Full disk encryption of installed Windows and Linux systems. Encrypted multiboot

Updated personal guide to full disk encryption in RuNet, V0.2.

Cowboy strategy:

[A] Windows 7 system block encryption of the installed system;
[B] GNU/Linux system block encryption (Debian) of the installed system (including /boot);
[C] GRUB2 configuration, protecting the bootloader with a digital signature / authentication / hashing;
[D] stripping: destruction of the unencrypted data;
[E] universal backup of the encrypted OS;
[F] attack <on item [C6]> target: the GRUB2 bootloader;
[G] useful documentation.

╭─── Scheme of #room 40#:
├──╼ Windows 7 installed: full system encryption, not hidden;
├──╼ GNU/Linux installed (Debian and derivative distributions): full system encryption, not hidden (/, including /boot; swap);
├──╼ independent bootloaders: the VeraCrypt bootloader is installed in the MBR, the GRUB2 bootloader is installed in the extended partition;
├──╼ no OS installation/reinstallation required;
└──╼ cryptographic software used: VeraCrypt; Cryptsetup; GnuPG; Seahorse; Hashdeep; GRUB2 is free / libre.

The scheme above partially solves the problem of "remote boot from a flash drive": it lets you enjoy encrypted Windows/Linux OSes and exchange data over an "encrypted channel" from one OS to the other.

PC boot order (one of the options):

  • turn on the machine;
  • the VeraCrypt bootloader loads (entering the correct password continues booting Windows 7);
  • pressing the "Esc" key loads the GRUB2 bootloader;
  • the GRUB2 bootloader (choice of distribution / GNU/Linux / CLI) requires authentication as the GRUB2 superuser <login/password>;
  • after successful authentication and choosing a distribution, you must enter a passphrase to unlock "/boot/initrd.img";
  • after the passwords have been entered without error, GRUB2 "requires" one more password (a third one; the BIOS password or the GNU/Linux user account password are not counted) to unlock and boot the GNU/Linux OS, or a stored secret key is substituted automatically (two passwords + key, or password + key);
  • outside interference with the GRUB2 configuration freezes the GNU/Linux boot process.

Troublesome? OK, let's automate the processes.

When partitioning a hard drive (MBR table), a PC can have no more than 4 primary partitions, or 3 primary and one extended, plus unallocated space. An extended partition, unlike a primary one, can contain subpartitions (logical drives = extended partition). In other words, the "extended partition" of the HDD replaces LVM for the task at hand: full system encryption. If your disk is split into 4 primary partitions, you need to use LVM, or convert (with formatting) a partition from primary to extended, or make clever use of all four partitions and leave everything as it is, getting the desired result. Even if you have a single partition on your disk, Gparted will help you split your HDD (into additional partitions) without data loss, but there is still a small price to pay for such actions.

The hard drive layout that the whole article refers to is shown in the table below.

Table (No. 1) of 1TB partitions.

You should have something similar as well.
sda1 - primary partition No. 1, NTFS (encrypted);
sda2 - extended partition marker;
sda6 - logical disk (has the GRUB2 bootloader installed);
sda8 - swap (encrypted swap file / not always);
sda9 - test logical disk;
sda5 - logical disk for the curious;
sda7 - GNU/Linux OS (the OS transferred to the encrypted logical disk);
sda3 - primary partition No. 2 with Windows 7 OS (encrypted);
sda4 - primary partition No. 3 (contains the unencrypted GNU/Linux, used for backup / not always).

[A] Windows 7 system block encryption

A1. VeraCrypt

Download the installable version of the VeraCrypt cryptographic software from the official site or from the Sourceforge mirror (at the time of publishing this article, v1.24-Update3; the portable version of VeraCrypt is not suitable for system encryption). Check the checksum of the downloaded software

$ certutil -hashfile "C:\VeraCrypt Setup 1.24.exe" SHA256

and compare the result with the checksum published on the VeraCrypt developer's website.

If the HashTab software is installed, it is even simpler: RMB (VeraCrypt Setup 1.24.exe) - Properties - file hash sums.

To verify the program's signature, the software and the developer's public PGP key must be imported into the GnuPG system; gpg4win.

A2. Installing / running the VeraCrypt software with administrator rights

A3. Selecting the system encryption parameter for the active partition
VeraCrypt – System – Encrypt system partition/disk – Normal – Encrypt Windows system partition – Multiboot – (warning: "Inexperienced users are not recommended to use this method"; this is true, and we agree: "Yes") – Boot disk ("yes", even if it is not, still "yes") – Number of disks "2 or more" – Multiple systems on one disk "Yes" – Non-Windows bootloader "No" (in fact "Yes", but the VeraCrypt/GRUB2 bootloaders will not share the MBR between themselves; more precisely, only the smallest part of the bootloader code is stored in the MBR / boot track, its main part lives inside the file system) – Multiboot – Encryption settings…

If you deviate from the steps above (block system encryption schemes), VeraCrypt will issue a warning and will not let you encrypt the partition.

In the next data-protection step, run "Test" and choose the encryption algorithm. If you have an outdated CPU, the fastest encryption algorithm will most likely be Twofish. If the CPU is powerful, you will notice a difference: AES encryption, according to the test results, is several times faster than its crypto competitors. AES is a popular encryption algorithm; the hardware of modern CPUs is specifically optimized both for "keeping secrets" and for "hacking".

VeraCrypt supports encrypting disks in an AES(Twofish) cascade and other combinations. On an old Intel core CPU from ten years ago (without hardware AES support, A/T cascade encryption) the drop in performance is essentially imperceptible (for AMD CPUs of the same era / similar parameters, performance drops slightly). The OS works dynamically and the resources spent on transparent encryption go unnoticed. By contrast, there is a noticeable drop in performance caused, for example, by the unstable test build of the Mate v1.20.1 desktop environment (or v1.20.2, I don't remember exactly) in GNU/Linux, or by the telemetry routine in Windows 7↑. Experienced users usually run hardware performance tests before encryption. For example, results from Aida64 / Sysbench / systemd-analyze blame are compared with the results of the same tests after the system is encrypted, refuting for themselves the myth that "system encryption is harmful". The slowdown of the machine and the inconvenience are noticeable when backing up / restoring encrypted data, because the "system data backup" operation itself is not measured in ms, and the same <decrypt/encrypt on the fly> is added on top. In the end, every user allowed to tinker with cryptography balances the encryption algorithm against the tasks at hand, their level of paranoia, and usability.

It is better to leave the PIM parameter at its default so that you don't have to enter the exact iteration value every time the OS boots. VeraCrypt uses a huge number of iterations to produce a truly "slow hash". An attack on such a "crypto snail" with brute force / rainbow tables only makes sense against a short "simple" passphrase and the victim's personal charset. The price to pay for a strong password is the delay in accepting the correct password when the OS boots (mounting VeraCrypt volumes in GNU/Linux is noticeably faster).
Free software for brute-force attacks (extracting the passphrase from a VeraCrypt/LUKS disk header): Hashcat. John the Ripper does not know how to "break VeraCrypt", and when working with LUKS does not understand Twofish cryptography.

Because of the cryptographic strength of the encryption algorithms, unstoppable cypherpunks are developing software with a different attack vector. For example, extracting metadata/keys from RAM (cold boot / direct memory access attacks); there is specialized free and non-free software for these purposes.

After the setup / generation of the "unique metadata" of the encrypted active partition is complete, VeraCrypt will offer to restart the PC and test that its bootloader works. After rebooting / starting Windows, VeraCrypt will load in standby mode; all that remains is to confirm the encryption process: Y.

At the final step of system encryption, VeraCrypt will offer to create a backup copy of the header of the active encrypted partition in the form of "veracrypt rescue disk.iso". This must be done: in this software such an operation is mandatory (in LUKS, as a requirement, this is unfortunately omitted, although it is emphasized in the documentation). The rescue disk will be useful to everyone, and to some more than once. Losing (header/MBR overwrite) the backup copy of the header will permanently deny access to the decrypted partition with the Windows OS.

A4. Creating a VeraCrypt rescue USB/disk
By default, VeraCrypt offers to burn "~2-3MB of metadata" to a CD, but not everyone has discs or DVD-ROM drives, and creating a bootable "VeraCrypt Rescue disk" flash drive will be a surprise for some: Rufus / GUIdd-ROSA ImageWriter and other similar software cannot cope with the task, because in addition to copying the offset metadata to the bootable flash drive, you need to copy / paste the image outside the file system of the USB drive; in short, correctly copy the MBR / track to the keychain drive. You can create the bootable flash drive from a GNU/Linux OS using the "dd" utility, looking at this table.

Creating a rescue disk in a Windows environment is different. The VeraCrypt developer did not include a solution to this problem in the official "rescue disk" documentation, but offered a solution in a different way: he published additional software for creating a "usb rescue disk" for free access on his VeraCrypt forum. The archive of this software for Windows is "creating usb veracrypt rescue disk". After the rescue disk.iso is saved, the block system encryption of the active partition begins. During encryption the OS keeps working; a PC restart is not required. After the encryption operation completes, the active partition is fully encrypted and can be used. If the VeraCrypt bootloader does not appear when you start the PC and the header recovery operation does not help, then check the "boot" flag: it must be set on the partition where Windows is located (regardless of encryption and other OSes; see table No. 1).
This completes the description of block system encryption with the Windows OS.

[B] LUKS. GNU/Linux encryption (~Debian) of the installed OS. Algorithm and steps

To encrypt an installed Debian / derivative distribution, you need to map the prepared partition to a virtual block device, transfer the GNU/Linux disk image to it, and install / configure GRUB2. If you don't have a bare server and you value your time, then you should use a GUI, and most of the commands below are meant to be run in "Chuck Norris mode".

B1. Booting the PC from a live USB GNU/Linux

"Run a crypto test of the hardware performance"

lscpu && cryptsetup benchmark

If you are the happy owner of a powerful machine with hardware AES, the numbers will look like the right-hand side of the terminal; if you are a happy owner, but of antique hardware, the numbers will look like the left-hand side.

B2. Disk partitioning. Mounting/formatting the logical disk's file system on the HDD to Ext4 (Gparted)

B2.1. Creating an encrypted sda7 partition header
I will describe the partition names, here and further on, according to my partition table above. Substitute your own partition names according to your disk layout.

Logical drive encryption mapping (/dev/sda7 > /dev/mapper/sda7_crypt).
# Simple creation of a "LUKS-AES-XTS partition"

cryptsetup -v -y luksFormat /dev/sda7

Options:

* luksFormat - initialization of the LUKS header;
* -y - passphrase (not a key/file);
* -v - verbosity (prints information in the terminal);
* /dev/sda7 - your logical disk from the extended partition (where the GNU/Linux is to be transferred / encrypted).

Default encryption algorithm <LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom> (depends on the cryptsetup version).

# Check the default encryption algorithm
cryptsetup --help # the very last line of the terminal output.

If the CPU has no hardware AES support, the best choice is to create an extended "LUKS-Twofish-XTS partition".

B2.2. Advanced creation of a "LUKS-Twofish-XTS partition"

cryptsetup luksFormat /dev/sda7 -v -y -c twofish-xts-plain64 -s 512 -h sha512 -i 1500 --use-urandom

Options:
* luksFormat - initialization of the LUKS header;
* /dev/sda7 - your future encrypted logical disk;
* -v verbosity;
* -y passphrase;
* -c selects the data encryption algorithm;
* -s encryption key size;
* -h hashing algorithm / crypto function; the RNG (--use-urandom) is used to generate the unique encryption/decryption key of the logical disk header and the secondary (XTS) key. The unique master key stored in the encrypted disk header, the secondary XTS key, all the metadata and the encryption routine which, using the master key and the secondary XTS key, encrypts / decrypts the data on the partition (apart from the partition name) are stored in ~3MB of the selected hard disk partition.
* -i iterations in milliseconds, instead of a "count" (the time delay when processing the passphrase affects OS boot time and the cryptographic strength of the keys). To keep the balance of cryptographic strength, with a simple password like "russian" you need to increase the value of -(i); with a complex password like "?8dƱob/øfh" the value can be lowered.
* --use-urandom random number generator, generates the keys and the salt.

After mapping partition sda7 > sda7_crypt (the operation is fast, since only an encrypted header with ~3 MB of metadata is created and nothing more), you need to format and mount the sda7_crypt file system.

B2.3. Mapping

cryptsetup open /dev/sda7 sda7_crypt
# running this command asks for the secret passphrase.

Options:
* open - map the partition "with a name";
* /dev/sda7 - logical disk;
* sda7_crypt - the mapping name that is used to mount the encrypted partition or to initialize it at OS boot.

B2.4. Formatting the sda7_crypt file system to ext4. Mounting the disk in the OS (Note: you will not be able to work with the encrypted partition in Gparted)

# formatting the encrypted block device
mkfs.ext4 -v -L DebSHIFR /dev/mapper/sda7_crypt

Options:
* -v - verbose;
* -L - disk label (shown in the file manager among the other disks).

Next, you need to mount the virtual encrypted block device /dev/mapper/sda7_crypt into the system

mount /dev/mapper/sda7_crypt /mnt

Working with data in the /mnt folder will automatically encrypt / decrypt the data on sda7.

It is more convenient to map and mount the partition in the file manager (nautilus/caja GUI): the partition will already be in the disk selection list, and all that remains is to enter the password to open / decrypt the disk. The mapping name will then be chosen automatically and will not be "sda7_crypt", but something like /dev/mapper/Luks-xx-xx...

B2.5. Disk header backup (~3MB of metadata)
One of the most important operations, which must be done without delay, is a backup copy of the "sda7_crypt" header. If you overwrite / damage the header (for example, by installing GRUB2 onto the sda7 partition, etc.), the encrypted data is lost for good with no possibility of recovery, because the same keys cannot be regenerated: the keys are created uniquely.

# Backing up the partition header
cryptsetup luksHeaderBackup --header-backup-file ~/Бэкап_DebSHIFR /dev/sda7

# Restoring the partition header
cryptsetup luksHeaderRestore --header-backup-file <file> <device>

Options:
* luksHeaderBackup --header-backup-file - backup command;
* luksHeaderRestore --header-backup-file - restore command;
* ~/Бэкап_DebSHIFR - the backup file;
* /dev/sda7 - the partition whose encrypted disk header backup copy is to be saved.
At this step <creating and editing the encrypted partition> is complete.

B3. Porting the GNU/Linux OS (sda4) to the encrypted partition (sda7)

Create a folder /mnt2 (note: we are still working in the live USB; sda7_crypt is mounted at /mnt), and mount our GNU/Linux, the one to be encrypted, at /mnt2.

mkdir /mnt2
mount /dev/sda4 /mnt2

We make an exact transfer of the OS with the Rsync software

rsync -avlxhHX --progress /mnt2/ /mnt

The Rsync options are described in paragraph E1.

Also, it is necessary to defragment the logical disk partition

e4defrag -c /mnt/ # after the check, e4defrag will report that the partition's fragmentation degree is ~"0"; this is a misconception that can cost you a significant loss of performance!
e4defrag /mnt/ # defragment the encrypted GNU/Linux

Make it a rule: run e4defrag on the encrypted GNU/Linux periodically if you have an HDD.
The transfer and synchronization [GNU/Linux > GNU/Linux-encrypted] is complete at this step.

B4. Configuring GNU/Linux on the encrypted sda7 partition

After the OS transfer /dev/sda4 > /dev/sda7 is complete, you need to log into the GNU/Linux on the encrypted partition and carry out further configuration (without rebooting the PC) relative to the encrypted system. That is, stay in the live USB, but run commands "relative to the root of the encrypted OS". "chroot" will simulate such a situation. To quickly tell which OS you are currently working in (encrypted or not, since the data on sda4 and sda7 are synchronized), desynchronize the OSes: create empty marker files in the root directories (sda4/sda7_crypt), for example /mnt/encryptedOS and /mnt2/decryptedOS. Quick check of which OS you are in (including in the future):

ls /<Tab-Tab>

B4.1. "Simulating a login to the encrypted OS"

mount --bind /dev /mnt/dev
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
chroot /mnt

B4.2. Confirming that the work is done against the encrypted system

ls /<Tab-Tab>
# and we see the file "/encryptedOS"

history
# the terminal output should show the root (su) command history of the working OS.

B4.3. Creating/configuring encrypted swap, editing crypttab/fstab
Since the swap file is formatted every time the OS starts, there is no point in creating and mapping swap to the logical disk right now and typing commands as in paragraph B2.2. For swap, its own temporary encryption key is generated at every start. The life cycle of the swap key: unmounting / mounting the swap partition (+ clearing RAM), or restarting the OS. Swap setup: open the file responsible for configuring encrypted block devices (analogous to the fstab file, but responsible for crypto).

nano /etc/crypttab

we edit

#"target name" "source device" "key file" "options"
swap /dev/sda8 /dev/urandom swap,cipher=twofish-xts-plain64,size=512,hash=sha512

Options
* swap - the mapped name when encrypting, /dev/mapper/swap.
* /dev/sda8 - use your own swap partition.
* /dev/urandom - generator of random encryption keys for swap (new keys are generated with every OS boot). The /dev/urandom generator is less random than /dev/random; after all, /dev/random is used when working in dangerous paranoid conditions. When loading the OS, /dev/random slows the boot down by a few ± minutes (see systemd-analyze).
* swap,cipher=twofish-xts-plain64,size=512,hash=sha512: the partition knows it is swap and is formatted "accordingly"; the encryption algorithm.

# Open and edit fstab
nano /etc/fstab

we edit

# swap was on /dev/sda8 during installation
/dev/mapper/swap none swap sw 0 0

/dev/mapper/swap is the name that was set in crypttab.

Alternative encrypted swap
If for some reason you don't want to give up a whole partition for the swap file, then you can take another, better path: create a swap file in the file system of the partition with the encrypted OS.

fallocate -l 3G /swap # create a 3GB file (an almost instant operation)
chmod 600 /swap # set the permissions
mkswap /swap # turn the file into a swap file
swapon /swap # enable our swap
free -m # check that the swap file is activated and working
printf "/swap none swap sw 0 0" >> /etc/fstab # if needed, the swap will be permanent after a reboot

Swap partition setup is complete.

B4.4. Configuring the encrypted GNU/Linux (editing the crypttab/fstab files)
The /etc/crypttab file, as written above, describes the encrypted block devices that are set up during system boot.

# edit /etc/crypttab
nano /etc/crypttab

if you mapped the sda7>sda7_crypt partition as in paragraph B2.1

# "target" "source device" "key file" "options"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 none luks

if you mapped the sda7>sda7_crypt partition as in paragraph B2.2

# "target" "source device" "key file" "options"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 none cipher=twofish-xts-plain64,size=512,hash=sha512

If you mapped the sda7>sda7_crypt partition as in paragraph B2.1 or B2.2, but don't want to re-enter the password to unlock and boot the OS, then instead of the password you can substitute a secret key / random file

# "target" "source device" "key file" "options"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 /etc/skey luks

Explanation
* none - states that when the OS loads, the secret passphrase must be entered to unlock the root.
* UUID - partition ID. To find out your ID, type in the terminal (remember that from this moment on you are working in a terminal inside the chroot environment, not in another terminal of the live USB).

fdisk -l # check all partitions
blkid # there should be something like this

/dev/sda7: UUID="81048598-5bb9-4a53-af92-f3f9e709e2f2" TYPE="crypto_LUKS" PARTUUID="0332d73c-07"
/dev/mapper/sda7_crypt: LABEL="DebSHIFR" UUID="382111a2-f993-403c-aa2e-292b5eac4780" TYPE="ext4"

(these lines are visible when blkid is run from the live USB environment with sda7_crypt mounted).
You take the UUID of your sdaX (not sdaX_crypt!; the UUID of sdaX_crypt will be substituted automatically when the grub.cfg config is generated).
* cipher=twofish-xts-plain64,size=512,hash=sha512 - luks encryption in extended mode.
* /etc/skey - the secret key file, which is substituted automatically to unlock the OS boot (instead of entering the 3rd password). You can specify a file of up to 8MB, but only <1MB of its data will be read.

# Creating ("generating") a random <secret key> file of 691 bytes
head -c 691 /dev/urandom > /etc/skey

# Adding the secret key (691 bytes) to slot 7 of the luks header
cryptsetup luksAddKey --key-slot 7 /dev/sda7 /etc/skey

# Checking the slots: "passwords/keys of the luks partition"
cryptsetup luksDump /dev/sda7

It will look something like this:

(do it yourself and see for yourself).

cryptsetup luksKillSlot /dev/sda7 7 # remove the key/password from slot 7

/etc/fstab contains descriptive information about the various file systems.

# Edit /etc/fstab
nano /etc/fstab

# "file system" "mount point" "type" "options" "dump" "pass"
# / was on /dev/sda7 during installation
/dev/mapper/sda7_crypt / ext4 errors=remount-ro 0 1

Options
* /dev/mapper/sda7_crypt - the name of the sda7>sda7_crypt mapping, which is specified in the /etc/crypttab file.
The crypttab/fstab setup is complete.
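As an added example (not code from the original article), the script below derives the B4.4 crypttab and fstab lines from blkid output, taking the UUID only from the raw crypto_LUKS device and refusing the opened mapper device, whose UUID belongs to the ext4 file system inside it. The blkid text is a constructed sample modelled on the listing above; device and mapping names follow the article's layout.

```shell
#!/bin/sh
# Added example, not code from the original article. Builds the /etc/crypttab
# and /etc/fstab lines of section B4.4 from `blkid` output, taking the UUID of
# the raw crypto_LUKS device (sdaX) and refusing the opened mapper device,
# whose UUID belongs to the ext4 file system and is the wrong one to use here.

# Constructed sample of `blkid` output, modelled on the article's listing.
BLKID_SAMPLE='/dev/sda7: UUID="81048598-5bb9-4a53-af92-f3f9e709e2f2" TYPE="crypto_LUKS" PARTUUID="0332d73c-07"
/dev/mapper/sda7_crypt: LABEL="DebSHIFR" UUID="382111a2-f993-403c-aa2e-292b5eac4780" TYPE="ext4"
/dev/sda8: PARTUUID="0332d73c-08"'

# luks_uuid <blkid output> <device>: prints the UUID only if <device> is crypto_LUKS
luks_uuid() {
    printf '%s\n' "$1" | awk -v dev="$2:" '
        $1 == dev && /TYPE="crypto_LUKS"/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^UUID=/) { split($i, a, "\""); print a[2]; exit }
        }'
}

# crypttab_line <target> <uuid> <keyfile|none> <options>
crypttab_line() { printf '%s UUID=%s %s %s\n' "$1" "$2" "$3" "$4"; }

# fstab_line <target>: root on the mapper device, as in B4.4
fstab_line() { printf '/dev/mapper/%s / ext4 errors=remount-ro 0 1\n' "$1"; }

# root_entries <blkid output> <device> <target> <keyfile|none> <options>
# Prints the crypttab line followed by the fstab line; fails when <device> is
# not a LUKS container (e.g. /dev/mapper/sda7_crypt was passed by mistake).
root_entries() {
    uuid=$(luks_uuid "$1" "$2")
    if [ -z "$uuid" ]; then
        echo "error: $2 is not a crypto_LUKS device in blkid output" >&2
        return 1
    fi
    crypttab_line "$3" "$uuid" "$4" "$5"
    fstab_line "$3"
}

# Stand-alone run: B2.1 style (password at boot) and B2.2 style with a key file.
root_entries "$BLKID_SAMPLE" /dev/sda7 sda7_crypt none luks
root_entries "$BLKID_SAMPLE" /dev/sda7 sda7_crypt /etc/skey cipher=twofish-xts-plain64,size=512,hash=sha512
```

On a real system replace BLKID_SAMPLE with `$(blkid)` run from the live USB with sda7_crypt mounted.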

B4.5. Editing the configuration files. An important moment
B4.5.1. Editing the config /etc/initramfs-tools/conf.d/resume

# If you previously had a swap partition activated, disable it.
nano /etc/initramfs-tools/conf.d/resume

and comment out (if present) the "resume" line with "#". The file should be completely empty.

B4.5.2. Editing the config /etc/initramfs-tools/conf.d/cryptsetup

nano /etc/initramfs-tools/conf.d/cryptsetup

it should match

# /etc/initramfs-tools/conf.d/cryptsetup
CRYPTSETUP=y
export CRYPTSETUP

B4.5.3. Editing the /etc/default/grub config (this config is responsible for being able to generate grub.cfg when working with an encrypted /boot)

nano /etc/default/grub

add the line "GRUB_ENABLE_CRYPTODISK=y"
with the value 'y', grub-mkconfig and grub-install will check for encrypted drives and generate the additional commands needed to access them at boot time (insmods).
it should look like this

GRUB_DEFAULT=0
GRUB_TIMEOUT=1
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="acpi_backlight=vendor"
GRUB_CMDLINE_LINUX="quiet splash noautomount"
GRUB_ENABLE_CRYPTODISK=y

B4.5.4. Editing the config /etc/cryptsetup-initramfs/conf-hook

nano /etc/cryptsetup-initramfs/conf-hook

check that the line is commented out <#>.
In the future (and even now) this parameter may have no meaning, but sometimes it interferes with updating the initrd.img image.

B4.5.5. Editing the config /etc/cryptsetup-initramfs/conf-hook

nano /etc/cryptsetup-initramfs/conf-hook

add

KEYFILE_PATTERN="/etc/skey"
UMASK=0077

This packs the secret key "skey" into initrd.img; the key is needed to unlock the root when the OS boots (if you don't want to enter the password again, the "skey" key is substituted automatically).

B4.6. Updating /boot/initrd.img [version]
To pack the secret key into initrd.img and apply the cryptsetup fixes, update the image

update-initramfs -u -k all

When updating initrd.img (as they say, "it works, but it's not certain") warnings related to cryptsetup may appear, or, for example, warnings about missing Nvidia modules; this is normal. After the file is updated, check that it really was updated: look at the timestamp (relative to the chroot environment, ./boot/initrd.img). Caution! Before [update-initramfs -u -k all], be sure to check that the name in cryptsetup open /dev/sda7 sda7_crypt is the one that appears in /etc/crypttab, otherwise after the reboot there will be a busybox error.
At this step, configuring the configuration files is complete.
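As an added example (not part of the original article), the following preflight script checks, before `update-initramfs -u -k all`, the mistakes sections B4.4 to B4.6 warn about: a crypttab target that does not match the fstab root mapper, a key file that is missing, group/world-readable or not covered by KEYFILE_PATTERN, GRUB_ENABLE_CRYPTODISK not set to y, and an active "resume" line. It runs on a constructed /etc tree so it can be tried outside the chroot; the file names, device names and the 691-byte key follow the article, and `make_fixture` is a hypothetical helper added only to build that tree.

```shell
#!/bin/sh
# Added example, not code from the original article. Preflight checks to run in
# the chroot before `update-initramfs -u -k all` (sections B4.4 to B4.6).
# <root> is the tree to inspect; inside the chroot that is "/".

# preflight <root>: prints one FAIL line per problem, returns 0 only if clean
preflight() {
    root=${1%/}; fail=0
    # the root file system must be /dev/mapper/<target>, and <target> must be a crypttab entry
    mapper=$(awk '$2 == "/" && $1 ~ /^\/dev\/mapper\// { sub(/^\/dev\/mapper\//, "", $1); print $1 }' "$root/etc/fstab")
    if [ -z "$mapper" ]; then
        echo "FAIL: / in fstab is not a /dev/mapper device"; fail=1
    elif ! awk -v t="$mapper" '$1 == t { f = 1 } END { exit !f }' "$root/etc/crypttab"; then
        echo "FAIL: crypttab has no target '$mapper'"; fail=1   # busybox prompt after reboot
    fi
    # key file named in the crypttab entry (third field, unless "none")
    keyfile=$(awk -v t="$mapper" '$1 == t && $3 != "none" { print $3 }' "$root/etc/crypttab")
    if [ -n "$keyfile" ]; then
        if [ ! -f "$root$keyfile" ]; then
            echo "FAIL: key file $keyfile does not exist"; fail=1
        else
            case $(stat -c '%a' "$root$keyfile") in
                [0-7]00) ;;            # owner-only bits, e.g. 600 or 400
                *) echo "FAIL: $keyfile is readable by group/others"; fail=1 ;;
            esac
        fi
        # KEYFILE_PATTERN decides whether the key is packed into initrd.img at all
        pattern=$(sed -n 's/^KEYFILE_PATTERN=//p' "$root/etc/cryptsetup-initramfs/conf-hook" 2>/dev/null | tr -d '"')
        pattern=${pattern:-__unset__}
        case "$keyfile" in
            $pattern) ;;               # glob match, unquoted on purpose
            *) echo "FAIL: KEYFILE_PATTERN '$pattern' does not cover $keyfile"; fail=1 ;;
        esac
    fi
    # GRUB must be told to look for encrypted disks when generating grub.cfg
    grep -q '^GRUB_ENABLE_CRYPTODISK=y$' "$root/etc/default/grub" 2>/dev/null ||
        { echo "FAIL: GRUB_ENABLE_CRYPTODISK=y missing in /etc/default/grub"; fail=1; }
    # no uncommented RESUME= line may remain (B4.5.1)
    if grep -Eq '^[[:space:]]*RESUME=' "$root/etc/initramfs-tools/conf.d/resume" 2>/dev/null; then
        echo "FAIL: active RESUME= line in conf.d/resume"; fail=1
    fi
    return $fail
}

# make_fixture <good|bad>: hypothetical helper that builds a constructed /etc
# tree mirroring the article's configuration in a temp directory and prints
# its path. "bad" misspells the crypttab target, the mismatch B4.6 warns about.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/default" "$d/etc/cryptsetup-initramfs" "$d/etc/initramfs-tools/conf.d"
    target=sda7_crypt
    [ "$1" = bad ] && target=sda7crypt
    printf '/dev/mapper/sda7_crypt / ext4 errors=remount-ro 0 1\n/dev/mapper/swap none swap sw 0 0\n' > "$d/etc/fstab"
    printf '%s UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 /etc/skey luks\n' "$target" > "$d/etc/crypttab"
    printf 'swap /dev/sda8 /dev/urandom swap,cipher=twofish-xts-plain64,size=512,hash=sha512\n' >> "$d/etc/crypttab"
    head -c 691 /dev/urandom > "$d/etc/skey"; chmod 600 "$d/etc/skey"
    printf 'GRUB_ENABLE_CRYPTODISK=y\n' > "$d/etc/default/grub"
    printf 'KEYFILE_PATTERN="/etc/skey"\nUMASK=0077\n' > "$d/etc/cryptsetup-initramfs/conf-hook"
    printf '#RESUME=none\n' > "$d/etc/initramfs-tools/conf.d/resume"
    echo "$d"
}

# Stand-alone run: the good tree passes, the bad one reports the mismatch.
preflight "$(make_fixture good)" && echo "good fixture: OK"
preflight "$(make_fixture bad)" || echo "bad fixture: rejected as expected"
```

Inside the chroot, `preflight /` runs the same checks against the real configuration.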

[C] Txhim kho thiab teeb tsa GRUB2/Kev Tiv Thaiv

C1. Yog tias tsim nyog, tsim cov kev faib tshwj xeeb rau bootloader (ib qho kev faib xav tau tsawg kawg 20MB)

mkfs.ext4 -v -L GRUB2 /dev/sda6

C2. Mount /dev/sda6 rau /mntYog li peb ua haujlwm hauv chroot, ces yuav tsis muaj / mnt2 directory hauv paus, thiab / mnt nplaub tshev yuav khoob.
mount GRUB2 muab faib

mount /dev/sda6 /mnt

Yog hais tias koj muaj ib tug laus version ntawm GRUB2 ntsia, nyob rau hauv lub /mnt/boot/grub/i-386-pc directory (lwm lub platform yog ua tau, piv txwv li, tsis yog "i386-pc") tsis muaj crypto modules (hauv luv luv, daim nplaub tshev yuav tsum muaj cov qauv, suav nrog cov .mod: cryptodisk; luks; gcry_twofish; gcry_sha512; signature_test.mod), Hauv qhov no, GRUB2 yuav tsum tau shaken.

apt-get update
apt-get install grub2 

Tseem ceeb! Thaum hloov kho GRUB2 pob los ntawm lub chaw cia khoom, thaum nug "txog xaiv" qhov twg rau nruab lub bootloader, koj yuav tsum tsis kam lees lub installation. (yog vim li cas - sim rau nruab GRUB2 - hauv "MBR" lossis ntawm usb nyob). Txwv tsis pub koj yuav ua rau VeraCrypt header/loader puas. Tom qab hloov kho GRUB2 tej pob khoom thiab tshem tawm lub installation, khau raj loader yuav tsum tau ntsia manually ntawm lub logic disk, thiab tsis nyob rau hauv lub MBR. Yog tias koj qhov chaw khaws cia muaj qhov tsis tu ncua ntawm GRUB2, sim hloov tshiab nws yog los ntawm lub vev xaib official - tsis tau kuaj xyuas nws (ua haujlwm nrog qhov tseeb GRUB 2.02 ~ BetaX bootloaders).

C3. Txhim kho GRUB2 rau hauv qhov txuas txuas ntxiv [sda6]Koj yuav tsum muaj qhov muab faib [yam C.2]

grub-install --force --root-directory=/mnt /dev/sda6

xaiv
* -force - kev teeb tsa ntawm lub bootloader, hla tag nrho cov lus ceeb toom uas yuav luag ib txwm muaj thiab thaiv kev teeb tsa (yuav tsum tau chij).
* --root-directory - directory installation rau sda6.
* /dev/sda6 - koj sdaХ muab faib (tsis txhob nco <space> ntawm /mnt /dev/sda6).

C4. Generating the configuration file [grub.cfg]
Forget about the "update-grub2" command, and use the full configuration-file generation command

grub-mkconfig -o /mnt/boot/grub/grub.cfg

After the generation/update of the grub.cfg file completes, the bootloader menu should contain line(s) with the OS found on the disk ("grub-mkconfig" may also find and pick up the OS from the live usb; if you have a multiboot flash drive with Windows 10 and a bunch of live distributions, that is normal). If the terminal is "empty" and the "grub.cfg" file is not generated, this happens when there are already GRUB entries in the system (most likely the loader from the latest branch of the repository); reinstall GRUB2 from a trusted source.
The "simple configuration" installation and setup of GRUB2 is complete.

C5. Verification of the encrypted GNU/Linux OS
We have correctly completed the crypto task. Carefully leave the encrypted GNU/Linux (exit the chroot environment).

umount -a #unmount all mounted partitions of the encrypted GNU/Linux
Ctrl+d #exit the chroot environment
umount /mnt/dev
umount /mnt/proc
umount /mnt/sys
umount -a #unmount all mounted partitions on the live usb
reboot

After rebooting the PC, the VeraCrypt bootloader should load.

* Entering the password for the system partition starts loading Windows.
* Pressing the "Esc" key transfers control to GRUB2; if you select the encrypted GNU/Linux, the password (sda7_crypt) is required to unlock /boot/initrd.img (if grub2 writes that the uuid was "not found", this is a problem with the grub2 bootloader; it should be reinstalled, for example from the testing/stable branch, etc.).

* Depending on how you configured the system (see paragraph B4.4/4.5), after entering the correct password to unlock the /boot/initrd.img image, you will either need a password to load the OS kernel/root, or the secret key will be substituted automatically from "skey", removing the need to enter the password again.
(screen "automatic substitution of the secret key").

* Then the familiar GNU/Linux boot procedure with user account authentication follows.

* After user authorization and entering the OS, you must update /boot/initrd.img again (see B4.6).

update-initramfs -u -k all

And if there are extra lines in the GRUB2 menu (from OSes that came with the live usb), get rid of them

mount /dev/sda6 /mnt
grub-mkconfig -o /mnt/boot/grub/grub.cfg

Brief summary of the GNU/Linux system encryption:

  • GNU/Linux is encrypted entirely, including /boot/kernel and initrd;
  • the secret key is packed into initrd.img;
  • the current authorization scheme (enter a password to unlock initrd; a password/key to boot the OS; a password for authorization into the Linux account).

The "Simple GRUB2 Configuration" system encryption of the block partition is complete.

C6. Advanced GRUB2 configuration. Bootloader protection with a digital signature + authentication
GNU/Linux is fully encrypted, but the bootloader cannot be encrypted; this condition is dictated by the BIOS. For this reason, a chained encrypted boot of GRUB2 is impossible, but a simple chained boot is possible/available, although from a security point of view it is not necessary [see item F].
For the "non-trivial" GRUB2, the developers implemented a "signature/authentication" bootloader protection algorithm.

  • When the bootloader is protected by "its own digital signature", external modification of the files, or an attempt to load extra modules into this bootloader, will cause the boot process to be blocked.
  • When the bootloader is protected with authentication, to select a distribution, or to enter additional commands in the CLI, you must enter the login and password of the GRUB2 superuser.

C6.1. Bootloader authentication protection
Check that you are working in the terminal of the encrypted OS

ls /<Tab-Tab> #find the marker file

create the superuser password for authorization in GRUB2

grub-mkpasswd-pbkdf2 #enter/repeat the superuser password.

Get the password hash. Something like this

grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8

mount the GRUB partition

mount /dev/sda6 /mnt

edit the config

nano -$ /mnt/boot/grub/grub.cfg

check the file contents to make sure the flags ("--unrestricted", "--users") do not appear anywhere in "grub.cfg",
add at the very end (before the line ### END /etc/grub.d/41_custom ###)
"set superusers="root"
password_pbkdf2 root hash."

It should look something like this

# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f  ${config_directory}/custom.cfg ]; then
  source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
  source $prefix/custom.cfg;
fi
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
### END /etc/grub.d/41_custom ###
#

If you frequently use the command "grub-mkconfig -o /mnt/boot/grub/grub.cfg" and do not want to edit grub.cfg every time, enter the lines above (login:password) into the GRUB user script at the very bottom

nano /etc/grub.d/41_custom 

cat <<EOF
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
EOF

When the config is generated with "grub-mkconfig -o /mnt/boot/grub/grub.cfg", the lines responsible for authentication will be added to grub.cfg.
This step completes the GRUB2 authentication setup.
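As an added example (not code from the article), the following Python reproduces what grub-mkpasswd-pbkdf2 computes, so a hash line can be generated or re-checked offline before it goes into grub.cfg or 41_custom. It assumes the GRUB 2.02 defaults: PBKDF2-HMAC-SHA512, 10000 iterations, a 64-byte salt and a 64-byte derived key, printed as grub.pbkdf2.sha512.<iterations>.<salt hex>.<hash hex>.

```python
"""Added example, not from the original article: generate and verify a GRUB2
'password_pbkdf2' entry in Python.  Assumes the grub-mkpasswd-pbkdf2 defaults of
GRUB 2.02: PBKDF2-HMAC-SHA512, 10000 iterations, 64-byte salt, 64-byte digest."""
import hashlib
import hmac
import os
from typing import Optional


def make_grub_pbkdf2(password: str, iterations: int = 10000,
                     salt: Optional[bytes] = None) -> str:
    """Return an entry in the format grub-mkpasswd-pbkdf2 prints.

    The salt is random unless given explicitly (passed in only to make the
    test below reproducible)."""
    if salt is None:
        salt = os.urandom(64)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                             iterations, dklen=64)
    return f"grub.pbkdf2.sha512.{iterations}.{salt.hex().upper()}.{dk.hex().upper()}"


def parse_grub_pbkdf2(entry: str) -> tuple:
    """Split an entry into (iterations, salt bytes, digest bytes); reject other formats."""
    parts = entry.strip().split(".")
    if len(parts) != 6 or parts[:3] != ["grub", "pbkdf2", "sha512"]:
        raise ValueError("not a grub.pbkdf2.sha512 entry")
    return int(parts[3]), bytes.fromhex(parts[4]), bytes.fromhex(parts[5])


def verify_grub_pbkdf2(password: str, entry: str) -> bool:
    """Check a candidate password against an entry, as GRUB does at its login prompt."""
    iterations, salt, expected = parse_grub_pbkdf2(entry)
    actual = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                                 iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)  # constant-time comparison


def superuser_lines(user: str, entry: str) -> str:
    """The two lines section C6.1 appends to grub.cfg (or 41_custom) for this user."""
    return f'set superusers="{user}"\npassword_pbkdf2 {user} {entry}\n'
```

Feeding the entry from your own grub.cfg to verify_grub_pbkdf2 confirms that the line you pasted really matches the password you intend to type at the GRUB prompt.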

C6.2. Bootloader protection with a digital signature
It is assumed that you already have your own pgp encryption key (or create one). Cryptographic software must be installed in the system: gnuPG; Kleopatra/GPA; Seahorse. Crypto software will make your life much easier in all matters. Seahorse - stable version of package 3.14.0 (higher versions, e.g. V3.20, are broken and have critical bugs).

The PGP key must be generated/used/added only in the su environment!

Generate the encryption key

gpg --gen-key

Export your key

gpg --export -o ~/perskey

Mount the logical disk in the OS if it is not mounted

mount /dev/sda6 /mnt #sda6 - the GRUB2 partition

clean the GRUB2 partition

rm -rf /mnt/

Install GRUB2 into sda6, embedding your own key into the main GRUB image "core.img"

grub-install --force --modules="gcry_sha256 gcry_sha512 signature_test gcry_dsa gcry_rsa" -k ~/perskey --root-directory=/mnt /dev/sda6

options
* --force - install the bootloader, bypassing all the warnings that always appear (required flag).
* --modules="gcry_sha256 gcry_sha512 signature_test gcry_dsa gcry_rsa" - tells GRUB2 to preload the necessary modules when the PC starts.
* -k ~/perskey - path to the "PGP key" (after the key is packed into the image, it can be deleted).
* --root-directory - sets the boot directory to the root of sda6
* /dev/sda6 - your sdaX partition.

Generating/updating grub.cfg

grub-mkconfig -o /mnt/boot/grub/grub.cfg

Add the line "trust /boot/grub/perskey" to the end of the "grub.cfg" file (forcing the use of the pgp key). Since we installed GRUB2 with a set of modules that includes the signature module "signature_test.mod", this removes the need to add commands like "set check_signatures=enforce" to the configuration.

It should look like this (last lines in the grub.cfg file)

### BEGIN /etc/grub.d/41_custom ###
if [ -f  ${config_directory}/custom.cfg ]; then
  source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
  source $prefix/custom.cfg;
fi
trust /boot/grub/perskey
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
### END /etc/grub.d/41_custom ###
#

The path to "/boot/grub/perskey" does not need to point to a specific disk partition, for example hd0,6; for the bootloader itself, "root" is the path of the partition on which GRUB2 is installed (see set root=..).

Sign GRUB2 (all files in the entire /GRUB directory) with your "perskey" key.
A simple solution for signing (for the nautilus/caja file manager): install the "seahorse" extension for the file manager from the repository. Your key must be added in the su environment.
Open the file manager with sudo "/mnt/boot" - RMB - sign. On screen it looks like this


The key itself "/mnt/boot/grub/perskey" (the copy in the grub directory) must also be signed with its own signature. Check that [*.sig] signature files appear in the directory/subdirectories.
Using the method described above, sign "/boot" (our kernel, initrd). If your time is worth anything, this method removes the need to write a bash script to sign "many files".

To remove all bootloader signatures (if something went wrong)

rm -f $(find /mnt/boot/grub -type f -name '*.sig')

To avoid having to re-sign the bootloader after a system update, we freeze all package updates related to GRUB2.

apt-mark hold grub-common grub-pc grub-pc-bin grub2 grub2-common

At this step the <bootloader protection with digital signature> advanced configuration of GRUB2 is complete.

C6.3. Verification check of the GRUB2 bootloader protected by digital signature and authentication
GRUB2. When selecting a GNU/Linux distribution or entering the CLI (command line), superuser authorization is required. After entering the correct username/password, the initrd password will be required

Screenshot of successful GRUB2 superuser authentication.

If you tamper with any of the GRUB2 files/make changes to grub.cfg, or delete a file/signature, or load a malicious module.mod, the corresponding warning will appear. GRUB2 will suspend booting.

Screenshot of an attempt to interfere with GRUB2 "from the outside".

During "normal" booting "without intrusion", the system exit status is by default "0". Therefore it is not known whether the protection works or not (that is, "with or without bootloader signature protection" during a normal boot the status is the same "0" - this is bad).

How to verify the digital signature protection?

A not very elegant way to check: forge/remove a module used by GRUB2, for example, delete the signature luks.mod.sig and get an error.

The correct way: go to the bootloader CLI and type the command

trust_list

In response you should get the "perskey" fingerprint; if the status is "0", then the signature protection does not work; re-check paragraph C6.2.
At this step, the advanced configuration "GRUB2 protection with digital signature and authentication" is complete.

C7 Alternative method of protecting the GRUB2 bootloader using hashing
The "bootloader protection with digital signature/authentication" method described above is the classic one. Because of GRUB2's imperfections, under paranoid conditions it is vulnerable to a real attack, which I will describe below in paragraph [F]. In addition, after an OS/kernel update the bootloader must be re-signed.

Protecting the GRUB2 bootloader using hashing

Advantages over the classic method:

  • Higher reliability (hashing/verification happens only from a local encrypted resource. The entire partition allocated for GRUB2 is controlled for any change, and everything else is encrypted; in the classic scheme with digital-signature bootloader protection/authentication, only the files are controlled, but not the free space, into which "something bad" can be added).
  • Encrypted logging (a personal human-readable encrypted log is added to the scheme).
  • Speed (protection/verification of the entire partition allocated for GRUB2 happens almost instantly).
  • Automation of all cryptographic processes.

Disadvantages relative to the classic method.

  • Signature forgery (theoretically, it is possible to find a collision for a given hash function).
  • Increased complexity (compared to the classic method, a little more skill in the GNU/Linux OS is required).

How the GRUB2/partition hashing scheme works

The GRUB2 partition is "signed"; when the OS boots, the bootloader partition is checked for immutability, followed by logging in a secure (encrypted) environment. If the bootloader or its partition has been tampered with, then in addition to the intrusion log the following is launched:

Warning image ("warning.gif").

A similar check takes place four times a day, which does not load the resources at all.
With the "-$ проверка_GRUB" command, an instant check happens at any time without logging, but with output to the CLI.
With the "-$ sudo подпись_GRUB" command, the GRUB2 bootloader/partition is instantly re-signed together with its updates (required after an OS/boot update), and life goes on.

Implementing the hashing method for the bootloader and its partition

0) Let us sign the GRUB bootloader/partition by first mounting it at /media/username

-$ hashdeep -c md5 -r /media/username/GRUB > /podpis.txt

1) Create a script without an extension in the root of the encrypted OS ~/podpis, apply the necessary 744 security permissions to it and bulletproof protection.

Write its contents

#!/bin/bash

# Check the whole partition allocated for the GRUB2 bootloader for immutability.
# A log "about intrusion/successful check of the directory" is kept; in short, a full log with triple verbosity is kept. Attention! Watch the paths: store the GRUB2 signature (hash list) only on the encrypted GNU/Linux OS partition.
echo -e "******************************************************************\n" >> '/var/log/podpis.txt' && date >> '/var/log/podpis.txt' && hashdeep -vvv -a -k '/podpis.txt' -r '/media/username/GRUB' >> '/var/log/podpis.txt'

a=`tail '/var/log/podpis.txt' | grep failed` #do not use "cat"!!
b="hashdeep: Audit failed"

# Condition: in case of any changes in the partition allocated for GRUB2, in addition to the full log a second separate short log "only about the intrusion" is written, and a blinking "warning" gif is shown on the monitor.
if [[ "$a" = "$b" ]]
then
echo -e "****\n" >> '/var/log/vtorjenie.txt' && echo "vtorjenie" >> '/var/log/vtorjenie.txt' && date >> '/var/log/vtorjenie.txt' & sudo -u username DISPLAY=:0 eom '/warning.gif'
fi

Run the script from su; the hashing of the GRUB partition and its bootloader will be checked, and the log saved.

Let us create or copy, for example, a "malicious file" [virus.mod] onto the GRUB2 partition and run a one-off scan/test:

-$ hashdeep -vvv -a -k '/podpis.txt' -r '/media/username/GRUB'

The CLI should show the intrusion into our citadel. The log in the CLI

Ср янв  2 11::41 MSK 2020
/media/username/GRUB/boot/grub/virus.mod: Moved from /media/username/GRUB/1nononoshifr
/media/username/GRUB/boot/grub/i386-pc/mda_text.mod: Ok
/media/username/GRUB/boot/grub/grub.cfg: Ok
hashdeep: Audit failed
   Input files examined: 0
  Known files expecting: 0
          Files matched: 325
Files partially matched: 0
            Files moved: 1
        New files found: 0
  Known files not found: 0

#As you can see, "Files moved: 1" and "Audit failed" appear, which means the check failed.
Because of the nature of the tested partition, instead of "New files found" > "Files moved"

2) Put the gif here > ~/warning.gif, set its permissions to 744.

3) Configuring fstab to automount the GRUB partition at boot

-$ sudo nano /etc/fstab

LABEL=GRUB /media/username/GRUB ext4 defaults 0 0

4) Rotating the log

-$ sudo nano /etc/logrotate.d/podpis

/var/log/podpis.txt {
daily
rotate 50
size 5M
# (one directive on this line is not recoverable from the source)
compress
delaycompress
olddir /var/log/old
}

/var/log/vtorjenie.txt {
monthly
rotate 5
size 5M
# (one directive on this line is not recoverable from the source)
olddir /var/log/old
}

5) Add a job to cron

-$ sudo crontab -e

@reboot '/podpis'
0 */6 * * * '/podpis'

6) Create persistent aliases

-$ sudo su
-$ echo "alias подпись_GRUB='hashdeep -c md5 -r /media/username/GRUB > /podpis.txt'" >> /root/.bashrc && bash
-$ echo "alias проверка_GRUB='hashdeep -vvv -a -k '/podpis.txt' -r /media/username/GRUB'" >> /root/.bashrc && bash

After updating the OS (-$ apt-get upgrade) re-sign our GRUB partition
-$ подпись_GRUB
At this step, hashing protection of the GRUB partition is complete.
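As an added example that is not part of the article, here is the audit logic of steps 0 and 1 (sign the partition, then re-check it) and of the virus.mod test above written in Python, so the matched / modified / moved / new / missing classification behind hashdeep's "Audit failed" verdict can be seen in code. The directory tree, file names and contents are constructed for the demo, and MD5 is used only because the page's hashdeep invocation uses it.

```python
"""Added example, not from the original article: a hashdeep-style integrity audit
of a bootloader partition in Python (section C7).  Paths and file contents are
constructed for the demo; MD5 only mirrors the page's 'hashdeep -c md5'."""
import hashlib
import tempfile
from pathlib import Path


def file_md5(path: Path) -> str:
    """MD5 of one file, read in chunks so large modules do not fill memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sign_tree(root: Path) -> dict:
    """Counterpart of 'hashdeep -c md5 -r ROOT > /podpis.txt': relative path -> digest."""
    return {str(p.relative_to(root)): file_md5(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def audit_tree(root: Path, baseline: dict) -> dict:
    """Counterpart of 'hashdeep -a -k /podpis.txt -r ROOT'.

    'moved' means a known digest turned up under a new path while its old path
    is gone (what the page's virus.mod test produced).  Anything other than a
    full match makes 'passed' False, like hashdeep's 'Audit failed'."""
    current = sign_tree(root)
    report = {"matched": [], "modified": [], "moved": [], "new": [], "missing": []}
    vanished = {p: d for p, d in baseline.items() if p not in current}
    by_digest = {d: p for p, d in vanished.items()}   # candidates for "moved"
    for path, digest in current.items():
        if path in baseline:
            key = "matched" if baseline[path] == digest else "modified"
            report[key].append(path)
        elif digest in by_digest:
            old = by_digest.pop(digest)
            vanished.pop(old)
            report["moved"].append((old, path))
        else:
            report["new"].append(path)
    report["missing"] = sorted(vanished)
    report["passed"] = all(not report[k] for k in ("modified", "moved", "new", "missing"))
    return report


def demo() -> tuple:
    """Build a constructed GRUB-like tree, sign it, then tamper with it and re-audit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "GRUB"
        mods = root / "boot" / "grub" / "i386-pc"
        mods.mkdir(parents=True)
        cfg = root / "boot" / "grub" / "grub.cfg"
        cfg.write_bytes(b'set superusers="root"\n')               # constructed
        (mods / "mda_text.mod").write_bytes(b"constructed module bytes\n")
        (root / "1nononoshifr").write_bytes(b"constructed stray file\n")
        baseline = sign_tree(root)
        clean = audit_tree(root, baseline)
        # Tamper: relocate the stray file into the grub directory under a new
        # name (the page's virus.mod scenario) and append a line to grub.cfg.
        (root / "1nononoshifr").rename(root / "boot" / "grub" / "virus.mod")
        with cfg.open("ab") as f:
            f.write(b"# edited after signing\n")
        tampered = audit_tree(root, baseline)
        return clean, tampered
```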

[D] Wiping - destruction of unencrypted data

Delete your personal data completely so that "not even God can read it", as South Carolina's Trey Gowdy put it.

As usual, there are many "myths and legends" about recovering data after it has been deleted from the hard drive. If you believe in cyber-witchcraft, or are a member of the Dr Web community and have never tried to recover data after it was deleted/overwritten (for example, recovery with R-studio), then the proposed method is unlikely to suit you; use the one closest to you.

After successfully migrating GNU/Linux to the encrypted partition, the old copy must be deleted without the possibility of data recovery. Universal cleaning method: the free GUI software BleachBit for Windows/Linux.
Quickly format the partition whose data must be destroyed (in Gparted), launch BleachBit, select "Wipe free space" - select the partition (your sdaX with the previous copy of GNU/Linux), and the wiping process begins. BleachBit wipes the disk in one pass; this is "what we need". But! This works only in theory, if you formatted the disk and wiped it in the BB v2.0 software.

Attention! BB wipes the disk but leaves metadata; the file names are preserved when the data is deleted (Ccleaner does not leave metadata).

And the legend about the possibility of data recovery is not entirely a legend. Bleachbit V2.0-2 from the previous unstable Debian OS package (and any other similar software: sfill; wipe-Nautilus, also tested in this dirty business) really has a critical bug: the "free space wipe" function works incorrectly on HDD/Flash drives (ntfs/ext4). Software of this type, when wiping free space, does not overwrite the whole disk, as many users think. And some (many) deleted files the OS/software considers non-deleted/user data, and when wiping free space it skips these files. The problem is that after such a long disk wipe, "deleted files" can be recovered even after 3+ passes of disk wiping.
On GNU/Linux in Bleachbit 2.0-2 the functions of permanent deletion of files and directories work reliably, but not the free space wipe. For comparison: on Windows in CCleaner the "free space wipe for ntfs" function works well, and God really will not be able to read the deleted data.

And so, in order to thoroughly remove the "remaining" old unencrypted data, Bleachbit needs direct access to this data, and then the "permanently delete files/directories" function is used.
To delete "files deleted using OS tools" in Windows, use CCleaner/BB with the "free space wipe" function. In GNU/Linux, for this problem (deleted files) you need to practise on your own (delete data + independently try to recover it, and do not rely on the software version (if not a bookmark, then a bug)); only in this case will you understand the mechanism of this problem and get rid of the deleted data for good.

I have not tested Bleachbit v3.0; the problem may already have been fixed.
Bleachbit v2.0 works honestly.

At this step, disk wiping is complete.

[E] Universal backup of the encrypted OS

Every user has their own method of backing up data, but encrypted system OS data requires a slightly different approach. Unified software such as Clonezilla and similar cannot work directly with encrypted data.

Problem statement for backing up encrypted block devices:

  1. universality - the same backup algorithm/software for Windows/Linux;
  2. the ability to work in the console with any live usb GNU/Linux without having to download additional software (but a GUI is still recommended);
  3. security of the backups - stored "images" must be encrypted/password-protected;
  4. the size of the encrypted data must match the size of the actual data being copied;
  5. easy extraction of the needed files from the backup (without having to decrypt the whole partition first).

For example, backup/restore via the "dd" utility

dd if=/dev/sda7 of=/путь/sda7.img bs=7M conv=sync,noerror
dd if=/путь/sda7.img of=/dev/sda7 bs=7M conv=sync,noerror

It fits almost all points of the task, but on point 4 it does not stand up to criticism, because it copies the entire disk partition, including free space - not interesting.

For example, a GNU/Linux backup via the archiver [tar | gpg] is convenient, but for a Windows backup you have to look for another solution - not interesting.

E1. Universal Windows/Linux backup. The rsync (Grsync) + VeraCrypt volume bundle
Algorithm for creating a backup:

  1. create an encrypted VeraCrypt container (volume/file) for the OS;
  2. transfer/synchronize the OS using the Rsync software into the VeraCrypt crypto-container;
  3. if necessary, upload the VeraCrypt volume to the www.

Creating a VeraCrypt encrypted container has its own peculiarities:
creating a dynamic volume (creating a DV is available only in Windows; it can also be used in GNU/Linux);
creating a regular volume, but with the requirement of "paranoid behaviour" (according to the developer) - container formatting.

A dynamic volume is created almost instantly in Windows, but when copying data from GNU/Linux > VeraCrypt DV, the overall performance of the backup operation drops significantly.

A regular 70 GB Twofish volume is created (let's say, on a mid-powered PC) onto an HDD in ~ half an hour (overwriting the old container data in one pass is due to security requirements). The quick-format function for a volume being created has been removed from VeraCrypt Windows/Linux, so creating a container is possible only via "one-pass rewriting" or by creating a dynamic volume with low performance.

Create a regular VeraCrypt volume (not dynamic/ntfs); there should be no problems.

Configure/create/open the container in the VeraCrypt GUI > GNU/Linux live usb (the volume will be automounted to /media/veracrypt2, the Windows OS volume will be mounted to /media/veracrypt1). Create an encrypted backup of the Windows OS using the rsync GUI (grsync) by ticking the container.

Wait for the process to complete. When the backup is finished, we will have one encrypted file.

Similarly, create a backup of the GNU/Linux OS by unticking the "Windows compatibility" checkbox in the rsync GUI.

Attention! create the Veracrypt container for the "GNU/Linux backup" in the ext4 file system. If you make a backup to an ntfs container, then when you restore such a copy you will lose all the permissions/groups of all your data.

You can do all the operations in the terminal. Useful options for rsync:
* -g - preserve groups;
* -P - progress - status of the time spent on the file;
* -H - copy hardlinks as is;
* -a - archive mode (multiple flags rlptgoD);
* -v - verbose.

If you want to mount the "Windows VeraCrypt volume" from the console with the cryptsetup software, you can create an alias (su)

echo "alias veramount='cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sdaX Windows_crypt && mount /dev/mapper/Windows_crypt /media/veracrypt1'" >> .bashrc && bash

Now the "veramount" command will prompt you for a password, and the encrypted Windows system volume will be mounted in the OS.

Mapping/mounting a VeraCrypt system volume with cryptsetup commands

cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sdaX Windows_crypt
mount /dev/mapper/Windows_crypt /mnt

Mapping/mounting a VeraCrypt partition/volume with cryptsetup commands

cryptsetup open --veracrypt --type tcrypt /dev/sdaY test_crypt
mount /dev/mapper/test_crypt /mnt

Instead of an alias, we will add (via a startup script) the system volume with the Windows OS and the encrypted ntfs logical disk to the GNU/Linux startup

Create a script and save it as /VeraOpen.sh

printf 'Ym9i' | base64 -d | cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sda3 Windows_crypt && mount /dev/mapper/Windows_crypt /media/Winda7 #decode the password from base64 (bob) and pass it to the password prompt when mounting the Windows OS system disk.
printf 'Ym9i' | base64 -d | cryptsetup open --veracrypt --type tcrypt /dev/sda1 ntfscrypt && mount /dev/mapper/ntfscrypt /media/КонтейнерНтфс #same, but mounting the ntfs logical disk.

Assign the "right" permissions:

sudo chmod 100 /VeraOpen.sh

Create two identical files (same name!) in /etc/rc.local and /etc/init.d/rc.local
File contents

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

sh -c "sleep 1 && '/VeraOpen.sh'" #after the OS boots, wait ~1 s and only then mount the disks.
exit 0

Assign the "right" permissions:

sudo chmod 100 /etc/rc.local && sudo chmod 100 /etc/init.d/rc.local

That's it; now when loading GNU/Linux we do not need to enter a password to mount the encrypted ntfs disks, the disks are mounted automatically.

A short summary of what was described above in paragraph E1, step by step (but now for the GNU/Linux OS)
1) Create a volume in fs ext4 > 4gb (for the files) Linux in Veracrypt [Cryptbox].
2) Reboot into the live usb.
3) ~$ cryptsetup open /dev/sda7 Linux #map the encrypted partition.
4) ~$ mount /dev/mapper/Linux /mnt #mount the encrypted partition to /mnt.
5) ~$ mkdir /mnt2 #create a directory for the future backup.
6) ~$ cryptsetup open --veracrypt --type tcrypt ~/CryptoBox CryptoBox && mount /dev/mapper/CryptoBox /mnt2 #map a Veracrypt volume named "CryptoBox" and mount CryptoBox to /mnt2.
7) ~$ rsync -avlxhHX --progress /mnt/ /mnt2/ #back up the working encrypted partition into the Veracrypt volume.

(p/s/ Attention! If you are transferring the encrypted GNU/Linux from one architecture/machine to another, for example Intel > AMD (that is, deploying the backup from one encrypted partition to another encrypted Intel > AMD partition), do not forget, after transferring the encrypted OS, to fix the secret-key substitution instead of the password: the previous key ~/etc/skey will no longer fit the other encrypted partition, and it is not advisable to create a new key with "cryptsetup luksAddKey" from under chroot - a glitch is possible; simply in ~/etc/crypttab specify "none" temporarily instead of "/etc/skey", and after the reboot and logging into the OS, recreate your secret substitution key.)

As an old IT soldier, do not forget to make separate backups of the headers of the encrypted Windows/Linux OS partitions, or the encryption will turn against you.
At this step, the backup of the encrypted OS is complete.

[F] Attack on the GRUB2 bootloader

If you have protected your bootloader with a digital signature and/or authentication (see item C6), this will not protect against physical access. The encrypted data will still be inaccessible, but the protection of GRUB2 can be bypassed (by resetting the digital-signature protection), allowing a cyber-villain to inject his code into the bootloader without arousing suspicion (unless the user manually monitors the bootloader state, or comes up with his own arbitrary script code for grub.cfg).

Attack algorithm. The intruder

* boots the PC from a live usb. Any change (by the violator) to the files will notify the real owner of the PC about the intrusion into the bootloader. But a simple reinstallation of GRUB2 that keeps grub.cfg (and the subsequent ability to edit it) will allow the attacker to edit any files (in this case, when GRUB2 loads, the real user will not be notified. The status is the same <0>)
* Mounts the unencrypted partition, stores "/mnt/boot/grub/grub.cfg".
* Reinstalls the bootloader (removing "perskey" from the core.img image)

grub-install --force --root-directory=/mnt /dev/sda6

* Returns "grub.cfg" > "/mnt/boot/grub/grub.cfg", edits it if necessary, for example, adds his "keylogger.mod" module to the folder with the loader modules, and in "grub.cfg" > the line "insmod keylogger". Or, for example, if the enemy is cunning, then after reinstalling GRUB2 (all signatures remain in place) he builds the main GRUB2 image using "grub-mkimage with option (-c)". The "-c" option lets you load your own config before the main "grub.cfg" is loaded. The config can consist of just one line: a redirect to some "modern.cfg", mixed in, for example, with the ~400 files (modules + signatures) in the "/boot/grub/i386-pc" folder. In this case, the attacker can insert arbitrary code and load modules without affecting "/boot/grub/grub.cfg", even if the user applies "hashsum" to the files and displays it temporarily on screen.
The attacker will not even need to crack the GRUB2 superuser login/password; he only needs to copy the lines (responsible for authentication) from "/boot/grub/grub.cfg" into his "modern.cfg"

set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8

And the PC owner will still be authenticated as the GRUB2 superuser.

Chain loading (one bootloader loads another bootloader), as I wrote above, makes no sense here (it is intended for other purposes). An encrypted bootloader cannot be loaded because of the BIOS (chain boot restarts GRUB2 > encrypted GRUB2: error!). However, if you still want to use the chain-loading idea, you can at least be sure that it is the encrypted (not modified) "grub.cfg" from the encrypted partition that is loaded. And this, too, is a false sense of security, because everything specified in the encrypted "grub.cfg" (module loading) is only added on top of the modules that were already loaded by the unencrypted GRUB2.

If you want to test this, partition/encrypt another partition sdaY, copy GRUB2 onto it (grub-install onto an encrypted partition does not work) and in "grub.cfg" (the unencrypted config) change the lines to something like this:

menuentry 'GRUBx2' --class parrot --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-382111a2-f993-403c-aa2e-292b5eac4780' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_msdos
insmod cryptodisk
insmod luks
insmod gcry_twofish
insmod gcry_twofish
insmod gcry_sha512
insmod ext2
cryptomount -u 15c47d1c4bd34e5289df77bcf60ee838
set root='cryptouuid/15c47d1c4bd34e5289df77bcf60ee838'
normal /boot/grub/grub.cfg
}

where:
* insmod - loads the modules needed to work with an encrypted disk;
* GRUBx2 - the name of the entry shown in the GRUB2 boot menu;
* cryptomount -u 15c47d1c4bd34e5289df77bcf60ee838 - see fdisk -l (sda9);
* set root - sets (mounts) the root;
* normal /boot/grub/grub.cfg - the configuration file to execute from the encrypted partition.

Confidence that it is the encrypted "grub.cfg" that gets loaded comes from the successful password prompt / unlocking of "sdaY" when the "GRUBx2" entry is selected in the GRUB menu.

When working in the CLI, to avoid confusion (and to check that the "set root" environment variable took effect), create empty marker files, for example "/shifr_grub" on the encrypted partition and "/noshifr_grub" on the unencrypted one. Check in the CLI with

cat /Tab-Tab

As noted above, this will not help against loading malicious modules if such modules end up on your PC. For example, a keylogger that saves keystrokes to a file and blends in with the other files in "~/i386" until it is collected by an attacker with physical access to the PC.

The easiest way to make sure that the digital-signature protection is working (has not been reset) and that nobody has hijacked the bootloader is to enter this command in the CLI:

list_trusted

In response we get a dump of our "perskey", or nothing at all if we have been attacked (you should also check "set check_signatures=enforce").
A significant drawback of this step is that the commands have to be entered manually. If you add these commands to "grub.cfg" and protect the config with a digital signature, the key dump that is printed before boot stays on screen for too short a time, and you will not manage to read the output once GRUB2 continues loading.
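The manual checks above (hashing the files in /boot/grub, reading list_trusted off the screen) can be automated from the booted OS. The script below is an added example, not code from the article; it assumes only coreutils (find, sha256sum, dd, diff) and takes the boot directory, the raw device where grub-install embedded core.img, and the baseline path as arguments.

```shell
#!/bin/sh
# Added example, not part of the article: detect a GRUB2 reinstall or module
# injection on the unencrypted boot partition by comparing a stored baseline of
# (a) every file under the boot dir (core.img, *.mod, *.sig, grub.cfg) and
# (b) the raw first sectors of the device, where grub-install embeds core.img
# (the whole disk for an MBR install, or the partition when GRUB2 was put into
# one, as in this guide). Requires only coreutils: find, sha256sum, dd, diff.

# Print "hash  path" for every file, plus one line for the raw sector range.
# Arguments: boot_dir raw_device [sectors, default 2048 = first 1 MiB]
grub_snapshot() {
    boot_dir=$1; raw=$2; sectors=${3:-2048}
    find "$boot_dir" -type f | LC_ALL=C sort | while read -r f; do
        sha256sum "$f"
    done
    dd if="$raw" bs=512 count="$sectors" 2>/dev/null | sha256sum \
        | sed "s| -\$| $raw (first $sectors sectors)|"
}

# Save the baseline. Keep it on the encrypted root or on removable media,
# never beside the unencrypted bootloader it describes.
grub_baseline_save() {
    grub_snapshot "$1" "$2" "$3" > "$4"
}

# Compare the live state with the baseline. Returns 0 when nothing changed,
# 1 when any file or the boot sectors differ (the diff lines name the culprit),
# 2 when the baseline is missing. Suitable for a boot-time service.
grub_baseline_check() {
    boot_dir=$1; raw=$2; sectors=$3; baseline=$4
    [ -r "$baseline" ] || { echo "no baseline at $baseline"; return 2; }
    current=$(grub_snapshot "$boot_dir" "$raw" "$sectors")
    if diff_out=$(printf '%s\n' "$current" | diff "$baseline" -); then
        echo "bootloader unchanged"
        return 0
    fi
    echo "BOOTLOADER TAMPERED (< baseline, > current):"
    printf '%s\n' "$diff_out" | grep '^[<>]' || true
    return 1
}
```

Re-create the baseline after every intentional update-grub or kernel update, otherwise the next check reports a false alarm. A check that runs inside the already booted OS cannot see a bootloader that hides itself perfectly, but it does catch the plain grub-install reinstall and the extra .mod file from the scenario above.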
There is nobody to complain to: the developer, in clause 18.2 of the documentation, officially states:

"Note that even with GRUB password protection, GRUB itself cannot prevent someone with physical access to the machine from altering that machine's firmware (e.g., Coreboot or BIOS) configuration to cause the machine to boot from a different (attacker-controlled) device. GRUB is at best only one link in a secure boot chain."

GRUB2 is overloaded with functionality that can give a false sense of security; in functionality it has already outgrown MS-DOS, yet it is only a bootloader. It is funny that GRUB2 may "tomorrow" become an OS, with bootable GNU/Linux virtual machines for it.

A short video about how I reset the GRUB2 digital-signature protection and announce my intrusion to the real user (I scared you a little, but instead of what is shown in the video, arbitrary code / a .mod could be written in without any problem).

Conclusions:

1) Block system encryption for Windows is easier to implement, and protection with a single password is easier than the protection with several passwords of GNU/Linux block system encryption; to be fair, the latter is automated.

2) I wrote the article as an up-to-date and expanded simple manual on VeraCrypt/LUKS full-disk encryption for a single home machine, which is far from the best in RuNet (IMHO). The manual is >50k characters long, so it does not cover some interesting chapters: cryptographers who disappear / stay in the shadows; the fact that various GNU/Linux books write little or nothing about cryptography; Article 51 of the Constitution of the Russian Federation; the licensing/ban of encryption in Russia; why you need to encrypt "root/boot". The manual turned out quite extensive, but detailed (it starts by explaining even simple steps), which in turn will save you a lot of time when you get to "real encryption".

3) Full disk encryption was carried out on Windows 7 64; GNU/Linux Parrot 4x; GNU/Debian 9.0/9.5.

4) Successfully carried out an attack on my own GRUB2 bootloader.

5) The manual was created to help all the disadvantaged in the CIS, where a workplace with authorised access exists at the level of legislation. And mainly for those who want to roll out full-disk encryption without demolishing their already configured systems.

6) Reworked and updated my manual, which is current as of 2020.

[G] Useful documentation

  1. TrueCrypt User Guide (February 2012, RU)
  2. VeraCrypt documentation
  3. /usr/share/doc/cryptsetup(-run) [local resource] (detailed documentation on setting up GNU/Linux encryption with cryptsetup)
  4. Official cryptsetup FAQ (brief documentation on setting up GNU/Linux encryption with cryptsetup)
  5. LUKS device encryption (archlinux documentation)
  6. Detailed description of the cryptsetup syntax (arch man page)
  7. Detailed description of crypttab (arch man page)
  8. Official GRUB2 documentation.

Tags: full disk encryption, partition encryption, Linux full disk encryption, LUKS1 full system encryption.


Source: www.hab.com
