Full disk encryption ya Windows Linux anaika machitidwe. Encrypted multi-boot
Kusinthidwa kalozera wanu wa kubisa kwathunthu kwa disk mu RuNet V0.2.
Njira ya Cowboy:
[A] Windows 7 block block encryption yamakina oyika;
[B] GNU/Linux block block encryption (Wolemba) anaika dongosolo (kuphatikiza / boot);
[C] kasinthidwe ka GRUB2, chitetezo cha bootloader ndi siginecha ya digito / kutsimikizika / hashing;
[D] kuvulaβkuwononga deta yosabisika;
[E] zosunga zobwezeretsera zonse za OS yobisidwa;
[F] kuwukira <pa chinthu [C6]> chandamale - GRUB2 bootloader;
[G] zolemba zothandiza.
ββββScheme ya #room 40# :
ββββΌ Windows 7 yayikidwa - kubisa kwathunthu kwadongosolo, kosabisika;
ββββΌ GNU/Linux yayikidwa (Kugawa kwa Debian ndi zochokera) - kubisa kwathunthu kwadongosolo, osabisika(/, kuphatikiza / boot; kusinthana);
ββββΌ ma bootloader odziyimira pawokha: VeraCrypt bootloader imayikidwa mu MBR, GRUB2 bootloader imayikidwa mu gawo lotalikirapo;
ββββΌpalibe kukhazikitsa / kuyikanso kwa OS komwe kumafunikira;
ββββΌcryptographic mapulogalamu ogwiritsidwa ntchito: VeraCrypt; Kukonzekera kwachinsinsi; GnuPG; Seahorse; Hashdeep; GRUB2 ndi yaulere/yaulere.
Chiwembu chomwe chili pamwambapa chimathetsa vuto la "boot lakutali ku flash drive", limakupatsani mwayi wosangalala ndi encrypted OS Windows/Linux ndikusinthanitsa data kudzera pa "encrypted channel" kuchokera ku OS kupita ku imzake.
Kukonzekera kwa boot ya PC (imodzi mwazosankha):
kuyatsa makina;
kutsitsa VeraCrypt bootloader (kulowetsa mawu achinsinsi olondola kudzapitilira Windows 7);
kukanikiza batani la "Esc" kudzatsegula GRUB2 bootloader;
GRUB2 bootloader (sankhani kugawa/GNU/Linux/CLI), idzafuna kutsimikizika kwa GRUB2 superuser <login/password>;
ndikuyerekeza zotsatira ndi CS yotumizidwa patsamba la VeraCrypt.
Ngati pulogalamu ya HashTab yakhazikitsidwa, ndiyosavuta: RMB (Kukhazikitsa kwa VeraCrypt 1.24.exe)-properties - kuchuluka kwa mafayilo.
Kuti mutsimikizire siginecha ya pulogalamuyo, pulogalamuyo ndi kiyi ya pgp yapagulu iyenera kukhazikitsidwa padongosolo. gnuPG; gpg4win.
A2. Kuyika/kuyendetsa pulogalamu ya VeraCrypt yokhala ndi ufulu woyang'anira
A3. Kusankha magawo a encryption system for the active partitionVeraCrypt - System - Encrypt system partition/disk - Normal - Encrypt Windows system partition - Multiboot - (chenjezo: "Ogwiritsa ntchito osadziwa saloledwa kugwiritsa ntchito njirayi" ndipo izi ndi zoona, tikuvomereza "Inde") - Boot disk (βindeβ, ngakhale sichoncho, komabe βindeβ) - Chiwerengero cha ma disks "2 kapena kupitilira apo" - Makina angapo pa disk imodzi "Inde" - Non-Windows bootloader "Ayi" (M'malo mwake, "Inde," koma ma bootloaders a VeraCrypt / GRUB2 sangagawane MBR pakati pawo; makamaka, gawo laling'ono kwambiri la code bootloader limasungidwa mu MBR / boot track, gawo lalikulu ndi ili mkati mwa fayilo) - Multiboot - Zokonda za encryptionβ¦
Ngati mungapatuke pamasitepe omwe ali pamwambapa (block system encryption schemes), ndiye VeraCrypt ipereka chenjezo ndipo sikukulolani kuti mubisire magawowo.
Mu sitepe yotsatira yopita kuchitetezo cha data chomwe mukufuna, chitani "Mayeso" ndikusankha algorithm ya encryption. Ngati muli ndi CPU yachikale, ndiye kuti njira yofulumira kwambiri yolembera idzakhala Twofish. Ngati CPU ili yamphamvu, mudzawona kusiyana kwake: Kubisa kwa AES, malinga ndi zotsatira zoyesa, kudzakhala mofulumira kangapo kuposa omwe akupikisana nawo a crypto. AES ndi njira yodziwika bwino yolembera; zida zama CPU amakono zimakonzedwa mwapadera pa "chinsinsi" komanso "kubala".
VeraCrypt imathandizira kuthekera kosunga ma disks mu AES cascade(Nsomba ziwiri)/ ndi zosakaniza zina. Pamtundu wakale wa Intel CPU kuyambira zaka khumi zapitazo (popanda thandizo la hardware la AES, A/T cascade encryption) Kuchepa kwa magwiridwe antchito ndikosavuta. (kwa ma AMD CPU anthawi yomweyo/~magawo, magwiridwe antchito amachepetsedwa pang'ono). OS imagwira ntchito mwamphamvu ndipo kugwiritsidwa ntchito kwazinthu pakubisa kowonekera sikuwoneka. Mosiyana ndi izi, mwachitsanzo, kuchepa kwa magwiridwe antchito chifukwa cha mayeso omwe adayikidwa osakhazikika apakompyuta Mate v1.20.1 (kapena v1.20.2 sindikukumbukira ndendende) mu GNU/Linux, kapena chifukwa cha magwiridwe antchito a telemetry mu Windows7β. Nthawi zambiri, ogwiritsa ntchito odziwa amayesa kuyesa kwa Hardware asanalembe. Mwachitsanzo, mu Aida64/Sysbench/systemd-analyze mlandu amafaniziridwa ndi zotsatira za mayeso omwewo atatha kubisa makinawo, potero akutsutsa zabodza zabodza kuti "kubisa kachitidwe ndikovulaza." Kuchepa kwa makina ndi zovuta zimawonekera pothandizira / kubwezeretsa deta yosungidwa, chifukwa ntchito ya "system data backup" palokha siimayesedwa mu ms, ndipo zomwezo <decrypt/encrypt on the fly> zimawonjezedwa. Pamapeto pake, wogwiritsa ntchito aliyense amene amaloledwa tcheru ndi cryptography amalinganiza ma encryption algorithm motsutsana ndi kukhutitsidwa kwa ntchito zomwe ali nazo, kuchuluka kwawo kwa paranoia, komanso kugwiritsa ntchito mosavuta.
