Decrypting a LUKS container at system boot

Good day and night to everyone! This post will be useful to those who use LUKS data encryption and want to decrypt disks under Linux (Debian, Ubuntu) at the stage where the root partition is decrypted. I could not find such information on the Internet.

Recently, as the number of disks in the shelves grew, I ran into the problem of decrypting disks with the well-known method via /etc/crypttab. Personally, I see a few problems with this method, namely that the file is read only after the root partition has been loaded (mounted), which badly affects ZFS imports, especially if the pools are built from partitions on *_crypt devices, or mdadm raids that are also built from partitions. We all know that you can use parted on LUKS containers, right? There is also the problem of other services starting early, when the arrays do not exist yet but something already needs to use them (I work with clustered Proxmox VE 5.x and ZFS over iSCSI).

A little about ZFSoverISCSI

iSCSI works for me through LIO, and in fact, when the iSCSI target starts and does not see the ZVOL devices, it simply removes them from the configuration, which prevents the guest systems from booting. Hence you either restore a backup of the json file or manually add the devices with identifiers for each VM, which is terrible when there are dozens of such machines and each configuration has more than 1 disk.

The second question I will consider is how to decrypt (this is the key point of the article). We will talk about that below, so read on under the cut!

Most often on the Internet a key file is used (added to a slot beforehand with the command cryptsetup luksAddKey), or, in rare cases (there is very little information on the Russian-language Internet), the decrypt_derived script located in /lib/cryptsetup/scripts/ (of course, there are other ways, but I used these two, which formed the basis of the article). I also aimed for fully autonomous activation after a reboot, without any additional commands in the console, so that everything "took off" for me at once. So why wait?

Let's get started!

Let's take a system, such as Debian, installed on the sda3_crypt crypto partition, and a dozen disks ready to be encrypted and set up however you like. We have a passphrase to unlock sda3_crypt, and it is from this partition that we will take the "hash" of the password on the running (decrypted) system and add it to the other disks. Everything is elementary; in the console we run:

/lib/cryptsetup/scripts/decrypt_derived sda3_crypt | cryptsetup luksFormat /dev/sdX

where X is our disk, partition, etc.

After encrypting the disks with the "hash" of our passphrase, you need to find out the UUID or the ID, depending on what you are used to. We take the data from /dev/disk/by-uuid and by-id respectively.

The next step is to prepare the files and mini-scripts for the functions we need, so let's proceed:

cp -p /usr/share/initramfs-tools/hooks/cryptroot /etc/initramfs-tools/hooks/
cp -p /usr/share/initramfs-tools/scripts/local-top/cryptroot /etc/initramfs-tools/scripts/local-top/

next

touch /etc/initramfs-tools/hooks/decrypt && chmod +x /etc/initramfs-tools/hooks/decrypt

Contents of ../decrypt

#!/bin/sh

cp -p /lib/cryptsetup/scripts/decrypt_derived "$DESTDIR/bin/decrypt_derived"

next

touch /etc/initramfs-tools/hooks/partcopy && chmod +x /etc/initramfs-tools/hooks/partcopy

Contents of ../partcopy

#!/bin/sh

cp -p /sbin/partprobe "$DESTDIR/bin/partprobe"
cp -p /lib/x86_64-linux-gnu/libparted.so.2 "$DESTDIR/lib/x86_64-linux-gnu/libparted.so.2"
cp -p /lib/x86_64-linux-gnu/libreadline.so.7 "$DESTDIR/lib/x86_64-linux-gnu/libreadline.so.7"

a little more

touch /etc/initramfs-tools/scripts/local-bottom/partprobe && chmod +x /etc/initramfs-tools/scripts/local-bottom/partprobe

Contents of ../partprobe

#!/bin/sh

$DESTDIR/bin/partprobe

and finally, before running update-initramfs, you need to edit the file /etc/initramfs-tools/scripts/local-top/cryptroot, starting at line ~360; the code snippet is below.

Original


                # decrease $count by 1, apparently last try was successful.
                count=$(( $count - 1 ))
                
                message "cryptsetup ($crypttarget): set up successfully"
                break

and bring it to this form

Edited


                # decrease $count by 1, apparently last try was successful.
                count=$(( $count - 1 ))
                

                /bin/decrypt_derived $crypttarget | cryptsetup luksOpen /dev/disk/by-uuid/ *CRYPT_MAP*
                /bin/decrypt_derived $crypttarget | cryptsetup luksOpen /dev/disk/by-id/ *CRYPT_MAP*

                message "cryptsetup ($crypttarget): set up successfully"
                break

Note that either the UUID or the ID can be used here. The main thing is that the necessary drivers for the HDD/SSD devices are added to /etc/initramfs-tools/modules. You can find out which driver is in use with the command udevadm info -a -n /dev/sdX | egrep 'looking|DRIVER'.

Now that we are done and all the files are in place, run update-initramfs -u -k all -v; the log should contain no execution errors from our scripts. We reboot, enter the passphrase and wait a little, depending on the number of disks. Next, the system will boot, and at the final stage of boot, namely after the root partition is "mounted", the partprobe command will be executed: it will find and pick up all partitions created on the LUKS devices, and any arrays, be it ZFS or mdadm, will be assembled without problems! And all this happens before the main services and the services that need these disks/arrays are loaded.

Update 1: As EGO noticed, this method works only for LUKS1.
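
Since the method works only for LUKS1, it helps to confirm which LUKS version a device header carries before relying on the derived key. The script below is an added example, not part of the original article: it reads the first 8 bytes of a device (the 6-byte LUKS magic plus the big-endian version field); the function names luks_version and check_luks1 and the sample image files are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article). Function names are hypothetical.
# A LUKS header starts with the 6-byte magic "LUKS\xba\xbe" followed by a
# big-endian 16-bit version field (1 = LUKS1, 2 = LUKS2).

# Print 1, 2 or "none" for the given device or image file.
luks_version() {
    lv_hdr=$(dd if="$1" bs=8 count=1 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    case "$lv_hdr" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) echo none; return 1 ;;
    esac
}

# Return 0 only if every argument carries a LUKS1 header; report the rest.
check_luks1() {
    cl_rc=0
    for cl_dev in "$@"; do
        cl_ver=$(luks_version "$cl_dev") || true
        if [ "$cl_ver" != 1 ]; then
            echo "$cl_dev: header is '$cl_ver', not LUKS1" >&2
            cl_rc=1
        fi
    done
    return "$cl_rc"
}

# Demo on constructed 8-byte sample headers (not real disks).
demo_dir=$(mktemp -d)
printf 'LUKS\272\276\000\001' > "$demo_dir/luks1.img"
printf 'LUKS\272\276\000\002' > "$demo_dir/luks2.img"
if check_luks1 "$demo_dir/luks1.img" "$demo_dir/luks2.img"; then
    echo "all devices are LUKS1"
else
    echo "at least one device is not LUKS1"
fi
rm -rf "$demo_dir"
```

On a real system, run check_luks1 as root against the block devices that hold the LUKS headers (such as /dev/sdX) instead of the sample images.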

Source: www.habr.com
