Ntuziaka nke aka emelitere na nzuzo nzuzo zuru oke na RuNet V0.2.
Atụmatụ nke Cowboy:
[A] Windows 7 usoro ngọngọ izo ya ezo nke usoro arụnyere;
[B] GNU/Linux na-egbochi nzuzo nzuzo (Asụsụ Debian) arụnyere usoro (gụnyere / buut);
[C] nhazi GRUB2, nchekwa bootloader na mbinye aka dijitalụ / nkwenye / hashing;
[D] iwepụ—mbibi nke data ezoro ezo;
[E] ndabere ụwa nke OS ezoro ezo;
[F] ọgụ <na ihe [C6]> ebumnuche - GRUB2 bootloader;
[G] akwụkwọ na-enyere aka.
╭─── Atụmatụ nke # ime ụlọ 40 # :
├──╼ Windows 7 arụnyere - ezoro ezo sistemu zuru oke, ọ bụghị ezoro ezo;
├──╼ GNU/Linux arụnyere (nkesa Debian na ewepụtara ya) - ezoro ezo sistemu zuru oke, ọ bụghị ezoro ezo(/, gụnyere / buut; gbanwee);
├──╼ bootloader onwe ya: VeraCrypt bootloader arụnyere na MBR, GRUB2 bootloader arụnyere na nkebi gbatịrị;
├──╼ Enweghị nrụnye/nwụnye OS achọrọ;
└──╼cryptographic ngwanrọ eji: VeraCrypt; cryptsetup; GnuPG; Ịnyịnya mmiri; Hashdeep; GRUB2 bụ n'efu/efu.
Atụmatụ dị n'elu na-edozi nsogbu nke "boot na draịva flash", na-enye gị ohere ịnụ ụtọ OS Windows/Linux ezoro ezo ma gbanwee data site na "ọwa ezoro ezo" site na otu OS gaa na nke ọzọ.
Usoro buut PC (otu n'ime nhọrọ):
- na-atụgharị igwe;
- na-ebu VeraCrypt bootloader (itinye paswọọdụ ziri ezi ga-aga n'ihu na-ebuba Windows 7);
- ịpị igodo "Esc" ga-ebu ibu GRUB2 bootloader;
- GRUB2 bootloader (họrọ nkesa/GNU/Linux/CLI), ga-achọ nyocha nke GRUB2 superuser <nbanye/password>;
- mgbe nyochachara nke ọma na nhọrọ nke nkesa, ị ga-achọ itinye paswọọdụ iji kpọghee "/boot/initrd.img";
- mgbe itinyechara okwuntughe na-enweghị njehie, GRUB2 ga-achọ "nbanye paswọọdụ". (Nke atọ, paswọọdụ BIOS ma ọ bụ GNU/Linux paswọọdụ akaụntụ onye ọrụ - echela ya) imeghe ma buo GNU/Linux OS, ma ọ bụ dochie igodo nzuzo na akpaaka (okwuntughe abụọ + igodo, ma ọ bụ okwuntughe + igodo);
- ntinye nke mpụga n'ime nhazi GRUB2 ga-eme ka usoro buut GNU/Linux kwụsị.
na-enye nsogbu? Ọ dị mma, ka anyị gaa megharịa usoro ahụ.
Mgbe ị na-ekewa draịvụ ike (MBR okpokoro) PC enweghị ike ịnwe ihe karịrị 4 isi nkebi, ma ọ bụ 3 isi na otu gbatịrị, yana mpaghara a na-ekenyeghị. Akụkụ gbatịrị agbatị, n'adịghị ka nke bụ isi, nwere ike ịnwe mpaghara mpaghara draịva ezi uche dị na ya = nkebi gbatịrị agbatị). N'ikwu ya n'ụzọ ọzọ, "nkebi agbatịkwuru" na HDD nọchiri LVM maka ọrụ dị n'aka: izo ya ezo sistemu zuru oke. Ọ bụrụ na ekewa diski gị na akụkụ anọ nke isi, ịkwesịrị iji lvm, ma ọ bụ gbanwee (ya na nhazi) ngalaba site na isi ruo na elu, ma ọ bụ jiri amamihe jiri akụkụ anọ niile wee hapụ ihe niile dị ka ọ dị, nweta nsonaazụ achọrọ. Ọbụlagodi na ị nwere otu akụkụ na diski gị, Gparted ga-enyere gị aka ikewa HDD gị (maka akụkụ ndị ọzọ) na-enweghị data ọnwụ, ma ka na a obere ntaramahụhụ maka ndị dị otú ahụ omume.
Atụmatụ nhazi draịva siri ike, n'ihe gbasara nke a ga-ekwu okwu niile, ka e gosipụtara na tebụl dị n'okpuru.
Tebụl (Mba. 1) nke akụkụ 1TB.
I kwesịkwara inwe ihe yiri ya.
sda1 - isi nkebi Nke 1 NTFS (ezoro ezo);
sda2 - akara nrịbama ngalaba;
sda6 - diski ezi uche (o nwere GRUB2 bootloader arụnyere);
sda8 - swap (faịlụ swap ezoro ezo / ọ bụghị mgbe niile);
sda9 - nwalee diski ezi uche;
sda5 - diski ezi uche maka ndị na-achọ ịmata ihe;
sda7 - GNU/Linux OS (ebufere OS na diski ezi uche ezoro ezo);
sda3 - isi nkebi No. 2 na Windows 7 OS (ezoro ezo);
sda4 - isi ngalaba nke 3 (ọ nwere GNU/Linux ezoro ezo, eji maka ndabere/ọ bụghị mgbe niile).
[A] Windows 7 System Block Encryption
A1. VeraCrypt
Budata si , ma ọ bụ site na enyo ụdị nrụnye nke sọftụwia cryptographic VeraCrypt (n'oge mbipụta nke v1.24-Update3, obere VeraCrypt nke nwere ike ibugharị adịghị mma maka izo ya ezo sistemu). Lelee checksum nke ngwanro ebudatara
$ Certutil -hashfile "C:VeraCrypt Setup 1.24.exe" SHA256
ma tulee nsonaazụ ya na CS ezigara na webụsaịtị onye nrụpụta VeraCrypt.
Ọ bụrụ na arụnyere ngwanrọ HashTab, ọ dị mfe karị: RMB (Ntọala VeraCrypt 1.24.exe)-property - hash nchikota faịlụ.
Iji nyochaa mbinye aka mmemme, software na igodo pgp ọha nke onye nrụpụta ga-etinyerịrị na sistemụ ; .
A2. Ịwụnye/na-agba ọsọ VeraCrypt software nwere ikike onye nchịkwa
A3. Ịhọrọ parampat nzuzo nzuzo maka nkebi nọ n'ọrụVeraCrypt – Sistemu – Encrypt sistemu nkebi/ diski – Nkịtị – Encrypt Windows nkebi nkebi – Multiboot – (ịdọ aka ná ntị: "A naghị atụ aro ndị ọrụ na-enweghị ahụmahụ ka ha jiri usoro a" na nke a bụ eziokwu, anyị kwenyere"Ee") - Boot disk ("ee", ọ bụrụgodị na ọ bụghị otú ahụ, ka "ee") - Ọnụ ọgụgụ nke diski sistemụ "2 ma ọ bụ karịa" - Ọtụtụ sistemụ na otu diski "Ee" - ihe na-ebu ibu na-abụghị Windows "Mba" (n'ezie, "Ee," mana VeraCrypt/GRUB2 bootloaders agaghị ekerịta MBR n'etiti onwe ha; karịa nke ọma, ọ bụ naanị akụkụ kacha nta nke koodu bootloader ka echekwara na MBR/boot track, isi akụkụ ya bụ. dị n'ime sistemụ faịlụ) - Multiboot - ntọala nzuzo…
Ọ bụrụ na ị pụọ na usoro ndị a dị n'elu (igbochi usoro nzuzo nzuzo), mgbe ahụ VeraCrypt ga-enye ịdọ aka ná ntị na ọ gaghị ekwe ka izochi nkebi ahụ.
Na nzọụkwụ na-esote maka nchekwa data ezubere iche, mee “Nnwale” wee họrọ algọridim nzuzo. Ọ bụrụ na ị nwere CPU emechiela, mgbe ahụ o yikarịrị ka algọridim nzuzo kachasị ọsọ ga-abụ Twofish. Ọ bụrụ na CPU dị ike, ị ga-ahụ ihe dị iche: AES izo ya ezo, dị ka ule nyocha, ga-adị ọtụtụ ugboro ngwa ngwa karịa ndị asọmpi crypto ya. AES bụ algọridim nke nzuzo nzuzo na-ewu ewu;
VeraCrypt na-akwado ike izochi diski n'ime oghere AES(Azụ abụọ)/ na ngwakọta ndị ọzọ. Na isi Intel CPU ochie site na afọ iri gara aga (na-enweghị nkwado ngwaike maka AES, A/T cascade encryption) Mbelata arụmọrụ bụ n'ezie enweghị nghọta. (maka AMD CPUs nke otu oge / ~ paramita, arụmọrụ na-ebelata ntakịrị). The OS na-arụ ọrụ dynamically na akụrụngwa oriri maka transperent izo ya ezo bụ-adịghị ahụ anya. N'ụzọ dị iche, dịka ọmụmaatụ, enwere mbelata na arụmọrụ n'ihi arụnyere na-adịghị akwụsi ike ule gburugburu desktọọpụ Mate v1.20.1 (ma ọ bụ v1.20.2 anaghị m echeta nke ọma) na GNU/Linux, ma ọ bụ n'ihi arụ ọrụ nke telemetry na Windows7↑. Ọ na-adịkarị, ndị ọrụ nwere ahụmahụ na-eme ule arụmọrụ ngwaike tupu izo ya ezo. Dịka ọmụmaatụ, na Aida64/Sysbench/systemd-analyze ụta atụnyere nsonaazụ nke otu ule ahụ mgbe izochichara sistemụ ahụ, si otú a na-agbagha akụkọ ifo n'onwe ha na "izo ya ezo sistemu na-emerụ ahụ." Mbelata nke igwe na ihe na-adịghị mma bụ nke a na-ahụ anya mgbe ị na-akwado nkwado / weghachite data ezoro ezo, n'ihi na arụ ọrụ "usoro ndabere data" n'onwe ya adịghị atụle na ms, na ndị ahụ <decrypt/encrypt on the fly> na-agbakwunyere. N'ikpeazụ, onye ọrụ ọ bụla a na-ahapụ ka o jiri cryptography tinker na-edozi algọridim nzuzo megide afọ ojuju nke ọrụ ndị dị n'aka, ọkwa ha nke paranoia, na ịdị mfe iji.
Ọ ka mma ịhapụ paramita PIM dị ka ndabara, nke mere na mgbe ị na-ebu OS, ịkwesighi itinye ụkpụrụ iteration ziri ezi oge ọ bụla. VeraCrypt na-eji ọnụ ọgụgụ dị ukwuu nke iterations iji mepụta "hash dị nwayọọ". Mwakpo a na-ebuso ụdị "crypto snail" dị otú ahụ site na iji usoro tebụl Brute Force/ egwurugwu na-eme ka ọ bụrụ ihe ezi uche dị na ya nanị site na iji okwuntughe dị mkpirikpi "dị mfe" yana ndepụta charset nke onye ahụ metụtara. Ọnụ ego ị ga-akwụ maka ike okwuntughe bụ igbu oge na itinye paswọọdụ ziri ezi mgbe ị na-ebu OS. (ịkwalite mpịakọta VeraCrypt na GNU/Linux na-agba ọsọ ngwa ngwa).
