒适的房子的秘密。我们并不想隐藏任何事情,但也并不是任何事情都要让外人知道。
很明显,我举的例子有点弱智,但我希望的是这能引起大家的思考。现代的 Linux 系统很容易的就可以对我们的数据进行加密,并且很可靠,所以为什么不好好利用利用呢?
### 加密原理? ###
我不会涉及太多关于加密原理的细节,但要明白最基本的原理,即使是最简单的实现,这是必须的。要加密和解密一个文件,需要两把“钥匙”。一把是私钥,正如名字所示,属于私有的。我宁愿把私钥看作是真实的钥匙-你想要多少就可造出多少,但这样做是不明智的。同样的私钥你造的越多,某些不怀好意的人得到其中一把的机率就越大,他们就会闯入你的公寓(额,我的意思的文件)。
公钥更像是锁的样子,只有你能打开(用你的私钥)此锁。这公钥任何人都可以得到,你可以将它张贴在网站上、把它放在你的 E-mail 中、甚至纹在你的背上。其它人想创建一个只有你能访问的文件,就可以使用此公钥来加密。
这种一对多的情况也有个很酷的副作用。如果你用你的私钥来加密一些东西,任何人都可以用你提供的公钥来解密它们。这听起来很傻,但这种情景很有用。虽然加密的文件不能免于被窥视,但是它能保证此文件确实来自于你而没有被恶意改动过。用你的公钥能解密的文件仅仅只能是用你私钥加密过的。用这种方式,用私钥加密的文件即是数字“签名”文件。
#### 通用加密步骤: ####
1. 你有一个文件想要发送给苏茜 ,所以你得使用苏茜的公钥来加密,这样就只有 苏茜才能打开这个文件,但苏茜没有办法知道是谁给她发送的文件。因为任何一个人都可以用她的公钥来加密文件。
2. 因此,你得把你的文件用苏茜的公钥和你的私钥都加密。苏茜将不得不解密两次,但她知道它是来自于你的文件。
3. 苏茜接收到此文件后会用能证明来自于你的公钥来解密第一层。
4. 然后用她的私钥来解密第二层的密码,这是唯一的能够将原始文件进行解密的钥匙了(因为你是用她的公钥来加密的)。
当然,这情景就是用来安全传输文件的加密手段。这也是加密你的文件(或者分区)相当常用及简单的方法。就让我们开始来对文件进行加密吧,因为大多数人都想加密他们的系统。
### 始于简 ###
在深入更复杂的各种加密设置操作前,我们先做简单的对文件加密例子。能处理加密的应用程序有很多很多,事实上,对文件和系统进行加密的各种可用软件选择,很容易就会让我们变得焦头烂额。现在,我们就使用一款很基本的(但非常强大)命令行工具来对文件加密。 GPG 英文名Gnu Privacy Guard是一款对商业软件 PGP英文名Pretty Good Protection的开源实现软件。它具有加密、签名及管理多个密钥等功能。用例子说明让我们简单的加密一个文件吧。
我们假设你有一个名叫 secret_manifesto.txt 的文件,它包含有关于生命、宇宙及一切事物的秘密。使用 GPG你只需要一个密码就可以加密此文件。使用密码远比使用公钥和私钥对简单因为它只是用你的密码加密。虽然这很容易就让你的文件遭受到破解使用彩虹表或其他黑客工具但像锡上的标签上所说的这是相当不错的保护。要加密你的文件可以这样做
# gpg -c secret_manifesto.txt
# Enter passphrase:
# Repeat passphrase:
一但完成,在相同的目录下就会多出个新的文件,它默认的名字是 secret_manifesto.txt.gpg 。这是一个二进制文件,这意味着它非常非常小,但是要拷贝/粘贴进电子邮件e-mail或 即时消息IM 就不可能了。要使其可拷贝等操作,可以添加 -a 标志,这将创建一个只包含 ASCII 码文本的加密文件:
# gpg -a -c secret_manifesto.txt
# Enter passphrase:
# Repeat passphrase:
# ls -l
-rw-rw-r-- 1 spowers spowers 6 Nov 23 1:26 secret_manifesto.txt
-rw-rw-r-- 1 spowers spowers 174 Nov 23 1:27 secret_manifesto.txt.asc
-rw-rw-r-- 1 spowers spowers 55 Nov 23 1:26 secret_manifesto.txt.gpg
注意到现在多了一个以 .asc 为扩展名的文件。它是个纯文本文件,从上面的代码段示例可以看到它比二进制的加密文件还大,当然比原文本文件就大的更多了。一但你把文件加密了,也确实想要对些信息保密,最明智的就是把原文本文件删除掉。
要解密文件,你需要再一次使用 GPG 程序。不管是二进制的还是 ASCII 文件,使用相同的命令就可以解密。如下示:
# gpg secret_manifesto.txt.asc
# gpg: CAST5 encrypted data
# Enter passphrase:
# gpg: encrypted with 1 passphrase
# File `secret_manifesto.txt' exists. Overwrite? (y/N)
注意到上面的例子中,我没有删除源文本文件,所以 GPG 给出了是否覆盖选项提示。一但操作完成,我的未加密的源文件又回来了。如果你仅仅只有一两个文件要保护,那基于命令行的 GPG 程序正是你所需的。但如果你想实现在系统上指定一个区域,任何保存到这区域的的文件都会自动加密的话,就有点复杂了。可这也并不是非常的困难,让我们用一个非常简单的示范例子来讲解吧。
### 加密 USB 驱动盘 ###
如我前面提到的,要加密有很多可选的方式方法。加密磁盘分区最通用的一种方法是 LUKSLinux Unified Key Setup 系统。一个使用 LUKS 格式化分区的 USB 驱动盘可以被大多数系统自动被别到。实际上,如果你使用的是像 Ubuntu 桌面这样的桌面环境系统的话,加密 USB 驱动盘其实就是在格式化过程中简单的勾选上一个复选框而已。虽然这是加密 USB 盘最容易让人接受的方式,但我还是想演示如何在命令行下进行加密,因为这种方式可以让你明白在加密的后面具体发生了什么。
#### 步骤 1: 识别您的 USB 驱动盘。 ####
在您插入 USB 驱动盘后,如果输入 `dmesg` 命令,将会显示出所有的系统信息,包括刚插入的 USB 驱动盘的设备名字。 确保设备标识是正确的,因为后面要进行的操作会破坏驱动盘上的所有数据。您也不想一不小心就格式化掉正常的磁盘吧。(虽然不用提醒,但我还是要说,确保您的 USB 驱动盘已经没有你想保留的数据,因为这是一个破坏性的过程。)
#### 步骤 2: 对 USB 驱动盘进行分区。 ####
假设,在您的系统上 USB 驱动盘是 /dev/sdb 这个设备,您需要在这个驱动上创建一个单分区。我们使用 fdisk 命令。下面是 fdisk 必须的交互操作。一般地,用 o 命令来创建一个新的空分区,然后用 w 命令来保存设置。然后重新运行 fdisk 命令,并用 n 命令来创建一个新的主分区,接下来保持默认的以使用整个设备空间:
# sudo fdisk /dev/sdb
Command (m for help): o
Building a new DOS disklabel with disk identifier 0x1234567.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.
