Full-disk encryption of installed Windows and Linux systems. Encrypted multiboot

Updated own guide to full-disk encryption in RuNet, V0.2.

Cowboy strategy:

[A] block system encryption of an installed Windows 7;
[B] block system encryption of an installed GNU/Linux (Debian) (including /boot);
[C] GRUB2 configuration, bootloader protection with digital signature/authentication/hashing;
[D] cleanup - destruction of unencrypted data;
[E] universal backup of the encrypted OSes;
[F] attack <on item [C6]>, target - the GRUB2 bootloader;
[G] useful documentation.

╭───Scheme of #room 40#:
├──╼ Windows 7 installed - full system encryption, not hidden;
├──╼ GNU/Linux installed (Debian and derivative distributions) - full system encryption, not hidden (/, including /boot; swap);
├──╼ independent bootloaders: the VeraCrypt bootloader is installed in the MBR, the GRUB2 bootloader is installed in the extended partition;
├──╼ no OS installation/reinstallation is required;
└──╼ cryptographic software used: VeraCrypt; Cryptsetup; GnuPG; Seahorse; Hashdeep; GRUB2 - all free/open.

The scheme described above partially solves the problem of "remote boot to a flash drive" and lets you enjoy encrypted Windows/Linux OSes and exchange data through an "encrypted channel" from one OS to the other.

PC boot order (one of the options):

  • power on the machine;
  • the VeraCrypt bootloader loads (entering the correct password continues booting Windows 7);
  • pressing the "Esc" key loads the GRUB2 bootloader;
  • the GRUB2 bootloader (choice of distribution/GNU/Linux/CLI) requires authentication of the GRUB2 superuser <login/password>;
  • after successful authentication and selection of the distribution, you need to enter a passphrase to unlock "/boot/initrd.img";
  • after the passphrase is entered without errors, GRUB2 will "require" one more password (the third in a row, not counting the BIOS password or the GNU/Linux user account password) to unlock and boot the GNU/Linux OS, or the secret key is substituted automatically (two passwords + key, or password + key);
  • external tampering with the GRUB2 configuration will freeze the GNU/Linux boot process.

Complicated? Fine, let's go and automate the process.

When partitioning a drive (MBR table), a PC can have no more than 4 primary partitions, or 3 primary and one extended, plus an unallocated area. An extended partition, unlike a primary one, can contain subpartitions (logical drives = extended partitions). In other words, the "extended partition" on the HDD replaces LVM for the task at hand: full system encryption. If your disk is split into 4 primary partitions, you need to use lvm, or convert (with formatting) a partition from primary to extended, or use all four partitions wisely and leave everything as it is, still getting the desired result. Even if you have a single partition on your disk, Gparted will help you partition the HDD (into additional partitions) without data loss, though with a small penalty for such operations.

The hard-drive layout that the rest of the article follows is shown in the table below.

Table (No. 1) of the 1TB partitions.

You should have something similar.
sda1 - primary partition No. 1, NTFS (encrypted);
sda2 - extended partition marker;
sda6 - logical disk (the GRUB2 bootloader is installed on it);
sda8 - swap (encrypted swap file/not always);
sda9 - test logical disk;
sda5 - logical disk for the curious;
sda7 - GNU/Linux OS (the OS transferred to an encrypted logical disk);
sda3 - primary partition No. 2 with Windows 7 (encrypted);
sda4 - primary partition No (it held the unencrypted GNU/Linux; used for backups/not always).

[A] Block system encryption of Windows 7

A1. VeraCrypt

From the official site, or from a mirror, download the installer version of the VeraCrypt cryptographic software (at the time of publication v1.24-Update3; the portable version of VeraCrypt is not suitable for system encryption). Check the checksum of the downloaded software

$ Certutil -hashfile "C:\VeraCrypt Setup 1.24.exe" SHA256

and compare the result with the checksum published on the VeraCrypt website.

If HashTab is installed, it is even simpler: RMB (VeraCrypt Setup 1.24.exe) - Properties - file hash sums.

To verify the program's signature, the software and the developer's public pgp key must be installed on the system: gnuPG; gpg4win.

A2. Installing/running VeraCrypt with administrator rights

A3. Selecting the system encryption parameters for the active partition

VeraCrypt – System – Encrypt system partition/drive – Normal – Encrypt the Windows system partition – Multi-boot – (warning: "Inexperienced users are not recommended to use this method", and that is true; we agree, "Yes") – Boot drive ("yes", even if it is not so, still "yes") – Number of system drives "2 or more" – Multiple systems on one drive "Yes" – Non-Windows bootloader "No" (in fact "Yes", but the VeraCrypt/GRUB2 bootloaders will not share the MBR between them; more precisely, only the smallest part of the bootloader code is stored in the MBR/boot track, and the main part lives inside the file system) – Multi-boot – Encryption settings…

If you deviate from the steps above (block system encryption schemes), VeraCrypt will issue a warning and will not let you encrypt the partition.

In the next step toward targeted data protection, run the "Test" and choose the encryption algorithm. If you have an outdated CPU, the fastest encryption algorithm will most likely be Twofish. If the CPU is powerful, you will see the difference: AES encryption, according to the test results, will be several times faster than its crypto competitors. AES is a popular encryption algorithm; the hardware of modern CPUs is specially optimized both for "secrecy" and for "breaking".

VeraCrypt supports encrypting disks in an AES(Twofish) cascade and other combinations. On an old-generation Intel CPU from ten years ago (without hardware AES support, A/T cascade encryption) the performance drop is slight (for AMD CPUs of the same era/~parameters, performance is slightly reduced). The OS works dynamically and the resource consumption of transparent encryption is not noticeable. This is in contrast to, for example, a performance drop caused by an installed test, unstable desktop environment Mate v1.20.1 (or v1.20.2, I don't remember exactly) in GNU/Linux, or by the telemetry routine in Windows7↑. Experienced users usually run hardware performance tests before encrypting, for example in Aida64/Sysbench/systemd-analyze, and compare the results with the same tests after the system is encrypted, thereby refuting for themselves the myth that "system encryption is harmful". A slowdown and inconvenience are noticeable when backing up/restoring encrypted data, because the "system data backup" operation itself is not measured in milliseconds, and the same "encrypt/decrypt" operations are added on top. In the end, every user who is allowed to tinker with cryptography balances the encryption algorithm against their needs, their level of paranoia, and ease of use.

It is better to leave the PIM parameter at its default, so that you do not have to enter exact iteration values every time the OS boots. VeraCrypt uses a huge number of iterations to create a truly "slow hash". An attack on such a "crypto snail" using brute force/rainbow tables only makes sense against a short "simple" passphrase and the victim's personal charset list. The price of password strength is a delay when the correct password is entered at OS boot (mounting VeraCrypt volumes in GNU/Linux is much faster).
Free software for carrying out a brute-force attack (extracting the passphrase from a VeraCrypt/LUKS disk header): Hashcat. John the Ripper cannot "break Veracrypt", and when working with LUKS it does not understand Twofish cryptography.

Because of the cryptographic strength of the encryption algorithms, unstoppable cypherpunks develop software with a different attack vector, for example extracting metadata/keys from RAM (cold boot attack/direct memory access). There is specialized free and non-free software for these purposes.

When VeraCrypt finishes configuring/generating the "unique metadata" of the encrypted active partition, it will offer to restart the PC and test how its bootloader works. After the reboot/start of Windows, VeraCrypt loads in standby mode; all that remains is to confirm the encryption process - Y.

At the final step of system encryption, VeraCrypt will offer to create a backup copy of the header of the active encrypted partition in the form of "veracrypt rescue disk.iso" - this must be done - in this software such an operation is a requirement (in LUKS, as a requirement, it is unfortunately omitted, but it is emphasized in the documentation). The rescue disk will come in handy for everyone, and for some more than once. Losing (header/MBR overwrite) the backup copy of the header will permanently deny access to the decrypted partition with the Windows OS.

A4. Creating a VeraCrypt rescue USB/disk

By default, VeraCrypt offers to burn "~2-3MB of metadata" to a CD, but not everyone has discs or a DVD-ROM drive, and creating a bootable "VeraCrypt Rescue Disk" flash drive will be a technical surprise for some: Rufus/GUIdd-ROSA ImageWriter and other similar software will not cope with the task, because in addition to copying the offset metadata to the bootable flash drive, you need to copy/paste the image outside the file system of the USB drive; in short, correctly copy the MBR/track to the flash drive. From GNU/Linux you can create the bootable flash drive with the "dd" utility, looking at this table.


Creating a rescue disk in the Windows environment is a different matter. The VeraCrypt developer did not include a solution to this problem in the official "rescue disk" documentation, but offered one in another way: he made additional software for creating a "usb rescue disk" freely available on his VeraCrypt forum. The archive of this software for Windows is "Create usb veracrypt rescue disk". After rescue disk.iso is saved, the block system encryption of the active partition begins. The OS does not stop working during encryption, and the PC does not need to be rebooted. When the encryption operation completes, the active partition is fully encrypted and ready to use. If the VeraCrypt bootloader does not appear when the PC starts and the header restore operation does not help, check the "boot" flag; it must be set on the partition where Windows is present (regardless of encryption and other OSes, see Table No. 1).
This completes the description of block system encryption with the Windows OS.

[B] LUKS. Encrypting an installed GNU/Linux (~Debian) OS. Algorithm and steps

To encrypt an installed Debian/derivative distribution, you need to map the prepared partition to a virtual block device, transfer the OS to the mapped GNU/Linux disk, and install/configure GRUB2. If you do not have a bare-metal server and you value your time, you should use the GUI; most of the terminal commands described below are meant to be run in "Chuck Norris mode".

B1. Booting the PC from a live usb GNU/Linux

"Run a crypto test of the hardware performance"

lscpu && cryptsetup benchmark


If you are the happy owner of a powerful machine with hardware AES support, the numbers will look like the right side of the terminal; if you are a happy owner, but of antique hardware, they will look like the left side.

B2. Disk partitioning. Mounting/formatting the fs of the logical HDD disk to Ext4 (Gparted)

B2.1. Creating the encrypted header of the sda7 partition

Here and below I describe partition names according to my partition table shown above. Substitute your own partition names according to your disk layout.

Mapping of the logical drive encryption (/dev/sda7 > /dev/mapper/sda7_crypt).
#Simple creation of a "LUKS-AES-XTS partition"

cryptsetup -v -y luksFormat /dev/sda7

Options:

* luksFormat - initialization of the LUKS header;
* -y - passphrase (not a key/file);
* -v - verbose output (shows information in the terminal);
* /dev/sda7 - your logical disk from the extended partition (where GNU/Linux is to be transferred/encrypted).

Default encryption algorithm <LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom> (depends on the cryptsetup version).

#Check the default encryption algorithm
cryptsetup --help #the very last line of the terminal output.

If the CPU has no hardware AES support, the best choice is to create an advanced "LUKS-Twofish-XTS partition".

B2.2. Advanced creation of a "LUKS-Twofish-XTS partition"

cryptsetup luksFormat /dev/sda7 -v -y -c twofish-xts-plain64 -s 512 -h sha512 -i 1500 --use-urandom

Options:
* luksFormat - initialization of the LUKS header;
* /dev/sda7 is your future encrypted logical disk;
* -v verbose output;
* -y passphrase;
* -c choice of the data encryption algorithm;
* -s encryption key size;
* -h hashing algorithm/crypto function; the RNG used (--use-urandom) generates a unique encryption/decryption key for the logical disk header and a secondary header key (XTS). The unique master key stored in the encrypted disk header, the secondary XTS key, all of this metadata and the encryption routine that, using the master key and the secondary XTS key, encrypts/decrypts any data on the partition (except the partition header) are stored in ~3MB on the selected hard disk partition.
* -i iterations in milliseconds, instead of a "count" (the time delay when processing the passphrase affects OS boot time and the cryptographic strength of the keys). To keep the balance of cryptographic strength, with a simple password like "Russian" you need to increase the -(i) value; with a complex password like "?8dƱob/øfh" the value can be reduced.
* --use-urandom random number generator; generates the keys and the salt.

After encrypting the partition sda7 > sda7_crypt (the operation is fast, since only an encrypted header with ~3 MB of metadata is created and that is all), you need to format and mount the sda7_crypt file system.

B2.3. Mapping

cryptsetup open /dev/sda7 sda7_crypt
#running this command prompts for the secret passphrase.

options:
* open - map the partition "with a name";
* /dev/sda7 - the logical disk;
* sda7_crypt - the name of the mapping, used to mount the encrypted partition or to initialize it when the OS boots.

B2.4. Formatting the sda7_crypt file system to ext4. Mounting the disk in the OS

(Note: you can no longer work with the encrypted partition in Gparted)

#formatting the encrypted block device
mkfs.ext4 -v -L DebSHIFR /dev/mapper/sda7_crypt

options:
* -v - verbose output;
* -L - drive label (shown in the file manager among the other drives).

Next, mount the virtual encrypted block device /dev/mapper/sda7_crypt into the system

mount /dev/mapper/sda7_crypt /mnt

Working with files in the /mnt directory automatically encrypts/decrypts the data in sda7.

It is more convenient to map and mount the partition in the file manager (nautilus/caja GUI): the partition will already be in the disk selection list, and all that remains is to enter the passphrase to open/decrypt the disk. The mapping name is chosen automatically and will not be "sda7_crypt", but something like /dev/mapper/Luks-xx-xx...

B2.5. Backing up the disk header (~3MB of metadata)

One of the most important operations, to be done without delay, is a backup copy of the "sda7_crypt" header. If you overwrite/damage the header (for example, by installing GRUB2 on the sda7 partition, etc.), the encrypted data is lost completely with no chance of recovering it, because it is impossible to regenerate the same keys; the keys are created unique.

#Backup of the partition header
cryptsetup luksHeaderBackup --header-backup-file ~/Бэкап_DebSHIFR /dev/sda7

#Restore of the partition header
cryptsetup luksHeaderRestore --header-backup-file <file> <device>

options:
* luksHeaderBackup --header-backup-file - the backup command;
* luksHeaderRestore --header-backup-file - the restore command;
* ~/Бэкап_DebSHIFR - the backup file;
* /dev/sda7 - the partition whose encrypted disk header is backed up.
At this step <creating and editing encrypted partitions> is complete.
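
The header backup from B2.5 can be checked offline, without root and without the original disk. The sketch below is an added example, not part of the original article: it reads the LUKS1 on-disk header fields straight from the backup file and compares them with the parameters chosen in B2.2. The function names and the constructed sample header are assumptions of this example, and it handles LUKS1 headers only.

```shell
#!/bin/sh
# Added example: offline check of a LUKS1 header backup file.
# Offsets follow the LUKS1 on-disk format (592-byte binary header, big-endian).

# read_str FILE OFFSET LEN: print a NUL-padded text field
read_str() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'
}

# read_hex FILE OFFSET LEN: print raw bytes as lowercase hex
read_hex() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# read_be FILE OFFSET LEN: print a big-endian unsigned integer in decimal
read_be() {
    hex=$(read_hex "$1" "$2" "$3")
    [ -n "$hex" ] || return 1
    echo $((0x$hex))
}

# Magic "LUKS" 0xBA 0xBE at offset 0, version 1 at offset 6
luks1_is_header() {
    [ "$(read_hex "$1" 0 6)" = "4c554b53babe" ] && [ "$(read_be "$1" 6 2)" = "1" ]
}

# cipher-name (offset 8) and cipher-mode (offset 40), e.g. twofish-xts-plain64
luks1_cipher() { echo "$(read_str "$1" 8 32)-$(read_str "$1" 40 32)"; }

# hash-spec (offset 72), e.g. sha512
luks1_hash() { read_str "$1" 72 32; }

# key-bytes (offset 108), reported in bits as passed to "-s"
luks1_key_bits() {
    kb=$(read_be "$1" 108 4) || return 1
    echo $((kb * 8))
}

# Eight 48-byte key slots start at offset 208; 0x00AC71F3 marks an enabled slot
luks1_active_slots() {
    slot=0; out=""
    while [ "$slot" -lt 8 ]; do
        state=$(read_be "$1" $((208 + slot * 48)) 4) || state=0
        [ "$state" -eq $((0x00AC71F3)) ] && out="$out $slot"
        slot=$((slot + 1))
    done
    echo "${out# }"
}

# luks1_verify_backup FILE CIPHER KEYBITS: 0 if the backup matches expectations
luks1_verify_backup() {
    luks1_is_header "$1" || { echo "$1: not a LUKS1 header"; return 1; }
    [ "$(luks1_cipher "$1")" = "$2" ] || { echo "$1: cipher is $(luks1_cipher "$1"), expected $2"; return 1; }
    [ "$(luks1_key_bits "$1")" = "$3" ] || { echo "$1: key is $(luks1_key_bits "$1") bits, expected $3"; return 1; }
    [ -n "$(luks1_active_slots "$1")" ] || { echo "$1: no enabled key slot"; return 1; }
    echo "$1: OK, $2, $3-bit key, hash $(luks1_hash "$1"), enabled slots: $(luks1_active_slots "$1")"
}

# make_sample_header FILE: constructed test input, not a real volume header.
# It mimics the B2.2 parameters with key slots 0 and 7 enabled.
make_sample_header() {
    f=$1
    dd if=/dev/zero of="$f" bs=592 count=1 2>/dev/null
    put() { printf "$2" | dd of="$f" bs=1 seek="$1" conv=notrunc 2>/dev/null; }
    put 0 'LUKS\272\276\000\001'     # magic + version 1
    put 8 'twofish'
    put 40 'xts-plain64'
    put 72 'sha512'
    put 108 '\000\000\000\100'       # key-bytes = 64 (512 bits)
    put 208 '\000\254\161\363'       # slot 0: enabled
    put 256 '\000\000\336\255'       # slot 1: disabled (0x0000DEAD)
    put 544 '\000\254\161\363'       # slot 7: enabled
}

# Usage: sh this_script.sh BACKUP_FILE twofish-xts-plain64 512
if [ "$#" -eq 3 ]; then
    luks1_verify_backup "$1" "$2" "$3"
fi
```

Store a checksum of the verified backup file (for example with Hashdeep, which the scheme already uses) next to the copy kept off the machine.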

B3. Transferring the GNU/Linux OS (sda4) to the encrypted partition (sda7)

Create the /mnt2 directory (note: we are still working from the live usb, and sda7_crypt is mounted at /mnt), and mount at /mnt2 our GNU/Linux, the one that needs to be encrypted.

mkdir /mnt2
mount /dev/sda4 /mnt2

We carry out a correct transfer of the OS using Rsync

rsync -avlxhHX --progress /mnt2/ /mnt

The Rsync options are described in section E1.

It is also necessary to defragment the logical disk partition

e4defrag -c /mnt/ #after the check, e4defrag will report that the fragmentation level of the partition is ~"0"; this is a misconception that can cost you a significant loss of performance!
e4defrag /mnt/ #defragment the encrypted GNU/Linux

Make it a rule: run e4defrag on the encrypted GNU/Linux from time to time if you have an HDD.
The transfer and synchronization [GNU/Linux > GNU/Linux-encrypted] is complete at this step.

B4. Configuring GNU/Linux on the encrypted sda7 partition

After the OS has been transferred successfully /dev/sda4 > /dev/sda7, you need to log into GNU/Linux on the encrypted partition and carry out further configuration (without rebooting the PC) relative to the encrypted system. That is, stay in the live usb, but run commands "relative to the root of the encrypted OS". "chroot" simulates exactly that situation. To quickly tell which OS you are currently working with (encrypted or not, since the data in sda4 and sda7 is synchronized), desynchronize the OSes: create empty marker files in the root directories (sda4/sda7_crypt), for example /mnt/encryptedOS and /mnt2/decryptedOS. A quick check of which OS you are in (including in the future):

ls /<Tab-Tab>

B4.1. "Simulating a login to the encrypted OS"

mount --bind /dev /mnt/dev
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
chroot /mnt

B4.2. Verifying that the work is being done against the encrypted system

ls /mnt<Tab-Tab>
#and we see the file "/encryptedOS"

history
#the su command history of the working OS should appear in the terminal output.

B4.3. Creating/configuring encrypted swap, editing crypttab/fstab

Since the swap file is formatted every time the OS starts, there is no point in creating and mapping swap to a logical disk now and typing commands as in section B2.2. For swap, its own temporary encryption keys are generated automatically at every start. Life cycle of the swap keys: unmounting/disabling the swap partition (+clearing RAM), or restarting the OS. To set up swap, open the file responsible for the configuration of encrypted block devices (analogous to the fstab file, but responsible for crypto).

nano /etc/crypttab

we edit

#"target name" "source device" "key file" "options"
swap /dev/sda8 /dev/urandom swap,cipher=twofish-xts-plain64,size=512,hash=sha512

Options
* swap - the mapped name when encrypting, /dev/mapper/swap.
* /dev/sda8 - use your own logical partition for swap.
* /dev/urandom - generator of random encryption keys for swap (new keys are created with every new OS boot). The /dev/urandom generator is less random than /dev/random; /dev/random is, after all, used when working in dangerous, paranoid circumstances. At OS boot, /dev/random slows the boot down by several ± minutes (see systemd-analyze).
* swap,cipher=twofish-xts-plain64,size=512,hash=sha512: the partition knows that it is swap and is formatted "accordingly"; the encryption algorithm.

#Open and edit fstab
nano /etc/fstab

we edit

# swap was on /dev/sda8 during installation
/dev/mapper/swap none swap sw 0 0

/dev/mapper/swap is the name that was set in crypttab.

Encrypted swap
If for some reason you do not want to give up a whole partition for the swap file, you can take an alternative and better route: create the swap file as a file on the encrypted partition with the OS.

fallocate -l 3G /swap #create a 3GB file (an almost instantaneous operation)
chmod 600 /swap #set the permissions
mkswap /swap #turn the file into a swap file
swapon /swap #enable our swap
free -m #check that the swap file is activated and working
printf "/swap none swap sw 0 0\n" >> /etc/fstab #if needed, swap will be persistent after a reboot

The swap setup is complete.

B4.4. Configuring the encrypted GNU/Linux (editing the crypttab/fstab files)

The /etc/crypttab file, as written above, describes the encrypted block devices that are configured during system boot.

#edit /etc/crypttab
nano /etc/crypttab

if you mapped the sda7>sda7_crypt partition as in section B2.1

# "target name" "source device" "key file" "options"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 none luks

if you mapped the sda7>sda7_crypt partition as in section B2.2

# "target name" "source device" "key file" "options"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 none cipher=twofish-xts-plain64,size=512,hash=sha512

if you mapped the sda7>sda7_crypt partition as in section B2.1 or B2.2, but do not want to enter the password again to unlock and boot the OS, then instead of the password you can substitute a secret key/random file.

# "target name" "source device" "key file" "options"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 /etc/skey luks

explanations
* none - means that at OS boot a secret passphrase must be entered to unlock the root.
* UUID - the partition identifier. To find out your ID, type in the terminal (a reminder that from here on you are working in the terminal of the chroot environment, not in another live usb terminal).

fdisk -l #check all partitions
blkid #it should be something like this

/dev/sda7: UUID="81048598-5bb9-4a53-af92-f3f9e709e2f2" TYPE="crypto_LUKS" PARTUUID="0332d73c-07"
/dev/mapper/sda7_crypt: LABEL="DebSHIFR" UUID="382111a2-f993-403c-aa2e-292b5eac4780" TYPE="ext4"

(this line is visible when blkid is run from the live usb terminal with sda7_crypt mounted).
You take the UUID from your sdaX (not sdaX_crypt!; the UUID of sdaX_crypt is picked up automatically when the grub.cfg config is generated).
* cipher=twofish-xts-plain64,size=512,hash=sha512 - luks encryption in advanced mode.
* /etc/skey - the secret key file, which is substituted automatically to unlock the OS boot (instead of entering the 3rd password). You can specify any file up to 8MB, but <1MB of data will be read.

#Creating ("generating") a random <secret key> file of 691 bytes.
head -c 691 /dev/urandom > /etc/skey

#Adding the secret key (691 bytes) to slot 7 of the luks header
cryptsetup luksAddKey --key-slot 7 /dev/sda7 /etc/skey

#Checking the slots ("passwords/keys of the luks partition")
cryptsetup luksDump /dev/sda7

It will look something like this:

(do it yourself and see for yourself).

cryptsetup luksKillSlot /dev/sda7 7 #removing the key/password from slot 7

/etc/fstab contains descriptive information about the various file systems.

#Edit /etc/fstab
nano /etc/fstab

# "file system" "mount point" "type" "options" "dump" "pass"
# / was on /dev/sda7 during installation
/dev/mapper/sda7_crypt / ext4 errors=remount-ro 0 1

option
* /dev/mapper/sda7_crypt - the name of the sda7>sda7_crypt mapping, which is specified in the /etc/crypttab file.
The crypttab/fstab setup is complete.
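
One way to sanity-check the finished crypttab/fstab pair before rebooting, as an added example that is not part of the original article. The function name `check_crypttab`, its optional root-prefix argument and the constructed sample tree are assumptions of this example; besides the name and device rules from B4.3/B4.4 it also flags a key file such as /etc/skey that group or others can read.

```shell
#!/bin/sh
# Added example: consistency check for /etc/crypttab against /etc/fstab.

# check_crypttab CRYPTTAB FSTAB [ROOT]
# Prints one finding per line; returns 0 when nothing was found, 1 otherwise.
# ROOT is an optional prefix for key file paths (useful outside the chroot).
check_crypttab() {
    ctab=$1; fstab=$2; root=${3:-}; bad=0
    while read -r name dev key opts _rest; do
        case "$name" in ''|'#'*) continue ;; esac
        if [ -z "$dev" ] || [ -z "$key" ]; then
            echo "$name: malformed entry (need name, device, key file)"
            bad=1; continue
        fi
        case ",$opts," in *,swap,*) is_swap=1 ;; *) is_swap=0 ;; esac
        case "$key" in
            /dev/urandom|/dev/random)
                # A fresh random key per boot only makes sense for swap.
                [ "$is_swap" -eq 1 ] || {
                    echo "$name: random key without the 'swap' option, data is unreadable after a reboot"
                    bad=1
                } ;;
            none) : ;;   # passphrase is asked at boot
            *)
                if [ ! -f "$root$key" ]; then
                    echo "$name: key file $key not found"; bad=1
                elif [ "$(ls -ld "$root$key" | cut -c5-10)" != "------" ]; then
                    echo "$name: key file $key is accessible to group/others"; bad=1
                fi ;;
        esac
        # The source must be the underlying sdaX (by UUID), not the mapping itself.
        case "$dev" in /dev/mapper/*)
            echo "$name: source is a mapper device, use the UUID of the underlying sdaX"
            bad=1 ;;
        esac
        # The mapped name has to be the one fstab mounts.
        grep -Eq "^/dev/mapper/$name[[:space:]]" "$fstab" || {
            echo "$name: /dev/mapper/$name is not referenced in fstab"; bad=1
        }
    done < "$ctab"
    return "$bad"
}

# make_sample_tree DIR: constructed sample files that mirror the entries of
# sections B4.3 and B4.4 (not copied from a real system).
make_sample_tree() {
    mkdir -p "$1/etc"
    cat > "$1/etc/crypttab" <<'EOF'
# "target name" "source device" "key file" "options"
swap /dev/sda8 /dev/urandom swap,cipher=twofish-xts-plain64,size=512,hash=sha512
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 /etc/skey luks
EOF
    cat > "$1/etc/fstab" <<'EOF'
/dev/mapper/sda7_crypt / ext4 errors=remount-ro 0 1
/dev/mapper/swap none swap sw 0 0
EOF
    head -c 691 /dev/urandom > "$1/etc/skey"
    chmod 644 "$1/etc/skey"   # what a default umask of 022 leaves behind
}

# Usage inside the chroot: sh this_script.sh /etc/crypttab /etc/fstab
if [ "$#" -ge 2 ]; then
    check_crypttab "$@"
fi
```

On the sample tree the only finding is the key file mode; `chmod 400 /etc/skey` clears it.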

B4.5. Editing the configuration files. The key moment

B4.5.1. Editing the config /etc/initramfs-tools/conf.d/resume

#If you previously had a swap partition activated, disable it.
nano /etc/initramfs-tools/conf.d/resume

and comment out with "#" (if present) the "resume" line. The file must be completely empty.

B4.5.2. Editing the config /etc/initramfs-tools/conf.d/cryptsetup

nano /etc/initramfs-tools/conf.d/cryptsetup

it should match

# /etc/initramfs-tools/conf.d/cryptsetup
CRYPTSETUP=yes
export CRYPTSETUP

B4.5.3. Editing the /etc/default/grub config (this config is responsible for the ability to generate grub.cfg when working with an encrypted /boot)

nano /etc/default/grub

add the line "GRUB_ENABLE_CRYPTODISK=y"
with the value 'y', grub-mkconfig and grub-install will check for encrypted drives and generate the additional commands needed to access them at boot time (insmods).
it should look like this

GRUB_DEFAULT=0
GRUB_TIMEOUT=1
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="acpi_backlight=vendor"
GRUB_CMDLINE_LINUX="quiet splash noautomount"
GRUB_ENABLE_CRYPTODISK=y

B4.5.4. Editing the config /etc/cryptsetup-initramfs/conf-hook

nano /etc/cryptsetup-initramfs/conf-hook

check that the line is commented out <#>.
In the future (and even now, this parameter will have no meaning, but sometimes it interferes with updating the initrd.img image).

B4.5.5. Editing the config /etc/cryptsetup-initramfs/conf-hook

nano /etc/cryptsetup-initramfs/conf-hook

add

KEYFILE_PATTERN="/etc/skey"
UMASK=0077

This packs the secret key "skey" into initrd.img; the key is needed to unlock the root when the OS boots (if you do not want to enter the password again, the "skey" key is substituted automatically).

B4.6. Update /boot/initrd.img [version]

To pack the secret key into initrd.img and apply the cryptsetup fixes, update the image

update-initramfs -u -k all

when initrd.img is updated (as they say, "It's possible, but not certain"), warnings related to cryptsetup will appear, or, for example, a notification about missing Nvidia modules - this is normal. After updating the file, check that it really was updated by looking at its time (relative to the chroot environment ./boot/initrd.img). Attention! Before [update-initramfs -u -k all], be sure to check that cryptsetup has opened /dev/sda7 as sda7_crypt - this is the name that appears in /etc/crypttab; otherwise there will be a busybox error after the reboot.
At this step, the setup of the configuration files is complete.

[C] Installing and configuring GRUB2/Protection

C1. If necessary, format the dedicated partition for the bootloader (the partition needs at least 20MB)

mkfs.ext4 -v -L GRUB2 /dev/sda6

C2. Mounting /dev/sda6 to /mnt

Since we are working in chroot, there is no /mnt2 directory in the root, and the /mnt folder is empty.
mount the GRUB2 partition

mount /dev/sda6 /mnt

If you have an old version of GRUB2 installed and the /mnt/boot/grub/i-386-pc directory (another platform is possible, for example not "i386-pc") contains no crypto modules (in short, the folder should contain modules, including these .mod files: cryptodisk; luks; gcry_twofish; gcry_sha512; signature_test.mod), then GRUB2 needs a shake-up.

apt-get update
apt-get install grub2

Important! When the GRUB2 package is updated from the repository and you are asked "to choose" where to install the bootloader, you must refuse the installation (reason: it is an attempt to install GRUB2 into the "MBR" or onto the live usb). Otherwise you will damage the VeraCrypt header/loader. After updating the GRUB2 packages and cancelling the installation, the bootloader must be installed manually on the logical disk, not in the MBR. If your repository has an outdated version of GRUB2, try updating it from the official website - I have not checked this (I worked with the latest GRUB 2.02 ~BetaX bootloaders).

C3. Installing GRUB2 into the extended partition [sda6]

You must have the partition mounted [item C.2]

grub-install --force --root-directory=/mnt /dev/sda6

options
* --force - install the bootloader, bypassing all the warnings that are almost always present and block the installation (required flag).
* --root-directory - install the directory into the root of sda6.
* /dev/sda6 - your sdaX partition (do not miss the <space> between /mnt /dev/sda6).

C4. Creating the configuration file [grub.cfg]

Forget about the "update-grub2" command and use the full command that generates the configuration file

grub-mkconfig -o /mnt/boot/grub/grub.cfg

After the grub.cfg file has been generated/updated, the terminal output should contain line(s) with the OS found on the disk (grub-mkconfig may also find and pick up the OS from the live usb if you have a multiboot flash drive with Windows 10 and a bunch of live distributions - this is normal). If the terminal is "empty" and the "grub.cfg" file is not generated, this is exactly the case where there are GRUB bugs in the system (and most likely the loader comes from the test branch of the repository); reinstall GRUB2 from trusted sources.
The "simple configuration" installation and setup of GRUB2 is complete.

C5. Proof test of the encrypted GNU/Linux OS

We finish the crypto mission correctly. Carefully leave the encrypted GNU/Linux (exit the chroot environment).

umount -a #unmount all mounted partitions of the encrypted GNU/Linux
Ctrl+d #exit the chroot environment
umount /mnt/dev
umount /mnt/proc
umount /mnt/sys
umount -a #unmount all mounted partitions on the live usb
reboot

After the PC reboots, the VeraCrypt bootloader should load.

*Entering the password for the active partition starts loading Windows.
*Pressing the "Esc" key transfers control to GRUB2; if you select the encrypted GNU/Linux, a password (sda7_crypt) is required to unlock /boot/initrd.img (if grub2 reports "not found", this is a problem with the grub2 bootloader; it should be reinstalled, for example from the test/stable branch, etc.).

*Depending on how you configured the system (see sections B4.4/4.5), after the correct password is entered to unlock the /boot/initrd.img image, you will either need a password to load the OS kernel/root, or the secret key "skey" will be substituted automatically, removing the need to enter the passphrase again.
(screenshot: "automatic substitution of the secret key").

*Then the familiar GNU/Linux boot process with user account authentication starts.

*After user authorization and login to the OS, you need to update /boot/initrd.img once more (see B4.6).

update-initramfs -u -k all

And if there are extra lines in the GRUB2 menu (picked up from the OS on the live usb), get rid of them

mount /dev/sda6 /mnt
grub-mkconfig -o /mnt/boot/grub/grub.cfg

Brief summary of GNU/Linux system encryption:

  • GNU/Linux is fully encrypted, including /boot/kernel and initrd;
  • the secret key is packed into initrd.img;
  • the current authorization scheme (entering the password to unlock initrd; password/key to boot the OS; password to authorize the Linux account).

The "simple GRUB2 configuration" system encryption of the block partition is complete.

C6. Kusintha kwapamwamba kwa GRUB2. Chitetezo cha bootloader chokhala ndi siginecha ya digito + chitetezo chotsimikizikaGNU/Linux Bootloader imasungidwa yonse, koma bootloader singathe kusungidwa—ichi ndi chofunikira cha BIOS. Pachifukwa ichi, kuyambitsa GRUB2 mobisa ndi kosatheka, koma kuyambitsa kosavuta mobisa ndikotheka/kulipo. Kuchokera pamalingaliro achitetezo, izi sizofunikira [onani Gawo F].
Kwa "chiwopsezo" GRUB2, opanga adakhazikitsa "siginecha/kutsimikizira" chitetezo cha bootloader.

  • Pamene bootloader imatetezedwa ndi "siginecha yake ya digito," kusintha kwakunja kwa mafayilo, kapena kuyesa kuyika ma modules owonjezera mu bootloader iyi, zidzachititsa kuti ntchito yotsegula ikhale yotsekedwa.
  • Mukateteza bootloader ndi kutsimikizika, kuti musankhe kutsitsa kugawa, kapena kuyika malamulo owonjezera mu CLI, muyenera kulowetsa malowedwe ndi mawu achinsinsi a superuser-GRUB2.

C6.1. Chitetezo chotsimikizika cha BootloaderOnetsetsani kuti mukugwira ntchito mu terminal pa OS yosungidwa

ls /<Tab-Tab> #обнаружить файл-маркер

pangani mawu achinsinsi a superuser kuti muvomereze ku GRUB2

grub-mkpasswd-pbkdf2 #введите/повторите пароль суперпользователя. 

Pezani mawu achinsinsi. Chinachake chonga ichi

grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8

mount the GRUB partition

mount /dev/sda6 /mnt

edit the config

nano -$ /mnt/boot/grub/grub.cfg

use a file search to check that there are no flags anywhere in "grub.cfg" ("--unrestricted", "--user"),
add at the very end (before the line ### END /etc/grub.d/41_custom ###)
"set superusers="root"
password_pbkdf2 root hash."

It should look something like this

# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f ${config_directory}/custom.cfg ]; then
source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
source $prefix/custom.cfg;
fi
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
### END /etc/grub.d/41_custom ###
#

If you often run "grub-mkconfig -o /mnt/boot/grub/grub.cfg" and do not want to edit grub.cfg every time, put the lines above (login:password) at the very bottom of the GRUB user script

nano /etc/grub.d/41_custom

cat <<EOF
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
EOF

When you generate the config with "grub-mkconfig -o /mnt/boot/grub/grub.cfg", the authentication lines are added to grub.cfg automatically.
This completes the GRUB2 authentication setup.

C6.2. Bootloader protection with a digital signature

It is assumed that you already have your own pgp encryption key (or will create one). The system must have cryptographic software installed: gnuPG; kleopatra/GPA; Seahorse. Crypto software will make your life much easier in all of this. Seahorse: the stable package version is 3.14.0 (higher versions, for example V3.20, are flawed and have significant bugs).

The PGP key must be generated/run/added only in the su environment!

Generate a personal encryption key

gpg --gen-key

Export your key

gpg --export -o ~/perskey

Mount the logical disk in the OS if it is not already mounted

mount /dev/sda6 /mnt #sda6 is the GRUB2 partition

clean the GRUB2 partition

rm -rf /mnt/*

Install GRUB2 on sda6, placing your personal key in the main GRUB image "core.img"

grub-install --force --modules="gcry_sha256 gcry_sha512 signature_test gcry_dsa gcry_rsa" -k ~/perskey --root-directory=/mnt /dev/sda6

options
* --force - install the bootloader, bypassing all the warnings that are always present (required flag).
* --modules="gcry_sha256 gcry_sha512 signature_test gcry_dsa gcry_rsa" - instructs GRUB2 to preload the required modules when the PC starts.
* -k ~/perskey - path to the "PGP key" (once the key is packed into the image, it can be deleted).
* --root-directory - set the boot directory to the root of sda6
/dev/sda6 - your sdaX partition.

Generate/update grub.cfg

grub-mkconfig  -o /mnt/boot/grub/grub.cfg

Add the line "trust /boot/grub/perskey" to the end of the "grub.cfg" file (this forces use of the pgp key). Since we installed GRUB2 with a set of modules, including the signature module "signature_test.mod", there is no need to add commands such as "set check_signatures=enforce" to the config.

It should look like this (the last lines of the grub.cfg file)

### BEGIN /etc/grub.d/41_custom ###
if [ -f ${config_directory}/custom.cfg ]; then
source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
source $prefix/custom.cfg;
fi
trust /boot/grub/perskey
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
### END /etc/grub.d/41_custom ###
#

The path to "/boot/grub/perskey" does not need to point to a specific disk partition, for example hd0,6; for the bootloader itself, "root" is the default path of the partition on which GRUB2 is installed (see set root=..).

Sign GRUB2 (all files in all /GRUB directories) with your key "perskey".
A simple way to sign (for the nautilus/caja file manager): install the "seahorse" extension for the file manager from the repository. Your key must be added to the su environment.
Open the file manager with sudo, "/mnt/boot" - RMB - sign. On screen it looks like this

(screenshot)

The key itself, "/mnt/boot/grub/perskey" (copy it to the grub directory), must also be signed with your own signature. Check that the [*.sig] file signatures have appeared in the directory/subdirectories.
Using the method described above, sign "/boot" (our kernel, initrd). If your time is worth anything, this method saves you from writing a bash script to sign "lots of files".
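A shell take on the "sign lots of files" script mentioned above, as an added example rather than the author's code: it signs every file that still lacks a detached signature and lists coverage gaps, because once signature checking is enforced GRUB2 refuses any file it loads without a valid .sig. The function names are assumptions of this example, and the key ID passed to sign_tree is your own.

```shell
#!/bin/sh
# Added example: detached-signature coverage for a GRUB2 tree such as /mnt/boot.
# Function names are hypothetical; gpg is only called by sign_tree and bad_signatures.

# unsigned_files DIR -> regular files (other than *.sig) with no FILE.sig next to them
unsigned_files() {
    find "$1" -type f ! -name '*.sig' | LC_ALL=C sort | while IFS= read -r f; do
        [ -f "$f.sig" ] || printf '%s\n' "$f"
    done
}

# orphan_sigs DIR -> *.sig files whose signed file no longer exists
orphan_sigs() {
    find "$1" -type f -name '*.sig' | LC_ALL=C sort | while IFS= read -r s; do
        [ -f "${s%.sig}" ] || printf '%s\n' "$s"
    done
}

# coverage_ok DIR -> status 0 only when every file is signed and no signature is orphaned
coverage_ok() {
    [ -z "$(unsigned_files "$1")" ] && [ -z "$(orphan_sigs "$1")" ]
}

# sign_tree DIR KEYID -> write a binary detached signature FILE.sig for each unsigned file
sign_tree() {
    unsigned_files "$1" | {
        rc=0
        while IFS= read -r f; do
            gpg --yes --local-user "$2" --detach-sign "$f" </dev/null || rc=1
        done
        [ "$rc" -eq 0 ]
    }
}

# bad_signatures DIR -> files whose FILE.sig does not verify against the gpg keyring
bad_signatures() {
    find "$1" -type f -name '*.sig' | LC_ALL=C sort | while IFS= read -r s; do
        gpg --verify "$s" "${s%.sig}" >/dev/null 2>&1 </dev/null || printf '%s\n' "${s%.sig}"
    done
}

# demo_coverage: constructed tree with empty placeholder files, not real GRUB files
demo_coverage() {
    t=$(mktemp -d) || return 2
    mkdir -p "$t/boot/grub/i386-pc"
    for f in boot/grub/grub.cfg boot/grub/perskey boot/grub/i386-pc/luks.mod; do
        : > "$t/$f"; : > "$t/$f.sig"          # file plus an empty stand-in signature
    done
    : > "$t/boot/grub/i386-pc/extra.cfg"      # added later and never signed
    rm -f "$t/boot/grub/perskey"              # signed file removed, .sig left behind
    ( cd "$t" && {
        unsigned_files . | sed 's/^/UNSIGNED /'
        orphan_sigs . | sed 's/^/ORPHAN /'
    } )
    rm -rf "$t"
}
```

Run coverage_ok on /mnt/boot before rebooting; bad_signatures additionally needs the signing key's public half in the keyring of the account that runs it.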

Removing all bootloader signatures (if something went wrong)

rm -f $(find /mnt/boot/grub -type f -name '*.sig')

So that we do not have to re-sign the bootloader after a system update, we put all GRUB2-related packages on hold.

apt-mark hold grub-common grub-pc grub-pc-bin grub2 grub2-common

At this step, the advanced GRUB2 configuration <protecting the bootloader with a digital signature> is complete.

C6.3. Proof test of the GRUB2 bootloader protected by a digital signature and authentication

GRUB2. When you select any GNU/Linux distribution or enter the CLI (command line), superuser authorization is required. After entering the correct login/password, you will need the initrd password

Screenshot: successful GRUB2 superuser authentication.

If you tamper with any of the GRUB2 files/make changes to grub.cfg, or delete a file/signature, or load a malicious module.mod, a corresponding warning appears. GRUB2 will stop booting.

Screenshot: an attempt to tamper with GRUB2 "from outside".

During a "normal" boot "without intrusion", the system exit code status is "0". So it is unknown whether the protection works or not (that is, "with or without bootloader signature protection" the status during a normal boot is the same "0", which is bad).

How do you check the digital signature protection?

The wrong way to check: fake/remove a module used by GRUB2, for example delete the signature luks.mod.sig and get an error.

The right way: go to the bootloader CLI and type the command

list_trusted

In response you should get the "perskey" fingerprint; if the status is "0", signature protection is not working, so recheck section C6.2.
At this step, the advanced configuration "Protecting GRUB2 with a digital signature and authentication" is complete.
Pa sitepe iyi, kasinthidwe kapamwamba "Kuteteza GRUB2 ndi siginecha ya digito ndi kutsimikizika" kwatsirizidwa.

C7 An alternative method of protecting the GRUB2 bootloader using hashing

The "bootloader digital-signature protection/authentication" method described above is the classic. Because of GRUB2's imperfections, in paranoid conditions it is susceptible to a real attack, which I give below in section [F]. In addition, after an OS/kernel update the bootloader must be re-signed.

Protecting the GRUB2 bootloader using hashing

Advantages over the classic:

  • A higher level of reliability (hashing/verification is performed only from the encrypted local resource. The entire partition allocated to GRUB2 is monitored for any change, and everything else is encrypted; in the classic scheme with digital-signature bootloader protection/authentication only the files are monitored, not the free space, into which "something malicious" can be added).
  • Encrypted logging (a human-readable personal encrypted log is added to the scheme).
  • Speed (protection/verification of the entire partition allocated to GRUB2 happens almost instantly).
  • Automation of all cryptographic processes.

Disadvantages compared with the classic.

  • Signature forgery (theoretically, a hash function collision can be found).
  • Increased difficulty (compared with the classic, a little more GNU/Linux skill is required).

How the GRUB2/partition hashing idea works

The GRUB2 partition is "signed"; when the OS boots, the bootloader partition is checked for immutability, with logging to a secure (encrypted) environment. If the bootloader or its partition has been compromised, then in addition to the intrusion log entry the following is triggered:

(screenshot)

A similar check runs four times a day, which does not load system resources.
With the "-$ проверка_GRUB" command, an instant check is performed at any time without logging, but with output to the CLI.
With the "-$ sudo подпись_GRUB" command, the GRUB2 bootloader/partition is instantly re-signed and its log updated (needed after an OS/boot update), and life goes on.

Implementing the hashing process for the bootloader and its partition

0) Sign the GRUB bootloader/partition, first mounting it at /media/username

-$ hashdeep -c md5 -r /media/username/GRUB > /podpis.txt

1) Create a script with no extension in the root of the encrypted OS, ~/podpis, and give it the necessary 744 permissions and foolproofing.

Fill in its contents

#!/bin/bash

#Check the entire partition allocated to the GRUB2 bootloader for immutability.
#A log "of intrusion/successful directory check" is kept; in short, a full log with triple verbosity. Attention! Mind the paths: store the GRUB2 digital signature only on the encrypted OS GNU/Linux partition.
echo -e "******************************************************************\n" >> '/var/log/podpis.txt' && date >> '/var/log/podpis.txt' && hashdeep -vvv -a -k '/podpis.txt' -r '/media/username/GRUB' >> '/var/log/podpis.txt'

a=`tail '/var/log/podpis.txt' | grep failed` #do not use "cat"!!
b="hashdeep: Audit failed"

#Condition: on any change whatsoever in the partition allocated to GRUB2, a second, separate short log "intrusion only" is written in addition to the full log, and a blinking "warning" gif is shown on the monitor.
if [[ "$a" = "$b" ]]
then
echo -e "****\n" >> '/var/log/vtorjenie.txt' && echo "vtorjenie" >> '/var/log/vtorjenie.txt' && date >> '/var/log/vtorjenie.txt' & sudo -u username DISPLAY=:0 eom '/warning.gif'
fi

Run the script as su; the hashing of the GRUB partition and its bootloader will be checked; save the log.

For example, let's create or copy a "malicious file" [virus.mod] to the GRUB2 partition and run a one-off scan/check:

-$ hashdeep -vvv -a -k '/podpis.txt' -r '/media/username/GRUB'

The CLI should show the intrusion into our citadel.
# Trimmed log in the CLI

Ср янв  2 11::41 MSK 2020
/media/username/GRUB/boot/grub/virus.mod: Moved from /media/username/GRUB/1nononoshifr
/media/username/GRUB/boot/grub/i386-pc/mda_text.mod: Ok
/media/username/GRUB/boot/grub/grub.cfg: Ok
hashdeep: Audit failed
   Input files examined: 0
  Known files expecting: 0
          Files matched: 325
Files partially matched: 0
            Files moved: 1
        New files found: 0
  Known files not found: 0

#As you can see, "Files moved: 1" and "Audit failed" appear, which means the check failed.
Because of the nature of the partition being tested, "Files moved" is reported instead of "New files found"

2) Put the gif here > ~/warning.gif and set its permissions to 744.

3) Configure fstab to automount the GRUB partition at boot

-$ sudo nano /etc/fstab

LABEL=GRUB /media/username/GRUB ext4 defaults 0 0

4) Log rotation

-$ sudo nano /etc/logrotate.d/podpis 

/var/log/podpis.txt {
daily
rotate 50
size 5M
dateext
compress
delaycompress
olddir /var/log/old
}

/var/log/vtorjenie.txt {
monthly
rotate 5
size 5M
dateext
olddir /var/log/old
}

5) Add the job to cron

-$ sudo crontab -e

@reboot '/podpis'
0 */6 * * * '/podpis'

6) Create persistent aliases

-$ sudo su
-$ echo "alias подпись_GRUB='hashdeep -c md5 -r /media/username/GRUB > /podpis.txt'" >> /root/.bashrc && bash
-$ echo "alias проверка_GRUB='hashdeep -vvv -a -k '/podpis.txt' -r /media/username/GRUB'" >> /root/.bashrc && bash

After an OS update (-$ apt-get upgrade), re-sign our GRUB partition
-$ подпись_GRUB
At this point, hashing protection of the GRUB partition is complete.
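The same partition audit without hashdeep, as an added example that is not the article's script: it swaps MD5 for SHA-256 from coreutils and reports each deviation by path as NEW, CHANGED or MISSING. The function names and the constructed demo tree are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the article's script): SHA-256 manifest audit of the GRUB2
# partition with coreutils only. Function names are hypothetical. Keep the manifest
# outside the audited tree, on the encrypted root, as the article does with /podpis.txt.

# hash_tree DIR -> "sha256  ./relative/path" for every regular file, sorted by path
hash_tree() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | LC_ALL=C sort -k 2
}

# make_manifest DIR MANIFEST -> (re)sign the tree: write the current hashes to MANIFEST
make_manifest() {
    [ -d "$1" ] || return 2
    hash_tree "$1" > "$2"
}

# audit_tree DIR MANIFEST -> print NEW/CHANGED/MISSING lines.
# Status: 0 = identical, 1 = deviations found,
#         2 = tree or manifest unavailable (for example the partition is not mounted)
audit_tree() {
    [ -d "$1" ] && [ -r "$2" ] || return 2
    now=$(mktemp) || return 2
    hash_tree "$1" > "$now"
    report=$(awk '
        { hash = $1; path = substr($0, length($1) + 3) }   # line is "hash<2 chars>path"
        FILENAME == ARGV[1] { known[path] = hash; next }   # first file: trusted manifest
        { seen[path] = 1 }
        !(path in known)    { print "NEW " path; next }
        known[path] != hash { print "CHANGED " path }
        END { for (p in known) if (!(p in seen)) print "MISSING " p }
    ' "$2" "$now" | LC_ALL=C sort)
    rm -f "$now"
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}

# demo_audit: constructed tree with placeholder contents, tampered with after signing
demo_audit() {
    root=$(mktemp -d) && manifest=$(mktemp) || return 2
    mkdir -p "$root/boot/grub/i386-pc"
    echo 'set timeout=5' > "$root/boot/grub/grub.cfg"
    echo 'placeholder'   > "$root/boot/grub/i386-pc/luks.mod"
    make_manifest "$root" "$manifest"
    echo '# edited' >> "$root/boot/grub/grub.cfg"      # modified file
    echo 'other'    >  "$root/boot/grub/virus.mod"     # added file, named as in the test above
    rm -f "$root/boot/grub/i386-pc/luks.mod"           # removed file
    audit_tree "$root" "$manifest" && rc=0 || rc=$?
    rm -rf "$root" "$manifest"
    return "$rc"
}
```

Called from cron on the encrypted OS, any non-zero status from audit_tree plays the role that "Audit failed" plays in the hashdeep script.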

[D] Wiping - destroying unencrypted data

Delete your personal files so thoroughly that "even God can't read them", in the words of South Carolina representative Trey Gowdy.

As usual, there are various "myths and legends" about recovering data after it has been deleted from a hard drive. If you believe in cyber-witchcraft, or are a member of the Dr community and have never tried to recover data after it was deleted/overwritten (for example, recovery with R-studio), then the proposed method is unlikely to suit you; use whatever is closest to you.

After GNU/Linux has been successfully migrated to the encrypted partition, the old copy must be deleted with no possibility of data recovery. A universal cleaning method: the free GUI software BleachBit for Windows/Linux.
Quickly format the partition whose data must be destroyed (with Gparted), launch BleachBit, select "Wipe free space", select the partition (your sdaX with the old copy of GNU/Linux), and the wiping process will start. BleachBit wipes the disk in a single pass, which is what "we need". But! This only works in theory if you formatted the disk and cleaned it in BB v2.0.

Attention! BB wipes the disk but leaves metadata; file names are preserved when the data is destroyed (Ccleaner does not leave metadata).

And the myth about the possibility of data recovery is not entirely a myth. Bleachbit V2.0-2, formerly the unstable Debian package (and any other similar software: sfill; wipe-Nautilus were also caught in this dirty business), actually had a critical bug: the "free space wiping" function works incorrectly on HDD/flash drives (ntfs/ext4). Software of this kind, when wiping free space, does not overwrite the entire disk, as many users think. And some (a lot of) deleted data is treated by the OS/software as non-deleted/user data, and these files are skipped during the free-space wipe. The problem is that after such a long disk cleaning, the "deleted files" can be recovered even after 3+ wiping passes.
On GNU/Linux in Bleachbit 2.0-2 the functions for permanently deleting files and directories work reliably, but free-space wiping does not. For comparison: on Windows in CCleaner the free-space wipe function for NTFS works properly, and God really cannot read the deleted data.

And so, to thoroughly remove "compromising" old unencrypted data, Bleachbit needs direct access to that data; then use the "permanently delete files/directories" function.
To remove "files deleted by standard OS means" in Windows, use CCleaner/BB with the free-space wipe function. In GNU/Linux, for this problem (removing deleted files) you need to practise on your own (deleting data + independently trying to recover it, and do not rely on the software version (if it is not a backdoor, it is a bug)); only then will you understand the mechanism of the problem and get rid of deleted data completely.

I have not tested Bleachbit v3.0; the problem may already have been fixed.
Bleachbit v2.0 works honestly.

At this step, disk wiping is complete.

[E] Universal backup of encrypted OSes

Every user has their own way of backing up data, but the encrypted data of a system OS calls for a slightly different approach to the task. Unified software, such as Clonezilla and similar programs, cannot work directly with encrypted data.

Statement of the problem of backing up encrypted block devices:

  1. universality - the same backup algorithm/software for Windows/Linux;
  2. the ability to work in the console from a GNU/Linux live usb without downloading additional software (but I still recommend a GUI);
  3. backup security - the stored "images" must be encrypted/password protected;
  4. the size of the encrypted data must match the size of the actual data being copied;
  5. easy extraction of the needed files from the backup (no need to decrypt the whole partition first).

For example, backup/restore with the "dd" utility

dd if=/dev/sda7 of=/путь/sda7.img bs=7M conv=sync,noerror
dd if=/путь/sda7.img of=/dev/sda7 bs=7M conv=sync,noerror

It meets almost every point of the task, but fails on point 4, because it copies the entire disk partition, including free space - not interesting.

For example, a GNU/Linux backup through the archiver [tar | gpg] is convenient, but for a Windows backup you have to look for another solution - not interesting.

E1. Universal Windows/Linux backup. Combining rsync (Grsync) + a VeraCrypt volume

Algorithm for creating a backup:

  1. create an encrypted VeraCrypt container (volume/file) for the OS;
  2. transfer/synchronize the OS with Rsync into the VeraCrypt crypto-container;
  3. if necessary, upload the VeraCrypt volume to www.

Creating an encrypted VeraCrypt container has its own specifics:
creating a dynamic volume (creating a DV is available only in Windows; it can then also be used in GNU/Linux);
creating a regular volume, but with the requirement of a "paranoid character" (according to the developer) - formatting the container.

A dynamic volume is created almost instantly in Windows, but when copying data from GNU/Linux > VeraCrypt DV, the overall performance of the backup operation drops significantly.

A regular 70 GB Twofish volume is created (let's say, on average PC power) on an HDD in ~ half an hour (overwriting the previous container data in a single pass is a security requirement). The quick-format option when creating a volume has been removed from VeraCrypt Windows/Linux, so a container can only be created through a "single-pass overwrite" or by creating a dynamic volume.

Create a regular VeraCrypt volume (not dynamic/ntfs); there should be no problems.

Configure/create/open the container in the VeraCrypt GUI > GNU/Linux live usb (the volume will be automounted at /media/veracrypt2, the Windows OS volume will be mounted at /media/veracrypt1). Create an encrypted backup of the Windows OS with the rsync GUI (grsync), ticking the checkboxes.

Wait for the process to finish. When the backup completes, we will have a single encrypted file.

In the same way, create a backup of the GNU/Linux OS, unticking the "Windows compatibility" checkbox in the rsync GUI.

Attention! Create the Veracrypt container for the "GNU/Linux backup" with the ext4 file system. If you back up to an ntfs container, then when you restore such a copy you will lose all permissions/groups on all your data.

You can do all of this in the terminal. Basic rsync options:
* -g - preserve groups;
* -P --progress - status of the time spent on a file;
* -H - copy hard links as is;
* -a - archive mode (several rlptgoD flags);
* -v - verbose.

If you want to mount the "Windows VeraCrypt volume" from the console with cryptsetup, you can create an alias (su)

echo "alias veramount='cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sdaX Windows_crypt && mount /dev/mapper/Windows_crypt /media/veracrypt1'" >> .bashrc && bash

Now the "veramount" command will prompt for the passphrase, and the encrypted Windows system volume will be mounted in the OS.

Map/mount a VeraCrypt system volume with the cryptsetup command

cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sdaX Windows_crypt
mount /dev/mapper/Windows_crypt /mnt

Map/mount a VeraCrypt partition/container with the cryptsetup command

cryptsetup open --veracrypt --type tcrypt /dev/sdaY test_crypt
mount /dev/mapper/test_crypt /mnt

Instead of an alias, let's add (as a startup script) the Windows system volume and the logical encrypted ntfs disk to GNU/Linux startup

Create the script and save it to ~/VeraOpen.sh

printf 'Ym9i' | base64 -d | cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sda3 Windows_crypt && mount /dev/mapper/Windows_crypt /media/Winda7 #decode the password from base64 (bob) and feed it to the password prompt when mounting the Windows system disk.
printf 'Ym9i' | base64 -d | cryptsetup open --veracrypt --type tcrypt /dev/sda1 ntfscrypt && mount /dev/mapper/ntfscrypt /media/КонтейнерНтфс #same, but mounting the logical ntfs disk.

Set the "correct" permissions:

sudo chmod 100 /VeraOpen.sh

Create two identical files (same name!) in /etc/rc.local and ~/etc/init.d/rc.local
File contents

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

sh -c "sleep 1 && '/VeraOpen.sh'" #after the OS boots, wait ~1 s and only then mount the disks.
exit 0

Set the "correct" permissions:

sudo chmod 100 /etc/rc.local && sudo chmod 100 /etc/init.d/rc.local 

That's all; now when GNU/Linux boots we do not need to type passwords to mount the encrypted ntfs disks, the disks are mounted automatically. Keep in mind that base64 is an encoding, not encryption: anyone who can read VeraOpen.sh can recover the passphrase, so it is protected only by the file permissions and by the encryption of the GNU/Linux root partition that holds the script.

A short step-by-step note on what is described above in section E1 (but now for a GNU/Linux OS backup)
1) Create a volume with the ext4 fs > 4gb (for a file) Linux in Veracrypt [Cryptobox].
2) Reboot to the live usb.
3) ~$ cryptsetup open /dev/sda7 Linux #map the encrypted partition.
4) ~$ mount /dev/mapper/Linux /mnt #mount the encrypted partition at /mnt.
5) ~$ mkdir /mnt2 #create a directory for the future backup.
6) ~$ cryptsetup open --veracrypt --type tcrypt ~/CryptoBox CryptoBox && mount /dev/mapper/CryptoBox /mnt2 #map the Veracrypt volume named "CryptoBox" and mount CryptoBox at /mnt2.
7) ~$ rsync -avlxhHX --progress /mnt /mnt2/ #back up the encrypted partition to the encrypted Veracrypt volume.

(p/s/ Attention! If you are moving an encrypted GNU/Linux from one architecture/machine to another, for example Intel > AMD (that is, deploying a backup from one encrypted partition to another encrypted partition, Intel > AMD), do not forget, after transferring the encrypted OS, to replace the secret key that is substituted for the password, because the previous key ~/etc/skey will no longer fit the other encrypted partition, and creating a new key with "cryptsetup luksAddKey" from inside a chroot is not advisable, a glitch is possible; in ~/etc/crypttab temporarily specify "none" instead of "/etc/skey", and after rebooting and logging in to the OS, create your secret wildcard key again).

As IT veterans, remember to make separate backups of the headers of the encrypted Windows/Linux OS partitions, or encryption will turn against you.
At this step, backup of the encrypted OSes is complete.

[F] Attack on the GRUB2 bootloader

If you have protected your bootloader with a digital signature and/or authentication (see section C6), this will not protect against physical access. The encrypted data will still be inaccessible, but bypassing the protection (resetting the digital-signature protection) of GRUB2 lets an attacker inject their code into the bootloader without raising suspicion (unless the user manually monitors the state of the bootloader, or comes up with their own robust custom code for grub.cfg).

Attack algorithm. The intruder

* Boots the PC from a live usb. Any change (by the intruder) to the files would notify the real PC owner of the intrusion into the bootloader. But a simple reinstallation of GRUB2 that keeps grub.cfg (and the subsequent ability to edit it) lets the attacker edit any files (in this case, when GRUB2 loads, the real user is not notified. The status is the same <0>)
* Mounts the unencrypted partition and saves "/mnt/boot/grub/grub.cfg".
* Reinstalls the bootloader (removing "perskey" from the core.img image)

grub-install --force --root-directory=/mnt /dev/sda6

* Puts "grub.cfg" back > "/mnt/boot/grub/grub.cfg" and edits it if necessary, for example adding their own module "keylogger.mod" to the folder with the bootloader modules and, in "grub.cfg", the line "insmod keylogger". Or, for example, if the adversary is cunning, then after reinstalling GRUB2 (all signatures stay in place) they build the main GRUB2 image using "grub-mkimage with the (-c) option". The "-c" option lets you load your own config before the main "grub.cfg" is loaded. The config can consist of a single line: a redirect to any "modern.cfg", mixed in, for example, with the ~400 files (modules + signatures) in the folder "/boot/grub/i386-pc". In this case the attacker can insert arbitrary code and load modules without touching "/boot/grub/grub.cfg", even if the user applied a "hashsum" to the file and displayed it on screen for a moment.
The attacker does not need to crack the GRUB2 superuser login/password; they only need to copy the lines (responsible for authentication) from "/boot/grub/grub.cfg" into their "modern.cfg"

set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8

And the PC owner will still be authenticated as the GRUB2 superuser.

Chainloading (a bootloader loads another bootloader), as I wrote above, makes no sense (it is meant for a different purpose). An encrypted bootloader cannot be loaded because of the BIOS (with chainloading GRUB2 restarts > encrypted GRUB2, error!). However, if you still use the chainloading idea, you can be sure that it is the encrypted (unmodified) "grub.cfg" from the encrypted partition that gets loaded. And this too is a false sense of security, because everything specified in the encrypted "grub.cfg" (module loading) comes down to modules that are loaded from the unencrypted GRUB2.

If you want to check this, allocate/encrypt another partition sdaY, copy GRUB2 to it (running grub-install on an encrypted partition is not possible) and in "grub.cfg" (the unencrypted config) change the lines to something like this

menuentry 'GRUBx2' --class parrot --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-382111a2-f993-403-2c-aa292e-5b4780eacXNUMX' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_msdos
insmod cryptodisk
insmod luks
insmod gcry_twofish
insmod gcry_twofish
insmod gcry_sha512
insmod ext2
cryptomount -u 15c47d1c4bd34e5289df77bcf60ee838
set root='cryptouuid/15c47d1c4bd34e5289df77bcf60ee838'
normal /boot/grub/grub.cfg
}

lines
* insmod - loads the modules needed to work with the encrypted disk;
* GRUBx2 - the name of the line shown in the GRUB2 boot menu;
* cryptomount -u 15c47d1c4bd34e5289df77bcf60ee838 - see fdisk -l (sda9);
* set root - sets the root;
* normal /boot/grub/grub.cfg - the executable config file on the encrypted partition.

Confidence that it is the encrypted "grub.cfg" that gets loaded comes from the positive response to entering the password/unlocking "sdaY" when you select the "GRUBx2" line in the GRUB menu.

When working in the CLI, to avoid getting confused (and to check whether the "set root" environment variable took effect), create empty marker files, for example "/shifr_grub" in the encrypted partition and "/noshifr_grub" in the unencrypted partition. Check in the CLI

cat /Tab-Tab

As noted above, this will not help against loading malicious modules if such modules end up on your PC. For example, a keylogger that can save keystrokes to a file and mix it in with the other files in "~/i386" until it is retrieved by an attacker with physical access to the PC.

The simplest way to verify that the digital-signature protection is actively working (has not been reset) and that nobody has invaded the bootloader is to enter this command in the CLI

list_trusted

poyankha timalandira kopi ya "perskey" yathu, kapena sitilandira kalikonse ngati tikuwukiridwa (muyeneranso kuyang'ana "set check_signatures=enforce").
Choyipa chachikulu cha sitepe iyi ndikulowetsa malamulo pamanja. Ngati muwonjezera lamulo ili ku "grub.cfg" ndikuteteza kasinthidwe ndi siginecha ya digito, ndiye kuti kutulutsa koyambirira kwa chithunzithunzi chachinsinsi pawindo ndi chachifupi kwambiri pa nthawi, ndipo simungakhale ndi nthawi yowona zotsatira mutakweza GRUB2. .
Palibe amene anganene kuti: wopanga mapulogalamu ake zolemba ndime 18.2 ikulengeza mwalamulo

"Zindikirani kuti ngakhale ndi chitetezo chachinsinsi cha GRUB, GRUB palokha siyingalepheretse munthu yemwe ali ndi mwayi wogwiritsa ntchito makinawo kuti asasinthe kasinthidwe ka firmware ya makinawo (mwachitsanzo, Coreboot kapena BIOS) kuti makinawo ayambike kuchokera ku chipangizo china (cholamulidwa ndi owukira). GRUB ndi ulalo umodzi wokha pamakina otetezeka a boot. "

GRUB2 has many features that can leave the user without real security, and its development has already gone further than MS-DOS, even though it is only a bootloader. It would be no surprise if GRUB2 became an OS "tomorrow", with GNU/Linux virtual machines running for it.

A short video of how I reset GRUB2's digital-signature protection and announced my intrusion to the real user (I scared you, but instead of what is shown in the video, you can write harmless code / a .mod).


Conclusions:

1) Block system encryption of Windows is easier to use, and protection with a single password is simpler than protection with several passwords in GNU/Linux block system encryption; to be fair, the latter is automated.

2) I wrote this article as a relevant, detailed and simple guide to full-disk encryption with VeraCrypt/LUKS on a single machine, which is currently the best on the RuNet (IMHO). The guide has more than 50 characters, so it did not cover some other interesting topics: cryptographers who disappear or keep a low profile; the fact that various GNU/Linux books write little or nothing about cryptography; Article 51 of the Constitution of the Russian Federation; the licensing/banning of encryption in the Russian Federation; and why you need to encrypt "root / boot". The guide turned out to be large, but detailed (describing even the simple steps); in turn, this will save you a lot of time when you get to "real encryption".

3) Full-disk encryption was carried out on Windows 7 64; GNU/Linux Parrot 4x; GNU/Debian 9.0 / 9.5.

4) Carried out a successful attack on my own GRUB2 bootloader.

5) The tutorial was created to help all the paranoid people in the CIS, where working with encryption is permitted by law. And above all for those who want to roll out full-disk encryption without destroying their configured systems.

6) I revised and updated my guide, which is relevant in 2020.

[G] Useful documentation

  1. TrueCrypt User Guide (February 2012 RU)
  2. VeraCrypt Documentation
  3. /usr/share/doc/cryptsetup(-run) [local] (official documentation on setting up GNU/Linux encryption using cryptsetup)
  4. Official cryptsetup FAQ (brief documentation on setting up GNU/Linux encryption using cryptsetup)
  5. LUKS device encryption (archlinux documentation)
  6. Detailed description of cryptsetup syntax (man page)
  7. Detailed description of crypttab (man page)
  8. Official GRUB2 documentation.

Tags: full disk encryption, partition encryption, Linux full disk encryption, LUKS1 full system encryption.


Do you encrypt?

  • 17.1% - I encrypt everything I can. I'm paranoid. (14)

  • 34.2% - I only encrypt important data. (28)

  • 14.6% - Sometimes I encrypt, sometimes I forget. (12)

  • 34.2% - No, I don't encrypt; it's difficult and expensive. (28)

82 users voted. 22 users abstained.

Source: www.habr.com