Akụrụngwa efu maka mmejuputa mwakpo ike ọjọọ (wepụ passphrase site na isi okwu diski VeraCrypt/LUKS) Hashcat. John the Ripper amaghị otú e si "gbajie Veracrypt", na mgbe ya na LUKS na-arụ ọrụ anaghị aghọta cryptography Twofish.
N'ihi ike cryptographic nke algọridim nzuzo, cypherpunks enweghị nkwụsị na-emepụta ngwanrọ nwere vector ọgụ dị iche. Dịka ọmụmaatụ, wepụ metadata/ igodo na RAM (oyi buut/mwakpo ohere ebe nchekwa ozugbo), Enwere sọftụwia efu na enweghị n'efu maka ebumnuche ndị a.
Mgbe emechara ịtọlite /ịmepụta "metadata pụrụ iche" nke nkebi na-arụ ọrụ ezoro ezo, VeraCrypt ga-enye ịmalitegharị PC wee nwalee arụmọrụ nke bootloader ya. Mgbe ịmalitegharịa / malite Windows, VeraCrypt ga-ebu na ọnọdụ njikere, ihe fọdụrụ bụ iji kwado usoro nzuzo - Y.
Na njedebe ikpeazụ nke izo ya ezo, VeraCrypt ga-enye ịmepụta ndabere ndabere nke nkụnye eji isi mee nke ngalaba ezoro ezo n'ụdị "veracrypt nnapụta disk.iso" - nke a ga-emerịrị - na ngwanrọ a, ọrụ dị otú ahụ bụ ihe achọrọ (na LUKS, dị ka ihe a chọrọ - nke a dị mwute ikwu na ewepụrụ, ma e mesiri ya ike na akwụkwọ). Diski nnapụta ga-abara onye ọ bụla aka, yana ụfọdụ ihe karịrị otu ugboro. Ọnwụ (nkụnye isi/MBR degharịa) Ntugharị ndabere nke nkụnye eji isi mee ga-agọnarị ohere ịnweta nkebi decrypted na OS Windows kpamkpam.
A4. Ịmepụta VeraCrypt nchekwa USB/ diskiSite na ndabara, VeraCrypt na-enye ọkụ "~ 2-3MB nke metadata" na CD, mana ọ bụghị mmadụ niile nwere diski ma ọ bụ draịva DWD-ROM, na ịmepụta draịva bootable "VeraCrypt Rescue disk" ga-abụ ihe ijuanya maka ụfọdụ: Rufus / GUIdd-ROSA ImageWriter na sọftụwia ndị ọzọ yiri ya agaghị enwe ike ịnagide ọrụ ahụ, n'ihi na na mgbakwunye na i copyomi metadata defet na draịvụ draịva bootable, ịkwesịrị idetuo / mado onyonyo na mpụga sistemụ faịlụ nke draịvụ USB. , na nkenke, detuo nke ọma MBR/okporo ụzọ gaa keychain. Ị nwere ike ịmepụta draịva bootable site na GNU/Linux OS site na iji ọrụ "dd", na-elele akara a.
Ịmepụta diski nnapụta na gburugburu Windows dị iche. Onye nrụpụta VeraCrypt etinyeghị ihe ngwọta maka nsogbu a na gọọmentị site na “discue disk”, mana tụpụtara azịza n'ụzọ dị iche: o biputere sọftụwia ọzọ maka imepụta “ diski nnapụta USB” maka ịnweta n'efu na ọgbakọ VeraCrypt ya. Onye na-edebe ihe ndekọ nke sọftụwia a maka Windows na-emepụta diski nnapụta usb veracrypt. Mgbe ịchekwaa nnapụta disk.iso, usoro nke igbochi usoro nzuzo nke akụkụ nọ n'ọrụ ga-amalite. N'oge ezoro ezo, ọrụ nke OS anaghị akwụsị; Mgbe arụchara ọrụ ezoro ezo, nkebi na-arụ ọrụ na-aghọ nke zuru oke ma nwee ike iji ya. Ọ bụrụ na VeraCrypt boot loader egosighi mgbe ịmalitere PC, na ọrụ mgbake nkụnye eji isi mee anaghị enyere aka, wee lelee ọkọlọtọ "boot", ọ ga-edobe ya na nkebi ebe Windows dị. (n'agbanyeghị ezoro ezo na OS ndị ọzọ, lee tebụl No. 1).
Nke a na-emecha nkọwa nke ngọngọ usoro ezoro ezo na Windows OS.
[B]LUKS. GNU/Linux izo ya ezo (~Debian) arụnyere OS. Algorithm na Nzọụkwụ
Iji zoo nkesa Debian/devative arụnyere, ịkwesịrị ịdepụta nkebi a akwadoro na ngwaọrụ ngọngọ mebere, bufee ya na diski GNU/Linux nke nkewapụtara, wee wụnye/hazie GRUB2. Ọ bụrụ na ịnweghị ihe nkesa igwe efu, ma jiri oge gị kpọrọ ihe, mgbe ahụ ịkwesịrị iji GUI, na ọtụtụ n'ime iwu njedebe akọwapụtara n'okpuru bụ ka a ga-agba ọsọ na "Chuck-Norris mode".
B1. Na-ebuli PC site na usb GNU/Linux dị ndụ
"Mee ule crypto maka ịrụ ọrụ ngwaike"
lscpu && сryptsetup benchmark
Ọ bụrụ na ị bụ onye nwe obi ụtọ nke ụgbọ ala dị ike na nkwado ngwaike AES, mgbe ahụ, ọnụọgụgụ ga-adị ka akụkụ aka nri nke ọnụ ọnụ ma ọ bụrụ na ị bụ onye nwe obi ụtọ, ma na ngwaike oge ochie, ọnụọgụ ga-adị ka akụkụ aka ekpe .
B2. Nkewa diski. arịọnụ/ịhazi fs ezi uche diski HDD ka Ext4 (Gparted)
B2.1. Ịmepụta nkụnye eji isi mee akụkụ sda7 ezoro ezoM ga-akọwa aha nke partitions, ebe a na n'ihu, dị ka m nkebi table ezigara n'elu. Dị ka nhazi diski gị si dị, ị ga-eji dochie aha nkebi gị.
Maapụ nzuzo nzuzo mbanye (/dev/sda7> /dev/mapper/sda7_crypt).
# Mfe imepụta nkebi "LUKS-AES-XTS"
cryptsetup -v -y luksFormat /dev/sda7Nhọrọ:
* luksFormat - mmalite nke nkụnye eji isi mee LUKS;
* -y -passphrase (ọ bụghị igodo / faịlụ);
* -v - verbalization (igosi ozi na ọnụ);
* / dev/sda7 - diski ezi uche gị sitere na nkebi agbatịkwuru (ebe a na-eme atụmatụ ịnyefe / encrypt GNU / Linux).
Algọridim nzuzo nzuzo <LUKS1: aes-xts-plain64, Igodo: 256 bits, LUKS nkụnye eji isi mee hashing: sha256, RNG: /dev/urandom> (dabere na ụdị cryptsetup).
#Проверка default-алгоритма шифрования
cryptsetup --help #самая последняя строка в выводе терминала.Ọ bụrụ na enweghị nkwado ngwaike maka AES na CPU, nhọrọ kacha mma ga-abụ ịmepụta “LUKS-Twofish-XTS-partition” gbatịrị agbatị.
B2.2. Ihe okike dị elu nke "LUKS-Twofish-XTS-nkebi"
cryptsetup luksFormat /dev/sda7 -v -y -c twofish-xts-plain64 -s 512 -h sha512 -i 1500 --use-urandom
Nhọrọ:
* luksFormat - mmalite nke nkụnye eji isi mee LUKS;
* / dev/sda7 bụ diski ezi uche ezoro ezo gị n'ọdịnihu;
* -v ikwu okwu;
* -y ngafe okwu;
* -c họrọ algorithm nzuzo nzuzo;
* -s nha igodo ezoro ezo;
* -h hashing algọridim / ọrụ crypto, RNG ejiri (--eji-urandom) iji mepụta igodo nzuzo/decryption pụrụ iche maka nkụnye eji isi mee diski ezi uche, igodo nkụnye eji isi mee nke abụọ (XTS); igodo nna ukwu pụrụ iche echekwara na nkụnye eji isi mee diski ezoro ezo, igodo XTS nke abụọ, metadata niile na usoro ezoro ezo nke na-eji igodo ukwu na igodo XTS nke abụọ, na-ezochi/decrypt data ọ bụla na nkebi ahụ. (ma ewezuga aha ngalaba) echekwara na ~ 3MB na nkebi diski ike ahọpụtara.
* -i iterations na milliseconds, kama "ego" (oge na-egbu oge mgbe ị na-ahazi passphrase na-emetụta nbudata OS na ike cryptographic nke igodo). Iji jikwaa nguzozi nke ike cryptographic, jiri okwuntughe dị mfe dị ka “Russian” ị ga-ebuli uru -(i) jiri okwuntughe dị mgbagwoju anya dị ka “?8dƱob/øfh” uru nwere ike ibelata.
* —-eji-urandom nọmba generator, na-ewepụta igodo na nnu.
Mgbe emechara nkewa ngalaba sda7> sda7_crypt (ọrụ a na-adị ngwa ngwa, ebe ọ bụ na ejiri ~ 3 MB nke metadata na-emepụta isi ezoro ezo na nke ahụ bụ ihe niile), ịkwesịrị ịhazi ma bulie sistemụ faịlụ sda7_crypt.
B2.3. Ntụnyere
cryptsetup open /dev/sda7 sda7_crypt
#выполнение данной команды запрашивает ввод секретной парольной фразы.
nhọrọ:
* mepere - dakọtara na ngalaba "na aha";
* / dev/sda7 - diski ezi uche;
* sda7_crypt - maapụ aha nke a na-eji bulie akụkụ ezoro ezo ma ọ bụ bido ya mgbe akpụkpọ ụkwụ OS.
B2.4. Na-ahazi sistemụ faịlụ sda7_crypt ka ọ bụrụ ext4. Ịwụnye diski na OS(Rịba ama: ịgaghị enwe ike iji akụkụ ezoro ezo rụọ ọrụ na Gparted)
#форматирование блочного шифрованного устройства
mkfs.ext4 -v -L DebSHIFR /dev/mapper/sda7_crypt
nhọrọ:
* -v -okwu ọnụ;
* -L - akara mbanye (nke egosiri na Explorer n'etiti draịva ndị ọzọ).
Na-esote, ị ga-ebugo ngwaọrụ mgbochi ezoro ezo / dev/sda7_crypt na sistemụ
mount /dev/mapper/sda7_crypt /mntIji faịlụ rụọ ọrụ na nchekwa /mnt ga-ezochi/decrypt data na sda7 ozugbo.
Ọ dị mma karịa maapụ ma bulie nkebi ahụ na Explorer (nautilus/caja GUI), nkebi ahụ ga-adịrịrị na listi nhọrọ diski, naanị ihe fọdụrụ bụ itinye passphrase ka imepe / decrypt diski ahụ. A ga-ahọrọ aha dabara na ya na-akpaghị aka ma ọ bụghị "sda7_crypt", mana ihe dị ka /dev/mapper/Luks-xx-xx...