Ndikwabwino kusiya gawo la PIM ngati lachikhazikitso, kuti mukatsitsa OS, simuyenera kuyika zikhalidwe zenizeni nthawi iliyonse. VeraCrypt imagwiritsa ntchito maulendo angapo obwereza kuti apange "hashi yocheperako". Kuukira kwa "crypto nkhono" zotere pogwiritsa ntchito njira ya Brute force / utawaleza kumamveka kokha ndi mawu achidule "osavuta" komanso mndandanda wacharset wa wozunzidwayo. Mtengo wolipirira mphamvu yachinsinsi ndikuchedwa kulowa mawu achinsinsi olondola mukatsitsa OS. (kuyika ma voliyumu a VeraCrypt mu GNU/Linux ndikothamanga kwambiri).
Mapulogalamu aulere ogwiritsira ntchito brute force attack (chotsani mawu achinsinsi kuchokera kumutu wa disk wa VeraCrypt/LUKS) Hashcat. John the Ripper sadziwa "kuswa Veracrypt", ndipo pamene akugwira ntchito ndi LUKS samamvetsa Twofish cryptography.
Chifukwa cha mphamvu ya cryptographic ya ma aligorivimu achinsinsi, ma cypherpunks osayimitsa akupanga mapulogalamu okhala ndi vector yosiyana. Mwachitsanzo, kuchotsa metadata/makiyi ku RAM (kuukira kozizira / kuwongolera kukumbukira kukumbukira), Pali mapulogalamu apadera aulere komanso osakhala aulere pazolinga izi.
Mukamaliza kukhazikitsa / kupanga "metadata yapadera" ya gawo losungidwa, VeraCrypt iperekanso kuyambitsanso PC ndikuyesa magwiridwe antchito a bootloader yake. Pambuyo poyambitsanso / kuyambitsa Windows, VeraCrypt idzatsegula mumayendedwe oyimilira, zomwe zatsala ndikutsimikizira ndondomeko ya encryption - Y.
Pa gawo lomaliza la kubisa kwamakina, VeraCrypt ipereka mwayi wopanga zosunga zobwezeretsera zamutu wagawo losungidwa la "veracrypt rescue disk.iso" - izi ziyenera kuchitika - mu pulogalamuyo ntchito yotereyi ndiyofunika (mu LUKS, monga chofunikira - izi sizinasiyidwe mwatsoka, koma zagogomezedwa muzolemba). Rescue disk idzathandiza aliyense, komanso kwa ena kangapo. Kutayika (mutu/MBR lembaninso) kope losunga lamutu lidzakaniratu mwayi wofikira magawo otsekedwa ndi OS Windows.
A4. Kupanga VeraCrypt yopulumutsa USB/diskMwachikhazikitso, VeraCrypt ikupereka kuwotcha "~ 2-3MB ya metadata" ku CD, koma si anthu onse omwe ali ndi ma disks kapena ma DWD-ROM, ndikupanga bootable flash drive "VeraCrypt Rescue disk" zidzakhala zodabwitsa kwa ena: Rufus / GUIdd-ROSA ImageWriter ndi mapulogalamu ena ofanana sangathe kupirira ntchitoyi, chifukwa kuwonjezera pa kukopera metadata yochotsera pa bootable flash drive, muyenera kukopera / kumata chithunzicho kunja kwa fayilo ya USB drive, mwachidule, molondola kukopera MBR/msewu kwa keychain. Mukhoza kupanga bootable flash drive kuchokera ku GNU/Linux OS pogwiritsa ntchito "dd" zofunikira, kuyang'ana chizindikiro ichi.
Kupanga disk yopulumutsa m'malo a Windows ndikosiyana. Wopanga VeraCrypt sanaphatikizepo yankho la vutoli mwalamulo zolemba ndi "rescue disk", koma adapereka yankho mwanjira yosiyana: adayika pulogalamu yowonjezera yopanga "usb rescue disk" kuti apeze mwayi waulere pamwambo wake wa VeraCrypt. Wosunga zakale wa pulogalamuyo wa Windows ndi "kupanga usb veracrypt rescue disk". Pambuyo populumutsa disk.iso yopulumutsira, ndondomeko ya block system encryption ya magawo ogwira ntchito idzayamba. Pakubisa, kugwira ntchito kwa OS sikuyima; kuyambiranso kwa PC sikofunikira. Mukamaliza kubisala, gawo logwira ntchito limakhala losungidwa bwino ndipo lingagwiritsidwe ntchito. Ngati chojambulira cha VeraCrypt sichikuwoneka mukayambitsa PC, ndipo kuchira kwamutu sikuthandiza, ndiye yang'anani mbendera ya "boot", iyenera kukhazikitsidwa kugawa komwe Windows ilipo. (mosasamala kanthu za kubisa ndi OS zina, onani tebulo No. 1). Izi zimamaliza kufotokozera kwa block system encryption ndi Windows OS.
[B]LUKS. GNU/Linux encryption (~Debian) anaika OS. Algorithm ndi Masitepe
Kuti mulembetse kugawa kwa Debian / zotumphukira, muyenera kujambula magawo okonzekera ku chipangizo chotchinga, kusamutsa ku diski ya GNU/Linux, ndikuyika / kukonza GRUB2. Ngati mulibe seva yachitsulo yopanda kanthu, ndipo mumayamikira nthawi yanu, ndiye kuti muyenera kugwiritsa ntchito GUI, ndipo malamulo ambiri omwe akufotokozedwa pansipa akuyenera kuyendetsedwa mu "Chuck-Norris mode".
