Full disk encryption of installed Windows and Linux systems. Encrypted multi-boot

An updated version of my own guide to full disk encryption in RuNet, V0.2.

Cowboy-style procedure:

[A] Windows 7 block system encryption of an installed system;
[B] GNU/Linux block system encryption (Debian) of an installed system (including /boot);
[C] GRUB2 configuration, bootloader protection with a digital signature / authentication / hashing;
[D] sanitization - destruction of unencrypted data;
[E] universal backup of the encrypted OSes;
[F] attack <on item [C6]>, target - the GRUB2 bootloader;
[G] useful documentation.

╭───Scheme of #room 40#:
├──╼ Windows 7 installed - full system encryption, not hidden;
├──╼ GNU/Linux installed (Debian distribution and derivatives) - full system encryption, not hidden (/, including /boot; swap);
├──╼ independent bootloaders: the VeraCrypt bootloader is installed in the MBR, the GRUB2 bootloader is installed in the extended partition;
├──╼ no OS installation/reinstallation is required;
└──╼ cryptographic software used: VeraCrypt; Cryptsetup; GnuPG; Seahorse; Hashdeep; GRUB2 - free/libre.

The scheme above solves the problem of "remote boot to a flash drive", lets you enjoy encrypted Windows/Linux OSes and exchange data over an "encrypted channel" from one OS to the other.

PC boot order (one of the options):

  • turning on the machine;
  • loading the VeraCrypt bootloader (entering the correct password will continue booting Windows 7);
  • pressing the "Esc" key will load the GRUB2 bootloader;
  • the GRUB2 bootloader (choice of distribution/GNU/Linux/CLI) will require authentication of the GRUB2 superuser <login/password>;
  • after successful authentication and selection of the distribution, you will need to enter a passphrase to unlock "/boot/initrd.img";
  • after entering the passphrase without errors, GRUB2 "will require" a password (the third one; the BIOS password or the GNU/Linux user account password is not counted) to unlock and boot the GNU/Linux OS, or the automatic substitution of a secret key (two passwords + key, or password + key);
  • external intrusion into the GRUB2 configuration will freeze the GNU/Linux boot process.

Troublesome? OK, let's automate the processes.

When partitioning a drive (MBR table), a PC can have no more than 4 primary partitions, or 3 primary and one extended, plus an unallocated area. An extended partition, unlike a primary one, can contain subpartitions (logical drives = extended partitions). In other words, the "extended partition" on the HDD replaces LVM for the task at hand: full system encryption. If your disk is partitioned into 4 primary partitions, you need to use LVM, or convert (with formatting) a partition from primary to extended, or wisely use all four partitions and leave everything as it is, getting the desired result. Even if you have a single partition on your disk, Gparted will help you partition your HDD (into additional partitions) without data loss, though still with a small price for such operations.

The hard drive layout scheme, relative to which the whole article is written, is shown in the table below.

Table (No. 1) of the 1 TB partitions.

You should have something similar as well.
sda1 - primary partition No. 1 NTFS (encrypted);
sda2 - extended partition marker;
sda6 - logical disk (has the GRUB2 bootloader installed);
sda8 - swap (encrypted swap file / not always);
sda9 - test logical disk;
sda5 - logical disk for the curious;
sda7 - GNU/Linux OS (OS transferred to the encrypted logical disk);
sda3 - primary partition No. 2 with Windows 7 OS (encrypted);
sda4 - primary partition No. (it contained unencrypted GNU/Linux, used for backup / not always).

[A] Windows 7 block system encryption

A1. VeraCrypt

Download the installer version of the VeraCrypt cryptographic software from the official site or from a mirror (at the time of publication v1.24-Update3; the portable version of VeraCrypt is not suitable for system encryption). Check the checksum of the downloaded software

$ Certutil -hashfile "C:\VeraCrypt Setup 1.24.exe" SHA256

and compare the result with the checksum published on the VeraCrypt developer's site.

If the HashTab software is installed, it is even easier: RMB (VeraCrypt Setup 1.24.exe) - Properties - file hash sums.

To verify the program's signature, the software and the developer's public PGP key must be installed on the system: GnuPG; gpg4win.

A2. Installing/running VeraCrypt with administrator rights

A3. Selecting system encryption parameters for the active partition

VeraCrypt - System - Encrypt system partition/drive - Normal - Encrypt the Windows system partition - Multi-boot - (warning: "Inexperienced users are not recommended to use this method", and this is true; we agree, "Yes") - Boot drive ("yes", even if it is not so, still "yes") - Number of system drives "2 or more" - Multiple systems on a single drive "Yes" - Non-Windows boot loader "No" (in fact "Yes", but the VeraCrypt/GRUB2 bootloaders will not share the MBR between themselves; more precisely, only the smallest part of the bootloader code is stored in the MBR/boot track, and its main part is located within the file system) - Multi-boot - Encryption settings…

If you deviate from the steps described above (block system encryption schemes), VeraCrypt will issue a warning and will not let you encrypt the partition.

In the next step toward targeted data protection, run the "Test" and choose the encryption algorithm. If you have an old CPU, the fastest encryption algorithm will most likely be Twofish. If the CPU is powerful, you will notice the difference: AES encryption, according to the test results, will be several times faster than its crypto competitors. AES is a popular encryption algorithm; the hardware of modern CPUs is specially optimized for both "secrecy" and "breaking".

VeraCrypt supports encrypting disks in a cascade AES(Twofish) / and other combinations. On an old-core Intel CPU from a decade ago (without AES hardware support, A/T cascade encryption) the drop in performance is essentially imperceptible. (For AMD CPUs of the same era/~parameters, performance is slightly reduced.) The OS works dynamically, and the resource consumption of transparent encryption is not noticeable. This is in contrast to, for example, the noticeable drop in performance caused by the installed unstable test desktop environment Mate v1.20.1 (or v1.20.2, I don't remember exactly) in GNU/Linux, or by the telemetry routines in Windows7↑. Usually, experienced users run hardware performance tests before encryption, for example in Aida64/Sysbench/systemd-analyze blame, and compare them with the results of the same tests after encrypting the system, thereby refuting for themselves the myth that "system encryption is harmful". Slowdown of the machine and inconvenience are noticeable when backing up/restoring encrypted data, because the "system data backup" operation itself is not measured in ms, and those same <decrypt/encrypt on the fly> are added. Ultimately, every user who is allowed to tinker with cryptography balances the encryption algorithm against the satisfaction of the tasks at hand, their level of paranoia, and ease of use.

It is better to leave the PIM parameter at its default, so that when booting the OS you do not have to enter exact iteration values each time. VeraCrypt uses a huge number of iterations to create a truly "slow hash". An attack on such a "crypto snail" using brute force/rainbow tables only makes sense with a short "simple" passphrase and the victim's personal charset list. The price of passphrase strength is a delay in entering the correct password when booting the OS. (Mounting VeraCrypt volumes in GNU/Linux is significantly faster.)
Free software for implementing brute force attacks (extracting the passphrase from a VeraCrypt/LUKS disk header): Hashcat. John the Ripper does not know how to "break VeraCrypt", and when working with LUKS does not understand Twofish cryptography.

Because of the cryptographic strength of the encryption algorithms, the unstoppable cypherpunks are developing software with a different attack vector, for example extracting metadata/keys from RAM (cold boot/direct memory access attack). There is specialized free and non-free software for these purposes.

After completing the setup/generation of the "unique metadata" of the encrypted active partition, VeraCrypt will offer to restart the PC and test the functionality of its bootloader. After rebooting/starting Windows, VeraCrypt will load in standby mode; all that remains is to confirm the encryption process - Y.

At the final step of system encryption, VeraCrypt will offer to create a backup copy of the header of the active encrypted partition in the form of "veracrypt rescue disk.iso" - this must be done - in this software such an operation is a requirement (in LUKS, as a requirement, this is unfortunately omitted, but it is emphasized in the documentation). The rescue disk will come in handy for everyone, and for some more than once. Loss (header/MBR overwrite) of the header backup copy will permanently deny access to the decrypted partition with Windows OS.

A4. Creating a VeraCrypt rescue USB/disk

By default, VeraCrypt offers to burn "~2-3 MB of metadata" to a CD, but not everyone has discs or DVD-ROM drives, and creating a bootable flash drive "VeraCrypt Rescue disk" will be a technical surprise for some: Rufus / GUIdd-ROSA ImageWriter and other similar software will not cope with the task, because in addition to copying the offset metadata to a bootable flash drive, you need to copy/paste from the image outside the file system of the USB drive; in short, correctly copy the MBR/boot track to the key fob. You can create a bootable flash drive from GNU/Linux using the "dd" utility, by referring to this table.

Creating a rescue disk in a Windows environment is different. The VeraCrypt developer did not include the solution to this problem in the official documentation on the "rescue disk", but offered a solution in a different way: he posted additional software for creating a "usb rescue disk" for free access on his VeraCrypt forum. The archive of this software for Windows is "create usb veracrypt rescue disk". After saving rescue disk.iso, the process of block system encryption of the active partition will begin. During encryption, the OS does not stop working; no PC restart is required. Upon completion of the encryption operation, the active partition becomes fully encrypted and can be used. If the VeraCrypt bootloader does not appear when you start the PC, and the header recovery operation does not help, check the "boot" flag: it must be set on the partition where Windows is present (regardless of encryption and other OSes, see table No. 1).
This completes the description of block system encryption with Windows OS.

[B] LUKS. GNU/Linux encryption (~Debian) of an installed OS. Algorithm and steps

To encrypt an installed Debian/derivative distribution, you need to map the prepared partition to a virtual block device, transfer GNU/Linux to the mapped disk, and install/configure GRUB2. If you do not have a bare metal server and you value your time, you should use the GUI; most of the terminal commands described below are meant to be run in "Chuck-Norris mode".

B1. Booting the PC from a live usb GNU/Linux

"Run a crypto test for hardware performance"

lscpu && cryptsetup benchmark

If you are the happy owner of a powerful machine with AES hardware support, the numbers will look like the right side of the terminal; if you are a happy owner but with old hardware, the numbers will look like the left side.

B2. Disk partitioning. Mounting/formatting the logical disk HDD file system to Ext4 (Gparted)

B2.1. Creating an encrypted header for the sda7 partition

I will describe partition names, here and below, according to my partition table posted above. According to your disk layout, you must substitute your own partition names.

Mapping of logical drive encryption (/dev/sda7 > /dev/mapper/sda7_crypt).
#Simple creation of a "LUKS-AES-XTS partition"

cryptsetup -v -y luksFormat /dev/sda7

Options:

* luksFormat - initialization of the LUKS header;
* -y - passphrase entry with confirmation (not a key/file);
* -v - verbose (display information in the terminal);
* /dev/sda7 - your logical disk from the extended partition (where you plan to transfer/encrypt GNU/Linux).

Default encryption algorithm <LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom> (depends on the cryptsetup version).

#Check the default encryption algorithm
cryptsetup --help #the very last line of the terminal output.

If there is no hardware AES support on the CPU, the best choice would be to create an advanced "LUKS-Twofish-XTS partition".

B2.2. Advanced creation of a "LUKS-Twofish-XTS partition"

cryptsetup luksFormat /dev/sda7 -v -y -c twofish-xts-plain64 -s 512 -h sha512 -i 1500 --use-urandom

Options:
* luksFormat - initialization of the LUKS header;
* /dev/sda7 is your future encrypted logical disk;
* -v verbose;
* -y passphrase;
* -c select the data encryption algorithm;
* -s encryption key size;
* -h hashing algorithm/crypto function; the RNG used (--use-urandom) to generate a unique encryption/decryption key for the logical disk header and a secondary header key (XTS); the unique master key stored in the encrypted disk header, the secondary XTS key, all this metadata and the encryption routine that, using the master key and the secondary XTS key, encrypts/decrypts any data on the partition (except the partition header) are stored in ~3 MB on the selected hard disk partition.
* -i iterations in milliseconds, instead of a "count" (the time delay when processing the passphrase affects OS loading and the cryptographic strength of the keys). To maintain a balance of cryptographic strength, with a simple password like "Russian" you need to increase the -(i) value; with a complex password like "?8dƱob/øfh" the value can be reduced.
* --use-urandom random number generator, generates keys and salt.

After mapping the partition sda7 > sda7_crypt (the operation is fast, since an encrypted header with ~3 MB of metadata is created and that is all), you need to format and mount the sda7_crypt file system.

B2.3. Mapping

cryptsetup open /dev/sda7 sda7_crypt
#running this command prompts for the secret passphrase.

options:
* open - map the partition "with a name";
* /dev/sda7 - logical disk;
* sda7_crypt - the name mapping that is used to mount the encrypted partition or to initialize it when the OS boots.

B2.4. Formatting the sda7_crypt file system to ext4. Mounting the disk in the OS

(Note: you can no longer work with an encrypted partition in Gparted)

#format the encrypted block device
mkfs.ext4 -v -L DebSHIFR /dev/mapper/sda7_crypt

options:
* -v - verbose;
* -L - drive label (which is displayed in the file manager among other drives).

Next, mount the virtual encrypted block device /dev/mapper/sda7_crypt into the system

mount /dev/mapper/sda7_crypt /mnt

Working with files in the /mnt folder will automatically encrypt/decrypt data in sda7.

It is more convenient to map and mount the partition in the file manager (nautilus/caja GUI); the partition will already be in the disk selection list, and all that remains is to enter the passphrase to open/decrypt the disk. The mapped name will be chosen automatically and will not be "sda7_crypt" but something like /dev/mapper/Luks-xx-xx...

B2.5. Backing up the disk header (~3 MB metadata)

One of the most important operations, which must be done without delay, is a backup copy of the "sda7_crypt" header. If you overwrite/damage the header (for example, by installing GRUB2 on the sda7 partition, etc.), the encrypted data will be lost completely with no possibility of restoring it, because it is impossible to regenerate the same keys; the keys are created uniquely.

#Back up the partition header
cryptsetup luksHeaderBackup --header-backup-file ~/Backup_DebSHIFR /dev/sda7

#Restore the partition header
cryptsetup luksHeaderRestore --header-backup-file <file> <device>

options:
* luksHeaderBackup --header-backup-file - backup command;
* luksHeaderRestore --header-backup-file - restore command;
* ~/Backup_DebSHIFR - backup file;
* /dev/sda7 - the partition whose encrypted disk header copy is to be saved.
At this step <creating and editing the encrypted partition> is complete.
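
An added example, not part of the original guide: a POSIX shell check that a file written by luksHeaderBackup really starts with a LUKS1 header, and which cipher and key slots it records, so the backup can be inspected without touching /dev/sda7. The function names and the sample header are constructed for illustration; the field offsets are those of the LUKS1 on-disk format, and any other header version is reported as not handled.

```shell
#!/bin/sh
# Added example: offline sanity check of a LUKS1 header backup file.
# Function names are hypothetical; the sample header below is constructed.

# N bytes at OFFSET of FILE, as a lowercase hex string.
hex_at() { od -An -v -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n'; }
# NUL-padded text field of N bytes at OFFSET of FILE.
str_at() { dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'; }

luks1_summary() {
    f=$1
    if [ "$(hex_at "$f" 0 6)" != "4c554b53babe" ]; then   # magic "LUKS" 0xBA 0xBE
        echo "not a LUKS header"
        return 0
    fi
    ver=$(hex_at "$f" 6 2)
    if [ "$ver" != "0001" ]; then
        echo "LUKS version 0x$ver: not handled by this LUKS1 parser"
        return 0
    fi
    echo "cipher=$(str_at "$f" 8 32)-$(str_at "$f" 40 32)"
    echo "hash=$(str_at "$f" 72 32)"
    echo "key_bits=$(( 0x$(hex_at "$f" 108 4) * 8 ))"
    echo "uuid=$(str_at "$f" 168 40)"
    active=""
    slot=0
    while [ "$slot" -lt 8 ]; do                            # 8 slots of 48 bytes from offset 208
        state=$(hex_at "$f" $((208 + slot * 48)) 4)
        case "$state" in
            00ac71f3) active="$active $slot" ;;            # slot enabled
            0000dead) ;;                                   # slot disabled
            *) echo "slot $slot: unexpected state 0x$state (header damaged?)" ;;
        esac
        slot=$((slot + 1))
    done
    echo "active_slots=${active# }"
    return 0
}

# Build a constructed LUKS1-shaped header (592 bytes, no real key material).
pad() { dd if=/dev/zero bs=1 count="$1" 2>/dev/null; }
field() { printf '%s' "$1"; pad $(( $2 - ${#1} )); }       # text padded with NULs to width $2
make_sample_header() {
    {
        printf 'LUKS\272\276\000\001'                      # magic + version 1
        field twofish 32; field xts-plain64 32; field sha512 32
        printf '\000\000\020\000'                          # payload offset in sectors
        printf '\000\000\000\100'                          # key bytes: 64
        pad 56                                             # master key digest, salt, iterations
        field 81048598-5bb9-4a53-af92-f3f9e709e2f2 40
        for s in 0 1 2 3 4 5 6 7; do
            case $s in
                0|7) printf '\000\254\161\363' ;;          # 0x00AC71F3: passphrase slot, key-file slot
                *)   printf '\000\000\336\255' ;;          # 0x0000DEAD
            esac
            pad 44                                         # iterations, salt, offset, stripes
        done
    } > "$1"
}

sample=$(mktemp)
make_sample_header "$sample"
luks1_summary "$sample"
rm -f "$sample"
```
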

B3. Transferring the GNU/Linux OS (sda4) to the encrypted partition (sda7)

Create the folder /mnt2 (note: we are still working with the live usb, sda7_crypt is mounted at /mnt), and mount our GNU/Linux, which needs to be encrypted, at /mnt2.

mkdir /mnt2
mount /dev/sda4 /mnt2

We perform a correct OS transfer using the Rsync software

rsync -avlxhHX --progress /mnt2/ /mnt

Rsync options are described in paragraph E1.

Next, you need to defragment the logical disk partition

e4defrag -c /mnt/ #after the check, e4defrag will report that the partition's fragmentation level is ~"0"; this is misleading and may cost you a substantial loss of performance!
e4defrag /mnt/ #defragment the encrypted GNU/Linux

Make it a rule: run e4defrag on encrypted GNU/Linux from time to time if you have an HDD.
The transfer and synchronization [GNU/Linux > GNU/Linux-encrypted] is complete at this step.

B4. Configuring GNU/Linux on the encrypted sda7 partition

After successfully transferring the OS /dev/sda4 > /dev/sda7, you need to log in to GNU/Linux on the encrypted partition and carry out further configuration (without rebooting the PC) relative to the encrypted system. That is, stay in the live usb, but execute commands "relative to the root of the encrypted OS". "chroot" will simulate such a situation. To quickly get information about which OS you are currently working with (encrypted or not, since the data in sda4 and sda7 are synchronized), desynchronize the OSes. Create empty marker files in the root directories (sda4/sda7_crypt), for example /mnt/encryptedOS and /mnt2/decryptedOS. Quickly check which OS you are in (including for the future):

ls /<Tab-Tab>

B4.1. "Simulating login to the encrypted OS"

mount --bind /dev /mnt/dev
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
chroot /mnt

B4.2. Verifying that work is being carried out against the encrypted system

ls /mnt<Tab-Tab>
#and we see the file "/encryptedOS"

history
#the terminal output should show the su command history of the working OS.

B4.3. Creating/configuring encrypted swap, editing crypttab/fstab

Since the swap file is formatted each time the OS starts, it makes no sense to create and map swap to a logical disk now and type commands as in paragraph B2.2. For swap, its own temporary encryption keys will be generated automatically at each start. Life cycle of the swap keys: unmounting/disconnecting the swap partition (+ clearing RAM); or restarting the OS. To set up swap, open the file responsible for the configuration of block encrypted devices (analogous to the fstab file, but responsible for crypto).

nano /etc/crypttab

edit it to read

#"target name" "source device" "key file" "options"
swap /dev/sda8 /dev/urandom swap,cipher=twofish-xts-plain64,size=512,hash=sha512

Options
* swap - the mapped name when encrypting /dev/mapper/swap.
* /dev/sda8 - use your logical partition for swap.
* /dev/urandom - generator of random encryption keys for swap (with each new OS boot, new keys are created). The /dev/urandom generator is less random than /dev/random; after all, /dev/random is used when working in dangerous paranoid circumstances. When booting the OS, /dev/random slows down loading by several ± minutes (see systemd-analyze).
* swap,cipher=twofish-xts-plain64,size=512,hash=sha512: - the partition knows that it is swap and is formatted "accordingly"; encryption algorithm.

#Open and edit fstab
nano /etc/fstab

edit it to read

# swap was on /dev/sda8 during installation
/dev/mapper/swap none swap sw 0 0

/dev/mapper/swap is the name that was set in crypttab.

Encrypted swap
If for some reason you do not want to give up an entire partition for swap, you can take an alternative and better route: create a swap file in a file on the encrypted partition with the OS.

fallocate -l 3G /swap #create a 3 GB file (an almost instantaneous operation)
chmod 600 /swap #set permissions
mkswap /swap #turn the file into a swap file
swapon /swap #enable our swap
free -m #check that the swap file is activated and working
printf "/swap none swap sw 0 0\n" >> /etc/fstab #if needed, swap will be persistent after a reboot

Setting up the swap partition is complete.

B4.4. Configuring encrypted GNU/Linux (editing the crypttab/fstab files)

The /etc/crypttab file, as written above, describes the encrypted block devices that are configured during system boot.

#edit /etc/crypttab
nano /etc/crypttab

if you mapped the sda7>sda7_crypt partition as in paragraph B2.1

# "target name" "source device" "key file" "options"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 none luks

if you mapped the sda7>sda7_crypt partition as in paragraph B2.2

# "target name" "source device" "key file" "options"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 none cipher=twofish-xts-plain64,size=512,hash=sha512

if you mapped the sda7>sda7_crypt partition as in paragraph B2.1 or B2.2, but do not want to re-enter the password to unlock and boot the OS, then instead of the password you can substitute a secret key/random file.

# "target name" "source device" "key file" "options"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 /etc/skey luks

explanation
* none - states that when booting the OS, entering the secret passphrase is required to unlock the root.
* UUID - partition identifier. To find out your ID, type in the terminal (a reminder that from this point on you are working in the terminal in the chroot environment, not in another live usb terminal).

fdisk -l #check all partitions
blkid #there should be something like this

/dev/sda7: UUID="81048598-5bb9-4a53-af92-f3f9e709e2f2" TYPE="crypto_LUKS" PARTUUID="0332d73c-07"
/dev/mapper/sda7_crypt: LABEL="DebSHIFR" UUID="382111a2-f993-403c-aa2e-292b5eac4780" TYPE="ext4"

(this line is visible when querying blkid from the live usb terminal with sda7_crypt mounted).
You take the UUID from your sdaX (not sdaX_crypt!; the UUID of sdaX_crypt will be picked up automatically when generating the grub.cfg config).
* cipher=twofish-xts-plain64,size=512,hash=sha512 - luks encryption in advanced mode.
* /etc/skey - secret key file, which is substituted automatically to unlock the OS boot (instead of entering the 3rd password). You can specify any file up to 8 MB, but the data read will be <1 MB.

#Create ("generate") a random file <secret key> of 691 bytes.
head -c 691 /dev/urandom > /etc/skey

#Add the secret key (691 bytes) to slot 7 of the luks header
cryptsetup luksAddKey --key-slot 7 /dev/sda7 /etc/skey

#Check the slots "passwords/keys of the luks partition"
cryptsetup luksDump /dev/sda7

It will look approximately like this:

(do it yourself and see for yourself).

cryptsetup luksKillSlot /dev/sda7 7 #remove the key/password from slot 7

/etc/fstab contains descriptive information about the various file systems.

#Edit /etc/fstab
nano /etc/fstab

# "file system" "mount point" "type" "options" "dump" "pass"
# / was on /dev/sda7 during installation
/dev/mapper/sda7_crypt / ext4 errors=remount-ro 0 1

option
* /dev/mapper/sda7_crypt - the name of the sda7>sda7_crypt mapping, which is specified in the /etc/crypttab file.
Configuration of crypttab/fstab is complete.

B4.5. Editing configuration files. Key moment

B4.5.1. Editing the config /etc/initramfs-tools/conf.d/resume

#If you previously had a swap partition activated, disable it.
nano /etc/initramfs-tools/conf.d/resume

and comment out (if present) with "#" the "resume" line. The file must be completely empty.

B4.5.2. Editing the config /etc/initramfs-tools/conf.d/cryptsetup

nano /etc/initramfs-tools/conf.d/cryptsetup

it must match

# /etc/initramfs-tools/conf.d/cryptsetup
CRYPTSETUP=yes
export CRYPTSETUP

B4.5.3. Editing the /etc/default/grub config (this config is responsible for the ability to generate grub.cfg when working with an encrypted /boot)

nano /etc/default/grub

add the line "GRUB_ENABLE_CRYPTODISK=y"
with the value 'y', grub-mkconfig and grub-install will check for encrypted drives and generate the additional commands needed to access them at boot time (insmods).
it should look like this

GRUB_DEFAULT=0
GRUB_TIMEOUT=1
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="acpi_backlight=vendor"
GRUB_CMDLINE_LINUX="quiet splash noautomount"
GRUB_ENABLE_CRYPTODISK=y

B4.5.4. Editing the config /etc/cryptsetup-initramfs/conf-hook

nano /etc/cryptsetup-initramfs/conf-hook

check that the line is commented out <#>.
In the future (and even now, this parameter will have no meaning, but sometimes it interferes with updating the initrd.img image).

B4.5.5. Editing the config /etc/cryptsetup-initramfs/conf-hook

nano /etc/cryptsetup-initramfs/conf-hook

add

KEYFILE_PATTERN="/etc/skey"
UMASK=0077

This will pack the secret key "skey" into initrd.img; the key is needed to unlock the root when the OS boots (if you do not want to enter the password again, the "skey" key is substituted automatically).

B4.6. Updating /boot/initrd.img [version]

To pack the secret key into initrd.img and apply the cryptsetup fixes, update the image

update-initramfs -u -k all

when updating initrd.img (as they say, "It's possible, but it's not certain") warnings related to cryptsetup will appear, or, for example, a notification about the loss of Nvidia modules - this is normal. After updating the file, check that it has actually been updated; look at the time (relative to the chroot environment ./boot/initrd.img). Attention! Before [update-initramfs -u -k all], be sure to check that cryptsetup open /dev/sda7 sda7_crypt is the name that appears in /etc/crypttab, otherwise after reboot there will be a busybox error)
At this step, setting up the configuration files is complete.
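
An added example, not from the original guide: a shell audit that cross-checks the files edited in B4.3-B4.6 before the first reboot, covering mapping names shared between crypttab and fstab, the permissions of the key file, the KEYFILE_PATTERN match, and the permissions of the initrd images that carry the key. The function names and the sample tree are constructed; it assumes the layout of this guide (no LVM, key file referenced from /etc/crypttab).

```shell
#!/bin/sh
# Added example: cross-check crypttab, fstab, conf-hook and initrd under ROOT.
# ROOT is the tree to inspect: /mnt from the live usb, or / on the booted system.
# Prints one finding per line, or "OK". Function names are hypothetical.

finding() { echo "$1"; n=$((n + 1)); }

# True when FILE grants any permission bit to group or other.
loose_perms() { [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; }

audit_crypt_config() {
    root=${1%/}
    n=0
    names=" "
    keyfiles=""
    if [ ! -r "$root/etc/crypttab" ]; then
        echo "FAIL: $root/etc/crypttab is not readable"
        return 0
    fi
    # crypttab fields: <target name> <source device> <key file> <options>
    while read -r name src key opts || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac
        names="$names$name "
        case "$key" in
            none|-|'') ;;                       # passphrase is typed at boot
            /dev/urandom|/dev/random)           # throwaway key, only valid for swap
                case ",$opts," in
                    *,swap,*) ;;
                    *) finding "FAIL: $name ($src) has a random key but no swap option" ;;
                esac ;;
            *)
                keyfiles="$keyfiles $key"
                if [ ! -f "$root$key" ]; then
                    finding "FAIL: $name key file $key is missing"
                elif loose_perms "$root$key"; then
                    finding "FAIL: $name key file $key grants access to group/other"
                fi ;;
        esac
    done < "$root/etc/crypttab"

    # Every /dev/mapper/NAME in fstab must be a crypttab target (this scheme uses no LVM).
    if [ -r "$root/etc/fstab" ]; then
        while read -r dev mnt rest || [ -n "$dev" ]; do
            case "$dev" in /dev/mapper/*) ;; *) continue ;; esac
            case "$names" in
                *" ${dev#/dev/mapper/} "*) ;;
                *) finding "FAIL: fstab uses $dev for $mnt but crypttab defines no such mapping" ;;
            esac
        done < "$root/etc/fstab"
    fi

    if [ -n "$keyfiles" ]; then
        hook="$root/etc/cryptsetup-initramfs/conf-hook"
        pattern=$(sed -n 's/^[[:space:]]*KEYFILE_PATTERN=//p' "$hook" 2>/dev/null |
                  tail -n 1 | tr -d "\"'")
        for key in $keyfiles; do
            # KEYFILE_PATTERN is a shell glob; a key it does not match is not packed into initrd.img
            case "$key" in
                $pattern) ;;
                *) finding "FAIL: $key does not match KEYFILE_PATTERN in conf-hook" ;;
            esac
        done
        # An initrd that carries the key must not be readable by other local users.
        for img in "$root"/boot/initrd.img*; do
            [ -f "$img" ] || continue
            if loose_perms "$img"; then
                finding "FAIL: ${img#"$root"} grants access to group/other"
            fi
        done
    fi
    if [ "$n" -eq 0 ]; then echo "OK"; fi
    return 0
}

# Constructed sample tree: the guide's crypttab plus three deliberate defects
# (mistyped mapping name in fstab, key file mode 644, initrd mode 644).
make_sample_tree() {
    mkdir -p "$1/etc/cryptsetup-initramfs" "$1/boot"
    cat > "$1/etc/crypttab" <<'EOF'
# <target name> <source device> <key file> <options>
swap /dev/sda8 /dev/urandom swap,cipher=twofish-xts-plain64,size=512,hash=sha512
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 /etc/skey luks
EOF
    cat > "$1/etc/fstab" <<'EOF'
/dev/mapper/sda7crypt / ext4 errors=remount-ro 0 1
/dev/mapper/swap none swap sw 0 0
EOF
    printf 'KEYFILE_PATTERN="/etc/skey"\nUMASK=0077\n' > "$1/etc/cryptsetup-initramfs/conf-hook"
    printf 'constructed placeholder, not a key' > "$1/etc/skey"
    : > "$1/boot/initrd.img-sample"
    chmod 644 "$1/etc/skey" "$1/boot/initrd.img-sample"
}

demo=$(mktemp -d)
make_sample_tree "$demo"
audit_crypt_config "$demo"
rm -rf "$demo"
```
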

[C] Installing and configuring GRUB2/Protection

C1. If necessary, format the dedicated partition for the bootloader (the partition needs at least 20 MB)

mkfs.ext4 -v -L GRUB2 /dev/sda6

C2. Mounting /dev/sda6 to /mnt

Since we are working in chroot, there will be no /mnt2 directory in the root, and the /mnt folder will be empty.
mount the GRUB2 partition

mount /dev/sda6 /mnt

If you have an old version of GRUB2 installed, and the /mnt/boot/grub/i386-pc directory (another platform is possible, for example, not "i386-pc") has no crypto modules (in short, the folder should contain modules, including these .mod files: cryptodisk; luks; gcry_twofish; gcry_sha512; signature_test.mod), in this case GRUB2 needs to be shaken up.

apt-get update
apt-get install grub2

Important! When updating the GRUB2 package from the repository, when asked "about choosing" where to install the bootloader, you must refuse the installation (reason: an attempt to install GRUB2 in the "MBR" or on the live usb). Otherwise you will damage the VeraCrypt header/loader. After updating the GRUB2 packages and cancelling the installation, the bootloader must be installed manually on the logical disk, not in the MBR. If your repository has an outdated version of GRUB2, try to update it from the official website - I have not checked this (I worked with the latest GRUB 2.02 ~BetaX bootloaders).

C3. Installing GRUB2 into the extended partition [sda6]

You must have the partition mounted [item C.2]

grub-install --force --root-directory=/mnt /dev/sda6

options
* --force - install the bootloader, bypassing all warnings that almost always exist and block the installation (a required flag).
* --root-directory - install the directory to the root of sda6.
* /dev/sda6 - your sdaX partition (do not miss the <space> between /mnt /dev/sda6).

C4. Creating the configuration file [grub.cfg]

Forget about the "update-grub2" command, and use the full config file generation command

grub-mkconfig -o /mnt/boot/grub/grub.cfg

After generating/updating the grub.cfg file is complete, the terminal output should contain line(s) with the OSes found on the disk ("grub-mkconfig" will probably find and pick up the OS from the live usb; if you have a multiboot flash drive with Windows 10 and a bunch of live distributions, this is normal). If the terminal is "empty" and the "grub.cfg" file is not generated, then this is the very case when there are GRUB bugs in the system (and most likely a loader from the test branch of the repository); reinstall GRUB2 from trusted sources.
The "simple configuration" installation and GRUB2 setup is complete.

C5. Kuyesa kwaumboni kwa GNU/Linux OS yosungidwaTimamaliza ntchito ya crypto molondola. Kusiya mosamala GNU/Linux yosungidwa (tulukani chilengedwe cha chroot).

umount -a #Ρ€Π°Π·ΠΌΠΎΠ½Ρ‚ΠΈΡ€ΠΎΠ²Π°Π½ΠΈΠ΅ всСх смонтированных Ρ€Π°Π·Π΄Π΅Π»ΠΎΠ² ΡˆΠΈΡ„Ρ€ΠΎΠ²Π°Π½Π½ΠΎΠΉ GNU/Linux
Ctrl+d #Π²Ρ‹Ρ…ΠΎΠ΄ ΠΈΠ· срСды chroot
umount /mnt/dev
umount /mnt/proc
umount /mnt/sys
umount -a #Ρ€Π°Π·ΠΌΠΎΠ½Ρ‚ΠΈΡ€ΠΎΠ²Π°Π½ΠΈΠ΅ всСх смонтированных Ρ€Π°Π·Π΄Π΅Π»ΠΎΠ² Π½Π° live usb
reboot

Pambuyo poyambitsanso PC, bootloader ya VeraCrypt iyenera kutsegula.
Full disk encryption ya Windows Linux anaika machitidwe. Encrypted multi-boot

* Kulowetsa mawu achinsinsi pagawo logwira ntchito kumayamba kutsitsa Windows.
*Kukanikiza fungulo la "Esc" kudzasamutsa ku GRUB2, ngati mutasankha GNU/Linux yosungidwa - mawu achinsinsi (sda7_crypt) adzafunika kuti mutsegule /boot/initrd.img (ngati grub2 ilemba uuid "sanapezeke" - ichi ndi vuto ndi grub2 bootloader, iyenera kubwezeretsedwanso, mwachitsanzo, kuchokera ku nthambi yoyesa / khola etc.).
Full disk encryption ya Windows Linux anaika machitidwe. Encrypted multi-boot

* Malingana ndi momwe mudakonzera dongosolo (onani ndime B4.4/4.5), mutalowa mawu achinsinsi olondola kuti mutsegule chithunzi /boot/initrd.img, mudzafunika mawu achinsinsi kuti mutenge OS kernel/root, kapena chinsinsi. key idzalowetsedwa m'malo " skey ", kuchotsa kufunika kolowetsanso mawu achinsinsi.
Full disk encryption ya Windows Linux anaika machitidwe. Encrypted multi-boot
(chithunzi cha "kulowetsa m'malo mwachinsinsi").

*Kenako njira yodziwika bwino yotsitsa GNU/Linux ndi kutsimikizika kwa akaunti ya ogwiritsa itsatira.
Full disk encryption ya Windows Linux anaika machitidwe. Encrypted multi-boot

* After user authorization and login to the OS, you need to update /boot/initrd.img once more (see B4.6).

update-initramfs -u -k all

And if there are extra lines in the GRUB2 menu (picked up from the OS on the live usb), get rid of them

mount /dev/sda6 /mnt
grub-mkconfig -o /mnt/boot/grub/grub.cfg

A quick summary of GNU/Linux system encryption:

  • GNU/Linux is fully encrypted, including /boot (kernel and initrd);
  • the secret key is packed into initrd.img;
  • the current authorization scheme (entering a password to unlock initrd; password/key to boot the OS; password to authorize the Linux account).

The "simple GRUB2 configuration" of block-partition system encryption is complete.

C6. Advanced GRUB2 configuration. Bootloader protection with a digital signature + authentication protection

GNU/Linux is fully encrypted, but the bootloader cannot be encrypted; this condition is dictated by the BIOS. For this reason, a chained encrypted boot of GRUB2 is not possible, while a simple chained boot is possible/available but, from a security point of view, is not needed [see section F].
For the "vulnerable" GRUB2, the developers implemented a "signature/authentication" bootloader protection algorithm.

  • When the bootloader is protected by "its own digital signature", external modification of files, or an attempt to load additional modules into this bootloader, will cause the boot process to be blocked.
  • When the bootloader is protected with authentication, in order to select a distribution to boot, or to enter additional commands in the CLI, you must enter the login and password of the GRUB2 superuser.

C6.1. Bootloader authentication protection

Make sure that you are working in a terminal on the encrypted OS

ls /<Tab-Tab> #detect the marker file

create a superuser password for authorization in GRUB2

grub-mkpasswd-pbkdf2 #enter/repeat the superuser password.

Get the password hash. Something like this

grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8

mount the GRUB partition

mount /dev/sda6 /mnt

edit the config

nano -$ /mnt/boot/grub/grub.cfg

check with a file search that there are no flags anywhere in "grub.cfg" ("--unrestricted", "--user"),
add at the very end (before the line ### END /etc/grub.d/41_custom ###)
"set superusers="root"
password_pbkdf2 root hash."

It should look something like this

# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f ${config_directory}/custom.cfg ]; then
source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
source $prefix/custom.cfg;
fi
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
### END /etc/grub.d/41_custom ###
#

If you often use the command "grub-mkconfig -o /mnt/boot/grub/grub.cfg" and do not want to edit grub.cfg every time, put the above lines (Login:Password) at the very bottom of the GRUB user script

nano /etc/grub.d/41_custom 

cat <<EOF
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
EOF

When the config is generated with "grub-mkconfig -o /mnt/boot/grub/grub.cfg", the authentication lines will be added to grub.cfg automatically.
This completes the GRUB2 authentication setup.
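
A check for the authentication setup in C6.1, as an added example that is not part of the original guide: it audits a grub.cfg for a usable superusers assignment, a password_pbkdf2 record for every superuser, and menu entries opened with --unrestricted or --users. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a grub.cfg for the authentication settings from C6.1.
# audit_grub_auth FILE -> prints findings, returns 0 (clean) or 1 (findings).
audit_grub_auth() {
    awk -v q="'" '
    function strip(s) { gsub("[\"" q "]", "", s); return s }
    function title(s,   t) {
        if (split(s, t, q) >= 3) return t[2]
        if (split(s, t, "\"") >= 3) return t[2]
        return "(untitled)"
    }
    function finding(msg) { print msg; bad++ }

    /^[ \t]*#/ { next }                      # ignore comment lines

    $1 == "set" && $2 ~ /^superusers/ {
        # GRUB accepts only name=value written as one word. With spaces
        # around "=" the assignment fails and no password is ever asked.
        if ($2 !~ /^superusers=./) {
            finding("FAIL line " NR ": malformed superusers assignment")
            next
        }
        n = split(strip(substr($0, index($0, "=") + 1)), name, /[ ,;&|]+/)
        for (i = 1; i <= n; i++) if (name[i] != "") su[name[i]] = 1
        next
    }
    $1 == "password_pbkdf2" && $3 ~ /^grub\.pbkdf2\./ { hashed[$2] = 1; next }
    $1 == "password" {
        finding("FAIL line " NR ": clear-text password for user " $2)
        next
    }
    $1 == "menuentry" || $1 == "submenu" {
        if ($0 ~ /--unrestricted/)
            finding("WARN line " NR ": boots without a password: " title($0))
        if ($0 ~ /--users/)
            finding("WARN line " NR ": opened to non-superusers: " title($0))
    }
    END {
        for (u in su) {
            count++
            if (!(u in hashed))
                finding("FAIL: superuser " u " has no password_pbkdf2 record")
        }
        if (count == 0) finding("FAIL: no superusers set, GRUB asks nobody")
        exit (bad > 0)
    }' "$1"
}

# Constructed sample config with the mistakes this section warns about
# (the hash is a placeholder, not a real grub-mkpasswd-pbkdf2 output).
sample_weak_cfg() {
    cat <<'EOF'
set superusers = "root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.SALT_PLACEHOLDER.HASH_PLACEHOLDER
menuentry 'Debian GNU/Linux' --class gnu-linux --unrestricted {
    linux /vmlinuz
}
EOF
}

# Usage: sh audit_grub_auth.sh /mnt/boot/grub/grub.cfg
if [ "$#" -eq 1 ]; then
    audit_grub_auth "$1" || echo "findings above need attention"
fi
```

Run it against /mnt/boot/grub/grub.cfg after every grub-mkconfig, since regeneration can reintroduce flags that were removed by hand.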

C6.2. Bootloader protection with a digital signature

It is assumed that you already have your personal pgp encryption key (or create such a key). The system must have cryptographic software installed: gnuPG; kleopatra/GPA; Seahorse. Crypto software will make your life much easier in all such matters. Seahorse - stable package version 3.14.0 (higher versions, e.g. V3.20, are inferior and have significant bugs).

The PGP key must be generated/launched/added only in the su environment!

Generate a personal encryption key

gpg --gen-key

Export your key

gpg --export -o ~/perskey

Mount the logical disk in the OS if it is not already mounted

mount /dev/sda6 /mnt #sda6 is the GRUB2 partition

clean the GRUB2 partition

rm -rf /mnt/

Install GRUB2 into sda6, placing your personal key in the main GRUB image "core.img"

grub-install --force --modules="gcry_sha256 gcry_sha512 signature_test gcry_dsa gcry_rsa" -k ~/perskey --root-directory=/mnt /dev/sda6

options
* --force - install the bootloader, bypassing all the warnings that are always present (required flag).
* --modules="gcry_sha256 gcry_sha512 signature_test gcry_dsa gcry_rsa" - instructs GRUB2 to preload the required modules when the PC starts.
* -k ~/perskey - path to the "PGP key" (after the key is packed into the image, it can be deleted).
* --root-directory - set the boot directory to the root of sda6
* /dev/sda6 - your sdaX partition.

Generate/update grub.cfg

grub-mkconfig  -o /mnt/boot/grub/grub.cfg

Add the line "trust /boot/grub/perskey" to the end of the "grub.cfg" file (forces use of the pgp key). Since we installed GRUB2 with a set of modules, including the signature module "signature_test.mod", this eliminates the need to add commands such as "set check_signatures=enforce" to the config.

It should look something like this (the last lines of the grub.cfg file)

### BEGIN /etc/grub.d/41_custom ###
if [ -f ${config_directory}/custom.cfg ]; then
source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
source $prefix/custom.cfg;
fi
trust /boot/grub/perskey
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
### END /etc/grub.d/41_custom ###
#

The path to "/boot/grub/perskey" does not need to point to a specific disk partition, e.g. hd0,6; for the bootloader itself, "root" is the default path of the partition on which GRUB2 is installed (see set root=..).

Sign GRUB2 (all files in all /GRUB directories) with your key "perskey".
A simple solution for signing (for the nautilus/caja file manager): install the "seahorse" extension for the file manager from the repository. Your key must be added to the su environment.
Open the file manager with sudo, "/mnt/boot" - right click - sign. On screen it looks like this


The key itself, "/mnt/boot/grub/perskey" (copy it to the grub directory), must also be signed with your own signature. Check that the [*.sig] signature files have appeared in the directory/subdirectories.
Using the method described above, sign "/boot" (our kernel, initrd). If your time is worth anything, this method eliminates the need to write a bash script to sign "a lot of files."

To remove all bootloader signatures (if something went wrong)

rm -f $(find /mnt/boot/grub -type f -name '*.sig')

So as not to re-sign the bootloader after a system update, we freeze all update packages related to GRUB2.

apt-mark hold grub-common grub-pc grub-pc-bin grub2 grub2-common

At this step, the advanced GRUB2 configuration <protect the bootloader with a digital signature> is complete.

C6.3. Proof test of the GRUB2 bootloader protected by a digital signature and authentication

GRUB2. When selecting any GNU/Linux distribution or entering the CLI (command line), superuser authorization will be required. After entering the correct login/password, you will need the initrd password

Screenshot: successful GRUB2 superuser authentication.

If you tamper with any of the GRUB2 files/make changes to grub.cfg, or delete a file/signature, or load a malicious module.mod, a corresponding warning will appear. GRUB2 will halt booting.

Screenshot: an attempt to tamper with GRUB2 "from outside".

During a "normal" boot "without intrusion", the system exit code status is "0". Therefore, it is unknown whether the protection works or not (that is, "with or without bootloader signature protection", the status during a normal boot is the same "0" - this is bad).

How to check digital signature protection?

The wrong way to check: fake/remove a module used by GRUB2, for example, remove the signature luks.mod.sig and get an error.

The right way: go to the bootloader CLI and type the command

list_trusted

In response, you should receive the fingerprint of "perskey"; if the status is "0", then signature protection is not working; double-check paragraph C6.2.
At this step, the advanced configuration "Protecting GRUB2 with a digital signature and authentication" is complete.

C7 An alternative method of protecting the GRUB2 bootloader using hashing

The "bootloader digital-signature protection/authentication" method described above is a classic. Due to the imperfections of GRUB2, under paranoid conditions it is susceptible to a real attack, which I will give below in paragraph [F]. In addition, after updating the OS/kernel, the bootloader must be re-signed.

Protecting the GRUB2 bootloader using hashing

Advantages over the classics:

  • A higher level of reliability (hashing/verification takes place only from an encrypted local resource. The entire partition allocated to GRUB2 is monitored for any changes, and everything else is encrypted; in the classic scheme with bootloader digital-signature protection/authentication, only the files are controlled, but not the free space, into which "something sinister" can be added).
  • Encrypted logging (a human-readable personal encrypted log is added to the scheme).
  • Speed (protection/verification of the entire partition allocated to GRUB2 happens almost instantly).
  • Automation of all cryptographic processes.

Disadvantages compared to the classics.

  • Signature forgery (theoretically, it is possible to find a collision for the given hash function).
  • Increased level of difficulty (compared to the classics, a bit more skill with GNU/Linux is required).

How the GRUB2/partition hashing idea works

The GRUB2 partition is "signed"; when the OS boots, the bootloader partition is checked for immutability, followed by logging in a secure (encrypted) environment. If the bootloader or its partition is compromised, then in addition to the intrusion log entry, the following is triggered:

(picture)

A similar check occurs four times a day, which does not load system resources.
Using the "-$ проверка_GRUB" command, an instant check is run at any time without logging, but with output to the CLI.
Using the "-$ sudo подпись_GRUB" command, the GRUB2 bootloader/partition is instantly re-signed and its log updated (needed after an OS/boot update), and life goes on.

Implementing the hashing method for the bootloader and its partition

0) Let's sign the GRUB bootloader/partition, first mounting it in /media/username

-$ hashdeep -c md5 -r /media/username/GRUB > /podpis.txt

1) We create a script without an extension in the root of the encrypted OS, ~/podpis, and apply the required 744 permissions and "foolproofing" to it.

Fill in its contents

#!/bin/bash

#Check the whole partition allocated to the GRUB2 bootloader for immutability.
#A log of "intrusion/successful directory check" is kept; in short, a full log with triple verbosity. Attention! mind the paths: store the GRUB2 digital signature only on the encrypted GNU/Linux OS partition.
echo -e "******************************************************************\n" >> '/var/log/podpis.txt' && date >> '/var/log/podpis.txt' && hashdeep -vvv -a -k '/podpis.txt' -r '/media/username/GRUB' >> '/var/log/podpis.txt'

a=`tail '/var/log/podpis.txt' | grep failed` #do not use "cat"!!
b="hashdeep: Audit failed"

#Condition: on any change in the partition allocated to GRUB2, a second, separate short log "intrusion only" is written in addition to the full log, and a blinking "warning" gif is shown on the monitor.
if [[ "$a" = "$b" ]]
then
echo -e "****\n" >> '/var/log/vtorjenie.txt' && echo "vtorjenie" >> '/var/log/vtorjenie.txt' && date >> '/var/log/vtorjenie.txt' & sudo -u username DISPLAY=:0 eom '/warning.gif'
fi

Run the script from su; the hashing of the GRUB partition and its bootloader will be checked; save the log.

Let's create or copy, for example, a "malicious file" [virus.mod] to the GRUB2 partition and run a temporary scan/test:

-$ hashdeep -vvv -a -k '/podpis.txt' -r '/media/username/GRUB'

The CLI should show the invasion of our home.
#Trimmed log in the CLI

Ср янв  2 11::41 MSK 2020
/media/username/GRUB/boot/grub/virus.mod: Moved from /media/username/GRUB/1nononoshifr
/media/username/GRUB/boot/grub/i386-pc/mda_text.mod: Ok
/media/username/GRUB/boot/grub/grub.cfg: Ok
hashdeep: Audit failed
   Input files examined: 0
  Known files expecting: 0
          Files matched: 325
Files partially matched: 0
            Files moved: 1
        New files found: 0
  Known files not found: 0

#As you can see, "Files moved: 1" and "Audit failed" appear, which means the check failed.
Due to the nature of the partition being tested, "Files moved" is reported instead of "New files found"

2) Put the gif here > ~/warning.gif and set the permissions to 744.

3) Configure fstab to automount the GRUB partition at boot

-$ sudo nano /etc/fstab

LABEL=GRUB /media/username/GRUB ext4 defaults 0 0

4) Rotate the log

-$ sudo nano /etc/logrotate.d/podpis 

/var/log/podpis.txt {
daily
rotate 50
size 5M
dateext
compress
delaycompress
olddir /var/log/old
}

/var/log/vtorjenie.txt {
monthly
rotate 5
size 5M
dateext
olddir /var/log/old
}

5) Add a job to cron

-$ sudo crontab -e

@reboot '/podpis'
0 */6 * * * '/podpis'

6) Create permanent aliases

-$ sudo su
-$ echo "alias подпись_GRUB='hashdeep -c md5 -r /media/username/GRUB > /podpis.txt'" >> /root/.bashrc && bash
-$ echo "alias проверка_GRUB='hashdeep -vvv -a -k '/podpis.txt' -r /media/username/GRUB'" >> /root/.bashrc && bash

After an OS update (-$ apt-get upgrade), re-sign our GRUB partition
-$ подпись_GRUB
At this step, hashing protection of the GRUB partition is complete.
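
The same manifest audit as in C7, as an added example that is not part of the original guide: it uses sha256sum from coreutils instead of hashdeep with MD5, and it reports a planted file as NEW by path, where the hashdeep run above labelled virus.mod as "moved". The function names are illustrative assumptions; keep the manifest and the log on the encrypted root, as the guide does with /podpis.txt.

```shell
#!/bin/sh
# Added example: SHA-256 manifest of a mounted boot partition and an audit
# that reports changed, missing and new files separately.

# make_manifest DIR MANIFEST - hash every regular file under DIR.
# MANIFEST must live outside DIR (on the encrypted root).
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# audit_manifest DIR MANIFEST - prints CHANGED/MISSING/NEW lines and
# returns 0 when the tree matches the manifest exactly, 1 otherwise.
audit_manifest() {
    dir=$1
    manifest=$2
    status=0
    now=$(mktemp) || return 2
    make_manifest "$dir" "$now"
    awk '
        BEGIN { bad = 0 }
        { path = substr($0, 67) }      # 64 hex digits + 2 separator chars
        FILENAME == ARGV[1] { known[path] = $1; next }
        !(path in known)    { print "NEW     " path; bad = 1; next }
        known[path] != $1   { print "CHANGED " path; bad = 1 }
                            { seen[path] = 1 }
        END {
            for (p in known)
                if (!(p in seen)) { print "MISSING " p; bad = 1 }
            exit bad
        }' "$manifest" "$now" || status=1
    rm -f "$now"
    return "$status"
}

# audit_and_log DIR MANIFEST LOG - append a dated result to LOG and return
# the audit status, so a cron wrapper can raise its own alert on failure.
audit_and_log() {
    rc=0
    report=$(audit_manifest "$1" "$2") || rc=$?
    {
        date
        if [ "$rc" -eq 0 ]; then
            echo "audit passed"
        else
            printf '%s\n' "$report" "AUDIT FAILED"
        fi
    } >> "$3"
    return "$rc"
}

# Usage (paths are assumptions matching the guide's layout):
#   make_manifest /media/username/GRUB /podpis.sha256
#   audit_and_log /media/username/GRUB /podpis.sha256 /var/log/podpis.txt
```

Rebuild the manifest with make_manifest after every OS or kernel update, at the same point where the guide re-signs the partition.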

[D] Wiping - destroying unencrypted data

Delete your personal files so completely that "even God can't read them," according to South Carolina spokesman Trey Gowdy.

As usual, there are various "myths and legends" about recovering data after it has been deleted from a hard drive. If you believe in cyber-witchcraft, or are a member of the Dr community and have never tried recovering data after it was deleted/overwritten (for example, recovery using R-studio), then the proposed method is unlikely to suit you; use whatever is closest to you.

After successfully migrating GNU/Linux to an encrypted partition, the old copy must be deleted without the possibility of data recovery. A universal cleaning method: the free GUI software BleachBit for Windows/Linux.
Quick-format the partition whose data is to be destroyed (via Gparted), launch BleachBit, select "Wipe free space", select the partition (your sdaX with the previous copy of GNU/Linux), and the wiping process will start. BleachBit wipes the disk in one pass - this is what "we need". But! This only works in theory if you formatted the disk and wiped it in BB v2.0.

Attention! BB wipes the disk but leaves metadata; file names are preserved when the data is erased (Ccleaner does not leave metadata).

And the myth about the possibility of data recovery is not entirely a myth.
Bleachbit V2.0-2, a former package of the unstable Debian OS (and any other similar software: sfill; wipe-Nautilus - they were also seen in this dirty business), actually had a critical bug: the "free space wiping" function works incorrectly on HDD/Flash drives (ntfs/ext4). Software of this kind, when wiping free space, does not overwrite the entire disk, as many users think. And some (a lot) of the deleted data the OS/software treats as non-deleted/user data, and when wiping "OSP" (free space) it skips these files. The problem is that after such a long disk wipe, "deleted files" can be recovered even after 3+ wiping passes.
On GNU/Linux in Bleachbit 2.0-2 the functions for permanently deleting files and directories work reliably, but wiping free space does not. For comparison: on Windows in CCleaner the "OSP for ntfs" function works properly, and God really won't be able to read the deleted data.

And so, to thoroughly remove the "compromising" old unencrypted data, Bleachbit needs direct access to this data; then use the "permanently delete files/directories" function.
To remove "files deleted using standard OS tools" in Windows, use CCleaner/BB with the "OSP" function. In GNU/Linux, for this problem (removing deleted files) you need to practice on your own (deleting data + an independent attempt to recover it, and you should not rely on the software version (if it isn't a backdoor, it's a bug)); only in this case will you be able to understand the mechanism of the problem and get rid of deleted data completely.

I haven't tested Bleachbit v3.0; the problem may already have been fixed.
Bleachbit v2.0 works honestly.

At this step, disk wiping is complete.

[E] Universal backup of the encrypted OS

Every user has their own method of backing up data, but the encrypted data of a system OS requires a slightly different approach to the task. Unified software such as Clonezilla and similar tools cannot work directly with encrypted data.

Statement of the problem of backing up encrypted block devices:

  1. universality - the same backup algorithm/software for Windows/Linux;
  2. the ability to work in the console from any live usb GNU/Linux without the need to download additional software (but I still recommend a GUI);
  3. backup security - the stored "images" must be encrypted/password-protected;
  4. the size of the encrypted data must match the size of the actual data being copied;
  5. convenient extraction of the needed files from the backup copy (no requirement to decrypt the whole partition first).

For example, backup/restore via the "dd" utility

dd if=/dev/sda7 of=/путь/sda7.img bs=7M conv=sync,noerror #/путь = path to the image
dd if=/путь/sda7.img of=/dev/sda7 bs=7M conv=sync,noerror

It meets almost all points of the task, but fails point 4, because it copies the entire disk partition, including free space - not interesting.

For example, backing up GNU/Linux via an archiver [tar | gpg] is convenient, but for a Windows backup you have to look for another solution - not interesting.

E1. Universal Windows/Linux backup. The rsync (Grsync) + VeraCrypt volume combination

Algorithm for creating a backup copy:

  1. create an encrypted container (volume/file) VeraCrypt for the OS;
  2. transfer/synchronize the OS using the Rsync software into the VeraCrypt crypto container;
  3. if necessary, upload the VeraCrypt volume to www.

Creating an encrypted VeraCrypt container has its own peculiarities:
creating a dynamic volume (creating a DT is available only in Windows; it can also be used in GNU/Linux);
creating a regular volume, but with the requirement of a "paranoid character" (according to the developer) - formatting the container.

A dynamic volume is created almost instantly in Windows, but when copying data from GNU/Linux > VeraCrypt DT, the overall performance of the backup operation drops significantly.

A regular 70 GB Twofish volume is created (let's say, on average PC power) on an HDD in ~ half an hour (overwriting the former container data in one pass is due to security requirements). The function of quickly formatting a volume when creating it has been removed from VeraCrypt Windows/Linux, so creating a container is only possible through a "one-pass overwrite" or by creating a low-performance dynamic volume.

Create a regular VeraCrypt volume (not dynamic/ntfs); there should be no problems.

Configure/create/open the container in the VeraCrypt GUI > GNU/Linux live usb (the volume will be automounted in /media/veracrypt2, the Windows OS volume will be mounted in /media/veracrypt1). Create an encrypted backup of the Windows OS using GUI rsync (grsync) by ticking the boxes.


Wait for the process to finish. Once the backup is complete, we will have a single encrypted file.

Similarly, create a backup copy of the GNU/Linux OS, unchecking the "Windows compatibility" box in the rsync GUI.

Attention! Create the Veracrypt container for the "GNU/Linux backup" with the ext4 file system. If you make the backup into an ntfs container, then when you restore such a copy you will lose all rights/groups on all your data.

You can perform all operations in the terminal. Basic options for rsync:
* -g - preserve groups;
* -P, --progress - status of the time spent working on a file;
* -H - copy hardlinks as they are;
* -a - archive mode (combines the rlptgoD flags);
* -v - verbose output.

If you want to mount the "Windows VeraCrypt volume" through the console with the cryptsetup software, you can create an alias (su)

echo "alias veramount='cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sdaX Windows_crypt && mount /dev/mapper/Windows_crypt /media/veracrypt1'" >> .bashrc && bash

Now the "veramount" command will prompt you to enter a passphrase, and the encrypted Windows system volume will be mounted in the OS.

Map/mount a VeraCrypt system volume with the cryptsetup command

cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sdaX Windows_crypt
mount /dev/mapper/Windows_crypt /mnt

Map/mount a VeraCrypt partition/container with the cryptsetup command

cryptsetup open --veracrypt --type tcrypt /dev/sdaY test_crypt
mount /dev/mapper/test_crypt /mnt

Instead of an alias, we will add (a startup script) the system volume with the Windows OS and the logical encrypted ntfs disk to GNU/Linux startup.

Create a script and save it in ~/VeraOpen.sh

#base64 is an encoding, not encryption: anyone who can read this file recovers the password, so it must stay on the encrypted root with the permissions set below.
printf 'Ym9i' | base64 -d | cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sda3 Windows_crypt && mount /dev/mapper/Windows_crypt /media/Winda7 #decode the password from base64 (bob) and feed it to the password prompt when mounting the Windows OS system disk.
printf 'Ym9i' | base64 -d | cryptsetup open --veracrypt --type tcrypt /dev/sda1 ntfscrypt && mount /dev/mapper/ntfscrypt /media/КонтейнерНтфс #the same, but mounts the logical ntfs disk.

We assign the "correct" permissions:

sudo chmod 100 /VeraOpen.sh

Create two identical files (same name!) in /etc/rc.local and ~/etc/init.d/rc.local
File contents

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

sh -c "sleep 1 && '/VeraOpen.sh'" #after the OS boots, wait ~1 s and only then mount the disks.
exit 0

We assign the "correct" permissions:

sudo chmod 100 /etc/rc.local && sudo chmod 100 /etc/init.d/rc.local 

That's it; now when booting GNU/Linux we don't need to enter passwords to mount the encrypted ntfs disks; the disks are mounted automatically.

A brief note on what is described above in paragraph E1, step by step (but now for OS GNU/Linux)
1) Create a volume with the ext4 fs > 4gb (for the file) Linux in Veracrypt [Cryptbox].
2) Reboot into a live usb.
3) ~$ cryptsetup open /dev/sda7 Linux #map the encrypted partition.
4) ~$ mount /dev/mapper/Linux /mnt #mount the encrypted partition on /mnt.
5) ~$ mkdir mnt2 #create a directory for the future backup.
6) ~$ cryptsetup open --veracrypt --type tcrypt ~/CryptoBox CryptoBox && mount /dev/mapper/CryptoBox /mnt2 #map the Veracrypt volume named "CryptoBox" and mount CryptoBox on /mnt2.
7) ~$ rsync -avlxhHX --progress /mnt /mnt2/ #back up the encrypted partition into the encrypted Veracrypt volume.

(p/s/ Attention! If you are transferring the encrypted GNU/Linux from one architecture/machine to another, for example, Intel > AMD (that is, deploying a backup from one encrypted partition to another encrypted Intel > AMD partition), do not forget, after transferring the encrypted OS, to replace the secret key substituted in place of the password; the previous key ~/etc/skey will no longer fit the other encrypted partition, and it is not advisable to create a new key with "cryptsetup luksAddKey" from under chroot - a glitch is possible; just specify "none" temporarily instead of "/etc/skey" in ~/etc/crypttab, and after rebooting and logging into the OS, re-create your secret wildcard key).

As IT veterans, remember to separately back up the headers of the encrypted Windows/Linux OS partitions, or the encryption will turn against you.
At this step, backup of the encrypted OS is complete.

[F] Attack on the GRUB2 bootloader

If you have protected your bootloader with a digital signature and/or authentication (see item C6.), this will not protect against physical access. The encrypted data will still be inaccessible, but the protection will be bypassed (digital signature protection reset): GRUB2 allows a cyber-villain to inject his code into the bootloader without arousing suspicion (unless the user manually monitors the state of the bootloader, or comes up with their own robust arbitrary script code for grub.cfg).

Attack algorithm. The intruder

* Boots the PC from a live usb. Any modification of files (by the intruder) would notify the real owner of the PC about the intrusion into the bootloader. But a simple reinstallation of GRUB2 keeping grub.cfg (and the subsequent ability to edit it) will allow an attacker to edit any files (in this situation, when loading GRUB2, the real user will not be notified. The status is the same <0>)
* Mounts the unencrypted partition, saves "/mnt/boot/grub/grub.cfg".
* Reinstalls the bootloader (removing "perskey" from the core.img image)

grub-install --force --root-directory=/mnt /dev/sda6

* Returns "grub.cfg" > "/mnt/boot/grub/grub.cfg", edits it if necessary, for example adding his own module "keylogger.mod" to the folder with the loader modules, and in "grub.cfg" > the line "insmod keylogger". Or, for example, if the adversary is cunning, then after reinstalling GRUB2 (all signatures remain in place) he builds the main GRUB2 image using "grub-mkimage with the option (-c)". The "-c" option allows loading his own config before the main "grub.cfg" is loaded. The config can consist of just one line: a redirect to any "modern.cfg", mixed in, for example, with the ~400 files (modules + signatures) in the folder "/boot/grub/i386-pc". In this case, an attacker can insert arbitrary code and load modules without touching "/boot/grub/grub.cfg", even if the user applied a "hashsum" to the file and temporarily displayed it on screen.
The attacker will not need to crack the GRUB2 superuser login/password; he only needs to copy the lines (responsible for authentication) from "/boot/grub/grub.cfg" into his "modern.cfg"

set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8

And the PC owner will still be authenticated as the GRUB2 superuser.

Chainloading (a bootloader loads another bootloader), as I wrote above, makes no sense (it is intended for another purpose). An encrypted bootloader cannot be loaded because of the BIOS (chain boot restarts GRUB2 > encrypted GRUB2, error!). However, if you still use the idea of chainloading, you can be sure that it is the encrypted (not modified) "grub.cfg" from the encrypted partition that is being loaded. And this is also a false sense of security, because everything specified in the encrypted "grub.cfg" (module loading) is added up from modules that are loaded from the unencrypted GRUB2.

If you want to check this, allocate/encrypt another partition sdaY, copy GRUB2 to it (the grub-install operation on an encrypted partition is not possible) and in "grub.cfg" (the unencrypted config) change lines like these

menuentry 'GRUBx2' --class parrot --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-382111a2-f993-403-2c-aa292e-5b4780eacXNUMX' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_msdos
insmod cryptodisk
insmod luks
insmod gcry_twofish
insmod gcry_twofish
insmod gcry_sha512
insmod ext2
cryptomount -u 15c47d1c4bd34e5289df77bcf60ee838
set root='cryptouuid/15c47d1c4bd34e5289df77bcf60ee838'
normal /boot/grub/grub.cfg
}

lines
* insmod - load the modules needed to work with the encrypted disk;
* GRUBx2 - the name of the line shown in the GRUB2 boot menu;
* cryptomount -u 15c47d1c4bd34e5289df77bcf60ee838 - see fdisk -l (sda9);
* set root - set the root;
* normal /boot/grub/grub.cfg - the executable config file on the encrypted partition.

Confidence that it is the encrypted "grub.cfg" that is loaded is a positive response to entering the password/unlocking "sdaY" when selecting the line "GRUBx2" in the GRUB menu.

When working in the CLI, so as not to get confused (and to check whether the "set root" environment variable worked), create empty marker files, for example "/shifr_grub" in the encrypted partition and "/noshifr_grub" in the unencrypted partition. Checking in the CLI

cat /Tab-Tab

As noted above, this will not help against loading malicious modules if such modules end up on your PC. For example, a keylogger that can save keystrokes to a file and mix it with the other files in "~/i386" until it is downloaded by an attacker with physical access to the PC.

The easiest way to verify that digital signature protection is actively working (not reset), and that no one has invaded the bootloader, is to enter the command in the CLI

list_trusted

In response we get a copy of our "perskey", or we get nothing if we have been attacked (you also need to check "set check_signatures=enforce").
The significant drawback of this step is that the commands are entered manually. If you add this command to "grub.cfg" and protect the configuration with a digital signature, the preliminary output of the key fingerprint stays on the screen only very briefly, and you may not have time to see the result when GRUB2 loads.
There is no one in particular to complain to: the developer officially declares in its documentation, section 18.2:

"Note that even with GRUB password protection, GRUB itself cannot prevent someone with physical access to the machine from altering that machine's firmware (e.g., Coreboot or BIOS) configuration to cause the machine to boot from a different (attacker-controlled) device. GRUB is at best only one link in a secure boot chain."

GRUB2 is overloaded with functions that can give a false sense of security, and its development has already surpassed MS-DOS in functionality, yet it is just a bootloader. It is funny that "tomorrow" GRUB2 may become an OS, with bootable GNU/Linux virtual machines for it.
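The manual list_trusted check above can be complemented from the booted OS. The following is an added example, not part of the original guide: a shell audit that confirms "grub.cfg" sets check_signatures=enforce and lists every file in a GRUB directory that lacks a detached ".sig". The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a GRUB2 directory from the booted OS.
# Names (unsigned_files, audit_grub_dir, demo) and the sample tree are constructed.

# List every regular file under $1 that has no detached "<file>.sig" beside it.
unsigned_files() {
    find "$1" -type f ! -name '*.sig' | sort | while IFS= read -r f; do
        [ -f "$f.sig" ] || printf '%s\n' "$f"
    done
}

# Return 0 only if grub.cfg sets check_signatures=enforce and nothing is unsigned.
audit_grub_dir() {
    dir=$1; fail=0
    if ! grep -Eq '^[[:space:]]*set[[:space:]]+check_signatures=enforce[[:space:]]*$' \
            "$dir/grub.cfg" 2>/dev/null; then
        echo "FAIL: check_signatures=enforce not set in $dir/grub.cfg"
        fail=1
    fi
    missing=$(unsigned_files "$dir")
    if [ -n "$missing" ]; then
        echo "FAIL: files without a detached .sig (added file or stripped signature):"
        printf '%s\n' "$missing" | sed 's/^/  /'
        fail=1
    fi
    [ "$fail" -eq 0 ] && echo "OK: enforce is set and every file has a .sig"
    return "$fail"
}

# Constructed sample: a signed config and module, plus one module dropped unsigned.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/i386-pc"
    printf 'set check_signatures=enforce\n' > "$d/grub.cfg"
    : > "$d/grub.cfg.sig"
    : > "$d/i386-pc/luks.mod"
    : > "$d/i386-pc/luks.mod.sig"
    : > "$d/i386-pc/extra.mod"      # no .sig: must be reported
    audit_grub_dir "$d"; rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || true
```

The audit only checks that a signature file is present; validating each one still requires `gpg --verify file.sig file` against the public key that GRUB trusts.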

A short video of how I reset GRUB2's digital signature protection and announced my intrusion to the real user (I scared you, but instead of what is shown in the video, you could write harmless code / a .mod).

Conclusions:

1) Block system encryption of Windows is easier to implement, and protection with a single password is more convenient than protection with several passwords under GNU/Linux block system encryption; to be fair, the latter is automated.

2) I wrote this article as a relevant and detailed, simple guide to full disk encryption with VeraCrypt/LUKS on a single home machine, and it is by far the best in RuNet (IMHO). The guide is > 50k characters long, so it did not cover some interesting topics: cryptographers who disappear / stay in the shadows; the fact that various GNU/Linux books write little / nothing about cryptography; Article 51 of the Constitution of the Russian Federation; the licensing/banning of encryption in the Russian Federation; why you need to encrypt "root/boot". The guide turned out to be large, but detailed (describing even the simple steps); in turn, this will save you a lot of time when you get to "real encryption".

3) Full disk encryption was performed on Windows 7 64; GNU/Linux Parrot 4x; GNU/Debian 9.0/9.5.

4) Carried out a successful attack on my own GRUB2 bootloader.

5) The tutorial was created to help all the paranoid people in the CIS, where working with encryption is permitted by law. And above all for those who want to roll out full disk encryption without demolishing their already configured systems.

6) I revised and updated my guide, which is relevant in 2020.

[G] Useful documentation

  1. TrueCrypt User Guide (February 2012 RU)
  2. VeraCrypt Documentation
  3. /usr/share/doc/cryptsetup(-run) [on your own system] (detailed documentation on setting up GNU/Linux encryption using cryptsetup)
  4. Official cryptsetup FAQ (brief documentation on setting up GNU/Linux encryption using cryptsetup)
  5. LUKS device encryption (archlinux documentation)
  6. Detailed description of cryptsetup syntax (man page)
  7. Detailed description of crypttab (man page)
  8. Official GRUB2 documentation.

Tags: full disk encryption, partition encryption, Linux full disk encryption, LUKS1 full system encryption.


Source: www.habr.com