B2.5. Ndabere isi diski (~ metadata ~ 3MB)Otu n'ime ihe ndị kachasị mkpa arụmọrụ kwesịrị ime n'egbughị oge - ndabere ndabere nke nkụnye eji isi mee "sda7_crypt". Ọ bụrụ na ị degharịa/ mebie nkụnye eji isi mee (dịka ọmụmaatụ, ịwụnye GRUB2 na akụkụ sda7, wdg.), data ezoro ezo ga-efunahụ kpamkpam n'enweghị ohere ọ bụla ị nwetaghachi ya, n'ihi na ọ gaghị ekwe omume ịmegharị igodo ndị ahụ n'ụzọ pụrụ iche.
#Бэкап заголовка раздела
cryptsetup luksHeaderBackup --header-backup-file ~/Бэкап_DebSHIFR /dev/sda7
#Восстановление заголовка раздела
cryptsetup luksHeaderRestore --header-backup-file <file> <device>
nhọrọ:
* luksHeaderBackup — nkụnye eji isi mee-backup-file -ndabere iwu;
* luksHeaderRestore —header-backup-file -weghachi iwu;
* ~/ Backup_DebSHIFR - faịlụ ndabere;
* / dev/sda7 - nkebi nke ezoro ezo nke isi ihe ndabere diski ga-echekwa ya.
Na nzọụkwụ a <ịmepụta na dezie akụkụ ezoro ezo> agwụla.
B3. Na-ebubata GNU/Linux OS (sda4) gaa na nkebi ezoro ezo (sda7)
Mepụta folda /mnt2 (Rịba ama - anyị ka na-arụ ọrụ na usb dị ndụ, sda7_crypt na-agbanye na /mnt), ma bulie GNU/Linux anyị na /mnt2, nke ekwesịrị ezoro ezo.
mkdir /mnt2
mount /dev/sda4 /mnt2
Anyị na-ebufe OS ziri ezi site na iji ngwanrọ Rsync
rsync -avlxhHX --progress /mnt2/ /mntA kọwara nhọrọ Rsync na paragraf E1.
Ọzọkwa, dị mkpa defragment a ezi uche disk nkebi
e4defrag -c /mnt/ #после проверки, e4defrag выдаст, что степень дефрагментации раздела~"0", это заблуждение, которое может вам стоить существенной потери производительности!
e4defrag /mnt/ #проводим дефрагментацию шифрованной GNU/Linux
Mee ya iwu: mee e4defrag na GNU/Linux ezoro ezo site n'oge ruo n'oge ma ọ bụrụ na ị nwere HDD.
Nyefe na mmekọrịta [GNU/Linux> GNU/Linux-ezoro ezo] na-emecha na usoro a.
NA 4. Ịtọlite GNU/Linux na akụkụ sda7 ezoro ezo
Mgbe ebufe OS / dev / sda4> / dev/sda7 nke ọma, ịkwesịrị ịbanye na GNU/Linux na nkebi ezoro ezo wee mee nhazi ọzọ. (na-enweghị reboot PC) gbasara usoro ezoro ezo. Ya bụ, nọrọ na usb dị ndụ, mana mebie iwu "ihe metụtara mgbọrọgwụ nke OS ezoro ezo." "chroot" ga-eme ka ọnọdụ yiri ya. Iji nweta ozi ngwa ngwa nke OS ị na-arụ ọrụ ugbu a (ezoro ezo ma ọ bụ na ọ bụghị, ebe ọ bụ na emekọrịtara data dị na sda4 na sda7), mebie OS. Mepụta na ndekọ ndekọ aha (sda4/sda7_crypt) faịlụ akara efu, dịka ọmụmaatụ, /mnt/encryptedOS na /mnt2/decryptedOS. Lelee ngwa ngwa OS ị nọ na ya (gụnyere maka ọdịnihu):
ls /<Tab-Tab>B4.1. "Ntugharị nke ịbanye n'ime OS ezoro ezo"
mount --bind /dev /mnt/dev
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
chroot /mnt
B4.2. Nyochaa na arụrụ ọrụ ahụ megide sistemu ezoro ezo
ls /mnt<Tab-Tab>
#и видим файл "/шифрованнаяОС"
history
#в выводе терминала должна появиться история команд su рабочей ОС.B4.3. Ịmepụta/ịhazi swap ezoro ezo, na-edezi crypttab/fstabEbe ọ bụ na a na-ahazi faịlụ swap ahụ oge ọ bụla OS malitere, ọ dịghị ezi uche ịmepụta na maapụ gbanwee na diski ezi uche ugbu a, ma pịnye iwu dịka na paragraf B2.2. Maka Swap, igodo nzuzo nwa oge ga-ewepụta ya na-akpaghị aka na mmalite ọ bụla. Usoro ndụ nke igodo mgbanwe: nkebi na-ebuli/na-ebuli swap (+ RAM dị ọcha); ma ọ bụ malitegharịa OS. Ịtọlite swap, imepe faịlụ maka nhazi nke ngọngọ ngwaọrụ ezoro ezo (n'otu aka ahụ na faịlụ fstab, mana ọ bụ maka crypto).
nano /etc/crypttab anyị dezie
#"aha ebumnuche" "ngwaọrụ isi mmalite" "faịlụ igodo" "nhọrọ"
swap /dev/sda8 /dev/urandom swap,cipher=twofish-xts-plain64,size=512,hash=sha512
Nhọrọ
* swap - aha mapụtara mgbe ị na-ezochi /dev/mapper/swap.
* /dev/sda8 - jiri nkebi ezi uche dị na ya mee mgbanwe.
* / dev/urandom - onye na-emepụta igodo nzuzo nzuzo maka swap (na akpụkpọ ụkwụ OS ọ bụla, a na-emepụta igodo ọhụrụ). The / dev/urandom generator bụ obere random karịa / dev/random, mgbe niile / dev / random na-eji mgbe na-arụ ọrụ na ize ndụ paranoid ọnọdụ. Mgbe ị na-ebunye OS, / dev/random na-ebelata nbudata ahụ ruo ọtụtụ ± nkeji (lee usoro nyocha-nyochaa).
* swap,cipher=twofish-xts-plain64,size=512,hash=sha512: -nkebi mara na ọ bụ swap na a haziri ya “dị ka”; algọridim nzuzo.
#Открываем и правим fstab
nano /etc/fstab
anyị dezie
# swap dị / dev / sda8 n'oge nrụnye
/dev/mapper/swap ọ dịghị swap sw 0 0
/dev/mapper/swap bụ aha edobere na crypttab.
Nhọrọ ezoro ezo ọzọ
Ọ bụrụ n'ihi ihe ụfọdụ ị chọghị ịhapụ akụkụ dum maka faịlụ swap, ị nwere ike ịga n'ụzọ ọzọ na nke ka mma: ịmepụta faịlụ swap na faịlụ na nkebi ezoro ezo na OS.
fallocate -l 3G /swap #создание файла размером 3Гб (почти мгновенная операция)
chmod 600 /swap #настройка прав
mkswap /swap #из файла создаём файл подкачки
swapon /swap #включаем наш swap
free -m #проверяем, что файл подкачки активирован и работает
printf "/swap none swap sw 0 0" >> /etc/fstab #при необходимости после перезагрузки swap будет постоянныйNhazi nkebi ngbanwe agwụla.
B4.4. Ịtọlite GNU/Linux ezoro ezo (na-edezi faịlụ crypttab/fstab)Faịlụ /etc/crypttab, dị ka edere n'elu, na-akọwa ngwaọrụ ngọngọ ezoro ezo nke ahaziri n'oge buut sistemụ.
#правим /etc/crypttab
nano /etc/crypttab
Ọ bụrụ na ị dabara na ngalaba sda7> sda7_crypt dị na paragraf B2.1
# "aha ebumnuche" "ngwaọrụ isi mmalite" "faịlụ igodo" "nhọrọ"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 none luks
Ọ bụrụ na ị dabara na ngalaba sda7> sda7_crypt dị na paragraf B2.2
# "aha ebumnuche" "ngwaọrụ isi mmalite" "faịlụ igodo" "nhọrọ"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 none cipher=twofish-xts-plain64,size=512,hash=sha512
Ọ bụrụ na ị dakọtara na sda7> sda7_crypt ngalaba dị na paragraf B2.1 ma ọ bụ B2.2, mana achọghị ịbanye paswọọdụ iji kpọghee ma buo OS, yabụ kama paswọọdụ ị nwere ike dochie igodo nzuzo / faịlụ random.
# "aha ebumnuche" "ngwaọrụ isi mmalite" "faịlụ igodo" "nhọrọ"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 /etc/skey luks
Nkowasi
* Ọ dịghị onye - na-akọ na mgbe ị na-ebu OS, a chọrọ ịbanye passphrase nzuzo iji kpọghee mgbọrọgwụ.
* UUID - njirimara nkebi. Iji chọpụta ID gị, pịnye n'ọnụ ọnụ (chetara na site n'oge a gaa n'ihu, ị na-arụ ọrụ na njedebe na gburugburu chroot, ọ bụghị na ọdụ USB ọzọ dị ndụ).
fdisk -l #проверка всех разделов
blkid #должно быть что-то подобное
/dev/sda7: UUID=«81048598-5bb9-4a53-af92-f3f9e709e2f2» TYPE=«crypto_LUKS» PARTUUID=«0332d73c-07»
/dev/mapper/sda7_crypt: LABEL=«DebSHIFR» UUID=«382111a2-f993-403c-aa2e-292b5eac4780» TYPE=«ext4»
A na-ahụ ahịrị a mgbe ị na-arịọ blkid site na ọdụ USB dị ndụ nwere sda7_crypt mounted).
Ị na-ewere UUID na sdaX gị (ọ bụghị sdaX_crypt!, UUID sdaX_crypt - ga-ahapụ ya ozugbo mgbe ị na-emepụta nhazi grub.cfg).
* cipher = twofish-xts-plain64,size=512,hash=sha512 -luks izo ya ezo na ọnọdụ dị elu.
* /etc/skey - faịlụ igodo nzuzo, nke etinyere na akpaghị aka iji kpọghee buut OS (kama itinye paswọọdụ nke atọ). Ị nwere ike ịkọwa faịlụ ọ bụla ruru 8MB, mana data a ga-agụ <1MB.
#Создание "генерация" случайного файла <секретного ключа> размером 691б.
head -c 691 /dev/urandom > /etc/skey
#Добавление секретного ключа (691б) в 7-й слот заголовка luks
cryptsetup luksAddKey --key-slot 7 /dev/sda7 /etc/skey#Проверка слотов "пароли/ключи luks-раздела"
cryptsetup luksDump /dev/sda7
Ọ ga-adị ka nke a:
(mee ya n'onwe gị wee hụ onwe gị).
cryptsetup luksKillSlot /dev/sda7 7 #удаление ключа/пароля из 7 слота/etc/fstab nwere ozi nkọwa gbasara sistemụ faịlụ dị iche iche.
#Правим /etc/fstab
nano /etc/fstab
# "Sistemụ faịlụ" "ntụgharị ugwu" "ụdị" "nhọrọ" "tupu" "gafe"
# / nọ na / dev / sda7 n'oge echichi
/dev/mapper/sda7_crypt / ext4 errors=remount-ro 0 1
nhọrọ
* /dev/mapper/sda7_crypt - aha nke sda7>sda7_crypt mapping, nke akọwapụtara na faịlụ /etc/crypttab.
Ntọala crypttab/fstab ezuola.
