QEMU + LUKS 加密镜像使用指南
1. 环境搭建
1.1 编译环境
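# Install the gcrypt development package and configure QEMU with the gcrypt
# backend, which the luks block driver needs. `...` stands for the path to the
# QEMU source tree. The continuation backslashes are required: without them
# each --option line is run as a separate (failing) command.
apt install -y libgcrypt20-dev pkg-config
.../configure \
  --target-list=aarch64-softmmu \
  --disable-werror \
  --enable-gcrypt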
2. 创建 LUKS 镜像
2.1 创建头文件
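# Create a detached LUKS header (no payload) unlocked by the secret object sec0.
# NOTE(review): data=abc123 places the passphrase in argv, where `ps` and shell
# history expose it; once the key file from step 2.3 exists, the secret object
# can read it with file=/tmp/luks.key instead of data=.
qemu-img create --object secret,id=sec0,data=abc123 -f luks \
  -o cipher-alg=aes-256,cipher-mode=xts,key-secret=sec0,detached-header=true \
  encrypted-header.img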
说明:
密码:abc123
LUKS 头文件:encrypted-header.img
2.2 创建载荷文件(raw 格式)
# Allocate the raw payload image; the encrypted data lands here while the
# LUKS header lives in the separate detached-header file.
payload_img=encrypted-payload.raw
payload_size=70G
qemu-img create -f raw "$payload_img" "$payload_size"
2.3 创建密码文件
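# Write the LUKS passphrase to a key file with no trailing newline so its bytes
# match the secret object value exactly. The file is created under umask 077 so
# it is never briefly world-readable between creation and the chmod; printf is
# used because `echo -n` is not portable across shells.
key_file=/tmp/luks.key
( umask 077; printf '%s' "abc123" > "$key_file" )
chmod 600 "$key_file"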
注意:
-n 防止写入尾随换行符(密钥文件内容必须与 secret 对象中的 data=abc123 逐字节一致)
权限必须是 600(仅属主可读写)
2.4 打开加密容器
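# Map the payload through dm-crypt using the detached header. The passphrase
# comes from the key file rather than an interactive prompt or argv. The
# continuation backslashes are required for this to run as one command.
sudo cryptsetup open \
  --header encrypted-header.img \
  encrypted-payload.raw \
  my_encrypted_disk \
  --key-file=/tmp/luks.key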
2.5 格式化文件系统
# Put an ext4 filesystem on the opened mapping (this overwrites whatever the
# mapping currently holds).
mapped_dev=/dev/mapper/my_encrypted_disk
sudo mkfs.ext4 "$mapped_dev"
2.6 挂载 LUKS 磁盘
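# Mount the decrypted filesystem. The mount point is created first because it
# does not exist on a fresh host and mount would otherwise fail.
sudo mkdir -p /mnt/encrypted
sudo mount /dev/mapper/my_encrypted_disk /mnt/encrypted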
2.7 挂载原始镜像
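# Expose the source image's partitions via device-mapper and mount the source
# tree read-only so the copy step cannot modify the original image. kpartx and
# mount need root like the other steps, so they are run through sudo here.
sudo kpartx -va system.img
# NOTE(review): use the device kpartx printed above — the loop number differs
# per host, and a partitioned image is mapped under /dev/mapper rather than as
# the bare loop device; the original text had a stray trailing slash here.
src_dev=/dev/loop1
sudo mkdir -p /mnt/orin
sudo mount -o ro "$src_dev" /mnt/orin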
注意:loop 设备号以 kpartx -va 的实际输出为准,可能与此处不同
2.8 复制数据
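# Copy the guest root filesystem, preserving hard links (-H), ACLs (-A) and
# xattrs (-X). --numeric-ids keeps the image's uid/gid values instead of
# re-mapping them by name against the host's passwd/group, which would
# otherwise silently change file ownership inside the guest.
sudo rsync -avHAX --numeric-ids /mnt/orin/ /mnt/encrypted/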
2.9 清理环境
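# Tear down in reverse order of setup: unmount both trees, close the dm-crypt
# mapping, then remove the partition mappings kpartx created for the source
# image. umount needs root like the mount in step 2.6, so it uses sudo too.
sudo umount /mnt/encrypted/
sudo umount /mnt/orin
sudo cryptsetup close my_encrypted_disk
sudo kpartx -dv system.img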
3. 启动 OS
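# Boot the guest from the LUKS volume. The file -> raw -> luks blockdev chain
# mirrors the cryptsetup layout: detached header plus raw payload, unlocked
# with secret sec0. `...` stands for the QEMU build tree / kernel image path,
# and the continuation backslashes are required to run this as one command.
# NOTE(review): the secret is read from the key file written in step 2.3
# instead of data=abc123, so the passphrase does not appear in argv (`ps`,
# shell history); the file must be readable by the user QEMU runs as.
.../0303/qemu-thor/build/qemu-system-aarch64 \
  -machine virt,gic-version=3,accel=kvm,iommu=smmuv3 \
  -cpu host \
  -smp 8 \
  -m 40960M \
  -object secret,id=sec0,file=/tmp/luks.key \
  -blockdev driver=file,filename=encrypted-header.img,node-name=header \
  -blockdev driver=raw,file=header,node-name=header-raw \
  -blockdev driver=file,filename=encrypted-payload.raw,node-name=payload,aio=native,cache.direct=on,cache.no-flush=off \
  -blockdev driver=raw,file=payload,node-name=payload-raw \
  -blockdev driver=luks,file=payload-raw,header=header-raw,key-secret=sec0,node-name=luks-vol \
  -device virtio-blk-pci,drive=luks-vol,num-queues=8 \
  -kernel .../Image_guest \
  -append "root=/dev/vda console=ttyAMA0 init=/sbin/init rootwait rw clk_ignore_unused pd_ignore_unused loglevel=20 isolcpus=domain,managed_irq,1-3 nohz_full=1-3 rcu_nocbs=1-3 nohlt" \
  -nographic \
  -device pcie-root-port,bus=pcie.0,id=rp1 \
  -device vfio-platform,host=a80aa10000.usb \
  -device vfio-platform,host=a808680000.padctl \
  -device vfio-platform,host=8808c00000.display \
  -device vfio-platform,host=8181200000.host1x \
  -device vfio-platform,host=8808000000.dce \
  -device vfio-platform,host=nvdisplay-niso \
  -netdev tap,id=net0,ifname=tap0,script=no,downscript=no \
  -device virtio-net-pci,netdev=net0 \
  -mem-prealloc \
  -mem-path /dev/hugepages \
  -name andy,debug-threads=on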
4. 性能测试
测试项 | 性能 | 相对非 LUKS 的百分比
大块顺序读 1100+ MB/s 24%
大块顺序写 1100+ MB/s 24%
小块随机读 194 MB/s 69%
小块随机写 212 MB/s 100%
5. 调试方法
5.1 查看 LUKS 信息
# Show the state of the dm-crypt mapping opened in step 2.4.
dm_node=/dev/mapper/my_encrypted_disk
sudo cryptsetup status "$dm_node"
5.2 查看块设备信息(Guest 内)
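# Print the virtio-blk queue limits as seen inside the guest, each labelled
# with its parameter name so the output matches the sample below and the
# four bare numbers cannot be confused with one another.
printf '%s\n' "=== virtio-blk 队列参数 ==="
for param in logical_block_size physical_block_size minimum_io_size optimal_io_size; do
  printf '%s: %s\n' "$param" "$(cat "/sys/block/vda/queue/$param")"
done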
示例:
logical_block_size: 512
physical_block_size: 512
minimum_io_size: 512
optimal_io_size: 0
6. 注意事项
不要开启:
--enable-crypto-afalg
原因:
内核 crypto(AF_ALG)路径性能更差
实测吞吐仅为非 LUKS 的 5%