B1. Kuyambitsa PC kuchokera ku live usb GNU/Linux
"Chitani mayeso a crypto pakugwira ntchito kwa hardware"
lscpu && Ρryptsetup benchmark
Ngati ndinu mwiniwake wokondwa wa galimoto yamphamvu yokhala ndi chithandizo cha hardware cha AES, ndiye kuti manambala adzawoneka ngati mbali yamanja ya terminal; ngati ndinu mwiniwake wokondwa, koma ndi zipangizo zakale, manambala adzawoneka ngati kumanzere.
B2. Kugawa kwa disk. kukwera/kupanga fs logical disk HDD to Ext4 (Gparted)
B2.1. Kupanga mutu wobisika wa sda7 partitionNdifotokoza mayina a magawo, apa ndi kupitilira apo, molingana ndi tebulo langa logawa lomwe laikidwa pamwambapa. Malinga ndi mawonekedwe a disk yanu, muyenera kulowetsa mayina ogawa.
Mapu a Logical Drive Encryption (/dev/sda7> /dev/mapper/sda7_crypt).
#Kupanga kosavuta kwa "LUKS-AES-XTS gawo"
cryptsetup -v -y luksFormat /dev/sda7
Zosankha:
* luksFormat - kuyambitsa kwa mutu wa LUKS;
* -y -passphrase (osati fungulo / fayilo);
* -v -verbalization (kuwonetsa zambiri mu terminal);
* /dev/sda7 - diski yanu yomveka kuchokera pamagawo owonjezera (komwe ikukonzekera kusamutsa / kubisa GNU / Linux).
Pangani lamulo: chitani e4defrag pa encrypted GNU/LINux nthawi ndi nthawi ngati muli ndi HDD. Kusamutsa ndi kulunzanitsa [GNU/Linux > GNU/Linux-encrypted] kwatsirizidwa pa sitepe iyi.
PA 4. Kukhazikitsa GNU/Linux pagawo la encrypted sda7
Mukasamutsa bwino OS / dev/sda4> /dev/sda7, muyenera kulowa mu GNU/Linux pagawo lobisika ndikukonza zina. (popanda kuyambitsanso PC) mogwirizana ndi encrypted system. Ndiye kuti, khalani mu usb wamoyo, koma perekani malamulo "okhudzana ndi muzu wa OS yosungidwa." "chroot" idzatengera zomwezo. Kuti mulandire mwachangu zambiri za OS yomwe mukugwira nayo ntchito pano (zobisika kapena ayi, popeza deta mu sda4 ndi sda7 ndi yolumikizidwa), sinthani OS. Pangani ma root directory (sda4/sda7_crypt) mafayilo opanda kanthu, mwachitsanzo, /mnt/encryptedOS ndi /mnt2/decryptedOS. Yang'anani mwachangu zomwe OS muli (kuphatikiza zamtsogolo):
ls /<Tab-Tab>
B4.1. "Kuyerekeza kulowa mu OS yobisika"
mount --bind /dev /mnt/dev
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
chroot /mnt
B4.2. Kutsimikizira kuti ntchito ikuchitika motsutsana ndi encrypted system
ls /mnt<Tab-Tab>
#ΠΈ Π²ΠΈΠ΄ΠΈΠΌ ΡΠ°ΠΉΠ» "/ΡΠΈΡΡΠΎΠ²Π°Π½Π½Π°ΡΠΠ‘"
history
#Π² Π²ΡΠ²ΠΎΠ΄Π΅ ΡΠ΅ΡΠΌΠΈΠ½Π°Π»Π° Π΄ΠΎΠ»ΠΆΠ½Π° ΠΏΠΎΡΠ²ΠΈΡΡΡΡ ΠΈΡΡΠΎΡΠΈΡ ΠΊΠΎΠΌΠ°Π½Π΄ su ΡΠ°Π±ΠΎΡΠ΅ΠΉ ΠΠ‘.
B4.3. Kupanga / kukonza kusinthana kwa encrypted, kusintha crypttab/fstabPopeza fayilo yosinthana imasinthidwa nthawi iliyonse OS ikayamba, sizomveka kupanga ndikusintha mapu ku diski yomveka tsopano, ndikulowetsa malamulo monga mundime B2.2. Kwa Kusinthana, makiyi ake osakhalitsa obisala adzapangidwa pa chiyambi chilichonse. Kuzungulira kwa moyo wa makiyi osinthana: kutsika / kutsika magawo osinthira (+kuyeretsa RAM); kapena kuyambitsanso OS. Kukhazikitsa kusinthana, kutsegula fayilo yomwe imayang'anira kasinthidwe ka zida za block encrypted (zofanana ndi fayilo ya fstab, koma yomwe ili ndi crypto).
pamene mukukonzekera initrd.img (monga iwo amati "Ndizotheka, koma sizotsimikizika") machenjezo okhudzana ndi cryptsetup adzawonekera, kapena, mwachitsanzo, chidziwitso cha kutayika kwa ma module a Nvidia - izi ndi zachilendo. Pambuyo pokonzanso fayilo, onetsetsani kuti yasinthidwa, onani nthawi (zogwirizana ndi chilengedwe cha chroot./boot/initrd.img). Chonde chonde! pamaso [update-initramfs -u -k all] onetsetsani kuti cryptsetup yatsegulidwa /dev/sda7 sda7_crypt - ili ndi dzina lomwe limapezeka mu /etc/crypttab, apo ayi mukayambiranso padzakhala vuto la bokosi lotanganidwa) Pa sitepe iyi, kukhazikitsa owona kasinthidwe watha.