B4.5. Na-edezi faịlụ nhazi. Oge igodoB4.5.1. Na-edezi config /etc/initramfs-tools/conf.d/resume
#Если у вас ранее был активирован swap раздел, отключите его.
nano /etc/initramfs-tools/conf.d/resume
ma kwuo okwu (ọ bụrụ na ọ dị) "#" ahịrị "resume". Faịlụ ga-abụ nke tọgbọ chakoo.
B4.5.2. Na-edezi nhazi /etc/initramfs-tools/conf.d/cryptsetup
nano /etc/initramfs-tools/conf.d/cryptsetupkwesịrị dakọtara
# /etc/initramfs-tools/conf.d/cryptsetup
CRYPTSETUP=ee
mbupụ CRYPTSETUP
B4.5.3. Na-edezi /etc/default/grub config (Nhazi a bụ maka ikike ịmepụta grub.cfg mgbe ị na-arụ ọrụ ezoro ezo / buut)
nano /etc/default/grub
tinye ahịrị "GRUB_ENABLE_CRYPTODISK=y"
uru 'y', grub-mkconfig na grub-install ga-elele maka draịva ezoro ezo wee mepụta iwu ndị ọzọ achọrọ iji nweta ha n'oge buut. (insmods ).
a ga-enwe myiri
GRUB_DEFAULT = 0
GRUB_TIMEOUT = 1
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || okwu Debian'
GRUB_CMDLINE_LINUX_DEFAULT = "acpi_backlight=onye na-ere"
GRUB_CMDLINE_LINUX = "dị jụụ splash noautomount"
GRUB_ENABLE_CRYPTODISK=y
B4.5.4. Na-edezi config /etc/cryptsetup-initramfs/conf-hook
nano /etc/cryptsetup-initramfs/conf-hook
lelee na ahịrị kwuru <#>.
N’ọdịnihu (na ọbụlagodi ugbu a, oke a agaghị enwe ihe ọ pụtara, mana mgbe ụfọdụ ọ na-egbochi imelite onyonyo initrd.img).
B4.5.5. Na-edezi config /etc/cryptsetup-initramfs/conf-hook
nano /etc/cryptsetup-initramfs/conf-hooktinye
KEYFILE_PATTERN=”/etc/skey”
UMASK=0077
Nke a ga-ebuba igodo nzuzo "skey" n'ime initrd.img, igodo dị mkpa iji kpọghee mgbọrọgwụ mgbe akpụkpọ ụkwụ OS. (ọ bụrụ na ịchọghị itinye paswọọdụ ọzọ, a na-anọchi igodo "skey" maka ụgbọ ala).
B4.6. Mmelite /boot/initrd.img [ụdị]Ka ịkwanye igodo nzuzo n'ime initrd.img ma tinye ndozi cryptsetup, melite onyonyo a
update-initramfs -u -k all
mgbe ị na-emelite initrd.img (dị ka ha na-ekwu "Ọ ga-ekwe omume, mana ọ bụghị nke doro anya") ịdọ aka ná ntị metụtara cryptsetup ga-apụta, ma ọ bụ, dịka ọmụmaatụ, ngosi banyere mfu nke modul Nvidia - nke a bụ ihe nkịtị. Mgbe emelitechara faịlụ ahụ, lelee na emelitere ya n'ezie, hụ oge (ihe metụtara gburugburu chroot./boot/initrd.img). Ịkpachara anya tupu [update-initramfs -u -k all] jide n'aka na ị ga-elele na cryptsetup mepere / dev/sda7 sda7_crypt - nke a bụ aha na-egosi na /etc/crypttab, ma ọ bụghị mgbe reboot, a ga-enwe a busybox njehie)
Na nzọụkwụ a, ịtọlite faịlụ nhazi zuru ezu.
[C] Ịwụnye na ịhazi GRUB2/Nchekwa
C1. Ọ bụrụ na ọ dị mkpa, hazie nkebi raara onwe ya nye maka bootloader (nkebi chọrọ opekata mpe 20MB)
mkfs.ext4 -v -L GRUB2 /dev/sda6C2. Ugwu /dev/sda6 ruo /mntYa mere, anyị na-arụ ọrụ na chroot, mgbe ahụ, a gaghị enwe / mnt2 ndekọ na mgbọrọgwụ, na / mnt nchekwa ga-abụ ihe efu.
bulie akụkụ GRUB2
mount /dev/sda6 /mntỌ bụrụ na ị nwere ụdị ochie nke GRUB2 arụnyere, na /mnt/boot/grub/i-386-pc directory. (Ikpo okwu ndị ọzọ ga-ekwe omume, dịka ọmụmaatụ, ọ bụghị "i386-pc") enweghị modul crypto (na nkenke, nchekwa ahụ kwesịrị ịnwe modul, gụnyere .mod ndị a: cryptodisk; luks; gcry_twofish; gcry_sha512; signature_test.mod), N'okwu a, GRUB2 kwesịrị ịma jijiji.
apt-get update
apt-get install grub2
Ihe dị mkpa! Mgbe ị na-emelite ngwugwu GRUB2 site na ebe nchekwa, mgbe a jụrụ ya "banyere ịhọrọ" ebe ị ga-etinye bootloader, ị ga-ajụ nrụnye ahụ. (ihe kpatara - nwaa ịwụnye GRUB2 - na "MBR" ma ọ bụ na usb dị ndụ). Ma ọ bụghị ya, ị ga-emebi nkụnye eji isi mee/loader VeraCrypt. Mgbe emelitechara ngwugwu GRUB2 wee kagbuo nrụnye, a ga-etinyerịrị bootloader na aka na diski ezi uche, ọ bụghị na MBR. Ọ bụrụ na ebe nchekwa gị nwere ụdị GRUB2 emechiela, nwaa o sitere na webụsaịtị gọọmentị - enyochabeghị ya (jiri ndị GRUB 2.02 ~BetaX bootloaders rụọ ọrụ).
C3. Ịwụnye GRUB2 n'ime akụkụ agbatịkwu [sda6]Ị ga-enwerịrị nkebi etinyegoro [ihe C.2]
grub-install --force --root-directory=/mnt /dev/sda6
nhọrọ
* —force - ntinye nke bootloader, na-agafe ịdọ aka ná ntị niile na-adịkarị adị ma gbochie nrụnye (ọkọlọtọ achọrọ).
* --mgbọrọgwụ-akwụkwọ ndekọ aha - ndekọ ndekọ ruo mgbọrọgwụ nke sda6.
* / dev/sda6 - nkebi sdaХ gị ( echefula <ohere> n'etiti /mnt /dev/sda6).
C4. Ịmepụta faịlụ nhazi [grub.cfg]Chezọ maka iwu “update-grub2” wee jiri iwu ọgbọ faịlụ nhazi zuru oke
grub-mkconfig -o /mnt/boot/grub/grub.cfg
Mgbe emechara ọgbọ / imelite faịlụ grub.cfg, njedebe mmepụta kwesịrị ịnwe ahịrị (s) na OS achọtara na diski. ("grub-mkconfig" nwere ike ịchọta ma bulie OS site na usb dị ndụ, ọ bụrụ na ị nwere draịva multiboot na Windows 10 na ụyọkọ nkesa ndụ - nke a bụ ihe nkịtị). Ọ bụrụ na ọnụ ala ahụ bụ "efu" na faịlụ "grub.cfg" adịghị emepụta, mgbe ahụ nke a bụ otu ikpe ahụ mgbe enwere ahụhụ GRUB na sistemụ. (ma yikarịrị ka onye na-ebu ibu sitere na ngalaba nnwale nke ebe nchekwa), tinyegharịa GRUB2 site na isi mmalite ntụkwasị obi.
Nhazi "dị mfe" na nhazi GRUB2 ezuola.
C5. Nnwale nke GNU/Linux OS ezoro ezoAnyị mezue ọrụ crypto nke ọma. Jiri nlezianya hapụ GNU/Linux ezoro ezo (wepụ gburugburu ebe obibi chroot).
umount -a #размонтирование всех смонтированных разделов шифрованной GNU/Linux
Ctrl+d #выход из среды chroot
umount /mnt/dev
umount /mnt/proc
umount /mnt/sys
umount -a #размонтирование всех смонтированных разделов на live usb
reboot
Mgbe ịmaliteghachi PC, VeraCrypt bootloader kwesịrị ibu.
* Itinye paswọọdụ maka nkebi nọ n'ọrụ ga-amalite itinye Windows.
* Ịpị igodo "Esc" ga-ebufe njikwa na GRUB2, ma ọ bụrụ na ịhọrọ GNU/Linux ezoro ezo - a ga-achọrọ paswọọdụ (sda7_crypt) iji kpọghee /boot/initrd.img (ọ bụrụ grub2 dere uuid" ahụghị" - nke a bụ a nsogbu na grub2 bootloader, a ga-etinyeghachi ya, dịka ọmụmaatụ, site na ngalaba ule/stable wdg).
* Dabere na otu i si hazie sistemụ ahụ (lee paragraf B4.4/4.5), mgbe itinyechara paswọọdụ ziri ezi iji kpọghee onyonyo /boot/initrd.img, ị ga-achọ paswọọdụ iji buo kernel OS, ma ọ bụ ihe nzuzo. a ga-edochichi igodo na-akpaghị aka na "skey", na-ewepụ mkpa ọ dị ịbanye ọzọ passphrase.
(ihuenyo "ngbanwe akpaaka nke igodo nzuzo").
* Mgbe ahụ usoro a maara nke ọma nke itinye GNU/Linux na njirimara akaụntụ onye ọrụ ga-eso.
* Mgbe ikike onye ọrụ wee banye na OS, ịkwesịrị imelite /boot/initrd.img ọzọ (lee B4.6).
update-initramfs -u -k allMa ọ bụrụ na enwere ahịrị ndị ọzọ na menu GRUB2 (nke sitere na OS-m pickup nwere usb dị ndụ) tufuo ha
mount /dev/sda6 /mnt
grub-mkconfig -o /mnt/boot/grub/grub.cfg
Nchịkọta ngwa ngwa nke nzuzo GNU/Linux:
- GNU/Linuxinux ezoro ezo nke ọma, gụnyere /boot/kernel na initrd;
- A na-akwakọba igodo nzuzo na initrd.img;
- atụmatụ ikike ugbu a (itinye paswọọdụ iji kpọghee initrd; paswọọdụ / igodo iji buo OS; paswọọdụ maka inye ikike akaụntụ Linux).
"Mfe GRUB2 Nhazi" nzuzo nke nkebi ngọngọ ezuola.
C6. Nhazi GRUB2 dị elu. Nchedo bootloader nwere mbinye aka dijitalụ + nchedo nyochaGNU/Linux ezoro ezo kpamkpam, mana enweghị ike izobe bootloader - BIOS na-ekpebi ọnọdụ a. N'ihi nke a, akpụkpọ ụkwụ GRUB2 nwere eriri ezoro ezo agaghị ekwe omume, mana akpụkpọ ụkwụ nwere eriri dị mfe ga-ekwe omume / dị, ma site n'echiche nchekwa ọ dịghị mkpa [lee. P.F.
Maka GRUB2 “adịghị ike”, ndị mmepe mebere usoro nchebe bootloader “mbinye aka / nkwenye”.
- Mgbe bootloader na-echebe site na "mbinye aka dijitalụ nke ya," mgbanwe mgbanwe nke faịlụ, ma ọ bụ mgbalị iji buo modul ndị ọzọ na bootloader a, ga-eduga na-egbochi usoro buut.