Command (m for help): w
The partition table has been altered!
# sudo fdisk /dev/sdb
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4, default 1): 1
Using default value 1
First sector (2048-1016522, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-1016522, default 1016522):
Using default value 1016522
Command (m for help): w
The partition table has been altered!
现在你的 USB 驱动盘有了一个单分区了(/dev/sdb1但还没有文件系统这正是我们所想要的因为 LUKS 系统需要在创建文件系统前在您的分区上创建一个加密层。因此,在创建文件系统之前,就让我们在分区上先创建一个 LUKS 层吧,可以使用 cryptsetup 程序。如果您还没有安装 cryptsetup 的话,可以搜索您系统发布版本的仓库源,里有就有。下面就开始创建 LUKS 加密分区层:
# cryptsetup luksFormat /dev/sdb1
WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
按照提示的操作,一定要确保记得您的密码!注意,这儿的“密码单词”不仅仅只表示一个单词。这只是一个习惯,因而得名,设置的越长,越难被破解。
一但上面的操作完成,就创建好了一个加密的分区,但它还没有被挂载或格式化。要做的第一步就是挂载分区,可以再一次使用 cryptsetup 工具:
# cryptsetup luksOpen /dev/sdb1 my_crypto_disk
Enter passphrase for /dev/sdb1:
当输入完密码后,您输入名字的设备就会像虚拟硬盘一样被挂载上。通常,它挂载在 /dev/mapper/devicename 目录下,所以这个例子所示的分区就挂载到了 /dev/mapper/my_crypto_disk 目录。
现在这个设备就可当做未加密的卷来访问了。 只要它一被挂载,就跟其它未加密的卷是一样的了,这就意味着您想要使用它的话就需要先写入文件系统:
# mkfs.vfat /dev/mapper/my_crypto_disk -n my_crypto_disk
mkfs.vfat 3.0.9 (31 Jan 2010)
现在驱动功能完备,可以像其它驱动盘一样正常挂载使用了。实际上,如果你使用的是现代的图形用户界面系统的话,只要你把 USB 驱动盘一插入计算机,将会提示您输入密码,然后就自动挂载上了。退出的时候跟普通盘一样,里面存储的数据会被加密,直到下次输入密码。在命令行里使用 cryptsetup 卸载以及重加密驱动盘也是很简单的:
# cryptsetup luksClose my_crypto_disk
这仅仅只是冰山一角
写这篇文章,我的目的是希望剥开加密后面的秘密。加密和解密单个文件很简单,要加密整个 USB 驱动盘也不是太困难(如果使用的是图形用户界面工具就更容易了)。对于大多数系统的发布版本来说,在安装过程中就可以对整个 home 目录进行加密。加密是对您的整个 home 目录起作用,然而有些问题就需要特别处理了。例如,您没登陆时就运行的任务在大多数情况下是不会访问您的 home 目录的,但如果您有调度任务需要访问 home 目录的话,应该进行修改,让其访问系统中其它目录的数据。我觉得安全和便利平衡的中庸之道还是加密 USB 驱动盘,然后在上面存储个人资料。
我必须警告您,一但您考虑安全的问题,就会想要把任何东西都加密起来。这不是什么坏的事情,但是像要对 home 目录加密这种情况,是会碰到一些问题的。如果您使用不用系统的话,跨平台访问也是个大问题。像这种情况,我强烈建议您使用 [TrueCrypt][1]。在前期的文章片段里我提到过 TrueCrypt它是一款开源的跨平台的加密系统软件。可以对文件、文件夹、分区等等进行加密同时可以在任何系统中访问加密的数据。像 Windows、Mac 及 Linux 客户端都可以使用。社区也有大力的支持。
希望对文件进行加密的目的并不是为了隐藏某些东西。就像即使您有个好邻居,最好夜里也得锁门一样,对您的个人数据进行加密也是个很正常的举动。如果您想在网上与大家分享你的 Whiskerton 先生戴着可爱的小豆豆帽子的照片的话,这是您的权利。但其它的人,比如他们索检你硬盘的时候,就不需要让看到了。
--------------------------------------------------------------------------------
via: http://www.linuxjournal.com/content/encrypting-your-cat-photos
译者:[runningwater](https://github.com/runningwater) 校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
[1]:http://www.truecrypt.org/