[C] Kuyika ndi kukonza GRUB2/Protection
C1. Ngati ndi kotheka, sinthani magawo odzipereka a bootloader (gawo likufunika osachepera 20MB)
mkfs.ext4 -v -L GRUB2 /dev/sda6
C2. Phiri /dev/sda6 ku /mntChifukwa chake timagwira ntchito mu chroot, ndiye kuti sipadzakhala / mnt2 chikwatu muzu, ndipo chikwatu cha /mnt chidzakhala chopanda kanthu.
khazikitsani gawo la GRUB2
mount /dev/sda6 /mnt
Ngati muli ndi mtundu wakale wa GRUB2 woyikidwa, mu /mnt/boot/grub/i-386-pc directory (pulatifomu ina ndiyotheka, mwachitsanzo, osati "i386-pc") palibe ma module a crypto (mwachidule, chikwatucho chiyenera kukhala ndi zigawo, kuphatikizapo .mod: cryptodisk; luks; gcry_twofish; gcry_sha512; signature_test.mod), Pankhaniyi, GRUB2 iyenera kugwedezeka.
apt-get update
apt-get install grub2
Zofunika! Mukakonza phukusi la GRUB2 kuchokera kumalo osungirako, mutafunsidwa "za kusankha" komwe mungayikitsire bootloader, muyenera kukana kukhazikitsa. (chifukwa - kuyesa kukhazikitsa GRUB2 - mu "MBR" kapena pa usb yamoyo). Kupanda kutero mudzawononga VeraCrypt mutu/loader. Pambuyo pokonzanso phukusi la GRUB2 ndikuletsa kuyika, chojambulira cha boot chiyenera kukhazikitsidwa pamanja pa disk yomveka, osati mu MBR. Ngati malo anu ali ndi mtundu wakale wa GRUB2, yesani sinthani zachokera patsamba lovomerezeka - sindinaziwone (inagwira ntchito ndi ma bootloaders aposachedwa a GRUB 2.02 ~BetaX).
zosankha
* -force - kukhazikitsa bootloader, kunyalanyaza machenjezo onse omwe amakhalapo nthawi zonse ndikutsekereza kukhazikitsa (mbendera yofunikira).
* --root-directory - kukhazikitsa chikwatu ku muzu wa sda6.
* /dev/sda6 - gawo lanu la sdaΠ₯ (musaphonye <space> pakati pa /mnt /dev/sda6).
C4. Kupanga fayilo yosinthira [grub.cfg]Iwalani za lamulo la "update-grub2", ndipo gwiritsani ntchito lamulo lakusintha mafayilo onse
grub-mkconfig -o /mnt/boot/grub/grub.cfg
Mukamaliza kupanga / kukonzanso fayilo ya grub.cfg, zotuluka ziyenera kukhala ndi mizere ndi OS yopezeka pa disk. ("grub-mkconfig" mwina apeza ndikutenga OS kuchokera pa usb yamoyo, ngati muli ndi multiboot flash drive ndi Windows 10 ndi gulu la magawo amoyo - izi ndizabwinobwino). Ngati terminal ilibe "chopanda" ndipo fayilo ya "grub.cfg" sinapangidwe, ndiye kuti izi ndi zomwezo pomwe pali nsikidzi za GRUB mu dongosolo. (ndipo mwina ndiye wonyamula kuchokera kunthambi yoyeserera yankhokwe), khazikitsaninso GRUB2 kuchokera ku magwero odalirika. Kukhazikitsa "kosavuta" ndikukhazikitsa GRUB2 kwatha.
C5. Kuyesa kwaumboni kwa GNU/Linux OS yosungidwaTimamaliza ntchito ya crypto molondola. Kusiya mosamala GNU/Linux yosungidwa (tulukani chilengedwe cha chroot).
umount -a #ΡΠ°Π·ΠΌΠΎΠ½ΡΠΈΡΠΎΠ²Π°Π½ΠΈΠ΅ Π²ΡΠ΅Ρ ΡΠΌΠΎΠ½ΡΠΈΡΠΎΠ²Π°Π½Π½ΡΡ ΡΠ°Π·Π΄Π΅Π»ΠΎΠ² ΡΠΈΡΡΠΎΠ²Π°Π½Π½ΠΎΠΉ GNU/Linux
Ctrl+d #Π²ΡΡ ΠΎΠ΄ ΠΈΠ· ΡΡΠ΅Π΄Ρ chroot
umount /mnt/dev
umount /mnt/proc
umount /mnt/sys
umount -a #ΡΠ°Π·ΠΌΠΎΠ½ΡΠΈΡΠΎΠ²Π°Π½ΠΈΠ΅ Π²ΡΠ΅Ρ ΡΠΌΠΎΠ½ΡΠΈΡΠΎΠ²Π°Π½Π½ΡΡ ΡΠ°Π·Π΄Π΅Π»ΠΎΠ² Π½Π° live usb
reboot
Pambuyo poyambitsanso PC, bootloader ya VeraCrypt iyenera kutsegula.
"Simple GRUB2 Configuration" kubisa kachitidwe ka block partition kwatha.
C6. Kusintha kwapamwamba kwa GRUB2. Chitetezo cha bootloader chokhala ndi siginecha ya digito + chitetezo chotsimikizikaGNU/Linux ndi encrypted kwathunthu, koma bootloader sangathe encrypted - chikhalidwe ichi amalamulidwa ndi BIOS. Pachifukwa ichi, boot yotetezedwa ndi unyolo ya GRUB2 sizingatheke, koma boot yosavuta yokhala ndi unyolo ndi yotheka / ilipo, koma kuchokera kumbali ya chitetezo sikofunikira [onani. P. F].
Kwa "chiwopsezo" GRUB2, opanga adakhazikitsa "siginecha/kutsimikizira" chitetezo cha bootloader.
Pamene bootloader imatetezedwa ndi "siginecha yake ya digito," kusintha kwakunja kwa mafayilo, kapena kuyesa kuyika ma modules owonjezera mu bootloader iyi, zidzachititsa kuti ntchito yotsegula ikhale yotsekedwa.
Mukateteza bootloader ndi kutsimikizika, kuti musankhe kutsitsa kugawa, kapena kuyika malamulo owonjezera mu CLI, muyenera kulowetsa malowedwe ndi mawu achinsinsi a superuser-GRUB2.
C6.1. Chitetezo chotsimikizika cha BootloaderOnetsetsani kuti mukugwira ntchito mu terminal pa OS yosungidwa
ls /<Tab-Tab> #ΠΎΠ±Π½Π°ΡΡΠΆΠΈΡΡ ΡΠ°ΠΉΠ»-ΠΌΠ°ΡΠΊΠ΅Ρ
pangani mawu achinsinsi a superuser kuti muvomereze ku GRUB2
mphaka <<EOF
set superusers = "root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
EOF
Mukapanga config "grub-mkconfig -o /mnt/boot/grub/grub.cfg", mizere yotsimikizira idzawonjezedwa ku grub.cfg. Izi zimamaliza kukhazikitsidwa kwa kutsimikizika kwa GRUB2.