- Mgbe ị na-echekwa bootloader na nyocha, ka ịhọrọ nbudata nkesa, ma ọ bụ tinye iwu ndị ọzọ na CLI, ị ga-achọ itinye nbanye na paswọọdụ nke superuser-GRUB2.
C6.1. Nchedo nyocha bootloaderLelee na ị na-arụ ọrụ na ọdụ na OS ezoro ezo
ls /<Tab-Tab> #обнаружить файл-маркерmepụta paswọọdụ superuser maka ikike na GRUB2
grub-mkpasswd-pbkdf2 #введите/повторите пароль суперпользователя. Nweta hash paswọọdụ. Ihe dị ka nke a
grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
bulie akụkụ GRUB
mount /dev/sda6 /mnt dezie nhazi
nano -$ /mnt/boot/grub/grub.cfg
lelee faịlụ ọchụchọ na enweghị ọkọlọtọ ebe ọ bụla na "grub.cfg" ("-unrestricted" "-user",
tinye na njedebe (tupu ahịrị ### END /etc/grub.d/41_custom ###)
"set superusers = "mgbọrọgwụ"
password_pbkdf2 mgbọrọgwụ hash."
Ọ kwesịrị ịbụ ihe dị ka nke a
# Faịlụ a na-enye ụzọ dị mfe iji tinye ndenye menu omenala. Naanị pịnye ya
# ndenye menu nke ịchọrọ ịgbakwunye mgbe okwu a gasịrị. Kpachara anya ka ị ghara ịgbanwe
# akara 'exec tail' n'elu.
### Ọgwụgwụ /etc/grub.d/40_custom ###### malite /etc/grub.d/41_custom ###
ọ bụrụ [-f ${config_directory}/custom.cfg]; mgbe ahụ
isi mmalite ${config_directory}/custom.cfg
elif [-z "${config_directory}" -a -f $prefix/custom.cfg ]; mgbe ahụ
isi mmalite $prefix/custom.cfg;
fi
set superusers = "mgbọrọgwụ"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
### Ọgwụgwụ /etc/grub.d/41_custom ###
#
Ọ bụrụ na ị na-ejikarị iwu "grub-mkconfig -o /mnt/boot/grub/grub.cfg" ma achọghị ịme mgbanwe na grub.cfg oge ọ bụla, tinye ahịrị ndị dị n'elu. (Nbanye: Paswọdu) na edemede onye ọrụ GRUB dị na ala
nano /etc/grub.d/41_custom pusi <<EOF
set superusers = "mgbọrọgwụ"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
EOF
Mgbe ị na-emepụta nhazi “grub-mkconfig -o /mnt/boot/grub/grub.cfg”, a ga-agbakwunye ahịrị maka nyocha na grub.cfg na-akpaghị aka.
Nzọụkwụ a mezuru ntọlite nyocha GRUB2.
C6.2. Nchedo bootloader nwere mbinye aka dijitalụA na-eche na ị nwelarị igodo nzuzo pgp nke gị (ma ọ bụ mepụta igodo dị otú ahụ). Sistemu ga-enwerịrị sọftụwia cryptographic arụnyere: gnuPG; kleopatra/GPA; Ịnyịnya mmiri. Akụrụngwa Crypto ga-eme ka ndụ gị dịkwuo mfe n'okwu niile dị otú ahụ. Seahorse - ụdị ngwugwu kwụsiri ike 3.14.0 (ụdị dị elu, dịka ọmụmaatụ, V3.20, nwere ntụpọ ma nwee nnukwu ahụhụ).
Ekwesịrị imepụta igodo PGP / ibipụta / gbakwunye naanị na mpaghara su!
Mepụta igodo nzuzo nkeonwe
gpg - -gen-keyBupụ igodo gị
gpg --export -o ~/perskeyWụnye diski ezi uche dị na OS ma ọ bụrụ na etinyebeghị ya
mount /dev/sda6 /mnt #sda6 – раздел GRUB2hichaa akụkụ GRUB2
rm -rf /mnt/Wụnye GRUB2 na sda6, na-etinye igodo nzuzo gị na isi foto GRUB "core.img"
grub-install --force --modules="gcry_sha256 gcry_sha512 signature_test gcry_dsa gcry_rsa" -k ~/perskey --root-directory=/mnt /dev/sda6
nhọrọ
* - Force - wụnye bootloader, na-agafe ịdọ aka ná ntị niile na-adị mgbe niile (ọkọlọtọ achọrọ).
* —modules = "gcry_sha256 gcry_sha512 signature_test gcry_dsa gcry_rsa" - na-agwa GRUB2 ka ọ buo ụzọ buo modul ndị dị mkpa mgbe PC malitere.
* -k ~/perskey - ụzọ na-aga "PGP igodo" (mgbe i tinyechara igodo n'ime onyonyo a, enwere ike ihichapụ ya).
* --root-directory-dobe ndekọ ndekọ buut na mgbọrọgwụ nke sda6
/ dev/sda6 - akụkụ sdaX gị.
Na-emepụta/imelite grub.cfg
grub-mkconfig -o /mnt/boot/grub/grub.cfgTinye ahịrị "trust /boot/grub/perskey" na njedebe nke faịlụ "grub.cfg" (ike iji pgp igodo.) Ebe anyị tinyere GRUB2 na usoro modulu, gụnyere modul mbinye aka "signature_test.mod", nke a na-ewepụ mkpa itinye iwu dịka "set check_signatures=enforce" na nhazi.
O kwesịrị ịdị ka nke a (akara njedebe na faịlụ grub.cfg)
### malite /etc/grub.d/41_custom ###
ọ bụrụ [-f ${config_directory}/custom.cfg]; mgbe ahụ
isi mmalite ${config_directory}/custom.cfg
elif [-z "${config_directory}" -a -f $prefix/custom.cfg ]; mgbe ahụ
isi mmalite $prefix/custom.cfg;
fi
ntụkwasị obi /boot/grub/perskey
set superusers = "mgbọrọgwụ"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
### Ọgwụgwụ /etc/grub.d/41_custom ###
#
Ụzọ na "/ buut / grub / perskey" adịghị mkpa ka a kọwaa ya na nkebi diski a kapịrị ọnụ, dịka ọmụmaatụ hd0,6; maka bootloader n'onwe ya, "mgbọrọgwụ" bụ ụzọ ndabara nke nkebi nke etinyere GRUB2 (lee set ire ure =...).
Ịbanye GRUB2 (faịlụ niile na akwụkwọ ndekọ aha / GRUB niile) na igodo gị "perskey".
A mfe ngwọta na-esi banye (maka nautilus/caja Explorer): tinye ndọtị nke “seahorse” maka Explorer site na ebe nchekwa. Ekwesịrị ịgbakwunye igodo gị na gburugburu su.
Mepee Explorer na sudo “/mnt/boot” – RMB – akara. Na ihuenyo ọ dị ka nke a
Igodo n'onwe ya bụ "/mnt/boot/grub/perskey" (detuo na ndekọ ndekọ) a ga-ejikwa mbinye aka nke gị binye aka. Lelee na mbinye aka faịlụ [*.sig] na-apụta na ndekọ aha/akwụkwọ ndekọ aha.
Iji usoro akọwara n'elu, bịanye aka na "/ buut" (Kernel anyị, initrd). Ọ bụrụ na oge gị bara ihe ọ bụla, usoro a na-ewepụ mkpa ịde ederede bash ịbanye "ọtụtụ faịlụ."
Ka iwepu mbinye aka bootloader niile (Ọ bụrụ na ihe na-aga nke ọma)
rm -f $(find /mnt/boot/grub -type f -name '*.sig')Ka ị ghara ịbanye na bootloader ka emelitechara sistemu ahụ, anyị na-ewepụ ngwugwu mmelite niile metụtara GRUB2.
apt-mark hold grub-common grub-pc grub-pc-bin grub2 grub2-commonNa nzọụkwụ a <chebe bootloader na mbinye aka dijitalụ> nhazi dị elu nke GRUB2 agwụla.
C6.3. Nnwale nke GRUB2 bootloader, nke mbinye aka dijitalụ na nyocha echekwaraGRUB2. Mgbe ị na-ahọrọ nkesa GNU/Linux ọ bụla ma ọ bụ na-abanye CLI (akara iwu) A ga-achọrọ ikike nke superuser. Mgbe itinyechara aha njirimara/paswọọdụ ziri ezi, ị ga-achọ paswọọdụ initrd
nseta ihuenyo nke nyocha nke ọma nke GRUB2 superuser.
Ọ bụrụ na ị mebie nke ọ bụla n'ime faịlụ GRUB2/ime mgbanwe na grub.cfg, ma ọ bụ hichapụ faịlụ/mbinye aka, ma ọ bụ buo modul.mod ọjọọ, ịdọ aka ná ntị kwekọrọ ga-apụta. GRUB2 ga-akwụsịtụ nbudata.
Nseta ihuenyo, mbọ iji gbochie GRUB2 "sitere n'èzí".
N'oge ịgba ọsọ "nkịtị" na-enweghị mbuso agha, koodu ọpụpụ sistemụ bụ "0". Ya mere, amabeghị ma nchekwa ahụ na-arụ ọrụ ma ọ bụ na ọ bụghị (ya bụ, "na ma ọ bụ na-enweghị bootloader mbinye aka nchedo" n'oge nkịtị loading ọnọdụ bụ otu "0" - nke a dị njọ).
Otu esi elele nchedo mbinye aka dijitalụ?
Ụzọ na-adịghị mma iji lelee: adịgboroja/wepụ modul nke GRUB2 na-eji, dịka ọmụmaatụ, wepụ mbinye aka luks.mod.sig wee nweta njehie.
Ụzọ ziri ezi: gaa na bootloader CLI wee pịnye iwu ahụ
trust_list
Na nzaghachi, ị ga-enweta akara mkpịsị aka "perskey" ma ọ bụrụ na ọkwa ahụ bụ "0," mgbe ahụ nchebe mbinye aka anaghị arụ ọrụ, lelee nkeji abụọ C6.2.
N'ebe a, nhazi dị elu "Chebe GRUB2 na mbinye aka dijitalụ na nyocha" emechaala.
Ụzọ ọzọ nke C7 iji chekwaa GRUB2 bootloader site na iji hashingUsoro "CPU Boot Loader Protection/Authentication" nke akọwara n'elu bụ ihe ama ama. N'ihi ezughị okè nke GRUB2, na ọnọdụ paranoid ọ na-enwe ike ịnweta ezigbo ọgụ, nke m ga-enye n'okpuru ebe a na paragraf [F]. Na mgbakwunye, ka emelitechara OS/kernel, bootloader ga-abanyerịrị aka ọzọ.
Chekwaa bootloader GRUB2 site na iji hashing
Uru dị n'okirikiri:
- Ọkwa dị elu nke ntụkwasị obi (hashing / nkwenye na-ewere ọnọdụ naanị site na akụrụngwa mpaghara ezoro ezo. A na-achịkwa nkebi niile ekenyela n'okpuru GRUB2 maka mgbanwe ọ bụla, yana ihe ọ bụla ọzọ ezoro ezo; na atụmatụ kpochapụrụ na nchekwa CPU loader / Nyocha, naanị faịlụ na-achịkwa, mana ọ bụghị n'efu. oghere, nke enwere ike ịgbakwunye "ihe" ihe ọjọọ).
