Unlocking a LUKS container at system boot

Greetings to all, whatever the time of day! This post will be useful to those who use LUKS data encryption and want to unlock disks under Linux (Debian, Ubuntu) at the stage where the root partition is being decrypted. I could not find that information anywhere on the Internet.

Lately, with the growing number of disks in servers, I ran into the problem of decrypting disks using the more or less standard route via /etc/crypttab. Personally, I found several problems with that approach, chiefly that the file is only read after the root partition has been loaded (mounted), which badly affects the import of ZFS pools, especially if they were assembled from partitions on a *_crypt device, or of mdadm RAIDs assembled from partitions. We all know that LUKS containers can be partitioned, right? There is also the problem that other services start earlier, when the arrays do not exist yet, and I want to use something (I work with Proxmox VE 5.x and ZFS over iSCSI).

A small digression about ZFS over iSCSI. My iSCSI runs via LIO, and the fact is that when the iSCSI target starts and does not see the ZVOL devices, it simply removes them from its configuration, which prevents the guest systems from booting. So restoring from the JSON backup file, or re-adding the devices with the identifiers of each VM by hand, is a truly frightening prospect when there are dozens of such machines and each configuration has more than one disk.

The second question I was pondering is how to do the decryption (that is the main topic of this article). We will talk about it below, so read on!

Most often on the Internet a key file is used (added to a key slot with the command cryptsetup luksAddKey), or, as a rare exception (there is very little information on the Russian-language Internet), the decrypt_derived script located in /lib/cryptsetup/scripts/ (of course there are other ways, but I used these two, and they form the basis of this article). I was also aiming for complete autonomy after reboots, without extra commands at the console, so that everything would "take off" by itself. So why wait?

Let's begin!

Suppose we have a system, say Debian, installed on the crypto partition sda3_crypt, plus a dozen disks ready to be encrypted and put to whatever use your heart desires. We have a passphrase to unlock sda3_crypt, and on the running (decrypted) system we will take the "hash" of the passphrase from this partition and attach the other disks with it. It is all quite elementary; in the console we run:

/lib/cryptsetup/scripts/decrypt_derived sda3_crypt | cryptsetup luksFormat /dev/sdX

where X stands for our disks, partitions, and so on.

After the disks have been encrypted with the hash from our passphrase, you need to find out their UUID or ID, whichever you are used to. We take the data from /dev/disk/by-uuid or /dev/disk/by-id, respectively.
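As an added example (not part of the original post), here is a small POSIX shell wrapper around the luksFormat step above. It adds two checks the one-liner skips: that the source mapping (sda3_crypt in the post) really is LUKS1, which decrypt_derived needs because it reads the volume key out of the device-mapper table, and that the target is a block device. It then prints the UUID of the new container straight from cryptsetup, so the value used later in the cryptroot edit does not come from eyeballing a directory listing; uuid_for_dev does the /dev/disk/by-uuid lookup from the paragraph above. The function names and the sample status text are my own; the cryptsetup commands and their output format are the real ones.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the article's
#   decrypt_derived <root mapping> | cryptsetup luksFormat /dev/sdX
# with the checks a second pair of eyes would want before formatting a disk.

# Constructed sample of "cryptsetup status sda3_crypt" output for dry runs.
SAMPLE_STATUS='/dev/mapper/sda3_crypt is active and is in use.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 512 bits
  device:  /dev/sda3'

# luks_type_from_status: read "cryptsetup status <mapping>" on stdin and print
# its "type:" field (LUKS1, LUKS2, PLAIN ...). Exit 1 if the field is absent.
luks_type_from_status() {
    awk '$1 == "type:" { print $2; found = 1 } END { exit !found }'
}

# uuid_for_dev <devname> [<by-uuid dir>]: print the UUID whose symlink under
# /dev/disk/by-uuid resolves to /dev/<devname>; exit 1 when there is none.
# The directory argument lets the lookup run against a scratch tree.
uuid_for_dev() {
    dev="$1"
    dir="${2:-/dev/disk/by-uuid}"
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        if [ "$(basename "$(readlink "$link")")" = "$dev" ]; then
            basename "$link"
            return 0
        fi
    done
    return 1
}

# format_derived <root mapping> <device>: refuse unless the root mapping is
# LUKS1 (decrypt_derived takes the volume key from the dm table, which LUKS2
# setups using the kernel keyring no longer expose) and the target is a block
# device; then format it with the derived key and print the container UUID.
format_derived() {
    src="$1"
    dev="$2"
    [ -b "$dev" ] || { echo "$dev: not a block device" >&2; return 1; }
    luks_type=$(cryptsetup status "$src" | luks_type_from_status) || return 1
    [ "$luks_type" = "LUKS1" ] || {
        echo "$src is $luks_type; decrypt_derived needs LUKS1" >&2; return 1; }
    /lib/cryptsetup/scripts/decrypt_derived "$src" \
        | cryptsetup luksFormat "$dev" || return 1
    cryptsetup luksUUID "$dev"
}

# Stand-alone use: sh this_script.sh format sda3_crypt /dev/sdb
case "${1:-}" in
    format) format_derived "$2" "$3" ;;
esac
```

Since every secondary disk becomes openable with a secret derived from the root container's volume key, it is worth keeping an independent recovery passphrase in a second key slot on each of them (cryptsetup luksAddKey, mentioned above); otherwise re-encrypting or losing the root container takes the other disks with it.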

The next stage is preparing the files and mini-scripts for the functions we need to perform; let's continue:

cp -p /usr/share/initramfs-tools/hooks/cryptroot /etc/initramfs-tools/hooks/
cp -p /usr/share/initramfs-tools/scripts/local-top/cryptroot /etc/initramfs-tools/scripts/local-top/

then

touch /etc/initramfs-tools/hooks/decrypt && chmod +x /etc/initramfs-tools/hooks/decrypt

Contents of ../decrypt:

#!/bin/sh

# $DESTDIR is set by mkinitramfs to the directory the image is built from
cp -p /lib/cryptsetup/scripts/decrypt_derived "$DESTDIR/bin/decrypt_derived"

then

touch /etc/initramfs-tools/hooks/partcopy && chmod +x /etc/initramfs-tools/hooks/partcopy

Contents of ../partcopy:

#!/bin/sh

# partprobe plus the shared libraries it links against (paths as on the author's system)
cp -p /sbin/partprobe "$DESTDIR/bin/partprobe"
cp -p /lib/x86_64-linux-gnu/libparted.so.2 "$DESTDIR/lib/x86_64-linux-gnu/libparted.so.2"
cp -p /lib/x86_64-linux-gnu/libreadline.so.7 "$DESTDIR/lib/x86_64-linux-gnu/libreadline.so.7"

and a little more

touch /etc/initramfs-tools/scripts/local-bottom/partprobe && chmod +x /etc/initramfs-tools/scripts/local-bottom/partprobe

Contents of ../partprobe:

#!/bin/sh

# runs inside the initramfs after the root fs is mounted; $DESTDIR is not set there,
# so the binary copied by the partcopy hook is addressed by its full path
/bin/partprobe
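Added example, not from the original post: the three files above written as one installer script, in the form initramfs-tools expects. Two changes from the hand-written versions: each hook and script answers the "prereqs" call that mkinitramfs makes when it orders hooks, and partprobe is brought in with copy_exec from /usr/share/initramfs-tools/hook-functions, which copies the shared libraries the binary links against, so the libparted/libreadline paths (which change between Debian releases) are not hard-coded. copy_exec and the prereqs convention are standard initramfs-tools; the install prefix and the function names are my own. An empty prefix installs into the real /etc/initramfs-tools, a scratch directory gives a dry run.

```shell
#!/bin/sh
# Added example, not from the original post: installer for the decrypt and
# partcopy hooks and the local-bottom partprobe script, using initramfs-tools'
# own conventions (prereqs handling, copy_exec).

hook_header() {
    # Boilerplate every initramfs-tools hook carries: report dependencies when
    # called with "prereqs", otherwise load the helper functions.
    cat <<'EOF'
#!/bin/sh
PREREQ=""
prereqs() { echo "$PREREQ"; }
case "$1" in
    prereqs) prereqs; exit 0 ;;
esac
. /usr/share/initramfs-tools/hook-functions
EOF
}

render_decrypt_hook() {
    hook_header
    cat <<'EOF'
# ship decrypt_derived so local-top/cryptroot can derive the secondary keys
copy_exec /lib/cryptsetup/scripts/decrypt_derived /bin
EOF
}

render_partcopy_hook() {
    hook_header
    cat <<'EOF'
# copy_exec resolves the shared-library dependencies (libparted, ...) itself
copy_exec /sbin/partprobe /bin
EOF
}

render_partprobe_script() {
    # local-bottom script: runs in the initramfs after the root fs is mounted,
    # where $DESTDIR is not set, so the path is written out in full.
    cat <<'EOF'
#!/bin/sh
PREREQ=""
prereqs() { echo "$PREREQ"; }
case "$1" in
    prereqs) prereqs; exit 0 ;;
esac
/bin/partprobe
EOF
}

# install_file <path> <renderer>: write the rendered text with mode 0755.
install_file() {
    mkdir -p "$(dirname "$1")"
    "$2" > "$1"
    chmod 0755 "$1"
}

# install_hooks [<prefix>]: hypothetical install prefix, "" for the live system.
install_hooks() {
    root="${1:-}"
    install_file "$root/etc/initramfs-tools/hooks/decrypt" render_decrypt_hook
    install_file "$root/etc/initramfs-tools/hooks/partcopy" render_partcopy_hook
    install_file "$root/etc/initramfs-tools/scripts/local-bottom/partprobe" render_partprobe_script
}

# Stand-alone use: sh this_script.sh install            (live system)
#                  sh this_script.sh install /tmp/dryrun (inspect the output first)
case "${1:-}" in
    install) install_hooks "${2:-}" ;;
esac
```

After installing, update-initramfs -u -k all -v shows the copy_exec lines as they run, which is the moment to confirm that partprobe and its libraries landed in the image.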

And finally, before running update-initramfs, you need to edit the file /etc/initramfs-tools/scripts/local-top/cryptroot, starting around line 360; the code fragment is below.

Original:

                # decrease $count by 1, apparently last try was successful.
                count=$(( $count - 1 ))
                
                message "cryptsetup ($crypttarget): set up successfully"
                break

and bring it to this form:

Modified:

                # decrease $count by 1, apparently last try was successful.
                count=$(( $count - 1 ))
                

                # one line per additional disk; <UUID>/<ID> and <CRYPT_MAP> are placeholders
                # (use either the by-uuid or the by-id form for each disk)
                /bin/decrypt_derived $crypttarget | cryptsetup luksOpen /dev/disk/by-uuid/<UUID> <CRYPT_MAP>
                /bin/decrypt_derived $crypttarget | cryptsetup luksOpen /dev/disk/by-id/<ID> <CRYPT_MAP>

                message "cryptsetup ($crypttarget): set up successfully"
                break

Note that either the UUID or the ID can be used here. It is important that the drivers needed for the HDD/SSD controllers are added to /etc/initramfs-tools/modules. You can find out which driver is in use with the command udevadm info -a -n /dev/sdX | egrep 'looking|DRIVER'.
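The udevadm command above prints every "looking at" block, most of them with an empty DRIVERS value. As an added example (not from the post), the following parser keeps just the non-empty driver names on the disk's parent chain and reports which of them are not yet listed in /etc/initramfs-tools/modules, so a forgotten controller driver is caught before the reboot rather than at the passphrase prompt. The small driver-to-module map (the sd class driver lives in sd_mod, sr in sr_mod) covers the common cases; modinfo -n <name> on the running system is the authority for anything else. Function names and the sample udevadm output are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: pick the kernel drivers on the
# path to a disk out of "udevadm info -a -n /dev/sdX" and compare them with
# /etc/initramfs-tools/modules (one module name per line, "#" starts a comment).

# Constructed sample of udevadm output, trimmed to the lines that matter.
SAMPLE_UDEVADM="  looking at device '/devices/pci0000:00/0000:00:17.0/ata3/host2/target2:0:0/2:0:0:0/block/sdb':
    KERNEL==\"sdb\"
    DRIVER==\"\"
  looking at parent device '/devices/pci0000:00/0000:00:17.0/ata3/host2/target2:0:0/2:0:0:0':
    DRIVERS==\"sd\"
  looking at parent device '/devices/pci0000:00/0000:00:17.0/ata3/host2':
    DRIVERS==\"\"
  looking at parent device '/devices/pci0000:00/0000:00:17.0':
    DRIVERS==\"ahci\""

# drivers_from_udevadm: read udevadm output on stdin and print each non-empty
# DRIVER/DRIVERS value once, in the order udevadm lists them (device first,
# then each parent up to the controller).
drivers_from_udevadm() {
    awk -F'"' '/^ *DRIVERS?==/ && $2 != "" && !seen[$2]++ { print $2 }'
}

# module_for_driver <driver>: module that provides a driver. Usually the same
# name; the SCSI class drivers are the common exceptions. Minimal map only.
module_for_driver() {
    case "$1" in
        sd) echo sd_mod ;;
        sr) echo sr_mod ;;
        *)  echo "$1" ;;
    esac
}

# missing_modules <modules file>: read udevadm output on stdin, print the
# modules on the path that the given modules file does not list yet.
missing_modules() {
    modfile="$1"
    [ -r "$modfile" ] || modfile=/dev/null
    drivers_from_udevadm | while read -r drv; do
        mod=$(module_for_driver "$drv")
        sed 's/#.*//' "$modfile" | grep -qx "$mod" || echo "$mod"
    done
}

# Stand-alone use: udevadm info -a -n /dev/sdb | sh this_script.sh check
case "${1:-}" in
    check) missing_modules "${2:-/etc/initramfs-tools/modules}" ;;
esac
```

Whatever missing_modules prints is appended to /etc/initramfs-tools/modules before update-initramfs is run; an empty result means the controller path is already covered.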

Now that everything is done and all the files are in place, we run update-initramfs -u -k all -v; while the image is being written there should be no errors from the execution of our scripts. We reboot, enter the passphrase and wait a little, depending on the number of disks. Then the system starts, and at the very last stage of booting, that is after the root partition has been "mounted", the partprobe command is executed, which sees and picks up all the partitions created on the LUKS devices, and the arrays, be they ZFS or mdadm, assemble without any problems! And all of this happens before the main services that need these disks/arrays are loaded.

UPD1: As AEP pointed out, this method only works for LUKS1.

Source: www.habr.com
