Decrypting a LUKS container at system boot

Good day (and good night) to everyone! This post will be useful to those who use LUKS data encryption and want to decrypt disks under Linux (Debian, Ubuntu) at the stage when the root partition is being decrypted. I could not find this kind of information on the Internet.

Recently, as the number of disks in my storage systems grew, I ran into a problem with decrypting disks via the widely known /etc/crypttab method. For myself, I identified several problems with this approach: the file is read only after the root partition has been loaded (mounted), which is bad for importing ZFS pools, especially when they are built from partitions on a *_crypt device, and likewise for mdadm arrays built from partitions. We all know that you can use partitions on top of LUKS containers, right? There is also the problem of some services starting early, when the arrays do not exist yet but something already needs to use them (I work with clustered Proxmox VE 5.x with ZFS over iSCSI).

A bit about ZFS over iSCSI

iSCSI works for me through LIO, and in practice, when the iSCSI target starts and does not see the ZVOL devices, it simply removes them from its configuration, which prevents the guest systems from booting. So it is either restoring the json file from a backup, or manually adding the devices with their identifiers for every VM, which is just awful when there are dozens of such machines and every config has more than one disk.

The second question I will consider is how to solve this (it is the main point of the article). We will talk about it below, so read on!

Most often on the Internet a key file is used (added beforehand to a key slot with the command cryptsetup luksAddKey), or, in rarer cases (the Russian-language Internet has very little information about it), the decrypt_derived script, which lives in /lib/cryptsetup/scripts/ (of course there are other ways, but I used these two, and they form the basis of this article). I also wanted full automation after a reboot, without any extra commands in the console, so that everything "takes off" for me at once. So why wait?

Let's get started!

Let's take some system, Debian for instance, installed on the encrypted partition sda3_crypt, and a dozen disks prepared for encryption and partitioned to your heart's content. We have the passphrase to unlock sda3_crypt, and it is from this partition that we will take the "hash" of the passphrase on the running (decrypted) system and add it to the other disks. It is all elementary; in the console we run:

/lib/cryptsetup/scripts/decrypt_derived sda3_crypt | cryptsetup luksFormat /dev/sdX

where X is our disk, partition, and so on.

After encrypting the disks with the "hash" of our passphrase, you need to find out the UUID or the ID, depending on which one was used for what. We take the data from /dev/disk/by-uuid and /dev/disk/by-id respectively.

The next step is to prepare the files and the small scripts for the operations we need, so let's continue:

cp -p /usr/share/initramfs-tools/hooks/cryptroot /etc/initramfs-tools/hooks/
cp -p /usr/share/initramfs-tools/scripts/local-top/cryptroot /etc/initramfs-tools/scripts/local-top/

Next

touch /etc/initramfs-tools/hooks/decrypt && chmod +x /etc/initramfs-tools/hooks/decrypt

Contents of ../decrypt:

#!/bin/sh
# initramfs hook: copy the decrypt_derived script into the initramfs image (DESTDIR is set by mkinitramfs)
cp -p /lib/cryptsetup/scripts/decrypt_derived "$DESTDIR/bin/decrypt_derived"

Next

touch /etc/initramfs-tools/hooks/partcopy && chmod +x /etc/initramfs-tools/hooks/partcopy

Contents of ../partcopy:

#!/bin/sh
# initramfs hook: copy partprobe and the shared libraries it needs into the initramfs image
cp -p /sbin/partprobe "$DESTDIR/bin/partprobe"
cp -p /lib/x86_64-linux-gnu/libparted.so.2 "$DESTDIR/lib/x86_64-linux-gnu/libparted.so.2"
cp -p /lib/x86_64-linux-gnu/libreadline.so.7 "$DESTDIR/lib/x86_64-linux-gnu/libreadline.so.7"

a bit more

touch /etc/initramfs-tools/scripts/local-bottom/partprobe && chmod +x /etc/initramfs-tools/scripts/local-bottom/partprobe

Contents of ../partprobe:

#!/bin/sh
# runs at boot in the local-bottom stage, after the root filesystem is mounted;
# DESTDIR is a build-time variable and is unset here, so the copied binary lives at /bin/partprobe
/bin/partprobe
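The three hooks above copy binaries by hand and name the shared libraries by their exact soname, which breaks silently on the next libparted or readline upgrade. initramfs-tools ships a helper for exactly this job, copy_exec, which copies a binary together with the libraries ldd reports for it. The hook below is an added example, not the article's code: it installs decrypt_derived, dmsetup and partprobe with copy_exec and also ships a configuration file listing the extra volumes to open at boot. The config file /etc/derived-volumes.conf, its format ("<UUID-or-ID> <mapping-name>" per line, '#' starts a comment), the DERIVED_CONFIG override and the validate_config function are assumptions of this example; the PREREQ/prereqs handling is the standard initramfs-tools hook convention.

```shell
#!/bin/sh
# Added example (not the article's own code): an initramfs-tools hook that
# installs decrypt_derived, dmsetup and partprobe with copy_exec, which also
# pulls in the shared libraries they need, and ships a hypothetical config
# file /etc/derived-volumes.conf ("<UUID-or-ID> <mapping-name>" per line,
# '#' starts a comment) listing the extra LUKS volumes to open at boot.
PREREQ="cryptroot"
prereqs() { echo "$PREREQ"; }
case "$1" in
    prereqs) prereqs; exit 0 ;;
esac

CONFIG="${DERIVED_CONFIG:-/etc/derived-volumes.conf}"   # assumed path, not from the article

# validate_config FILE: returns 0 when every non-comment line is exactly
# "<device-token> <mapping-name>" made of safe characters. A line that fails
# here would become an unopenable volume at boot, so the build is refused instead.
validate_config() {
    status=0; n=0
    while read -r token name extra <&3; do
        n=$((n + 1))
        case "$token" in ''|'#'*) continue ;; esac
        if [ -z "$name" ] || [ -n "$extra" ]; then
            echo "$1:$n: expected exactly two fields" >&2; status=1; continue
        fi
        case "$token" in *[!A-Za-z0-9_.:-]*)
            echo "$1:$n: bad device token '$token' (a by-uuid or by-id name is expected)" >&2; status=1 ;;
        esac
        case "$name" in *[!A-Za-z0-9_.-]*)
            echo "$1:$n: bad mapping name '$name'" >&2; status=1 ;;
        esac
    done 3< "$1"
    return $status
}

# Only meaningful under mkinitramfs, which exports DESTDIR; hook-functions provides copy_exec.
install_into_initramfs() {
    . /usr/share/initramfs-tools/hook-functions
    copy_exec /lib/cryptsetup/scripts/decrypt_derived /bin
    copy_exec /sbin/dmsetup /sbin        # used by decrypt_derived; harmless if cryptroot's hook already copied it
    copy_exec /sbin/partprobe /bin
    mkdir -p "$DESTDIR/etc"
    cp -p "$CONFIG" "$DESTDIR/etc/"
}

if [ -n "$DESTDIR" ]; then
    validate_config "$CONFIG" || { echo "refusing to build the initramfs: fix $CONFIG first" >&2; exit 1; }
    install_into_initramfs
fi
```

Install it as /etc/initramfs-tools/hooks/derived (executable) in place of the decrypt and partcopy hooks, then run update-initramfs as described below; a malformed config line aborts the build instead of producing an initramfs that fails at boot.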

And finally, before running update-initramfs, you need to edit the /etc/initramfs-tools/scripts/local-top/cryptroot file, starting around line ~360; the code snippet is below.

Original:


                # decrease $count by 1, apparently last try was successful.
                count=$(( $count - 1 ))
                
                message "cryptsetup ($crypttarget): set up successfully"
                break

and bring it to this form

Modified:


                # decrease $count by 1, apparently last try was successful.
                count=$(( $count - 1 ))
                

                # <UUID> / <ID> is the identifier of an extra disk and <CRYPT_MAP> the mapping name to give it; one line per disk
                /bin/decrypt_derived $crypttarget | cryptsetup luksOpen /dev/disk/by-uuid/<UUID> <CRYPT_MAP>
                /bin/decrypt_derived $crypttarget | cryptsetup luksOpen /dev/disk/by-id/<ID> <CRYPT_MAP>

                message "cryptsetup ($crypttarget): set up successfully"
                break

Note that either the UUID or the ID can be used here. The main thing is that the drivers required for the HDD/SSD devices are added to /etc/initramfs-tools/modules. You can find out which driver is in use with the command udevadm info -a -n /dev/sdX | egrep 'looking|DRIVER'.

Now that we are done and all the files are in place, run update-initramfs -u -k all -v; the log must show no errors from executing our scripts. We reboot, enter the passphrase and wait a little, depending on the number of disks. Then the system starts, and at the last stage of boot, that is after the root partition has been mounted, the partprobe command runs: it finds and picks up all the partitions created on the LUKS devices, and any arrays, be they ZFS or mdadm, assemble without problems! And all of this happens before the actual services that need these disks/arrays are loaded.
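The boot-time side of the technique, as an added example that is not the article's own code: instead of patching the packaged cryptroot script (which a cryptsetup upgrade may overwrite), a separate local-top script ordered after cryptroot via PREREQ performs the same decrypt_derived | cryptsetup luksOpen work for every volume listed in a configuration file. The file /etc/derived-volumes.conf and its "<UUID-or-ID> <mapping-name>" format, the environment overrides (DECRYPT_DERIVED, CRYPTSETUP, BY_UUID_DIR, BY_ID_DIR, MAPPER_DIR, DEV_WAIT, SOURCE_MAP) and the sda3_crypt default are assumptions of this example. It skips mappings that are already open, so rerunning it from a rescue shell is harmless; it waits briefly for device nodes that udev has not created yet, which is the symptom of a missing driver in /etc/initramfs-tools/modules; and, like the article's one-liners, it passes the derived key only through the pipe, never on a command line, since argv is readable in /proc. Note that decrypt_derived takes the key from the dm-crypt table of the open mapping via dmsetup, which is why, as update1 says, it works only with LUKS1: LUKS2 keeps the volume key in the kernel keyring by default.

```shell
#!/bin/sh
# Added example (not the article's own code): initramfs local-top script that
# opens extra LUKS volumes with a key derived from the root mapping, after
# cryptroot has opened that mapping. Reads the hypothetical config file
# /etc/derived-volumes.conf ("<UUID-or-ID> <mapping-name>" per line, '#'
# comments) that a hook is assumed to have copied into the initramfs.
PREREQ="cryptroot"
prereqs() { echo "$PREREQ"; }
case "$1" in
    prereqs) prereqs; exit 0 ;;
esac

# Overridable so the logic can be exercised outside an initramfs; at boot the defaults apply.
DECRYPT_DERIVED="${DECRYPT_DERIVED:-/bin/decrypt_derived}"
CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"
BY_UUID_DIR="${BY_UUID_DIR:-/dev/disk/by-uuid}"
BY_ID_DIR="${BY_ID_DIR:-/dev/disk/by-id}"
MAPPER_DIR="${MAPPER_DIR:-/dev/mapper}"
DEV_WAIT="${DEV_WAIT:-10}"                      # seconds to wait for a device node to appear
CONFIG="${DERIVED_CONFIG:-/etc/derived-volumes.conf}"   # assumed path
SOURCE_MAP="${SOURCE_MAP:-sda3_crypt}"           # the mapping cryptroot opened with the passphrase

# wait_for_dev PATH: poll until the node exists (udev may still be settling); 0 when found.
wait_for_dev() {
    i=0
    while [ ! -e "$1" ]; do
        [ "$i" -ge "$DEV_WAIT" ] && return 1
        sleep 1
        i=$((i + 1))
    done
    return 0
}

# open_derived SOURCE_MAP CONFIG_FILE: open every listed volume; returns 0 only
# if all of them are open afterwards. Already-open mappings are skipped.
open_derived() {
    src="$1"; cfg="$2"; failed=0
    if [ ! -e "$MAPPER_DIR/$src" ]; then
        echo "derived: source mapping $src is not open, nothing to derive from" >&2
        return 1
    fi
    # The config is read on fd 3 so that the tools run inside the loop keep the normal stdin.
    while read -r token name rest <&3; do
        case "$token" in ''|'#'*) continue ;; esac
        if [ -e "$MAPPER_DIR/$name" ]; then
            echo "derived: $name already open, skipping"
            continue
        fi
        # by-uuid names consist of hex digits and dashes; anything else is looked up under by-id
        case "$token" in
            *[!0-9a-fA-F-]*) dev="$BY_ID_DIR/$token" ;;
            *)               dev="$BY_UUID_DIR/$token" ;;
        esac
        if ! wait_for_dev "$dev"; then
            echo "derived: $dev did not appear within ${DEV_WAIT}s (driver missing from /etc/initramfs-tools/modules?)" >&2
            failed=1; continue
        fi
        # The derived key only ever travels through the pipe, never through argv or a file.
        if "$DECRYPT_DERIVED" "$src" | "$CRYPTSETUP" luksOpen "$dev" "$name"; then
            echo "derived: opened $name from $dev"
        else
            echo "derived: luksOpen failed for $name" >&2
            failed=1
        fi
    done 3< "$cfg"
    return $failed
}

# At boot the initramfs runs this with no arguments and the config present; otherwise do nothing.
if [ -r "$CONFIG" ]; then
    open_derived "$SOURCE_MAP" "$CONFIG"
fi
```

Install it as /etc/initramfs-tools/scripts/local-top/derived (executable) and rebuild the initramfs; because of PREREQ="cryptroot" it runs right after the root mapping has been opened and before the root filesystem is mounted, which is exactly the point at which the article's patched cryptroot lines run.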

update1: As AEP noted, this method only works for LUKS1.

source: www.habr.com