C6.2. Chitetezo cha bootloader chokhala ndi siginecha ya digitoZimaganiziridwa kuti muli kale ndi kiyi yanu ya pgp encryption (kapena pangani kiyi yotere). Dongosololi liyenera kukhala ndi pulogalamu yachinsinsi yoyika: gnuPG; kleopatra/GPA; Seahorse. Mapulogalamu a Crypto apangitsa moyo wanu kukhala wosavuta pazinthu zonsezi. Seahorse - mtundu wokhazikika wa phukusi 3.14.0 (mabaibulo apamwamba, mwachitsanzo, V3.20, ndi opanda pake ndipo ali ndi nsikidzi).
Kiyi ya PGP iyenera kupangidwa / kukhazikitsidwa / kuonjezedwa m'malo a su!
Pangani kiyi yachinsinsi
gpg - -gen-key
Tumizani kiyi yanu
gpg --export -o ~/perskey
Ikani disk yomveka mu OS ngati siyinayike kale
mount /dev/sda6 /mnt #sda6 β ΡΠ°Π·Π΄Π΅Π» GRUB2
yeretsani gawo la GRUB2
rm -rf /mnt/
Ikani GRUB2 mu sda6, kuyika kiyi yanu yachinsinsi pa chithunzi chachikulu cha GRUB "core.img"
zosankha
* --force - khazikitsani bootloader, kudutsa machenjezo onse omwe amakhalapo nthawi zonse (mbendera yofunikira).
* βmodules="gcry_sha256 gcry_sha512 signature_test gcry_dsa gcry_rsa" - amalangiza GRUB2 kuti ayambe kudzaza ma modules ofunikira pamene PC iyamba.
* -k ~/perskey -njira yopita ku "PGP key" (mutatha kulongedza fungulo mu fano, likhoza kuchotsedwa).
* --root-directory -ikani chikwatu cha boot pamizu ya sda6
/dev/sda6 - gawo lanu la sdaX.
Kupanga/kusintha grub.cfg
grub-mkconfig -o /mnt/boot/grub/grub.cfg
Onjezani mzere "trust / boot/grub/perskey" mpaka kumapeto kwa fayilo ya "grub.cfg" (kakamizani kugwiritsa ntchito kiyi ya pgp.) Popeza tinayika GRUB2 ndi ma modules, kuphatikizapo siginecha module "signature_test.mod", izi zimathetsa kufunika kowonjezera malamulo monga "set check_signatures=enforce" ku config.
Iyenera kuwoneka chonchi (mizere yomaliza mu fayilo ya grub.cfg)
### YAMBA /etc/grub.d/41_custom ###
ngati [ -f ${config_directory}/custom.cfg ]; ndiye
gwero ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; ndiye
gwero $prefix/custom.cfg;
fi
trust /boot/grub/perskey
set superusers = "root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
### END /etc/grub.d/41_custom ###
#
Njira yopita ku "/ boot/grub/perskey" sikuyenera kuloza ku gawo lina la disk, mwachitsanzo hd0,6; pa bootloader yokha, "muzu" ndiye njira yokhazikika ya magawo omwe GRUB2 yayikidwa. (onani set rot=..).
Kusaina GRUB2 (mafayilo onse muzolemba zonse / GRUB) ndi kiyi yanu "perskey".
Yankho losavuta la momwe mungasaina (kwa nautilus/caja explorer): yonjezerani "seahorse" yowonjezera kwa Explorer kuchokera kumalo osungirako. Kiyi yanu iyenera kuwonjezeredwa ku chilengedwe cha su.
Tsegulani Explorer ndi sudo "/ mnt/boot" - RMB - chizindikiro. Pazenera zikuwoneka motere
Njira yolondola: pitani ku bootloader CLI ndikulemba lamulo
trust_list
Poyankha, muyenera kulandira chala cha "perskey"; ngati udindo ndi "0," ndiye kuti chitetezo cha signature sichikugwira ntchito, onaninso ndime C6.2. Pa sitepe iyi, kasinthidwe kapamwamba "Kuteteza GRUB2 ndi siginecha ya digito ndi kutsimikizika" kwatsirizidwa.
C7 Njira ina yotetezera GRUB2 bootloader pogwiritsa ntchito hashingNjira ya "CPU Boot Loader Protection/Authentication" yofotokozedwa pamwambapa ndi yachikale. Chifukwa cha kupanda ungwiro kwa GRUB2, m'mikhalidwe ya paranoid imatha kuukira kwenikweni, yomwe ndipereka pansipa ndime [F]. Kuphatikiza apo, mutatha kukonzanso OS/kernel, bootloader iyenera kusainanso.
Kunyenga kwa signature (mwachidziwitso, ndizotheka kupeza kugunda kwa ntchito kwa hashi).
Kuwonjezeka kwa zovuta (poyerekeza ndi zachikale, maluso ochulukirapo mu GNU/Linux OS amafunikira).
Momwe lingaliro la GRUB2 / partition hashing limagwirira ntchito
Gawo la GRUB2 "lidasainidwa"; boti la OS likayamba, gawo la bootloader limayang'aniridwa kuti silingasinthe, ndikutsata malo otetezedwa (obisika). Ngati bootloader kapena kugawa kwake kwasokonezedwa, kuwonjezera pa chipika cholowera, zotsatirazi zimayambitsidwa:
Chinthu.
Cheke chofananacho chimapezeka kanayi patsiku, zomwe sizimatsitsa zida zadongosolo.
Pogwiritsa ntchito lamulo la "-$ check_GRUB", cheke pompopompo chimachitika nthawi iliyonse osadula mitengo, koma ndi chidziwitso ku CLI.
Pogwiritsa ntchito lamulo la "-$ sudo signature_GRUB", GRUB2 bootloader / partition imasainanso nthawi yomweyo ndikudula mitengo yake. (zofunikira pambuyo pakusintha kwa OS/boot), ndipo moyo umapitilira.
Kukhazikitsa njira ya hashing ya bootloader ndi gawo lake
0) Tiyeni tisayine GRUB bootloader/gawo poyiyika koyamba mu /media/username
1) Timapanga script popanda chowonjezera muzu wa encrypted OS ~/podpis, timagwiritsa ntchito zofunikira zachitetezo cha 744 ndi chitetezo chopanda pake.