- Ndekọ ezoro ezo (A na-agbakwunye ndekọ ezoro ezo nke mmadụ nwere ike ịgụ na atụmatụ ahụ).
- Ngwa ọsọ (nchebe / nkwenye nke akụkụ dum ekenyere maka GRUB2 na-eme ihe fọrọ nke nta ka ọ bụrụ ozugbo).
- Akpaaka nke usoro cryptographic niile.
Ọdịmma karịa oge ochie.
- Ụgha nke mbinye aka (n'ụzọ doro anya, ọ ga-ekwe omume ịchọta nkwekọrịta ọrụ hash nyere).
- Ọkwa isi ike na-abawanye (tụnyere kpochapụwo, a chọrọ ntakịrị nkà na GNU/Linux OS).
Kedu ka echiche GRUB2/partition hashing si arụ ọrụ
Nkebi GRUB2 “binyere aka” mgbe akpụkpọ ụkwụ OS, a na-enyocha akụkụ bootloader maka enweghị ike ịgbanwe, wee banye na gburugburu ebe nchekwa (ezoro ezo). Ọ bụrụ na emebie bootloader ma ọ bụ nkebi ya, na mgbakwunye na ndekọ ntinye, a na-ewepụta ihe ndị a:
Ihe.
Ihe nlele yiri nke a na-eme ugboro anọ n'ụbọchị, nke na-adịghị ebu ihe onwunwe sistemụ.
N'iji iwu "-$ check_GRUB", nlele ngwa ngwa na-eme n'oge ọ bụla na-enweghị ndekọ, ma na-eji ozi mmepụta na CLI.
N'iji iwu "-$ sudo signature_GRUB", GRUB2 boot loader/partition na-edebanye aha ozugbo na ndekọ ndekọ ya emelitere. (dị mkpa ka emelite OS / buut), na ndụ na-aga n'ihu.
Mmejuputa usoro hashing maka bootloader na ngalaba ya
0) Ka anyị bịanye aka na GRUB bootloader/partition site na ibu ụzọ tinye ya na /media/aha njirimara
-$ hashdeep -c md5 -r /media/username/GRUB > /podpis.txt1) Anyị na-emepụta edemede na-enweghị ndọtị na mgbọrọgwụ nke OS ~/podpis ezoro ezo, tinye ikike nchekwa 744 dị mkpa na nchebe nzuzu na ya.
Na-ejuputa ọdịnaya ya
#!/bin/bash
#Проверка всего раздела выделенного под загрузчик GRUB2 на неизменность.
#Ведется лог "о вторжении/успешной проверке каталога", короче говоря ведется полный лог с тройной вербализацией. Внимание! обратить взор на пути: хранить ЦП GRUB2 только на зашифрованном разделе OS GNU/Linux.
echo -e "******************************************************************n" >> '/var/log/podpis.txt' && date >> '/var/log/podpis.txt' && hashdeep -vvv -a -k '/podpis.txt' -r '/media/username/GRUB' >> '/var/log/podpis.txt'
a=`tail '/var/log/podpis.txt' | grep failed` #не использовать "cat"!!
b="hashdeep: Audit failed"
#Условие: в случае любых каких-либо изменений в разделе выделенном под GRUB2 к полному логу пишется второй отдельный краткий лог "только о вторжении" и выводится на монитор мигание gif-ки "warning".
if [[ "$a" = "$b" ]]
then
echo -e "****n" >> '/var/log/vtorjenie.txt' && echo "vtorjenie" >> '/var/log/vtorjenie.txt' && date >> '/var/log/vtorjenie.txt' & sudo -u username DISPLAY=:0 eom '/warning.gif'
fiGbaa script si su, A ga-enyocha hashing nke ngalaba GRUB na bootloader ya, chekwaa ndekọ ahụ.
Ka anyị mepụta ma ọ bụ detuo, dịka ọmụmaatụ, "faịlụ ọjọọ" [virus.mod] na nkebi GRUB2 wee mee nyocha nwa oge:
-$ hashdeep -vvv -a -k '/podpis.txt' -r '/media/username/GRUBNdị CLI ga-ahụrịrị mbuso agha nke ụlọ anyị.# Etinyere abanye na CLI
Ср янв 2 11::41 MSK 2020
/media/username/GRUB/boot/grub/virus.mod: Moved from /media/username/GRUB/1nononoshifr
/media/username/GRUB/boot/grub/i386-pc/mda_text.mod: Ok
/media/username/GRUB/boot/grub/grub.cfg: Ok
hashdeep: Audit failed
Input files examined: 0
Known files expecting: 0
Files matched: 325
Files partially matched: 0
Files moved: 1
New files found: 0
Known files not found: 0
# Dịka ị na-ahụ, "faịlụ ebugharị: 1 na Audit dara" pụtara, nke pụtara na nlele ahụ dara.
N'ihi ọdịdị nke nkebi a na-anwale, kama "Fịlụ ọhụrụ achọtara"> "Faịlụ ebugharị"
2) Tinye gif ebe a > ~/warning.gif, tọọ ikike na 744.
3) Na-ahazi fstab iji bulie akụkụ GRUB akpaaka na buut
-$ sudo nano /etc/fstabLABEL=GRUB/media/aha njirimara/GRUB ext4 ndabara 0 0
4) Na-atụgharị ndekọ
-$ sudo nano /etc/logrotate.d/podpis /var/log/podpis.txt {
kwa
bugharia 50
ogo 5M
ụbọchị
mpikota onu
igbu oge
olddir /var/log/old
}/var/log/vtorjenie.txt {
kwa ọnwa
bugharia 5
ogo 5M
ụbọchị
olddir /var/log/old
}
5) Tinye ọrụ na cron
-$ sudo crontab -e'/ ndebanye aha'
0 */6 * * * '/ podpis
6) Ịmepụta aha aha na-adịgide adịgide
-$ sudo su
-$ echo "alias подпись_GRUB='hashdeep -c md5 -r /media/username/GRUB > /podpis.txt'" >> /root/.bashrc && bash
-$ echo "alias проверка_GRUB='hashdeep -vvv -a -k '/podpis.txt' -r /media/username/GRUB'" >> .bashrc && bash
Mgbe emelitere OS -$ apt-get upgrade debanye aha ọzọ nkebi GRUB anyị
-$ подпись_GRUB
N'oge a, nchebe hashing nke akụkụ GRUB zuru ezu.
[D] ihichapụ - mbibi nke data ezoro ezo
Hichapụ faịlụ nkeonwe gị kpamkpam nke na "ọbụna Chineke enweghị ike ịgụ ha," dịka onye na-ekwuchitere South Carolina Trey Gowdy siri kwuo.
Dị ka ọ dị na mbụ, enwere “akụkọ ifo na ", gbasara iweghachi data mgbe ehichapụchara ya na draịvụ ike. Ọ bụrụ na ị kwenyere na cyberwitchcraft, ma ọ bụ bụrụ onye otu Dr web obodo ma ọ dịbeghị mgbe ị nwara mgbake data mgbe ehichapụchara / degharịa ya. (dịka ọmụmaatụ, mgbake site na iji R-studio), mgbe ahụ, usoro a chọrọ ka ọ gaghị adabara gị, jiri ihe kacha dịrị gị nso.
Mgbe ebufechara GNU/Linux nke ọma na nkebi ezoro ezo, a ga-ehichapụrịrị ochie ochie na-enweghị ike nwetaghachi data. Usoro nhicha zuru ụwa ọnụ: ngwanrọ maka ngwanrọ GUI na-efu Windows/Linux .
Ngwa ngwa hazie ngalaba, data nke kwesịrị ibibi (site na Gparted) malite BleachBit, họrọ "Hichapụ oghere efu" - họrọ nkebi ahụ (sdaX gị nwere akwụkwọ GNU/Linux gara aga), usoro iwepụ ga-amalite. BleachBit - na-ehichapụ diski n'otu ngafe - nke a bụ "anyị chọrọ", mana! Nke a na-arụ ọrụ naanị na tiori ma ọ bụrụ na ị haziri diski ahụ wee hichaa ya na ngwa BB v2.0.
Ịkpachara anya! BB na-ehichapụ diski ahụ, na-ahapụ metadata aha faịlụ mgbe ewepụsịrị data (Ccleaner - anaghị ahapụ metadata).
Na akụkọ ifo banyere ekwe omume nke data mgbake abụghị kpamkpam a akụkọ ifo.Bleachbit V2.0-2 ngwungwu Debian OS na-adịghị akwụsi ike (na ngwa ngwa ọ bụla ọzọ yiri ya: sfill; ehichapụ-Nautilus - a hụkwara na azụmahịa a ruru unyi) N'ezie nwere ahụhụ dị egwu: ọrụ "ikpochapụ oghere efu". ọ na-arụ ọrụ ezighi ezi na HDD/Flash draịva (ntfs/ext4). Ngwanrọ nke ụdị a, mgbe ị na-ekpochapụ ohere efu, anaghị edegharị diski dum, dịka ọtụtụ ndị ọrụ na-eche. Na ụfọdụ (ọtụtụ n'ime) OS/software data ehichapụrụ na-ewere data a dị ka ndị anaghị ehichapụ / data onye ọrụ na mgbe ị na-ehicha "OSP" ọ na-amapụ faịlụ ndị a. Nsogbu bụ na mgbe ogologo oge dị otú ahụ gasịrị, hichaa diski ahụ Enwere ike nwetaghachi "faịlụ ehichapụ". ọbụlagodi mgbe 3+ gafere ihichapụ diski ahụ.
Na GNU/Linux na Bleachbit 2.0-2 Ọrụ nke ihichapụ faịlụ na akwụkwọ ndekọ aha na-adịgide adịgide na-arụ ọrụ ntụkwasị obi, mana ọ bụghị ikpochapụ oghere efu. Maka ntụnyere: na Windows na CCleaner ọrụ "OSP maka ntfs" na-arụ ọrụ nke ọma, na Chineke agaghị enwe ike ịgụ data ehichapụ.
Ya mere, ka juputara wepụ "na-ekwekọrịta" data ezoro ezo ochie, Bleachbit chọrọ ịnweta data a ozugbo, mgbe ahụ, jiri ọrụ "ehichapụ faịlụ / akwụkwọ ndekọ aha na-adịgide adịgide".
Iji wepu “faịlụ ehichapụrụ site na iji ngwaọrụ OS ọkọlọtọ” na Windows, jiri CCleaner/BB jiri ọrụ “OSP”. Na GNU/Linux maka nsogbu a (Hichapụ faịlụ ndị ehichapụrụ) mkpa ka ị nweta omume n'onwe gị (ihichapụ data + mgbalị onwe ya iji weghachi ya na ịkwesighi ịdabere na ụdị ngwanrọ (ọ bụrụ na ọ bụghị ibe edokọbara, yabụ ahụhụ)), naanị na nke a, ị ga-enwe ike ịghọta usoro nke nsogbu a ma kpochapụ data ehichapụ kpamkpam.
Anwalebeghị m Bleachbit v3.0, enwere ike idozi nsogbu ahụ.
Bleachbit v2.0 na-arụ ọrụ n'eziokwu.
Na nzọụkwụ a, ihichapụ diski ezuola.
[E] ndabere zuru ụwa ọnụ nke OS ezoro ezo
Onye ọrụ ọ bụla nwere usoro nke ya iji kwado data, mana data Sistemụ OS ezoro ezo chọrọ ụzọ dịtụ iche maka ọrụ ahụ. Akụrụngwa ejikọtara ọnụ, dị ka Clonezilla na sọftụwia yiri ya, enweghị ike iji data ezoro ezo rụọ ọrụ ozugbo.
