What to do if the siloviki come to your hoster

[Image: Reuters]

If you rent a server, you do not have full control over it. This means that at any moment specially trained people can come to the hoster and demand that it hand over some of your data. And the hoster will hand it over if the request is properly backed by law.

You certainly do not want the data of your web server or application leaking to anyone else. Building perfect protection is impossible. It is practically impossible to protect yourself from a hoster that owns the hypervisor and hands you a virtual machine. But it may be possible to reduce the risk somewhat. Encrypting rented machines is not as useless as it seems at first glance. Along the way, let's also look at the threats of data extraction from physical servers.

Threat model

As a rule, the hoster will try to protect the client's interests as far as the law allows. If the letter from law enforcement only asks for access logs, the hoster will not hand over your entire virtual machine with all its data. At least, it should not. If they request all the data, the hoster will copy the virtual disks with everything on them, and you will not know about it.

Regardless of the scenario, your main goal is to make the attack too difficult and too expensive. There are usually three main threats.

Official

Most often, an official letter arrives at the hoster's office demanding that the necessary data be handed over in accordance with the relevant regulations. If everything is done properly, the hoster gives law enforcement the necessary access logs and other data. Usually they simply ask you to send the required data.

Sometimes, when necessary, representatives of law enforcement agencies come to the data center in person. For example, when you have your own dedicated server and the data can only be taken physically.

In any country, access to private property, searches and other such actions require justification that the data may contain information important to a criminal investigation. A search warrant issued in accordance with all the rules is also required. There may be nuances related to the peculiarities of local legislation. The main thing to understand is that if the procedure is done right, the data center's representatives will not let anyone past the entrance.

Moreover, in many countries you cannot simply pull out running equipment. For example, in Russia, until the end of 2018, Article 183, part 3.1 of the Code of Criminal Procedure of the Russian Federation guaranteed that during a seizure, electronic storage media are seized with the participation of a specialist. At the request of the legal owner of the seized electronic storage media or the owner of the information contained on them, the specialist participating in the seizure, in the presence of witnesses, copies the information from the seized electronic storage media onto other electronic storage media.

Then, unfortunately, this clause was removed from the article.

Covert and illegal

This is the domain of special services such as the NSA, FBI, MI5 and the other three-letter agencies. Usually the country's legislation grants such bodies very broad powers. On top of that, there is almost always a legal prohibition on directly or indirectly disclosing the fact of cooperation with law enforcement agencies. Russian legislation has similar provisions.

In the event of such a threat to your data, it will almost certainly be taken. Beyond simple seizure, the whole illegal arsenal of backdoors, zero-day vulnerabilities, dumping data from the RAM of your virtual machine and other such delights can be used. In this case, the hoster will be obliged to assist the special services as much as it can.

Dishonest employee

Not all people are equally honest. One of the data center's administrators may decide to earn some money on the side and sell your data. How it develops from there depends on his privileges and access. The most annoying case is an administrator with access to the virtualization console, who has complete control over your machine. He can always take a snapshot with the entire contents of RAM and study it at leisure.

VDS

So you have a virtual machine that the hoster gave you. How can you use encryption to protect yourself? In fact, practically not at all. Moreover, even someone else's dedicated server can turn out to be a virtual machine with the necessary devices passed through into it.

If the remote system's job is not just to store data but to perform some computation, then the only option for working with an untrusted machine would be homomorphic encryption. In that case the system performs the computation without being able to understand what it is doing. Unfortunately, the overhead of implementing such encryption is so high that its practical use is currently limited to very narrow tasks.

Moreover, while the virtual machine is running and doing something, all the encrypted volumes are in an unlocked state; otherwise the OS simply cannot work with them. This means that anyone with access to the virtualization console can take a snapshot of the running machine and extract all the keys from RAM.

Many vendors have tried to arrange hardware encryption of RAM so that even the hoster has no access to this data. An example is Intel Software Guard Extensions (SGX), which sets up regions in the virtual address space that are protected from being read or written from outside that region by other processes, including the OS kernel. Unfortunately, you cannot rely on these technologies, because you are limited to your virtual machine. Moreover, there are already working examples of successful attacks on this technology. Still, encrypting virtual machines is not as pointless as it might seem.

Encrypting data on a VDS

Let me clarify right away that everything we do below does not amount to full protection. The hypervisor will let the hoster make the necessary copies without interrupting service and without your knowledge.

  • If, upon request, the hoster hands over a "cold" image of your virtual machine, then you are relatively safe. This is the most common scenario.
  • If the hoster hands over a full snapshot of the running machine, then things are pretty bad. All the data will be mounted in the system in plain form. Moreover, it will be possible to rummage through RAM looking for private keys and similar data.

By default, if you deploy the OS from a vanilla image, the hoster does not have root access. One can always boot a rescue image and change the root password by chrooting into the virtual machine's environment. But that requires a reboot, which will be noticed. Plus, all the mounted encrypted partitions will be closed.

However, if the virtual machine is deployed not from a vanilla image but from a pre-prepared one, then the hoster can often add a privileged account to help the client in an emergency. For example, to reset a forgotten root password.

Even in the case of a full snapshot, not everything is so sad. The attacker will not get the encrypted files if you mounted them from the remote file system of another machine. Yes, in theory one can take the RAM dump and extract the encryption keys from it. But in practice this is far from trivial, and it is very unlikely that the process will go beyond simple copying of files.

Ordering a machine

For our test purposes we take a simple machine from the server-ordering section. We do not need many resources, so we take the option with payment for actually used megahertz and traffic. Just enough to play with.

Classic dm-crypt for the whole partition did not work out. By default the disk is handed over as one piece, with root on the entire partition. Shrinking an ext4 partition on a mounted root is practically a guaranteed brick instead of a file system. I tried :) Dancing with a tambourine did not help.

Creating a crypto container

So we will not encrypt the whole partition, but will use file-based crypto containers, namely the audited and reliable VeraCrypt. For our purposes this is enough. First we download and install the package with the CLI version from the official site. You can verify the signature at the same time.

wget https://launchpad.net/veracrypt/trunk/1.24-update4/+download/veracrypt-console-1.24-Update4-Ubuntu-18.04-amd64.deb
dpkg -i veracrypt-console-1.24-Update4-Ubuntu-18.04-amd64.deb

Now we create the container itself somewhere in our home directory, so that we can mount it manually after a reboot. In the interactive dialog, set the container size, the password and the encryption algorithms. You can choose the patriotic Kuznyechik ("Grasshopper") cipher and the Streebog hash function.

veracrypt -t -c ~/my_super_secret

Now let's install nginx, mount the container and fill it with secret data.

apt install -y nginx
mkdir /var/www/html/images
veracrypt -t ~/my_super_secret /var/www/html/images/
wget -P /var/www/html/images https://upload.wikimedia.org/wikipedia/ru/2/24/Lenna.png

Let's slightly edit /var/www/html/index.nginx-debian.html to get the page we want, and then you can check it.

Connecting and checking

The container is mounted, the data is accessible and being served.

And here is the machine after a reboot. The data is safely stored in ~/my_super_secret.
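The post-reboot step above (the container has to be mounted by hand before nginx can serve the images again) is easy to get wrong at 3 a.m. Here is a small helper for it, added as an example and not taken from the original article; it assumes the same container path ~/my_super_secret and mount point /var/www/html/images as above, and that veracrypt, nginx and curl are installed.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes the container and
# mount point created above; veracrypt, nginx and curl must be installed.
set -eu

CONTAINER="${CONTAINER:-${HOME:-/root}/my_super_secret}"
MOUNTPOINT="${MOUNTPOINT:-/var/www/html/images}"
CHECK_URL="${CHECK_URL:-http://127.0.0.1/images/Lenna.png}"

# is_mounted MOUNTPOINT [MOUNTS_FILE]
# Succeeds if MOUNTPOINT is listed as a mount point. The optional second
# argument lets the check run against a saved copy of /proc/mounts.
is_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# mount_container
# Mounts the VeraCrypt container at MOUNTPOINT. veracrypt prompts for the
# password on the terminal itself, so it never appears on the command line,
# in `ps` output or in the shell history.
mount_container() {
    if is_mounted "$MOUNTPOINT"; then
        echo "already mounted: $MOUNTPOINT"
        return 0
    fi
    veracrypt -t "$CONTAINER" "$MOUNTPOINT"
    is_mounted "$MOUNTPOINT" || { echo "mount failed: $MOUNTPOINT" >&2; return 1; }
}

# dismount_container
# Closes the container. After this a "cold" copy of the disk holds only the
# encrypted container file, which is the situation the article relies on.
dismount_container() {
    veracrypt -t -d "$MOUNTPOINT"
}

# verify_served
# Confirms nginx is really serving a file from inside the container.
verify_served() {
    curl -sf -o /dev/null "$CHECK_URL"
}

# Usage after a reboot:
#   mount_container && systemctl reload nginx && verify_served
```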

If you are really paranoid and want to make things difficult, you can encrypt the entire OS so that after a reboot it requires connecting over ssh and entering the password. This will also be enough in the "cold data" seizure scenario. There are instructions for this using dropbear with remote disk encryption. But in the case of a VDS this is difficult and redundant.

Bare metal

Installing your own server in a data center is not easy. Someone else's dedicated server may turn out to be a virtual machine with all the devices passed through. But something interesting in terms of protection begins when you have the opportunity to place your own trusted physical server in a data center. Here you can fully use traditional dm-crypt, VeraCrypt or any other encryption of your choice.

You need to understand that if full-disk encryption is used, the server will not be able to come back up on its own after a reboot. You will have to establish a connection to the local IP-KVM, IPMI or a similar interface, and then enter the master key manually. The scheme looks so-so in terms of continuity and fault tolerance, but there are no real alternatives if the data is that valuable.

[Image: nCipher nShield F3 Hardware Security Module]

A softer option assumes that the data is encrypted and the key lives directly on the server itself, in a special HSM (Hardware Security Module). As a rule, these are very capable devices that not only provide hardware cryptography but also have mechanisms for detecting physical tampering attempts. If someone starts poking around your server with an angle grinder, the HSM, with its independent power supply, will zeroize the keys it stores in its memory. The attacker gets encrypted mincemeat. In this case the reset can happen automatically.

Zeroizing the keys is a faster and more humane option than setting off a thermite charge or an electromagnetic pulse. For devices like that, your rack neighbors in the data center will beat you for a very long time. Moreover, with TCG Opal 2 encryption on the media itself, you have practically no overhead. All of this happens transparently to the OS. True, in that case you have to trust the proverbial Samsung and hope that it has honest AES-256 inside and not a banal XOR.

At the same time, we must not forget that all unneeded ports must be physically disabled or simply filled with epoxy. Otherwise you give attackers the opportunity to carry out a DMA attack. If you have PCI Express or Thunderbolt exposed, including USB ports with Thunderbolt support, you are vulnerable. An attacker will be able to go in through these ports and gain direct access to the memory holding the keys.

In a very sophisticated version, the attacker can carry out a cold boot attack. Here they simply pour a decent portion of liquid nitrogen into your server, roughly pull out the frozen memory sticks and take a dump of them with all the keys. Often ordinary cooling spray and a temperature of about -50 degrees are enough to pull this off. There is also a more precise option. If you have not disabled booting from external devices, then the attacker's algorithm is even simpler:

  1. Freeze the memory sticks without opening the case.
  2. Plug in a bootable USB flash drive.
  3. Use special utilities to dump the data from RAM that survived the reboot thanks to the freezing.

Divide and conquer

Okay, we only have virtual machines, but I want to somehow reduce the risk of data leakage.
You can, in principle, try to revise the architecture and distribute the storage and processing of data across different jurisdictions. For example, the frontend with the encryption keys is with a hoster in the Czech Republic, and the backend with the encrypted data is in Russia. In the case of a standard seizure attempt, it is extremely unlikely that law enforcement agencies will be able to do this simultaneously in different jurisdictions. Moreover, this partially insures us against the snapshot scenario.

Or you can consider the completely clean option: end-to-end encryption. Of course, this goes beyond the original problem statement and does not allow computation on the side of the remote machine. Still, it is a perfectly acceptable option when it comes to storing and synchronizing data. For example, this is implemented very conveniently in Nextcloud. At the same time, synchronization, versioning and other server-side goodies do not go away.

Summary

There is no perfect security. The goal is simply to make the attack cost more than the potential gain.

Some reduction in the risk of data access on a virtual server can be achieved by combining encryption and distributed storage across different hosters.

A more or less reliable option is to use your own hardware server.

But the hoster still has to be trusted one way or another. The whole industry rests on this.

Source: www.hab.com