Full disk encryption of installed Windows and Linux systems. Encrypted multiboot

An updated version of my own guide to full-disk encryption in RuNet, V0.2.

Cowboy strategy:

[A] Windows 7: block encryption of the installed system;
[B] GNU/Linux: block encryption (Debian) of the installed system (including /boot);
[C] GRUB2 configuration: protecting the bootloader with a digital signature/authentication/hashing;
[D] cleanup: destroying unencrypted data;
[E] universal backup of the encrypted OSes;
[F] attack <on item [C6]>, target: the GRUB2 bootloader;
[G] useful documentation.

╭─── Scheme of # room 40# :
├──╼ Windows 7 installed - full system encryption, not hidden;
├──╼ GNU/Linux installed (Debian and derivative distributions) - full system encryption, not hidden (/, including /boot; swap);
├──╼ independent bootloaders: the VeraCrypt bootloader is installed in the MBR, the GRUB2 bootloader is installed in the extended partition;
├──╼ no OS installation/reinstallation required;
└──╼ cryptographic software used: VeraCrypt; Cryptsetup; GnuPG; Seahorse; Hashdeep; GRUB2, all free/libre.

The scheme above partially solves the problem of "remote boot to a flash drive", lets you enjoy encrypted Windows/Linux OSes and exchange data over an "encrypted channel" from one OS to the other.

PC boot order (one of the options):

  • power on the machine;
  • the VeraCrypt bootloader loads (entering the correct password continues booting Windows 7);
  • pressing the "Esc" key loads the GRUB2 bootloader;
  • the GRUB2 bootloader (choice of distribution/GNU/Linux/CLI) will require authentication of the GRUB2 superuser <login/password>;
  • after successful authentication and choosing a distribution, you need to enter a passphrase to unlock "/boot/initrd.img";
  • after entering error-free passwords, GRUB2 will "require" a password entry (the third one; the BIOS password and the GNU/Linux user account password do not count) to unlock and boot the GNU/Linux OS, or automatic substitution of the secret key (two passwords + key, or password + key);
  • external interference with the GRUB2 configuration will freeze the GNU/Linux boot process.

Troublesome? OK, let's go automate the processes.

When partitioning a hard drive (MBR table), a PC can have no more than 4 primary partitions, or 3 primary and one extended, plus unallocated space. An extended partition, unlike a primary one, can contain sub-partitions (logical drives = extended partition). In other words, the "extended partition" on the HDD replaces LVM for the task at hand: full system encryption. If your disk is split into 4 primary partitions, you need to use LVM, or convert (with formatting) a partition from primary to extended, or use all four partitions wisely and leave everything as it is, getting the desired result. Even if you have a single partition on your disk, Gparted will help you partition your HDD (for additional partitions) without data loss, though still with a small penalty for such operations.

The hard drive layout scheme on which the whole article is based is presented in the table below.

Table (No. 1) of the 1 TB partitions.

You should end up with something similar as well.
sda1 - primary partition No. 1, NTFS (encrypted);
sda2 - extended partition marker;
sda6 - logical drive (has the GRUB2 bootloader installed);
sda8 - swap (encrypted swap / not always);
sda9 - test logical drive;
sda5 - logical drive for the curious;
sda7 - GNU/Linux OS (the OS transferred to an encrypted logical drive);
sda3 - primary partition No. 2 with Windows 7 OS (encrypted);
sda4 - primary partition No. 3 (contained the unencrypted GNU/Linux, used for backup / not always).

[A] Windows 7 System Block Encryption

A1. VeraCrypt

Download the installer version of the VeraCrypt cryptographic software from the official site or from the sourceforge mirror (at the time of publication v1.24-Update3; the portable version of VeraCrypt is not suitable for system encryption). Check the checksum of the downloaded software

$ Certutil -hashfile "C:\VeraCrypt Setup 1.24.exe" SHA256

and compare the result with the checksum published on the VeraCrypt developer's website.

If HashTab is installed, it is even easier: RMB (VeraCrypt Setup 1.24.exe) - Properties - file hash sums.

To verify the program's signature, the software and the developer's public PGP key must be installed in the system: gnuPG; gpg4win.

A2. Installing/running VeraCrypt with administrator rights

A3. Choosing system encryption parameters for the active partition

VeraCrypt - System - Encrypt system partition/drive - Normal - Encrypt the Windows system partition - Multi-boot - (warning: "Inexperienced users are not recommended to use this method", and that is true; agree with "Yes") - Boot drive ("yes"; even if it is not so, still "yes") - Number of system drives "2 or more" - Multiple systems on a single drive "Yes" - Non-Windows boot loader "No" (in fact, "Yes", but the VeraCrypt/GRUB2 bootloaders will not share the MBR between themselves; more precisely, only the smallest part of the bootloader code is stored in the MBR/boot track, the main part of it is located within the file system) - Multi-boot - Encryption settings…

If you deviate from the steps above (the block system encryption scheme), VeraCrypt will issue a warning and will not let you encrypt the partition.

At the next step towards targeted data protection, run the "Test" and choose an encryption algorithm. If you have an old CPU, the fastest encryption algorithm will most likely be Twofish. If the CPU is powerful, you will notice the difference: AES encryption, according to the test results, will be several times faster than its crypto competitors. AES is a popular encryption algorithm; the hardware of modern CPUs is specially optimized both for "secrecy" and for "hacking".

VeraCrypt supports encrypting disks in a cascade, AES(Twofish), and other combinations. On an old-core Intel CPU from ten years ago (without hardware AES support, A/T cascade encryption) the performance drop is essentially imperceptible (for AMD CPUs of the same era / ~parameters, performance is slightly reduced). The OS works dynamically, and resource consumption for transparent encryption is unnoticeable. In contrast, for example, there is a noticeable performance drop because of installing the unstable desktop environment Mate v1.20.1 (or v1.20.2, I don't remember exactly) in GNU/Linux, or because of the routine work of telemetry in Windows7↑. Usually, experienced users run hardware performance tests before encryption, for example in Aida64/Sysbench/systemd-analyze blame, and compare them with the results of the same tests after encrypting the system, thereby disproving for themselves the myth that "system encryption is harmful." Machine slowdown and inconvenience are noticeable when backing up/restoring encrypted data, because the "system data backup" operation itself is not measured in ms, and that same <decrypt/encrypt on the fly> is added on top. Ultimately, every user who is allowed to tinker with cryptography balances the encryption algorithm against the satisfaction of the tasks at hand, their level of paranoia, and ease of use.

It is better to leave the PIM parameter at its default, so that when booting the OS you don't have to enter the exact iteration values every time. VeraCrypt uses a huge number of iterations to create a truly "slow hash". An attack on such a "crypto snail" using the brute force/rainbow tables method makes sense only with a short "simple" passphrase and the victim's personal charset list. The price to pay for the key strength is a delay in entering the correct password when booting the OS (mounting VeraCrypt volumes in GNU/Linux is significantly faster).
Free software for carrying out brute-force attacks (extracting the passphrase from a VeraCrypt/LUKS disk header): Hashcat. John the Ripper does not know how to "break Veracrypt", and when working with LUKS it does not understand Twofish cryptography.

Because of the cryptographic strength of the encryption algorithms, unstoppable cypherpunks are developing software with a different attack vector. For example, extracting metadata/keys from RAM (cold boot attack/direct memory access attack). There is specialized free and non-free software for these purposes.

After finishing the setup/generation of the "unique metadata" of the encrypted active partition, VeraCrypt will offer to reboot the PC and test the functionality of its bootloader. After rebooting/starting Windows, VeraCrypt will load in standby mode; all that remains is to confirm the encryption process - Y.

At the final step of system encryption, VeraCrypt will offer to create a backup copy of the header of the active encrypted partition in the form of "veracrypt rescue disk.iso" - this must be done - in this software such an operation is a requirement (in LUKS, as a requirement, it is unfortunately omitted, but it is emphasized in the documentation). The rescue disk will come in handy for everyone, and for some more than once. Losing the backup copy of the header (when the header/MBR gets overwritten) will cut off access to the encrypted partition with Windows OS.

A4. Creating a VeraCrypt rescue USB/disk

By default, VeraCrypt offers to burn the "~2-3MB of metadata" to a CD, but not everyone has discs or DVD-ROM drives, and creating a bootable "VeraCrypt Rescue disk" flash drive will be a technical surprise for some: Rufus/GUIdd-ROSA ImageWriter and other similar software will not cope with the task, because besides copying the offset metadata to a bootable flash drive, you need to copy/paste the image outside the USB drive's file system; in short, correctly copy the MBR/track to the key fob. You can create a bootable flash drive from GNU/Linux using the "dd" utility, looking at this plate.

Creating a rescue disk in a Windows environment is different. The VeraCrypt developer did not include a solution to this problem in the official documentation on the "rescue disk", but offered a solution in another way: he published additional software for creating a "usb rescue disk" in free access on the VeraCrypt forum. The archive of this software for Windows is "creating usb veracrypt rescue disk". After saving rescue disk.iso, the process of block system encryption of the active partition will begin. During encryption the OS does not stop working; no PC reboot is required. After the encryption operation completes, the active partition becomes fully encrypted and can be used. If the VeraCrypt bootloader does not appear when you start the PC, and the header recovery operation does not help, then check the "boot" flag: it must be set on the partition where Windows is present (regardless of encryption and other OSes, see table No. 1).
This completes the description of block system encryption with Windows OS.

[B] LUKS. GNU/Linux encryption (~Debian) of the installed OS. Algorithm and steps

To encrypt an installed Debian/derivative distribution, you need to map the prepared partition to a virtual block device, transfer GNU/Linux onto the mapped disk, and install/configure GRUB2. If you don't have a bare-metal server and you value your time, then you should use the GUI, and most of the terminal commands described below are meant to be run in "Chuck Norris mode".

B1. Booting the PC from a live USB GNU/Linux

"Run a crypto test for hardware performance"

lscpu && cryptsetup benchmark

If you are the happy owner of a powerful machine with hardware AES support, the numbers will look like the right side of the terminal; if you are a happy owner but of antique hardware, the numbers will look like the left side.

B2. Partitioning the disk. Mounting/formatting the filesystem of the HDD logical disk to Ext4 (Gparted)

B2.1. Creating an encrypted sda7 partition header

I will describe partition names, here and below, in accordance with the partition table posted above. According to your disk layout, you must substitute your own partition names.

Mapping the logical drive encryption (/dev/sda7 > /dev/mapper/sda7_crypt).
# Simple creation of a "LUKS-AES-XTS partition"

cryptsetup -v -y luksFormat /dev/sda7

Options:

* luksFormat - initialize the LUKS header;
* -y - passphrase (not a key/file);
* -v - verbose (print information in the terminal);
* /dev/sda7 - your logical disk from the extended partition (where the GNU/Linux transfer/encryption is planned).

Default encryption algorithm <LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom> (depends on the cryptsetup version).

#Check the default encryption algorithm
cryptsetup --help #the very last line of the terminal output.

If there is no hardware AES support on the CPU, the best choice is to create an advanced "LUKS-Twofish-XTS partition".

B2.2. Advanced creation of a "LUKS-Twofish-XTS partition"

cryptsetup luksFormat /dev/sda7 -v -y -c twofish-xts-plain64 -s 512 -h sha512 -i 1500 --use-urandom

Options:
* luksFormat - initialize the LUKS header;
* /dev/sda7 - your future encrypted logical disk;
* -v - verbose;
* -y - passphrase;
* -c - choice of the data encryption algorithm;
* -s - encryption key size;
* -h - hashing algorithm/crypto function; the RNG (--use-urandom) is used to generate a unique encryption/decryption key for the logical disk header and the second header key (XTS); the unique master key stored in the encrypted disk header, the second XTS key, all this metadata and the encryption routine which, using the master key and the second XTS key, encrypts/decrypts any data on the partition (except the partition header) are stored in ~3MB on the selected partition.
* -i - iterations in milliseconds, instead of a "count" (the time delay when processing the passphrase affects OS boot and the cryptographic strength of the keys). To keep the balance of cryptographic strength, with a simple password like "Russian" you need to increase the -(i) value; with a complex password like "?8dƱob/øfh" the value can be reduced.
* --use-urandom - random number generator, generates the keys and salt.

After mapping the partition sda7 > sda7_crypt (the operation is quick, since only an encrypted header with ~3 MB of metadata is created and that's it), you need to format and mount the sda7_crypt file system.

B2.3. Mapping

cryptsetup open /dev/sda7 sda7_crypt
#running this command prompts for the secret passphrase.

options:
* open - map the partition "with a name";
* /dev/sda7 - the logical disk;
* sda7_crypt - the mapping name used to mount the encrypted partition or to initialize it when the OS boots.

B2.4. Formatting the sda7_crypt file system to ext4. Mounting the disk in the OS

(Note: you can no longer work with the encrypted partition in Gparted)

#formatting the encrypted block device
mkfs.ext4 -v -L DebSHIFR /dev/mapper/sda7_crypt

options:
* -v - verbose;
* -L - drive label (shown in the file manager among the other drives).

Next, mount the encrypted block device /dev/mapper/sda7_crypt into the system

mount /dev/mapper/sda7_crypt /mnt

Working with files in the /mnt folder will automatically encrypt/decrypt the data in sda7.

It is more convenient to map and mount the partition in the file manager (nautilus/caja GUI); the partition will already be in the disk selection list, and all that remains is to enter the passphrase to open/decrypt the disk. The mapped name will then be chosen automatically and will not be "sda7_crypt" but something like /dev/mapper/Luks-xx-xx...

B2.5. Backing up the disk header (~3MB of metadata)

One of the most important operations, which must be done without delay: a backup copy of the "sda7_crypt" header. If you overwrite/damage the header (for example, by installing GRUB2 on the sda7 partition, etc.), the encrypted data will be lost completely with no possibility of recovery, because it is impossible to regenerate the same keys; the keys are created unique.

#Backing up the partition header
cryptsetup luksHeaderBackup --header-backup-file ~/Бэкап_DebSHIFR /dev/sda7

#Restoring the partition header
cryptsetup luksHeaderRestore --header-backup-file <file> <device>

options:
* luksHeaderBackup --header-backup-file - the backup command;
* luksHeaderRestore --header-backup-file - the restore command;
* ~/Бэкап_DebSHIFR - the backup file;
* /dev/sda7 - the partition whose encrypted disk header copy is to be saved.
At this step, <creating and editing the encrypted partition> is complete.

B3. Transferring the GNU/Linux OS (sda4) to the encrypted partition (sda7)

Create the folder /mnt2 (note: we are still working from the live USB, sda7_crypt is mounted at /mnt), and mount our GNU/Linux, the one that needs to be encrypted, at /mnt2.

mkdir /mnt2
mount /dev/sda4 /mnt2

We carry out a correct OS transfer using Rsync

rsync -avlxhHX --progress /mnt2/ /mnt

Rsync options are described in paragraph E1.

Next, you need to defragment the logical disk partition

e4defrag -c /mnt/ #after the check, e4defrag will report that the partition's fragmentation degree is ~"0"; this is a misconception that may cost you a significant loss of performance!
e4defrag /mnt/ #defragment the encrypted GNU/Linux

Make it a rule: run e4defrag on the encrypted GNU/Linux from time to time if you have an HDD.
The transfer and synchronization [GNU/Linux > GNU/Linux-encrypted] is complete at this step.

B4. Configuring GNU/Linux on the encrypted sda7 partition

After successfully transferring the OS /dev/sda4 > /dev/sda7, you need to log into GNU/Linux on the encrypted partition and carry out further configuration (without rebooting the PC) relative to the encrypted system. That is, stay in the live USB, but run commands "relative to the root of the encrypted OS". "chroot" will simulate such a situation. To quickly get information about which OS you are currently working with (encrypted or not, since the data in sda4 and sda7 is synchronized), desynchronize the OSes. Create empty marker files in the root directories (sda4/sda7_crypt), for example, /mnt/encryptedOS and /mnt2/decryptedOS. Quickly check which OS you are in (including for the future):

ls /<Tab-Tab>

B4.1. "Simulating a login to the encrypted OS"

mount --bind /dev /mnt/dev
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
chroot /mnt

B4.2. Verifying that work is being done against the encrypted system

ls /<Tab-Tab>
#and we see the "/encryptedOS" file

history
#the terminal output should show the su command history of the working OS.

B4.3. Creating/configuring encrypted swap, editing crypttab/fstab

Since the swap is formatted every time the OS starts, there is no point in creating and mapping swap to a logical disk now and typing commands as in paragraph B2.2. For swap, its own temporary encryption keys will be generated automatically at every start. Life cycle of the swap keys: unmounting/disabling the swap partition (+ cleaning RAM); or restarting the OS. To set up swap, open the file responsible for the configuration of encrypted block devices (analogous to the fstab file, but responsible for crypto).

nano /etc/crypttab

edit it

#"target name" "source device" "key file" "options"
swap /dev/sda8 /dev/urandom swap,cipher=twofish-xts-plain64,size=512,hash=sha512

Options
* swap - the mapped name when encrypting, /dev/mapper/swap.
* /dev/sda8 - use your logical partition for swap.
* /dev/urandom - generator of random encryption keys for swap (with each new OS boot, new keys are created). The /dev/urandom generator is less random than /dev/random; after all, /dev/random is what gets used when working in dangerous, paranoid circumstances. When booting the OS, /dev/random slows the boot down by ± several minutes (see systemd-analyze).
* swap,cipher=twofish-xts-plain64,size=512,hash=sha512 - the partition knows that it is swap and is formatted "accordingly"; the encryption algorithm.

#Open and edit fstab
nano /etc/fstab

edit it

# swap was on /dev/sda8 during installation
/dev/mapper/swap none swap sw 0 0

/dev/mapper/swap is the name that was set in crypttab.

Alternative encrypted swap
If for some reason you don't want to give up an entire partition for swap, you can take an alternative and better route: create a swap file in a file on the encrypted partition with the OS.

fallocate -l 3G /swap #create a 3 GB file (an almost instant operation)
chmod 600 /swap #set the permissions
mkswap /swap #make a swap file out of the file
swapon /swap #turn our swap on
free -m #check that the swap file is activated and working
printf "/swap none swap sw 0 0\n" >> /etc/fstab #if needed, the swap will be persistent after a reboot

Swap partition setup is complete.

B4.4. Configuring the encrypted GNU/Linux (editing the crypttab/fstab files)

The /etc/crypttab file, as written above, describes the encrypted block devices that are configured during system boot.

#edit /etc/crypttab
nano /etc/crypttab

if you mapped the partition sda7 > sda7_crypt as in paragraph B2.1

# "target name" "source device" "key file" "options"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 none luks

if you mapped the partition sda7 > sda7_crypt as in paragraph B2.2

# "target name" "source device" "key file" "options"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 none cipher=twofish-xts-plain64,size=512,hash=sha512

if you mapped the partition sda7 > sda7_crypt as in paragraph B2.1 or B2.2, but do not want to enter the password again to unlock and boot the OS, then instead of the password you can substitute a secret key/random file.

# "target name" "source device" "key file" "options"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 /etc/skey luks

Description
* none - indicates that when the OS boots, a secret passphrase must be entered to unlock root.
* UUID - the partition identifier. To find your ID, type in the terminal (remember that from this point on you are working in a terminal in the chroot environment, and not in another live USB terminal).

fdisk -l #check all partitions
blkid #should give something like this

/dev/sda7: UUID="81048598-5bb9-4a53-af92-f3f9e709e2f2" TYPE="crypto_LUKS" PARTUUID="0332d73c-07"
/dev/mapper/sda7_crypt: LABEL="DebSHIFR" UUID="382111a2-f993-403c-aa2e-292b5eac4780" TYPE="ext4"

(This line is visible when blkid is run from the live USB terminal with sda7_crypt mounted.)
You take the UUID from your sdaX (not sdaX_crypt! The UUID of sdaX_crypt is handled automatically when the grub.cfg config is generated).
* cipher=twofish-xts-plain64,size=512,hash=sha512 - luks encryption in advanced mode.
* /etc/skey - the secret key file, which is substituted automatically to unlock the OS boot (instead of entering the 3rd password). You can specify any file up to 8MB, but <1MB of data will be read.

#Creating ("generating") a random <secret key> file of 691 bytes.
head -c 691 /dev/urandom > /etc/skey

#Adding the secret key (691 bytes) to slot 7 of the luks header
cryptsetup luksAddKey --key-slot 7 /dev/sda7 /etc/skey

#Checking the "passwords/keys of the luks partition" slots
cryptsetup luksDump /dev/sda7

It will look something like this:

(do it yourself and see for yourself).

cryptsetup luksKillSlot /dev/sda7 7 #removing the key/password from slot 7
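
The header backup from B2.5 and the slot check done with luksDump can also be verified offline, without root or the device. As an added example (not part of the original guide), this script reads the fixed 592-byte LUKS1 binary header from a backup file and reports the cipher, key size, hash and enabled key slots; the sample header is constructed in the script and holds no key material, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: inspect a LUKS1 header backup offline (no root, no device).
# Offsets follow the LUKS1 on-disk format: 592-byte header, big-endian fields.

u32_at() {   # FILE OFFSET -> unsigned 32-bit big-endian value
    set -- $(dd if="$1" bs=1 skip="$2" count=4 2>/dev/null | od -An -tu1)
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

str_at() {   # FILE OFFSET LENGTH -> NUL-padded text field
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'
}

# luks1_summary FILE
# Prints one summary line. Returns 1 if FILE is not a LUKS header,
# 2 if it is a LUKS header of another version (for example LUKS2).
luks1_summary() {
    f=$1
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -ge 592 ] || { echo "too short for a LUKS1 header"; return 1; }
    magic=$(dd if="$f" bs=1 count=6 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = 4c554b53babe ] || { echo "LUKS magic missing (overwritten?)"; return 1; }
    # The 16-bit version field sits at offset 6: low half of the word at 4.
    version=$(( $(u32_at "$f" 4) & 0xffff ))
    [ "$version" -eq 1 ] || { echo "LUKS version $version: use cryptsetup luksDump"; return 2; }

    slots="" i=0
    while [ "$i" -lt 8 ]; do
        # Key slots start at offset 208, 48 bytes each; the first word is
        # 0x00AC71F3 for an enabled slot and 0x0000DEAD for a disabled one.
        state=$(u32_at "$f" $((208 + 48 * i)))
        if [ "$state" -eq $((0x00AC71F3)) ]; then slots="$slots${slots:+,}$i"; fi
        i=$((i + 1))
    done
    printf 'cipher=%s-%s keybits=%s hash=%s payload_offset=%s active_slots=%s\n' \
        "$(str_at "$f" 8 32)" "$(str_at "$f" 40 32)" \
        "$(( $(u32_at "$f" 108) * 8 ))" "$(str_at "$f" 72 32)" \
        "$(u32_at "$f" 104)" "${slots:-none}"
}

# put FILE BYTES OFFSET: patch bytes (printf octal escapes) into FILE
put() { printf "$2" | dd of="$1" bs=1 seek="$3" conv=notrunc 2>/dev/null; }

# make_sample_header FILE: constructed LUKS1-shaped header, zero key material
make_sample_header() {
    dd if=/dev/zero of="$1" bs=592 count=1 2>/dev/null
    put "$1" 'LUKS\272\276\000\001' 0      # magic + version 1
    put "$1" 'twofish' 8                   # cipher name
    put "$1" 'xts-plain64' 40              # cipher mode
    put "$1" 'sha512' 72                   # hash spec
    put "$1" '\000\000\020\000' 104        # payload offset: 4096 sectors
    put "$1" '\000\000\000\100' 108        # key bytes: 64 (512-bit XTS key)
    for s in 0 1 2 3 4 5 6 7; do
        case $s in
            0|7) put "$1" '\000\254\161\363' $((208 + 48 * s)) ;;   # enabled
            *)   put "$1" '\000\000\336\255' $((208 + 48 * s)) ;;   # disabled
        esac
    done
}

# Demo on the constructed header (passphrase in slot 0, key file in slot 7).
tmp=$(mktemp)
make_sample_header "$tmp"
luks1_summary "$tmp"
rm -f "$tmp"
```

Run `luks1_summary` on the file written by luksHeaderBackup right after creating it. The backup keeps every key slot that existed when it was taken, so store it as carefully as the passphrase itself.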

/etc/fstab contains descriptive information about the various file systems.

#Edit /etc/fstab
nano /etc/fstab

# "file system" "mount point" "type" "options" "dump" "pass"
# / was on /dev/sda7 during installation
/dev/mapper/sda7_crypt / ext4 errors=remount-ro 0 1

option
* /dev/mapper/sda7_crypt - the name of the sda7 > sda7_crypt mapping, which is specified in the /etc/crypttab file.
The crypttab/fstab setup is complete.

B4.5. Editing configuration files. Key moment

B4.5.1. Editing the config /etc/initramfs-tools/conf.d/resume

#If you previously had a swap partition activated, disable it.
nano /etc/initramfs-tools/conf.d/resume

and comment out (if present) with "#" the "resume" line. The file must be completely empty.

B4.5.2. Editing the config /etc/initramfs-tools/conf.d/cryptsetup

nano /etc/initramfs-tools/conf.d/cryptsetup

it should match

# /etc/initramfs-tools/conf.d/cryptsetup
CRYPTSETUP=yes
export CRYPTSETUP

B4.5.3. Editing the /etc/default/grub config (this config is responsible for being able to generate grub.cfg when working with an encrypted /boot)

nano /etc/default/grub

add the line "GRUB_ENABLE_CRYPTODISK=y"
with the value 'y', grub-mkconfig and grub-install will check for encrypted drives and generate the additional commands needed to access them at boot time (insmods).
it should look similar to

GRUB_DEFAULT=0
GRUB_TIMEOUT=1
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="acpi_backlight=vendor"
GRUB_CMDLINE_LINUX="quiet splash noautomount"
GRUB_ENABLE_CRYPTODISK=y

B4.5.4. Editing the config /etc/cryptsetup-initramfs/conf-hook

nano /etc/cryptsetup-initramfs/conf-hook

check that the line is commented out <#>.
In the future (and even now, this parameter will have no meaning, but sometimes it interferes with updating the initrd.img image).

B4.5.5. Editing the config /etc/cryptsetup-initramfs/conf-hook

nano /etc/cryptsetup-initramfs/conf-hook

add

KEYFILE_PATTERN="/etc/skey"
UMASK=0077

This will pack the secret key "skey" into initrd.img; the key is needed to unlock root when the OS boots (if you don't want to enter the password again, the "skey" key is substituted automatically).

B4.6. Updating /boot/initrd.img [version]

To pack the secret key into initrd.img and apply the cryptsetup fixes, update the image

update-initramfs -u -k all

when updating initrd.img (as they say, "It's possible, but not certain") warnings related to cryptsetup may appear, or, for example, a notification about the loss of Nvidia modules - this is normal. After updating the file, check that it was actually updated, look at the time (relative to the chroot environment, ./boot/initrd.img). Caution! Before [update-initramfs -u -k all], be sure to check that cryptsetup open /dev/sda7 sda7_crypt used this very name, the one that appears in /etc/crypttab; otherwise after the reboot there will be a busybox error.
At this step, the configuration files setup is complete.
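
Before running update-initramfs, the edits from B4.3 to B4.5 can be cross-checked for the name mismatch that the caution above warns about. This is an added example, not part of the original guide: a POSIX shell check over constructed copies of crypttab, fstab and conf-hook; the function names and the placeholder UUID are assumptions.

```shell
#!/bin/sh
# Added example: cross-check crypttab, fstab and the cryptsetup-initramfs
# conf-hook before update-initramfs. All sample file contents are constructed.

report() { printf '%s\n' "$1"; findings=$((findings + 1)); }

# check_crypt_config CRYPTTAB FSTAB CONF_HOOK
# Prints one finding per line; returns 0 only when there are none.
check_crypt_config() {
    findings=0 names=" " keyfiles=""

    # crypttab: remember mapping names and key files that must reach initrd.
    while read -r name src key opts _; do
        case $name in ''|'#'*) continue ;; esac
        names="$names$name "
        case $key in
            /dev/urandom|/dev/random)
                # A throw-away random key only makes sense together with the
                # "swap" option, which re-creates the swap area at each boot.
                case ",$opts," in
                    *,swap,*) ;;
                    *) report "crypttab: $name uses $key without the swap option" ;;
                esac ;;
            none|-|'') ;;                     # passphrase is asked at boot
            *) keyfiles="$keyfiles $key" ;;
        esac
    done < "$1"

    # fstab: every /dev/mapper/NAME needs a crypttab entry called NAME,
    # and swap must not sit on a raw (unencrypted) partition.
    while read -r dev mnt type _; do
        case $dev in
            ''|'#'*) continue ;;
            /dev/mapper/*)
                case $names in
                    *" ${dev#/dev/mapper/} "*) ;;
                    *) report "fstab: $dev ($mnt) has no crypttab entry" ;;
                esac ;;
            /dev/*|UUID=*|LABEL=*)
                if [ "$type" = swap ]; then report "fstab: swap on $dev is not encrypted"; fi ;;
        esac
    done < "$2"

    # conf-hook: key files are copied into initrd.img only if they match the
    # KEYFILE_PATTERN shell pattern; UMASK=0077 keeps the image root-only.
    if [ -n "$keyfiles" ]; then
        pattern=$(sed -n 's/^KEYFILE_PATTERN=//p' "$3" | tail -n 1 | tr -d "\"'")
        mask=$(sed -n 's/^UMASK=//p' "$3" | tail -n 1)
        for k in $keyfiles; do
            case $k in
                $pattern) ;;
                *) report "conf-hook: $k does not match KEYFILE_PATTERN='$pattern'" ;;
            esac
        done
        if [ "$mask" != 0077 ]; then report "conf-hook: UMASK is '$mask', expected 0077"; fi
    fi
    [ "$findings" -eq 0 ]
}

write_samples() {   # DIR: constructed good and bad variants
    cat > "$1/crypttab" <<'EOF'
# "target name" "source device" "key file" "options"
sda7_crypt UUID=00000000-0000-0000-0000-000000000000 /etc/skey luks
swap /dev/sda8 /dev/urandom swap,cipher=twofish-xts-plain64,size=512,hash=sha512
EOF
    cat > "$1/fstab" <<'EOF'
/dev/mapper/sda7_crypt / ext4 errors=remount-ro 0 1
/dev/mapper/swap none swap sw 0 0
EOF
    printf 'KEYFILE_PATTERN="/etc/skey"\nUMASK=0077\n' > "$1/conf-hook"
    # Bad variants: mapping renamed, swap option dropped, typographic quotes
    # pasted from a web page, UMASK missing.
    cat > "$1/crypttab.bad" <<'EOF'
sda7crypt UUID=00000000-0000-0000-0000-000000000000 /etc/skey luks
swap /dev/sda8 /dev/urandom cipher=twofish-xts-plain64,size=512,hash=sha512
EOF
    printf 'KEYFILE_PATTERN=”/etc/skey”\n' > "$1/conf-hook.bad"
}

# Demo: the bad variants produce four findings.
demo=$(mktemp -d)
write_samples "$demo"
check_crypt_config "$demo/crypttab.bad" "$demo/fstab" "$demo/conf-hook.bad" || true
rm -rf "$demo"
```

Inside the chroot the real files are /etc/crypttab, /etc/fstab and /etc/cryptsetup-initramfs/conf-hook.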

[C] Installing and configuring GRUB2/protection

C1. If necessary, format the dedicated partition for the bootloader (the partition needs at least 20MB)

mkfs.ext4 -v -L GRUB2 /dev/sda6

C2. Mounting /dev/sda6 to /mnt

Since we are working in chroot, there will be no /mnt2 directory in the root, and the /mnt folder will be empty.
Mount the GRUB2 partition

mount /dev/sda6 /mnt

If you have an old version of GRUB2 installed, and the /mnt/boot/grub/i386-pc directory (another platform is possible, i.e. not "i386-pc") has no crypto modules (in short, the folder should contain modules including these .mod: cryptodisk; luks; gcry_twofish; gcry_sha512; signature_test.mod), then GRUB2 needs to be shaken up.

apt-get update
apt-get install grub2

Important! When updating the GRUB2 package from the repository, when asked "about choosing" where to install the bootloader, you must refuse the installation (reason: the attempt to install GRUB2 into the "MBR" or onto the live USB). Otherwise you will damage the VeraCrypt header/loader. After updating the GRUB2 packages and cancelling the installation, the bootloader must be installed manually onto the logical disk, and not into the MBR. If your repository has an outdated version of GRUB2, try updating it from the official website - not verified (worked with the latest GRUB 2.02 ~BetaX bootloaders).

C3. Installing GRUB2 into the extended partition [sda6]

You must have the partition mounted [item C.2]

grub-install --force --root-directory=/mnt /dev/sda6

options
* --force - install the bootloader, bypassing all the warnings that almost always exist and block the installation (a required flag).
* --root-directory - install the directory into the root of sda6.
* /dev/sda6 - your sdaX partition (do not miss the <space> between /mnt /dev/sda6).

C4. Creating the configuration file [grub.cfg]

Forget about the "update-grub2" command, and use the full config generation command

grub-mkconfig -o /mnt/boot/grub/grub.cfg

after the generation/update of the grub.cfg file finishes, the terminal output should contain line(s) with the OSes found on the disk ("grub-mkconfig" will probably find and pick up the OS from the live USB too, if you have a multiboot flash drive with Windows 10 and a bunch of live distributions - this is normal). If the terminal is "empty" and the "grub.cfg" file is not generated, then this is the case where there are GRUB bugs in the system (and most likely a bootloader from the test branch of the repository); reinstall GRUB2 from trusted sources.
The "simple installation" and configuration of GRUB2 is complete.

C5. Proof test of the encrypted GNU/Linux OS

We finish the crypto mission correctly. Carefully leave the encrypted GNU/Linux (exit the chroot environment).

umount -a #unmount all mounted partitions of the encrypted GNU/Linux
Ctrl+d #exit the chroot environment
umount /mnt/dev
umount /mnt/proc
umount /mnt/sys
umount -a #unmount all mounted partitions on the live USB
reboot

After rebooting the PC, the VeraCrypt bootloader should load.

* Entering the password for the active partition will start loading Windows.
* Pressing the "Esc" key will pass control to GRUB2; if you choose the encrypted GNU/Linux, a password (sda7_crypt) will be required to unlock /boot/initrd.img (if grub2 writes uuid "not found", this is a problem with the grub2 bootloader; it should be reinstalled, e.g. from the test branch/stable, etc.).

* Depending on how you configured the system (see paragraph B4.4/4.5), after entering the correct password to unlock the /boot/initrd.img image, you will need a password to load the OS kernel/root, or the secret key "skey" will be substituted automatically, removing the need to re-enter the passphrase.
(screen: "automatic key substitution").

* Next comes the familiar process of loading GNU/Linux with user account authentication.

* After user authorization and logging into the OS, you need to update /boot/initrd.img again (see B4.6).

update-initramfs -u -k all

And if there are extra lines in the GRUB2 menu (from the OSes picked up from the live USB), get rid of them

mount /dev/sda6 /mnt
grub-mkconfig -o /mnt/boot/grub/grub.cfg

A quick summary of GNU/Linux system encryption:

  • GNU/Linux is fully encrypted, including /boot/kernel and initrd;
  • the secret key is packed in initrd.img;
  • the current authorization scheme (entering a password to unlock initrd; password/key to boot the OS; password to authorize the Linux account).

The "simple GRUB2 configuration" for block system encryption is complete.

C6. Advanced GRUB2 configuration. Bootloader protection with a digital signature + authentication protection

GNU/Linux is fully encrypted, but the bootloader cannot be encrypted - this condition is dictated by the BIOS. For this reason, chained encrypted boot of GRUB2 is not possible, but simple chained boot is possible/available; from a protection standpoint it is not needed (see item [F]).
For the "vulnerable" GRUB2, the developers implemented a "signature/authentication" bootloader protection algorithm.

  • When the bootloader is protected with a "digital signature", external modification of files, or an attempt to load additional modules into this bootloader, will lead to the boot process being blocked.
  • When the bootloader is protected with authentication, to choose a distribution to boot, or to enter additional commands in the CLI, you need to enter the login and password of the GRUB2 superuser.

C6.1. Bootloader authentication protection

Check that you are working in a terminal on the encrypted OS

ls /<Tab-Tab> #find the marker file

create a superuser password for authorization in GRUB2

grub-mkpasswd-pbkdf2 #enter/repeat the superuser password

Get the password hash. Something like this

grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8

Mount the GRUB partition

mount /dev/sda6 /mnt

edit the config

nano -$ /mnt/boot/grub/grub.cfg

search the file to check that there are no "--unrestricted" or "--users" flags anywhere in "grub.cfg",
then add at the end (before the line ### END /etc/grub.d/41_custom ###)
"set superusers="root"
password_pbkdf2 root hash."

It should look something like this

# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f ${config_directory}/custom.cfg ]; then
source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
source $prefix/custom.cfg;
fi
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
### END /etc/grub.d/41_custom ###
#

If you often run the command "grub-mkconfig -o /mnt/boot/grub/grub.cfg" and do not want to edit grub.cfg every time, put the lines above (login:password) into the GRUB user script below

nano /etc/grub.d/41_custom 

cat <<EOF
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
EOF

When the config is generated with "grub-mkconfig -o /mnt/boot/grub/grub.cfg", the lines responsible for authentication are added to grub.cfg automatically.
This step completes the GRUB2 authentication setup.

C6.2. Bootloader protection with a digital signature

It is assumed that you already have your personal pgp encryption key (or will create one). The system must have cryptographic software installed: gnuPG; kleopatra/GPA; Seahorse. Crypto software will make your life much easier in all such matters. Seahorse: the stable version of the package is 3.14.0 (higher versions, for example V3.20, are flawed and have significant bugs).

The PGP key must be generated/launched/added only in the su environment!

Generate a personal encryption key

gpg --gen-key

Export your key

gpg --export -o ~/perskey

Mount the logical disk in the OS if it is not already mounted

mount /dev/sda6 /mnt #sda6 is the GRUB2 partition

clean the GRUB2 partition

rm -rf /mnt/

Install GRUB2 on sda6, placing your personal key into the main GRUB image "core.img"

grub-install --force --modules="gcry_sha256 gcry_sha512 signature_test gcry_dsa gcry_rsa" -k ~/perskey --root-directory=/mnt /dev/sda6

options
* --force - install the bootloader, bypassing all the warnings, which are always present (required flag).
* --modules="gcry_sha256 gcry_sha512 signature_test gcry_dsa gcry_rsa" - instructs GRUB2 to preload the required modules when the PC starts.
* -k ~/perskey - path to the "PGP key" (once the key has been packed into the image, it can be deleted).
* --root-directory - sets the boot directory to the root of sda6
* /dev/sda6 - your sdaX partition.

Generate/update grub.cfg

grub-mkconfig  -o /mnt/boot/grub/grub.cfg

Add the line "trust /boot/grub/perskey" to the end of the "grub.cfg" file (forcing the use of the pgp key). Since we installed GRUB2 with a set of modules that includes the signature module "signature_test.mod", there is no need to add commands such as "set check_signatures=enforce" to the config.

It should look something like this (the last lines of the grub.cfg file)

### BEGIN /etc/grub.d/41_custom ###
if [ -f ${config_directory}/custom.cfg ]; then
source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
source $prefix/custom.cfg;
fi
trust /boot/grub/perskey
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
### END /etc/grub.d/41_custom ###
#

The path "/boot/grub/perskey" does not need to point to a specific disk partition, for example hd0,6; for the bootloader itself, "root" is the default path of the partition on which GRUB2 is installed (see set root=...).

Sign GRUB2 (all files in all /GRUB directories) with your "perskey" key.
A simple way to sign (for the nautilus/caja file manager): install the "seahorse" extension for the file manager from the repository. Your key must be added to the su environment.
Open the file manager with sudo at "/mnt/boot", right-click, sign.

The key itself, "/mnt/boot/grub/perskey" (copy it into the grub directory), must also be signed with your own signature. Check that the [*.sig] signature files have appeared in the directory/subdirectories.
Using the method described above, sign "/boot" (our kernel, initrd). If your time is worth anything, this method saves you from writing a bash script to sign "lots of files".

To remove all bootloader signatures (if something went wrong)

rm -f $(find /mnt/boot/grub -type f -name '*.sig')

To avoid re-signing the bootloader after a system update, we freeze all update packages related to GRUB2.

apt-mark hold grub-common grub-pc grub-pc-bin grub2 grub2-common

At this point, the advanced GRUB2 configuration step <protecting the bootloader with a digital signature> is complete.

C6.3. Proof-test of the GRUB2 bootloader protected by digital signature and authentication

GRUB2. When selecting any GNU/Linux distribution or entering the CLI (command line), superuser authorization will be required. After entering the correct username/password, you will need the initrd password

Screenshot: successful authentication of the GRUB2 superuser.

If you tamper with any of the GRUB2 files, make changes to grub.cfg, delete a file/signature, or load a malicious module.mod, a corresponding warning will appear. GRUB2 will halt the boot.

Screenshot: an attempt to interfere with GRUB2 "from outside".

During a normal boot "without intrusion", the exit code status of the system is "0". It is therefore unknown whether the protection works or not (that is, "with or without bootloader signature protection" the status during a normal boot is the same "0", which is bad).

How to check the digital signature protection?

An inconvenient way to check: break/remove a module used by GRUB2, for example remove the luks.mod.sig signature, and get an error.

The proper way: go to the bootloader CLI and type the command

list_trusted

In response you should get the fingerprint of "perskey"; if the status is "0", then signature protection is not working, double-check section C6.2.
At this point, the advanced configuration "Protecting GRUB2 with a digital signature and authentication" is complete.
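
Because a normal boot looks the same with and without working protection, the settings from C6.1 and C6.2 can also be checked from the running OS with the GRUB partition mounted. The following is an added example, not code from the article or from GRUB: the function names and finding labels are assumptions, the sample config is constructed, and the signature check only confirms that a .sig file exists beside each file, not that it verifies.

```shell
#!/bin/bash
# Added example (not from the article): offline checks of a mounted GRUB2
# partition against the setup from C6.1/C6.2. Finding labels are made up here.

# grub_cfg_lint CFG: print one finding per line, return 1 if there are any.
grub_cfg_lint() {
    local findings
    findings=$(awk '
        /^[ \t]*#/ { next }                                   # ignore comments
        /^[ \t]*set[ \t]+superusers=/ {                       # collect superuser names
            v = $0; sub(/^[^=]*=/, "", v); gsub(/["\047]/, "", v)
            n = split(v, u, /[ ,;&|]+/)
            for (i = 1; i <= n; i++) if (u[i] != "") super[u[i]] = 1
        }
        $1 == "password_pbkdf2" && $3 ~ /^grub\.pbkdf2\./ { hashed[$2] = 1 }
        $1 == "password"  { print "PLAINTEXT_PASSWORD line " NR }
        $1 == "menuentry" && /--unrestricted/ { print "UNRESTRICTED line " NR }
        $1 == "trust"     { trusted = 1 }
        END {
            for (s in super) { count++; if (!(s in hashed)) print "NO_HASH_FOR " s }
            if (!count)   print "NO_SUPERUSERS"
            if (!trusted) print "NO_TRUST_KEY"
        }' "$1") || return 2
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# grub_sig_coverage DIR: report files without a detached signature next to
# them and signatures whose file is gone. Presence only: validating each
# signature additionally needs "gpg --verify FILE.sig FILE" with your key.
grub_sig_coverage() {
    local dir="$1" findings
    findings=$(find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        case "$f" in
            *.sig) [ -e "${f%.sig}" ] || printf 'ORPHAN_SIG %s\n' "$f" ;;
            *)     [ -e "$f.sig" ]    || printf 'UNSIGNED %s\n' "$f" ;;
        esac
    done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# write_sample_cfg FILE: a constructed grub.cfg with deliberate problems
# (an unrestricted entry, a superuser without a hash, no trusted key).
write_sample_cfg() {
    cat > "$1" <<'EOF'
set superusers="root"
menuentry 'Debian' --class gnu-linux {
    linux /boot/vmlinuz
}
menuentry 'Rescue' --unrestricted {
    linux /boot/vmlinuz single
}
EOF
}
```

With the partition mounted as in the text, the calls would be `grub_cfg_lint /mnt/boot/grub/grub.cfg` and `grub_sig_coverage /mnt/boot`.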

C7 An alternative method of protecting the GRUB2 bootloader using hashing

The "bootloader protection with digital signature/authentication" method described above is the classic one. Because GRUB2 is imperfect, under paranoid conditions it is susceptible to a real attack, which I give below in section [F]. In addition, after an OS/kernel update, the bootloader must be re-signed.

Protecting the GRUB2 bootloader using hashing

Advantages over the classic approach:

  • A higher level of reliability (hashing/verification takes place only from an encrypted local resource. The entire partition allocated to GRUB2 is monitored for any changes, and everything else is encrypted; in the classic scheme with bootloader digital-signature protection/authentication, only the files are monitored, but not the free space, into which "something sinister" can be added).
  • Encrypted logging (a human-readable personal encrypted log is added to the scheme).
  • Speed (protection/verification of the entire partition allocated to GRUB2 happens almost instantly).
  • Automation of all cryptographic processes.

Disadvantages compared with the classic approach.

  • Forging of the signature (in theory, it is possible to find a collision for the given hash function).
  • Increased level of difficulty (compared with the classic approach, a bit more GNU/Linux skill is required).

How the GRUB2/partition hashing idea works

The GRUB2 partition is "signed"; when the OS boots, the bootloader partition is checked for immutability, followed by logging in a secure (encrypted) environment. If the bootloader or its partition has been tampered with, then in addition to the intrusion log entry the following is launched: a blinking "warning" image on the monitor.

This check runs four times a day and does not load system resources.
With the command "-$ проверка_GRUB", an instant check is performed at any time without logging, but with output to the CLI.
With the command "-$ sudo подпись_GRUB", the GRUB2 bootloader/partition is instantly re-signed and its log updated (required after an OS/boot update), and life goes on.

Implementing the hashing method for the bootloader and its partition

0) Sign the GRUB bootloader/partition, first mounting it at /media/username

-$ hashdeep -c md5 -r /media/username/GRUB > /podpis.txt

1) Create a script without an extension in the root of the encrypted OS, ~/podpis, and apply the necessary 744 permissions and foolproof protection to it.

Fill in its contents

#!/bin/bash

#Check the entire partition allocated to the GRUB2 bootloader for immutability.
#A log is kept of "intrusion/successful check of the directory"; in short, a full log with triple verbosity is kept. Attention! Mind the paths: keep the GRUB2 digital signature only on the encrypted OS GNU/Linux partition.
echo -e "******************************************************************\n" >> '/var/log/podpis.txt' && date >> '/var/log/podpis.txt' && hashdeep -vvv -a -k '/podpis.txt' -r '/media/username/GRUB' >> '/var/log/podpis.txt'

a=`tail '/var/log/podpis.txt' | grep failed` #do not use "cat"!!
b="hashdeep: Audit failed"

#Condition: on any change in the partition allocated to GRUB2, a second, separate short "intrusion only" log is written in addition to the full log, and a blinking "warning" gif is shown on the monitor.
if [[ "$a" = "$b" ]]
then
echo -e "****\n" >> '/var/log/vtorjenie.txt' && echo "vtorjenie" >> '/var/log/vtorjenie.txt' && date >> '/var/log/vtorjenie.txt' & sudo -u username DISPLAY=:0 eom '/warning.gif'
fi

Run the script from su; the hashes of the GRUB partition and its bootloader will be checked and the log saved.

Let's create or copy, for example, a "malicious file" [virus.mod] to the GRUB2 partition and run a one-off check/test:

-$ hashdeep -vvv -a -k '/podpis.txt' -r '/media/username/GRUB'

The CLI should show the intrusion into our citadel.
#Trimmed log in CLI

Ср янв  2 11::41 MSK 2020
/media/username/GRUB/boot/grub/virus.mod: Moved from /media/username/GRUB/1nononoshifr
/media/username/GRUB/boot/grub/i386-pc/mda_text.mod: Ok
/media/username/GRUB/boot/grub/grub.cfg: Ok
hashdeep: Audit failed
   Input files examined: 0
  Known files expecting: 0
          Files matched: 325
Files partially matched: 0
            Files moved: 1
        New files found: 0
  Known files not found: 0

#As you can see, "Files moved: 1" and "Audit failed" appear, which means the check failed.
Owing to the nature of the partition being tested, "Files moved" appears instead of "New files found".

2) Put the gif here > ~/warning.gif, set permissions to 744.

3) Configure fstab to automount the GRUB partition at boot

-$ sudo nano /etc/fstab

LABEL=GRUB /media/username/GRUB ext4 defaults 0 0

4) Log rotation

-$ sudo nano /etc/logrotate.d/podpis

/var/log/podpis.txt {
daily
rotate 50
size 5M
dateext
compress
delaycompress
olddir /var/log/old
}

/var/log/vtorjenie.txt {
monthly
rotate 5
size 5M
dateext
olddir /var/log/old
}

5) Add the job to cron

-$ sudo crontab -e

@reboot '/podpis'
0 */6 * * * '/podpis'

6) Create permanent aliases

-$ sudo su
-$ echo "alias подпись_GRUB='hashdeep -c md5 -r /media/username/GRUB > /podpis.txt'" >> /root/.bashrc && bash
-$ echo "alias проверка_GRUB='hashdeep -vvv -a -k '/podpis.txt' -r /media/username/GRUB'" >> .bashrc && bash

After an OS update (-$ apt-get upgrade), re-sign our GRUB partition
-$ подпись_GRUB
At this point, hashing protection of the GRUB partition is complete.
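
The same sign/check cycle can be driven by exit status instead of grepping the tail of the log. The following is an added example, not the article's script: it uses sha256sum from coreutils in place of hashdeep with md5, and the function names and the NEW/MODIFIED/MISSING labels are assumptions.

```shell
#!/bin/bash
# Added example, not the article's script: the sign/check cycle from C7 with
# sha256sum (coreutils) standing in for "hashdeep -c md5". All paths are passed
# in by the caller; keep MANIFEST and LOG on the encrypted root, outside DIR.

# grub_sign DIR MANIFEST: record a SHA-256 for every regular file under DIR.
grub_sign() {
    local dir="$1" manifest="$2"
    # Paths are stored relative to DIR so the mount point may change later.
    ( cd "$dir" && find . -type f -print0 | LC_ALL=C sort -z |
        xargs -0 -r sha256sum ) > "$manifest"
}

# grub_check DIR MANIFEST: print NEW/MODIFIED/MISSING lines, return 1 if any.
grub_check() {
    local dir="$1" manifest="$2" current changes
    current=$(mktemp) || return 2
    grub_sign "$dir" "$current" || { rm -f "$current"; return 2; }
    # sha256sum lines are "<64 hex digits><2 separator chars><path>".
    changes=$(awk '
        FILENAME == ARGV[1] { old[substr($0, 67)] = substr($0, 1, 64); next }
        {
            path = substr($0, 67); hash = substr($0, 1, 64)
            if (!(path in old))         print "NEW      " path
            else if (old[path] != hash) print "MODIFIED " path
            delete old[path]
        }
        END { for (p in old) print "MISSING  " p }
    ' "$manifest" "$current")
    rm -f "$current"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# grub_audit DIR MANIFEST LOG: append a dated verdict to LOG and return the
# verdict as the exit status, so callers never have to grep the log text.
# Any failure of the check itself is also logged as an intrusion (fail closed).
grub_audit() {
    local dir="$1" manifest="$2" log="$3" report stamp
    stamp=$(date '+%F %T')
    if report=$(grub_check "$dir" "$manifest"); then
        printf '%s OK\n' "$stamp" >> "$log"
        return 0
    fi
    printf '%s INTRUSION\n%s\n' "$stamp" "$report" >> "$log"
    return 1
}
```

With the article's paths this would be `grub_sign /media/username/GRUB /podpis.txt` after an update and `grub_audit /media/username/GRUB /podpis.txt /var/log/podpis.txt` from cron.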

[D] Wiping - destruction of unencrypted data

Delete your personal files so completely that "even God can't read them", in the words of South Carolina spokesman Trey Gowdy.

As usual, there are various "myths and legends" about recovering data after it has been deleted from a hard drive. If you believe in cyber-witchcraft, or are a member of the Dr web community and have never tried recovering data after it was deleted/overwritten (for example, recovery using R-studio), then the proposed method is unlikely to suit you; use whatever is closest to you.

After successfully migrating GNU/Linux to the encrypted partition, the old copy must be wiped without the possibility of data recovery. A universal cleaning method: the free GUI software for Windows/Linux, BleachBit.
Quick-format the partition whose data needs to be destroyed (via Gparted), launch BleachBit, select "Wipe free space", choose the partition (your sdaX with the previous copy of GNU/Linux), and the wiping process will start. BleachBit wipes the disk in one pass, which is "what we need". But! This works only if you have formatted the disk and cleaned it in BB v2.0.

Caution! BB wipes the disk but leaves metadata; file names are preserved when the data is wiped (Ccleaner does not leave metadata).

And the myth about the possibility of data recovery is not entirely a myth. Bleachbit V2.0-2, the former unstable Debian package (and any other similar software: sfill; wipe-Nautilus have also been caught in this dirty business), actually has a critical bug: the "wipe free space" function works incorrectly on HDD/flash drives (ntfs/ext4). Software of this kind, when wiping free space, does not overwrite the entire disk, as many users think. And some (a lot) of the deleted data is treated by the OS/software as non-deleted/user data, and these files are skipped when "free space" is wiped. The problem is that after such a lengthy disk cleaning, "deleted files" can be recovered even after 3+ passes of disk wiping.
On GNU/Linux in Bleachbit 2.0-2 the functions for permanently deleting files and directories work reliably, but wiping free space does not. For comparison: on Windows in CCleaner the "wipe free space for ntfs" function works properly, and God really won't be able to read the deleted data.

Therefore, to thoroughly remove "compromising" old unencrypted data, Bleachbit needs direct access to that data; then use the "permanently delete files/directories" function.
To remove "files deleted using standard OS tools" in Windows, use CCleaner/BB with the "wipe free space" function. In GNU/Linux, for this problem (removing deleted files) you need to practise on your own (deleting data + an independent attempt to recover it), and you should not rely on the software version (if it is not a backdoor, then it is a bug); only then will you understand the mechanism of this problem and get rid of deleted data completely.

I have not tested Bleachbit v3.0; perhaps the problem has already been fixed.
Bleachbit v2.0 works honestly.

At this point, disk wiping is complete.

[E] Universal backup of the encrypted OS

Every user has their own way of backing up data, but the encrypted data of a system OS requires a slightly different approach to the task. Unified software such as Clonezilla and the like cannot work directly with encrypted data.

Statement of the problem of backing up encrypted block devices:

  1. universality - the same backup algorithm/software for Windows/Linux;
  2. the ability to work in the console with any live usb GNU/Linux without needing to download additional software (but a GUI is still recommended);
  3. security of the backup copies - the stored "images" must be encrypted/password-protected;
  4. the size of the encrypted data must match the size of the actual data being copied;
  5. convenient extraction of the needed files from the backup copy (no requirement to decrypt the whole partition first).

For example, backup/restore via the "dd" utility

dd if=/dev/sda7 of=/путь/sda7.img bs=7M conv=sync,noerror
dd if=/путь/sda7.img of=/dev/sda7 bs=7M conv=sync,noerror

It satisfies almost all points of the task, but on point 4 it does not stand up to criticism, since it copies the entire disk partition, including free space. Not interesting.

For example, a GNU/Linux backup via the archiver [tar | gpg] is convenient, but for a Windows backup you need to look for another solution. Not interesting.

E1. Universal Windows/Linux backup. The rsync (Grsync) + VeraCrypt volume combination

Algorithm for creating a backup copy:

  1. create an encrypted container (volume/file) in VeraCrypt for the OS;
  2. transfer/synchronize the OS into the VeraCrypt crypto container using Rsync;
  3. if necessary, upload the VeraCrypt volume to the www.

Creating an encrypted VeraCrypt container has its own peculiarities:
creating a dynamic volume (creating a DT is available only in Windows, but it can also be used in GNU/Linux);
creating a regular volume, but with a requirement of a "paranoid nature" (according to the developer): formatting the container.

A dynamic volume is created almost instantly in Windows, but when copying data from GNU/Linux > VeraCrypt DT, the overall performance of the backup operation drops significantly.

A regular 70 GB Twofish volume is created (let's just say, on an average-power PC) on an HDD in ~half an hour (the old container data is overwritten in one pass because of security requirements). The function of quickly formatting a volume when creating it has been removed from VeraCrypt Windows/Linux, so creating a container is possible only through a "one-pass overwrite" or by creating a low-performance dynamic volume.

Create a regular VeraCrypt volume (not dynamic/ntfs); there should be no problems.

Configure/create/open the container in the VeraCrypt GUI > GNU/Linux live usb (the volume will be automounted at /media/veracrypt2, the Windows OS volume will be mounted at /media/veracrypt1). Create the encrypted backup of the Windows OS using GUI rsync (grsync) by ticking the checkboxes.

Wait for the process to finish. Once the backup is complete, we will have a single encrypted file.

Similarly, create a backup copy of the GNU/Linux OS, unticking the "Windows compatibility" checkbox in the rsync GUI.

Caution! Create the Veracrypt container for the "GNU/Linux backup" with the ext4 file system. If you make the backup to an ntfs container, then when you restore such a copy you will lose all permissions/groups on all of your data.

You can carry out all operations in the terminal. Basic options for rsync:
* -g - preserve groups;
* -P - --progress, status of the time spent working on a file;
* -H - copy hardlinks as they are;
* -a - archive mode (multiple flags rlptgoD);
* -v - verbose.

If you want to mount a "Windows VeraCrypt volume" via the console with cryptsetup, you can create an alias (su)

echo "alias veramount='cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sdaX Windows_crypt && mount /dev/mapper/Windows_crypt /media/veracrypt1'" >> .bashrc && bash

Now the "veramount" command will prompt you for the passphrase, and the encrypted Windows system volume will be mounted in the OS.

Mapping/mounting a VeraCrypt system volume with the cryptsetup command

cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sdaX Windows_crypt
mount /dev/mapper/Windows_crypt /mnt

Mapping/mounting a VeraCrypt partition/container with the cryptsetup command

cryptsetup open --veracrypt --type tcrypt /dev/sdaY test_crypt
mount /dev/mapper/test_crypt /mnt

Instead of an alias, we add (as a startup script) the system volume with the Windows OS and an encrypted logical ntfs disk to GNU/Linux startup.

Create the script and save it at ~/VeraOpen.sh

printf 'Ym9i' | base64 -d | cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sda3 Windows_crypt && mount /dev/mapper/Windows_crypt /media/Winda7 #decode the password from base64 (bob) and feed it to the passphrase prompt when mounting the Windows OS system disk.
printf 'Ym9i' | base64 -d | cryptsetup open --veracrypt --type tcrypt /dev/sda1 ntfscrypt && mount /dev/mapper/ntfscrypt /media/КонтейнерНтфс #likewise, but mounting the logical ntfs disk.

Assign the "correct" permissions:

sudo chmod 100 /VeraOpen.sh

Create two identical files (same name!) at /etc/rc.local and ~/etc/init.d/rc.local
Fill in the files

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will «exit 0» on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

sh -c "sleep 1 && '/VeraOpen.sh'" #after the OS has booted, wait ~1s and only then mount the disks.
exit 0

Assign the "correct" permissions:

sudo chmod 100 /etc/rc.local && sudo chmod 100 /etc/init.d/rc.local 

That's it: now, when GNU/Linux boots, we do not need to enter passwords to mount the encrypted ntfs disks, the disks are mounted automatically. The passphrase in /VeraOpen.sh is only base64-encoded, not encrypted, so it is protected solely by the file permissions and by the script residing on the encrypted GNU/Linux system.

A brief step-by-step summary of what was described above in section E1 (but now for OS GNU/Linux)
1) Create a volume with ext4 fs > 4gb (for a file) for Linux in Veracrypt [Cryptbox].
2) Reboot into live usb.
3) ~$ cryptsetup open /dev/sda7 Linux #map the encrypted partition.
4) ~$ mount /dev/mapper/Linux /mnt #mount the encrypted partition at /mnt.
5) ~$ mkdir /mnt2 #create a directory for the future backup.
6) ~$ cryptsetup open --veracrypt --type tcrypt ~/CryptoBox CryptoBox && mount /dev/mapper/CryptoBox /mnt2 #map the Veracrypt volume named "CryptoBox" and mount CryptoBox at /mnt2.
7) ~$ rsync -avlxhHX --progress /mnt /mnt2/ #back up the encrypted partition into the encrypted Veracrypt volume.

(p/s/ Caution! If you are transferring encrypted GNU/Linux from one architecture/machine to another, for example Intel > AMD (that is, deploying a backup from one encrypted partition to another encrypted partition, Intel > AMD), do not forget, after transferring the encrypted OS, to fix up the secret key that substitutes for the password: the previous key ~/etc/skey will probably no longer fit the other encrypted partition, and creating a new key with "cryptsetup luksAddKey" from under chroot is not advisable because a glitch is possible; simply specify "none" temporarily in ~/etc/crypttab instead of "/etc/skey", and after rebooting and logging into the OS, recreate the secret key).

As IT veterans say, be sure to make separate backups of the headers of your encrypted Windows/Linux OS partitions, or encryption will turn against you.
At this point, the backup of the encrypted OS is complete.

[F] Attack on the GRUB2 bootloader

If you have protected your bootloader with a digital signature and/or authentication (see item C6.), this will not protect against physical access. The encrypted data will still be inaccessible, but the protection will be bypassed (the digital-signature protection reset): GRUB2 allows a cyber-villain to inject their code into the bootloader without arousing suspicion (unless the user monitors the state of the bootloader manually, or comes up with their own robust arbitrary script code for grub.cfg).

Attack algorithm. The intruder

* Boots the PC from a live usb. Any change to (tampering with) the files would alert the real owner of the PC to the intrusion into the bootloader. But a simple reinstall of GRUB2 that preserves grub.cfg (and the ability to edit it afterwards) allows the attacker to edit any files (in this case, when GRUB2 loads, the real user will not be notified. The status is the same <0>)
* Mounts the unencrypted partition, saves "/mnt/boot/grub/grub.cfg".
* Reinstalls the bootloader (removing "perskey" from the core.img image)

grub-install --force --root-directory=/mnt /dev/sda6

* Restores "grub.cfg" > "/mnt/boot/grub/grub.cfg", editing it if necessary, for example adding their own "keylogger.mod" to the folder with the bootloader modules and the line "insmod keylogger" to "grub.cfg". Or, for example, if the adversary is cunning, then after reinstalling GRUB2 (all signatures remain in place) they build the main GRUB2 image using "grub-mkimage with the option (-c)". The "-c" option allows their own config to be loaded before the main "grub.cfg". The config can consist of a single line: a redirect to any "modern.cfg", mixed in, for example, with the ~400 files (modules + signatures) in the "/boot/grub/i386-pc" folder. In this case, the attacker can insert arbitrary code and load modules without touching "/boot/grub/grub.cfg", even if the user has applied a "hashsum" to the file and displays it briefly on the screen.
The attacker will not need to crack the GRUB2 superuser login/password; they will only need to copy the lines (responsible for authentication) from "/boot/grub/grub.cfg" into their "modern.cfg"

set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8

And the owner of the PC will still be authenticated as the GRUB2 superuser.

Chainloading (a bootloader loading another bootloader), as I wrote above, makes no sense (it is intended for a different purpose). An encrypted bootloader cannot be loaded because of the BIOS (chainloading restarts GRUB2 > encrypted GRUB2: error!). However, if you still use the chainloading idea, you can be sure that it is the encrypted (not modified) "grub.cfg" from the encrypted partition that is being loaded. And this too is a false sense of security, because everything specified in the encrypted "grub.cfg" (module loading) is stacked on top of modules that are loaded from the unencrypted GRUB2.

If you want to check this, allocate/encrypt another partition sdaY, copy GRUB2 to it (running grub-install on an encrypted partition is not possible) and in "grub.cfg" (the unencrypted config) change lines like these

menuentry 'GRUBx2' --class parrot --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-382111a2-f993-403c-aa2e-292b5eac4780' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_msdos
insmod cryptodisk
insmod luks
insmod gcry_twofish
insmod gcry_twofish
insmod gcry_sha512
insmod ext2
cryptomount -u 15c47d1c4bd34e5289df77bcf60ee838
set root='cryptouuid/15c47d1c4bd34e5289df77bcf60ee838'
normal /boot/grub/grub.cfg
}

lines
* insmod - load the modules needed to work with the encrypted disk;
* GRUBx2 - the name of the entry shown in the GRUB2 boot menu;
* cryptomount -u 15c47d1c4bd34e5289df77bcf60ee838 - see fdisk -l (sda9);
* set root - set the root;
* normal /boot/grub/grub.cfg - the executable configuration file on the encrypted partition.

Confirmation that it is the encrypted "grub.cfg" being loaded is a positive response to the password entry/unlocking of "sdaY" when the "GRUBx2" entry is selected in the GRUB menu.

When working in the CLI, so as not to get confused (and to check whether the "set root" environment variable took effect), create empty marker files, for example "/shifr_grub" on the encrypted partition and "/noshifr_grub" on the unencrypted partition. Check in the CLI

cat /Tab-Tab

As mentioned above, this will not help against the loading of malicious modules if such modules end up on your PC. For example, a keylogger that can save keystrokes to a file and mix it in with the other files in "~/i386" until it is retrieved by an attacker with physical access to the PC.

The simplest way to verify that the digital-signature protection is actively working (has not been reset) and that no one has invaded the bootloader is to enter the command in the CLI

list_trusted

a mayar da martani muna samun kwafin “perskey” ɗin mu, ko kuma ba mu sami komai ba idan an kai mana hari (kuna kuma buƙatar duba "set check_signatures=enforce").
Babban rashin lahani na wannan mataki shine shigar da umarni da hannu. Idan kun ƙara wannan umarni zuwa "grub.cfg" kuma ku kare tsarin tare da sa hannu na dijital, to farkon fitowar maɓalli na hoton allon yana da ɗan gajeren lokaci, kuma ƙila ba ku da lokacin ganin fitarwa bayan loda GRUB2 .
Babu wani musamman da zai yi da'awar: mai haɓakawa a cikin nasa takardun Sashe na 18.2 ya bayyana a hukumance

“A lura cewa ko da tare da kariyar kalmar sirri ta GRUB, GRUB da kanta ba zai iya hana wanda ke da damar yin amfani da na'ura ta zahiri canza tsarin na'urar (misali, Coreboot ko BIOS) don sanya na'urar ta tashi daga na'urar daban (mai sarrafa maharan). GRUB shine mafi kyawun hanyar haɗi guda ɗaya kawai a cikin amintaccen sarkar taya."

GRUB2 yana da yawa da ayyuka waɗanda zasu iya ba da ma'anar tsaro na ƙarya, kuma ci gabanta ya riga ya wuce MS-DOS dangane da ayyuka, amma kawai bootloader. Abin ban dariya ne cewa GRUB2 - "gobe" na iya zama OS, da kuma injunan kama-da-wane na GNU/Linux don sa.

Wani ɗan gajeren bidiyo game da yadda na sake saita kariyar sa hannun dijital ta GRUB2 kuma na ayyana kutsawa na ga mai amfani na gaske. (Na tsorata ku, amma maimakon abin da aka nuna a cikin bidiyon, kuna iya rubuta lambar sabani mara lahani / .mod).

Conclusions:

1) Block system encryption for Windows is easier to implement, and protection with one password is more convenient than protection with several passwords under GNU/Linux block system encryption; to be fair, the latter is automated.

2) I wrote the article as a relevant and detailed, simple guide to full-disk encryption with VeraCrypt/LUKS on one home machine, which is by far the best on RuNet (IMHO). The guide is 50k characters long, so it does not cover some interesting chapters: about cryptographers who disappear or stay in the shadows; about the fact that various GNU/Linux books write little or nothing about cryptography; about Article 51 of the Constitution of the Russian Federation; about licensing/banning of encryption in the Russian Federation; about why you need to encrypt "root/boot". The guide turned out to be quite extensive, but detailed (it describes even the simple steps), which in turn will save you a lot of time when you get to the "real encryption".

3) Full-disk encryption was performed on Windows 7 64; GNU/Linux Parrot 4x; GNU/Debian 9.0/9.5.

4) A successful attack on the GRUB2 bootloader was carried out.

5) The tutorial was created to help all the people in the CIS, where working with encryption is permitted at the legislative level. And first of all for those who want to roll out full-disk encryption without tearing down their configured systems.

6) Reworked and updated my manual, which is relevant in 2020.

[G] Useful documentation

  1. TrueCrypt User Guide (February 2012 RU)
  2. VeraCrypt documentation
  3. /usr/share/doc/cryptsetup(-run) [local resource] (official detailed documentation on setting up GNU/Linux encryption using cryptsetup)
  4. Official cryptsetup FAQ (brief documentation on setting up GNU/Linux encryption using cryptsetup)
  5. LUKS device encryption (archlinux documentation)
  6. Detailed description of cryptsetup syntax (man page)
  7. Detailed description of crypttab (man page)
  8. Official GRUB2 documentation.


source: www.habr.com