Nkwupụta nsogbu nke ịkwado ngwaọrụ ngọngọ ezoro ezo:
- eluigwe na ala - otu ndabere algorithm / ngwanrọ maka Windows / Linux;
- ike iji usb GNU/Linux ọ bụla dị ndụ rụọ ọrụ na njikwa na-enweghị mkpa nbudata ngwanrọ ọzọ (mana ka na-akwado GUI);
- nchekwa nke mbipụta ndabere - “onyinyo” echekwara ga-enwerịrị ezoro ezo/echekwabara paswọọdụ;
- nha data ezoro ezo ga-adaba na nha nke data a na-e copyomi;
- dị mma mmịpụta faịlụ ndị dị mkpa site na nnomi ndabere (ọ dịghị ihe a chọrọ iji decrypt akụkụ ahụ dum).
Dịka ọmụmaatụ, ndabere/weghachi site na ngwa “dd”.
dd if=/dev/sda7 of=/путь/sda7.img bs=7M conv=sync,noerror
dd if=/путь/sda7.img of=/dev/sda7 bs=7M conv=sync,noerrorỌ dabara na ihe fọrọ nke nta ka ọ bụrụ isi ihe niile nke ọrụ ahụ, ma dị ka isi 4 si kwuo, ọ naghị adabere na nkatọ, ebe ọ bụ na ọ na-edepụta akụkụ diski dum, gụnyere ohere efu - ọ bụghị mmasị.
Dịka ọmụmaatụ, ndabere GNU/Linux site na ebe nchekwa [tar" | gpg] dị mma, mana maka nkwado ndabere na mpaghara Windows ịkwesịrị ịchọ ngwọta ọzọ - ọ bụghị ihe na-atọ ụtọ.
E1. Nkwado Windows/Linux Universal. Njikọ rsync (Grsync)+VeraCrypt oluAlgorithm maka ịmepụta nnomi ndabere:
- ịmepụta akpa ezoro ezo (olu/faịlụ) VeraCrypt maka OS;
- nyefee / mekọrịta OS site na iji ngwanrọ Rsync n'ime VeraCrypt crypto akpa;
- ọ bụrụ na ọ dị mkpa, na-ebugo VeraCrypt olu na www.
Ịmepụta akpa VeraCrypt ezoro ezo nwere njirimara nke ya:
na-eke ụda ike (mmepụta DT dị naanị na Windows, enwere ike iji ya na GNU/Linux);
na-eke ụda oge niile, mana enwere ihe achọrọ maka “agwa paranoid” (dị ka onye nrụpụta si kwuo) – akpa formatting.
A na-emepụta olu dị ike ihe fọrọ nke nta ka ọ bụrụ ozugbo na Windows, mana mgbe ị na-edegharị data sitere na GNU/Linux> VeraCrypt DT, ọrụ nkwado ndabere na mpaghara na-ebelata nke ukwuu.
A na-emepụta olu azụ̀ abụọ 70 GB mgbe niile (ka anyị kwuo, na nkezi ike PC) na HDD ~ n'ime ọkara elekere (ịdegharịa data akpa mbụ n'otu ngafe bụ n'ihi ihe nchekwa chọrọ). Ọrụ nke ịhazi ụda ngwa ngwa mgbe ị na-eke ya ewepụla na VeraCrypt Windows/Linux, yabụ ịmepụta akpa ga-ekwe omume naanị site na "ịdegharị otu ngafe" ma ọ bụ ịmepụta ụda ike dị ala.
Mepụta olu VeraCrypt mgbe niile (adịghị ike / ntfs), e kwesịghị inwe nsogbu ọ bụla.
Hazie/mepụta/mepee akpa na VeraCrypt GUI> GNU/Linux live usb (a ga-etinye olu ahụ na-akpaghị aka na /media/veracrypt2, a ga-etinye olu Windows OS na /media/veracrypt1). Ịmepụta ndabere ezoro ezo nke Windows OS site na iji GUI rsync (grsync)site na ịlele igbe.
Chere ka usoro a mezue. Ozugbo ndabere ahụ zuru, anyị ga-enwe otu faịlụ ezoro ezo.
N'otu aka ahụ, mepụta nnomi ndabere nke GNU/Linux OS site na ịpịpụ igbe nlele "Windows ndakọrịta" na rsync GUI.
Ịkpachara anya! mepụta akpa Veracrypt maka “ndabere GNU/Linux” na sistemụ faịlụ ext4. Ọ bụrụ na ị na-eme nkwado ndabere na mpaghara ntfs, mgbe ahụ, mgbe ị weghachiri ụdịdị a, ị ga-atụfu ikike / otu niile na data gị niile.
Ị nwere ike ịrụ ọrụ niile na njedebe. Nhọrọ ndị bụ isi maka rsync:
* -g - zọpụta otu;
* -P — ọganihu — ọnọdụ nke oge etinyere na-arụ ọrụ na faịlụ;
* -H - detuo hardlinks dị ka ọ dị;
* -a - ọnọdụ nchekwa (ọkọlọtọ rlptgoD ọtụtụ);
* -v -okwu ọnụ.
Ọ bụrụ n’ịchọrọ ibuli “Windows VeraCrypt volume” site na console na ngwanrọ cryptsetup, ị nwere ike mepụta utu aha (su)
echo "alias veramount='cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sdaX Windows_crypt && mount /dev/mapper/ Windows_crypt /media/veracrypt1'" >> .bashrc && bash
Ugbu a, iwu "veramount pictures" ga-akpali gị itinye passphrase, na ezoro ezo olu Windows usoro ga-n'ịnyịnya na OS.
Map/mount VeraCrypt olu sistemụ na iwu cryptsetup
cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sdaX Windows_crypt
mount /dev/mapper/Windows_crypt /mntMap/ Ugwu VeraCrypt partition/container na iwu cryptsetup
cryptsetup open --veracrypt --type tcrypt /dev/sdaY test_crypt
mount /dev/mapper/test_crypt /mntKama utu aha, anyị ga-agbakwunye (edemede ka ịmalite) olu sistemụ na Windows OS yana ntfs diski ezi uche ezoro ezo na mmalite GNU/Linux.
Mepụta edemede wee chekwaa ya na ~/VeraOpen.sh
printf 'Ym9i' | base64 -d | cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sda3 Windows_crypt && mount /dev/mapper/Windows_crypt /media/Winda7 #декодируем пароль из base64 (bob) и отправляем его на запрос ввода пароля при монтировании системного диска ОС Windows.
printf 'Ym9i' | base64 -d | cryptsetup open --veracrypt --type tcrypt /dev/sda1 ntfscrypt && mount /dev/mapper/ntfscrypt /media/КонтейнерНтфс #аналогично, но монтируем логический диск ntfs.
Anyị na-ekesa ikike “ziri ezi”:
sudo chmod 100 /VeraOpen.shMepụta faịlụ abụọ yiri ya (otu aha!) na /etc/rc.local na ~/etc/init.d/rc.local
Na-ejuputa faịlụ
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will «exit 0» on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
sh -c "sleep 1 && '/VeraOpen.sh'" #после загрузки ОС, ждём ~ 1с и только потом монтируем диски.
exit 0Anyị na-ekesa ikike “ziri ezi”:
sudo chmod 100 /etc/rc.local && sudo chmod 100 /etc/init.d/rc.local Nke ahụ bụ ya, ugbu a mgbe ị na-ebu GNU/Linux, anyị ekwesịghị itinye okwuntughe iji bulie diski ntfs ezoro ezo, a na-agbanye diski ahụ na-akpaghị aka.
Ihe ndetu nkenke banyere ihe akọwara n'elu na paragraf E1 nzọụkwụ site nzọụkwụ (ma ugbu a maka OS GNU/Linux)
1) Mepụta olu na fs ext4> 4gb (maka faịlụ) Linux na Veracrypt [Cryptbox].
2) Malitegharịa ekwentị na-ebi ndụ usb.
3) ~$ cryptsetup mepere /dev/sda7 Lunux #nkebi ezoro ezo.
4) ~ $ mount /dev/mapper/Linux /mnt #bulie nkebi ezoro ezo na /mnt.
5) ~$ mkdir mnt2 # na-emepụta ndekọ maka ndabere n'ọdịnihu.
6) ~$ cryptsetup mepere — veracrypt — ụdị tcrypt ~/CryptoBox CryptoBox && mount /dev/mapper/CryptoBox /mnt2 #Map a Veracrypt olu aha ya bụ “CryptoBox” wee bulie CryptoBox ka /mnt2.
7) ~$ rsync -avlxhHX —progress /mnt /mnt2/ #ndabere ọrụ nke akụkụ ezoro ezo na olu Veracrypt ezoro ezo.
(p/s/ Ịkpachara anya! Ọ bụrụ na ị na-ebufe GNU/Linux ezoro ezo site n'otu ụlọ / igwe gaa na nke ọzọ, dịka ọmụmaatụ, Intel> AMD (ya bụ, na-ebuga nkwado ndabere na mpaghara otu ezoro ezo gaa na nke ọzọ ezoro ezo Intel> AMD partition), Echefukwala Mgbe ịnyefe OS ezoro ezo, dezie igodo nnọchi nzuzo kama paswọọdụ, ikekwe. igodo gara aga ~/etc/skey - agakwaghị adaba na akụkụ ọzọ ezoro ezo, ọ bụghịkwa ihe amamihe dị na ya ịmepụta igodo ọhụrụ "cryptsetup luksAddKey" n'okpuru chroot - enwere ike ị nweta glitch, naanị na ~/etc/crypttab ezipụta kama ịbụ "/etc/skey" nwa oge "ọ dịghị onye" ", mgbe rebot na ịbanye na OS, megharịa igodo nzuzo nzuzo gị ọzọ).
Dịka ndị agha IT, cheta na ị ga-eme nkwado ndabere nke isi nke akụkụ Windows/Linux OS ezoro ezo, ma ọ bụ na nzuzo ga-atụgharị megide gị.
Na nzọụkwụ a, ndabere nke OS ezoro ezo na-agwụcha.
[F] Mwakpo na GRUB2 bootloader
Lee nkọwaỌ bụrụ na ị jiri mbinye aka dijitalụ na/ma ọ bụ nyocha chekwaba bootloader gị (lee isi ihe C6.), mgbe ahụ nke a agaghị echebe megide ịnweta anụ ahụ. Data ezoro ezo ka agaghị enwe ike ịnweta, mana nchebe ga-agafe (tọgharịa nchedo mbinye aka dijitalụ) GRUB2 na-enye ohere ka onye cyber-villain tinye koodu ya n'ime bootloader n'ebulighị enyo. (ọ gwụla ma onye ọrụ ejiri aka nyochaa steeti bootloader, ma ọ bụ wepụta koodu ederede aka ike siri ike maka grub.cfg).
Algọridim ọgụ. Onye wakporo
* Akpụkpọ ụkwụ PC sitere na usb dị ndụ. Mgbanwe ọ bụla (onye na-emebi iwu) faịlụ ga-agwa onye nwe PC n'ezie gbasara ntinye n'ime bootloader. Mana nrụnye dị mfe nke GRUB2 na-edebe grub.cfg (na ike na-esote iji dezie ya) ga-ekwe ka onye mwakpo dezie faịlụ ọ bụla (n'ọnọdụ a, mgbe ị na-ebu GRUB2, a gaghị agwa onye ọrụ n'ezie. Ọkwa ahụ bụ otu <0>)
* Na-ebuli akụkụ ezoro ezo, na-echekwa "/mnt/boot/grub/grub.cfg".