Pambuyo pakusintha kwa OS -$ apt-get upgrade lembaninso gawo lathu la GRUB -$ ΠΏΠΎΠ΄ΠΏΠΈΡΡ_GRUB Pakadali pano, chitetezo cha hashing cha gawo la GRUB chatha.
[D] Kupukuta - kuwononga deta yosasungidwa
Chotsani mafayilo anu aumwini kwathunthu kotero kuti βngakhale Mulungu sangaΕ΅erenge,β malinga ndi mneneri wa ku South Carolina, Trey Gowdy.
Monga mwachizolowezi, pali "nthano ndi nthano". nthano", za kubwezeretsa deta itatha kuchotsedwa pa hard drive. Ngati mumakhulupirira za cyberwitchcraft, kapena ndinu membala wa gulu la Dr ndipo simunayesepo kubwezeretsa deta itatha kuchotsedwa / kulembedwanso. (mwachitsanzo, kuchira pogwiritsa ntchito R-studio), ndiye njira yomwe ikufunsidwayo siyingagwirizane ndi inu, gwiritsani ntchito zomwe zili pafupi kwambiri ndi inu.
Pambuyo posamutsa GNU/Linux bwinobwino kugawo lobisidwa, kope lakale liyenera kuchotsedwa popanda mwayi wobwezeretsa deta. Njira yoyeretsera padziko lonse lapansi: pulogalamu ya Windows/Linux yaulere ya GUI BleachBit.
Mwamsanga sinthani gawo, deta yomwe iyenera kuwonongedwa (kudzera Gparted) yambitsani BleachBit, sankhani "Yeretsani malo aulere" - sankhani magawowo (sdaX yanu yokhala ndi kopi yam'mbuyo ya GNU/Linux), ntchito yovula idzayamba. BleachBit - amapukuta disk mu chiphaso chimodzi - izi ndi zomwe "tikufuna", Koma! Izi zimangogwira ntchito mwachidziwitso ngati mudapanga disk ndikuyiyeretsa mu pulogalamu ya BB v2.0.
Ndipo nthano za kuthekera kwa kuchira kwa data si nthano chabe.Bleachbit V2.0-2 phukusi lakale la OS Debian losakhazikika (ndi mapulogalamu ena aliwonse ofanana: sfill; pukuta-Nautilus - adawonedwanso mubizinesi yonyansayi) kwenikweni anali ndi cholakwika chovuta: ntchito ya "free space clearing". zimagwira ntchito molakwika pa HDD/Flash drives (ntfs/ext4). Mapulogalamu amtunduwu, pochotsa malo aulere, samalemba diski yonse, monga momwe ogwiritsa ntchito ambiri amaganizira. Ndipo ena (zambiri) fufutidwa deta Os/pulogalamu amaona kuti deta imeneyi si zichotsedwa / wosuta deta ndipo pamene kuyeretsa "OSP" ndi kulumpha owona awa. Vuto ndiloti patapita nthawi yaitali, kuyeretsa disk "zichotsedwa owona" akhoza anachira ngakhale pambuyo pa 3+ kupita kupukuta chimbale.
Pa GNU/Linux ku Bleachbit 2.0-2 Ntchito zochotseratu mafayilo ndi zolemba zimagwira ntchito modalirika, koma osachotsa malo aulere. Poyerekeza: pa Windows mu CCleaner ntchito ya "OSP ya ntfs" imagwira ntchito bwino, ndipo Mulungu sangathe kuwerenga zomwe zachotsedwa.
Ndipo kotero, kuti bwinobwino kuchotsa "kunyengerera" data yakale yosabisika, Bleachbit ikufunika mwayi wofikira ku datayi, ndiye, gwiritsani ntchito "kufufutani mafayilo/akalozera" ntchito.
Kuti muchotse "mafayilo ochotsedwa pogwiritsa ntchito zida za OS" mu Windows, gwiritsani ntchito CCleaner/BB ndi ntchito ya "OSP". Mu GNU/Linux pa vutoli (chotsani mafayilo ochotsedwa) muyenera kuyeserera nokha (kuchotsa deta + kuyesa kodziyimira pawokha kuyibwezeretsa ndipo simuyenera kudalira mtundu wa pulogalamuyo (ngati sichosungira, ndiye cholakwika)), kokha mu nkhani iyi mudzatha kumvetsa limagwirira wa vutoli ndi kuchotsa deta zichotsedwa kwathunthu.
Wogwiritsa ntchito aliyense ali ndi njira yake yosungira deta, koma deta yosungidwa ya System OS imafuna njira yosiyana pang'ono ndi ntchitoyi. Mapulogalamu ogwirizana, monga Clonezilla ndi mapulogalamu ofanana, sangathe kugwira ntchito mwachindunji ndi deta yobisika.
Chidziwitso chavuto lakusunga zida zobisika:
university - algorithm yosunga zobwezeretsera / mapulogalamu a Windows / Linux;
Kutha kugwira ntchito mu kontrakitala ndi ma usb amoyo GNU/Linux popanda kufunikira kotsitsa pulogalamu yowonjezera (koma ndikulimbikitsabe GUI);
chitetezo cha zosunga zobwezeretsera - "zithunzi" zosungidwa ziyenera kusungidwa / kutetezedwa ndi mawu achinsinsi;
kukula kwa deta yobisika kuyenera kufanana ndi kukula kwa deta yeniyeni yomwe ikukopera;
kutulutsa kosavuta kwa mafayilo ofunikira kuchokera ku kopi yosunga zobwezeretsera (palibe chifukwa chofotokozera gawo lonselo poyamba).
Mwachitsanzo, zosunga zobwezeretsera / kubwezeretsa kudzera pa "dd" zofunikira
Zimafanana ndi pafupifupi mfundo zonse za ntchitoyi, koma malinga ndi mfundo 4 sizimatsutsidwa, chifukwa zimakopera gawo lonse la disk, kuphatikizapo malo aulere - osasangalatsa.
Mwachitsanzo, zosunga zobwezeretsera za GNU/Linux kudzera pankhokwe [tar" | gpg] ndiyosavuta, koma pa zosunga zobwezeretsera za Windows muyenera kuyang'ana njira ina - sizosangalatsa.
kupanga chotengera encrypted (chiwerengero / fayilo) VeraCrypt kwa Os;
kusamutsa/kulunzanitsa OS pogwiritsa ntchito pulogalamu ya Rsync mu chidebe cha VeraCrypt crypto;
ngati kuli kofunikira, kukweza voliyumu ya VeraCrypt ku www.