* Tinyegharịa bootloader (wepu "perskey" na core.img oyiyi)
grub-install --force --root-directory=/mnt /dev/sda6
* Weghachite “grub.cfg"> “/mnt/boot/grub/grub.cfg”, dezie ya ma ọ bụrụ na ọ dị mkpa, dịka ọmụmaatụ, na-agbakwunye modul gị “keylogger.mod” na folda nwere modul loader, na “grub.cfg” > ahịrị "insmod keylogger". Ma ọ bụ, dịka ọmụmaatụ, ọ bụrụ na onye iro ahụ dị aghụghọ, mgbe ahụ mgbe ị wụnyeghachiri GRUB2 (mbinye aka niile dị n'ebe) ọ na-ewu ihe oyiyi GRUB2 bụ isi site na iji "grub-mkimage with option (-c)." Nhọrọ "-c" ga-enye gị ohere ịkwanye nhazi gị tupu ị wụnye "grub.cfg" isi. Nhazi ahụ nwere ike ịnwe naanị otu ahịrị: redirection gaa na “modern.cfg” ọ bụla, agwakọta, dịka ọmụmaatụ, yana faịlụ ~ 400. (modul+ mbinye aka) na nchekwa "/boot/grub/i386-pc". N'okwu a, onye na-awakpo nwere ike itinye koodu aka ike na modul na-ebu ibu na-enweghị emetụta "/boot/grub/grub.cfg", ọ bụrụgodị na onye ọrụ tinye "hashsum" na faịlụ ahụ wee gosipụta ya na ihuenyo nwa oge.
Onye na-awakpo agaghị achọ mbanye GRUB2 superuser nbanye / okwuntughe; ọ ga-achọ naanị idetu ahịrị (ahụ maka nyocha) "/boot/grub/grub.cfg" gaa na "modern.cfg" gị
set superusers = "mgbọrọgwụ"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
A ka ga-enyocha onye nwe PC dị ka GRUB2 superuser.
Ịkwanye ụgbụ (bootloader na-ebu bootloader ọzọ), dị ka m dere n'elu, enweghị uche (Ezubere ya maka ebumnuche dị iche). Enweghị ike ịkwanye bootloader ezoro ezo n'ihi BIOS ( buut yinye malitegharịa GRUB2> GRUB2 ezoro ezo, njehie!). Otú ọ dị, ọ bụrụ na ị ka na-eji echiche nke ịwụnye agbụ, ị nwere ike ijide n'aka na ọ bụ nke ezoro ezo ka a na-ebu. (anaghị emezigharị ya) "grub.cfg" site na nkebi ezoro ezo. Ma nke a bụkwa echiche nchekwa ụgha, n'ihi na ihe niile egosipụtara na "grub.cfg" ezoro ezo. (Module loading) na-agbakwunye na modul ebugoro na GRUB2 ezoro ezo.
Ọ bụrụ na ịchọrọ ịlele nke a, kenye / zoo sday nkebi ọzọ, detuo GRUB2 na ya. (ọrụ grub-wụnye na nkebi ezoro ezo agaghị ekwe omume) na na "grub.cfg" (Nhazi ezoro ezo) gbanwee ahịrị dị ka ndị a
menuentry 'GRUBx2' --class parrot --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-382111a2-f993-403c-aa2e-292b5eac4780' {
ihe nkiri vidiyo
ziri ezi
ọ bụrụ [x$grub_platform = xxen]; mgbe ahụ insmod xzio; insmod lzopio; fi
adighi__ndd
ụdị cryptdisk
insmod lux
insmod gcry_twofish
insmod gcry_twofish
insmod gcry_sha512
agbatị2
cryptomount -u 15c47d1c4bd34e5289df77bcf60ee838
set root=’cryptouuid/15c47d1c4bd34e5289df77bcf60ee838′
normal /boot/grub/grub.cfg
}
ndido urụk
* insmod - na-ebunye modul dị mkpa maka ịrụ ọrụ na diski ezoro ezo;
* GRUBx2 - aha ahịrị egosipụtara na menu buut GRUB2;
* cryptomount -u 15c47d1c4bd34e5289df77bcf60ee838 -lee. fdisk -l (sda9);
* ntọala mgbọrọgwụ - wụnye mgbọrọgwụ;
* normal /boot/grub/grub.cfg - faịlụ nhazi arụ ọrụ na nkebi ezoro ezo.
Nkwenye na ọ bụ "grub.cfg" ezoro ezo bụ nzaghachi dị mma maka ịbanye paswọọdụ / imeghe "sdaY" mgbe ị na-ahọrọ ahịrị "GRUBx2" na menu GRUB.
Mgbe ị na-arụ ọrụ na CLI, ka ọ ghara inwe mgbagwoju anya (ma lelee ma ọ bụrụ na mgbanwe gburugburu ebe obibi "set mgbọrọgwụ" arụrụ ọrụ), mepụta faịlụ token efu, dịka ọmụmaatụ, na mpaghara ezoro ezo "/ shifr_grub", na ngalaba ezoro ezo "/ noshifr_grub". Lelee na CLI
cat /Tab-TabDị ka e kwuru n'elu, nke a agaghị enyere aka megide nbudata modul ọjọọ ma ọ bụrụ na ụdị modul dị na PC gị. Dịka ọmụmaatụ, keylogger nke ga-enwe ike ịchekwa mkpịsị ugodi na faịlụ wee gwakọta ya na faịlụ ndị ọzọ na "~/i386" ruo mgbe onye na-awakpo nwere ohere anụ ahụ budata ya na PC.
Ụzọ kachasị mfe iji nyochaa na nchedo mbinye aka dijitalụ na-arụ ọrụ nke ọma (adịghị tọgharịa), ma ọ nweghị onye wakporo bootloader, tinye iwu na CLI
list_trusted
na nzaghachi anyị na-enweta otu “perskey” anyị, ma ọ bụ na anyị anaghị enweta ihe ọ bụla ma ọ bụrụ na a wakporo anyị (ịkwesịrị ịlele "set check_signatures=enforce").
Mwepu dị ukwuu nke nzọụkwụ a bụ iji aka tinye iwu. Ọ bụrụ na ị gbakwunye iwu a na "grub.cfg" wee chebe nhazi ahụ na mbinye aka dijitalụ, mgbe ahụ, mmepụta mmalite nke isi ihe na ihuenyo dị mkpụmkpụ na oge, ma ị nwere ike ọ gaghị enwe oge ịhụ mmepụta mgbe ị wụnye GRUB2. .
Ọ dịghị onye ọ bụla ga-aza ajụjụ maka: onye mmepụta na nke ya Nkeji edemede 18.2 na-ekwupụta n'ihu ọha
“Rịba ama na ọbụlagodi na nchekwa okwuntughe GRUB, GRUB n'onwe ya enweghị ike igbochi onye nwere ike ịbanye na igwe ahụ ịgbanwe ngwa ngwa igwe (dịka ọmụmaatụ, Coreboot ma ọ bụ BIOS) iji mee ka igwe ahụ buo site na ngwaọrụ dị iche (nke onye mwakpo na-achịkwa). GRUB kacha mma naanị otu njikọ na yinye buut echedoro. "
GRUB2 juputara na ọrụ nwere ike inye echiche nke nchekwa ụgha, mmepe ya agafeelarị MS-DOS n'ihe gbasara ọrụ, mana ọ bụ naanị bootloader. Ọ bụ ihe ọchị na GRUB2 - "echi" nwere ike ịghọ OS, yana igwe GNU/Linux mebere maka ya.
Vidiyo dị mkpirikpi banyere otu m ga-esi tọgharịa nchedo mbinye aka dijitalụ GRUB2 wee kwupụta ntinye m n'ime onye ọrụ n'ezie. (A tụrụ m gị egwu, mana kama ihe egosiri na vidiyo, ị nwere ike dee koodu aka ike na-enweghị mmerụ ahụ / .mod).
Mkpebi:
1) Mgbochi usoro ezoro ezo maka Windows dị mfe iji mejuputa, yana nchebe na otu paswọọdụ dị mfe karịa nchebe na ọtụtụ okwuntughe na GNU/Linux block system encryption, dị mma: nke ikpeazụ na-akpaghị aka.
2) M dere akụkọ ahụ dị ka ihe kwesịrị ekwesị na nkọwa zuru ezu mfe ntuziaka maka izo ya ezo VeraCrypt/LUKS n'otu ụlọ igwe, nke kacha mma na RuNet (IMHO). Ntuziaka ahụ bụ> mkpụrụedemede 50k ogologo, ya mere, ọ naghị ekpuchi isiakwụkwọ ndị na-adọrọ mmasị: ndị na-ese ihe na-apụ n'anya / na-edebe na ndò; banyere eziokwu na n'ime akwụkwọ GNU / Linux dị iche iche ha na-ede obere / adịghị ede banyere cryptography; banyere Nkeji edemede 51 nke Iwu nke Russian Federation; O /mmachibido iwu , banyere ihe mere ị ga-eji zoo "mgbọrọgwụ / buut". Ntuziaka ahụ tụgharịrị buru oke ibu, mana nkọwa zuru oke. (na-akọwa ọbụna usoro dị mfe), N'aka nke ya, nke a ga-azọpụta gị ọtụtụ oge mgbe ị rutere na "ezigbo nzuzo".
3) Emere ezoro ezo diski zuru oke na Windows 7 64; GNU/Linux Parrot 4x; GNU/Debian 9.0/9.5.
4) Mezue mbuso agha na-aga nke ọma nke ya GRUB2 bootloader.
5) E mepụtara nkuzi iji nyere ndị niile na-eme ihe ike aka na CIS, ebe a na-anabata ọrụ na nzuzo na ọkwa omebe iwu. Na nke mbụ maka ndị chọrọ iwepụta nzuzo nzuzo zuru oke na-emebighị sistemụ ha ahaziri.
6) Arụgharịrị ma melite akwụkwọ ntuziaka m, nke dabara na 2020.
[G] Akwụkwọ bara uru
- (February 2012 RU)
- /usr/share/doc/cryptsetup(-run) [ihe enyemaka mpaghara] (akwụkwọ nkọwa zuru ezu na ịtọlite izo ya ezo GNU/Linux site na iji cryptsetup)
- (akwụkwọ dị nkenke maka ịmepụta GNU/Linux izo ya ezo site na iji cryptsetup)
- (akwụkwọ archlinux)
- ( arch man page)
- ( arch man page)
- .
Tags: izo ya ezo diski zuru oke, izo ya ezo nkebi, Linux zuru diski izo ya ezo, LUKS1 zuru sistemu.
Naanị ndị ọrụ edebanyere aha nwere ike isonye na nyocha a. , Biko.
Ị na-ezoro ezo?
-
17,1%Ana m ezochi ihe niile m nwere ike. a na m aru.14
-
34,2%Ana m ezoro naanị data dị mkpa.28
-
14,6%Mgbe ụfọdụ ana m ezoro ezo, mgbe ụfọdụ ana m echezọ.12
-
34,2%Mba, Anaghị m ezoro ezo, ọ dịghị mma na ọnụ.28
Ndị ọrụ 82 họpụtara. Ndị ọrụ 22 anabataghị.
isi: www.habr.com