Kupanga chotengera cha VeraCrypt chobisika chili ndi mawonekedwe ake:
kupanga voliyumu yamphamvu (kupanga kwa DT kumapezeka mu Windows kokha, kutha kugwiritsidwanso ntchito mu GNU/Linux);
kupanga voliyumu yokhazikika, koma pamafunika kukhala ndi "khalidwe lopanda pake" (malinga ndi wopanga) - masanjidwe a chidebe.
Voliyumu yosunthika imapangidwa pafupifupi nthawi yomweyo mu Windows, koma mukakopera deta kuchokera ku GNU/Linux> VeraCrypt DT, ntchito yonse yosunga zobwezeretsera imachepa kwambiri.
Voliyumu yokhazikika ya 70 GB Twofish imapangidwa (tingonena, pafupifupi mphamvu ya PC) ku HDD ~ mu theka la ola (kulembanso zomwe kale zidasungidwa mu chiphaso chimodzi ndi chifukwa cha chitetezo). Ntchito yokonza voliyumu mwachangu mukaipanga yachotsedwa ku VeraCrypt Windows/Linux, kotero kupanga chidebe kumatheka kudzera "kulembanso pasipoti imodzi" kapena kupanga voliyumu yotsika kwambiri.
Konzani/kupanga/tsegulani chidebe mu VeraCrypt GUI> GNU/Linux live usb (voliyumuyo idzasinthidwa kukhala /media/veracrypt2, voliyumu ya Windows OS idzakwezedwa ku /media/veracrypt1). Kupanga zosunga zobwezeretsera za Windows OS pogwiritsa ntchito GUI rsync (grsync)poyang'ana mabokosi.
Mofananamo, pangani zosunga zobwezeretsera za GNU/Linux OS mwa kusayang'ana bokosi la "Windows compatibility" mu rsync GUI.
Chenjerani! pangani chidebe cha Veracrypt cha "zosunga zobwezeretsera za GNU/Linux" pamafayilo ext4. Ngati mupanga zosunga zobwezeretsera ku chidebe cha ntfs, ndiye mukabwezeretsa kopi yoteroyo, mudzataya ufulu / magulu onse ku data yanu yonse.
Mutha kuchita ntchito zonse mu terminal. Zosankha zoyambirira za rsync:
* -g -sunga magulu;
* -P -kupita patsogolo - udindo wa nthawi yogwiritsidwa ntchito pa fayilo;
* -H - koperani zolimba monga ziliri;
* -a -archive mode (mbiri rlptgoD mbendera);
* -v -kunena mawu.
Ngati mukufuna kuyika "Windows VeraCrypt voliyumu" kudzera pakompyuta mu pulogalamu ya cryptsetup, mutha kupanga dzina (su)
echo "alias veramount='cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sdaX Windows_crypt && mount /dev/mapper/ Windows_crypt /media/veracrypt1'" >> .bashrc && bash
Tsopano lamulo la "zithunzi zambiri" lidzakupangitsani kuti mulowetse mawu achinsinsi, ndipo voliyumu yosungidwa ya Windows idzayikidwa mu OS.
Map/mount VeraCrypt system volume mu cryptsetup command
cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sdaX Windows_crypt
mount /dev/mapper/Windows_crypt /mnt
Mapu / phiri la VeraCrypt gawo / chotengera mu lamulo la cryptsetup
cryptsetup open --veracrypt --type tcrypt /dev/sdaY test_crypt
mount /dev/mapper/test_crypt /mnt
M'malo mwa mawu, tidzawonjezera (chilemba choyambira) voliyumu ya Windows OS ndi diski yomveka yosungidwa ya ntfs ku GNU/Linux poyambira.
Pangani mafayilo awiri ofanana (dzina lomwelo!) mu /etc/rc.local ndi ~/etc/init.d/rc.local
Kudzaza mafayilo
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will Β«exit 0Β» on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
sh -c "sleep 1 && '/VeraOpen.sh'" #ΠΏΠΎΡΠ»Π΅ Π·Π°Π³ΡΡΠ·ΠΊΠΈ ΠΠ‘, ΠΆΠ΄ΡΠΌ ~ 1Ρ ΠΈ ΡΠΎΠ»ΡΠΊΠΎ ΠΏΠΎΡΠΎΠΌ ΠΌΠΎΠ½ΡΠΈΡΡΠ΅ΠΌ Π΄ΠΈΡΠΊΠΈ.
exit 0
Monga omenyera nkhondo a IT, kumbukirani kupanga padera zosunga zobwezeretsera za mitu ya Windows/Linux OS yobisika, kapena kubisako kukutembenukirani. Pa sitepe iyi, zosunga zobwezeretsera za OS encrypted zatha.
[F] Kuukira pa GRUB2 bootloader
Onani zambiriNgati mwateteza bootloader yanu ndi siginecha ya digito ndi/kapena kutsimikizika (Onani mfundo C6.), ndiye izi sizingateteze ku mwayi wakuthupi. Deta yobisika ikadali yosafikirika, koma chitetezo chidzalambalalitsidwa (sinthaninso chitetezo cha siginecha ya digito) GRUB2 imalola munthu wa cyber-villain kubaya code yake mu bootloader popanda kudzutsa kukayikira. (pokhapokha ngati wogwiritsa ntchitoyo ayang'anira pamanja momwe bootloader ikuyendera, kapena abwere ndi code yawo yolimba ya grub.cfg).
Attack algorithm. Wolowerera
* Boot PC kuchokera ku usb yamoyo. Kusintha kulikonse (wophwanya malamulo) mafayilo adzadziwitsa mwiniwake wa PC za kulowetsedwa mu bootloader. Koma kuyikanso kosavuta kwa GRUB2 kusunga grub.cfg (ndi kuthekera kotsatira kusintha) idzalola wowukira kusintha mafayilo aliwonse (pamenepa, potsegula GRUB2, wogwiritsa ntchito weniweni sadzadziwitsidwa. Momwemo ndi chimodzimodzi <0>)
* Imayika gawo losalembetsedwa, sungani "/mnt/boot/grub/grub.cfg".
* Kukhazikitsanso bootloader (kuchotsa "perskey" pachithunzi cha core.img)
* Ikubweza "grub.cfg"> "/mnt/boot/grub/grub.cfg", sinthani ngati kuli kofunikira, mwachitsanzo, kuwonjezera gawo lanu la "keylogger.mod" kufoda yokhala ndi ma module odzaza, mu "grub.cfg" > mzere "insmod keylogger". Kapena, mwachitsanzo, ngati mdaniyo ali wochenjera, ndiye kuti akhazikitsanso GRUB2 (ma signature onse amakhalabe m'malo mwake) imapanga chithunzi chachikulu cha GRUB2 pogwiritsa ntchito "grub-mkimage ndi njira (-c)." Njira ya "-c" ikulolani kuti mukweze zosintha zanu musanalowetse "grub.cfg" yayikulu. Kukonzekera kumatha kukhala ndi mzere umodzi wokha: kuwongolera ku "modern.cfg" iliyonse, yosakanikirana, mwachitsanzo, ndi ~ 400 mafayilo. (ma module + siginecha) mu chikwatu "/boot/grub/i386-pc". Pachifukwa ichi, wowukira akhoza kuyika ma code osagwirizana ndi kutsegula ma modules popanda kukhudza "/boot/grub/grub.cfg", ngakhale wogwiritsa ntchito "hashsum" pa fayilo ndikuwonetsa kwakanthawi pazenera.
Wowukira sadzafunika kuthyola GRUB2 superuser lolowera / mawu achinsinsi; amangofunika kukopera mizere (yoyenera kutsimikizira) "/boot/grub/grub.cfg" ku "modern.cfg" yanu
set superusers = "root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
Ndipo mwiniwake wa PC adzatsimikiziridwabe ngati GRUB2 superuser.
Kutsegula unyolo (bootloader imatsegula bootloader ina), monga ndalemba pamwambapa, sizomveka (ndi cholinga china). Bootloader yosungidwa siyingakwezedwe chifukwa cha BIOS (boot boot restarts GRUB2> encrypted GRUB2, zolakwika!). Komabe, ngati mukugwiritsabe ntchito lingaliro la kutsitsa kwa unyolo, mutha kukhala otsimikiza kuti ndizomwe zimasungidwa. (osasintha) "grub.cfg" kuchokera kugawo lobisika. Ndipo ichinso ndi lingaliro labodza lachitetezo, chifukwa chilichonse chomwe chawonetsedwa mu "grub.cfg" (kutsitsa kwa ma module) kumawonjezera ma module omwe amatsitsidwa kuchokera ku GRUB2 yosalembetsedwa.
Ngati mukufuna kuwona izi, perekani / sungani magawo ena sdaY, lembani GRUB2 kwa izo (ntchito yoyika grub pagawo losungidwa sizotheka) ndi "grub.cfg" (zosintha zosasinthika) kusintha mizere monga iyi
menyu 'GRUBx2' --class parrot --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-382111a2-f993-403-2c-aa292e-5b4780eacXNUMX' {
load_kanema
mu gzio
ngati [ x$grub_platform = xxen]; ndiye insmod xzio; matenda oopsa; fi
insmod gawo_msdos
insmod cryptodisk
insmod lux
insmod gcry_twofish
insmod gcry_twofish
insmod gcry_sha512
insmod ext2
cryptomount -u 15c47d1c4bd34e5289df77bcf60ee838
set root=βcryptouuid/15c47d1c4bd34e5289df77bcf60ee838β²
zachilendo /boot/grub/grub.cfg
}
mizere
* insmod - kutsitsa ma module ofunikira kuti mugwiritse ntchito ndi disk encrypted;
* GRUBx2 - dzina la mzere womwe ukuwonetsedwa mumenyu yoyambira ya GRUB2;
* cryptomount -u 15c47d1c4bd34e5289df77bcf60ee838 -onani. fdisk -l (sda9);
* set root - kukhazikitsa mizu;
* yachibadwa /boot/grub/grub.cfg - fayilo yosinthika yokhazikika pamagawo obisika.
Chidaliro chakuti ndi "grub.cfg" yosungidwa yomwe yapakidwa ndi yankho labwino lolowetsa mawu achinsinsi / kutsegula "sdaY" posankha mzere "GRUBx2" mu menyu ya GRUB.
Mukamagwira ntchito mu CLI, kuti musasokonezedwe (ndipo onani ngati kusintha kwa "set root" kwagwira ntchito), pangani mafayilo opanda kanthu, mwachitsanzo, mu gawo lobisika "/shifr_grub", mugawo losasindikizidwa "/noshifr_grub". Kufufuza mu CLI
cat /Tab-Tab
Monga tafotokozera pamwambapa, izi sizingathandize kutsitsa ma module oyipa ngati ma module otere atha pa PC yanu. Mwachitsanzo, keylogger yomwe imatha kusunga makiyi ku fayilo ndikuyisakaniza ndi mafayilo ena mu "~/i386" mpaka itatsitsidwa ndi wowukira wokhala ndi PC.
Njira yosavuta yotsimikizira kuti chitetezo cha siginecha ya digito chikugwira ntchito mwachangu (osakonzanso), ndipo palibe amene adawukira bootloader, lowetsani lamulo mu CLI
list_trusted
poyankha timalandira kopi ya "perskey" yathu, kapena sitilandira kalikonse ngati tikuwukiridwa (muyeneranso kuyang'ana "set check_signatures=enforce").
Choyipa chachikulu cha sitepe iyi ndikulowetsa malamulo pamanja. Ngati muwonjezera lamulo ili ku "grub.cfg" ndikuteteza kasinthidwe ndi siginecha ya digito, ndiye kuti kutulutsa koyambirira kwa chithunzithunzi chachinsinsi pawindo ndi chachifupi kwambiri pa nthawi, ndipo simungakhale ndi nthawi yowona zotsatira mutakweza GRUB2. .
Palibe amene anganene kuti: wopanga mapulogalamu ake zolemba ndime 18.2 ikulengeza mwalamulo
"Zindikirani kuti ngakhale ndi chitetezo chachinsinsi cha GRUB, GRUB palokha siyingalepheretse munthu yemwe ali ndi mwayi wogwiritsa ntchito makinawo kuti asasinthe kasinthidwe ka firmware ya makinawo (mwachitsanzo, Coreboot kapena BIOS) kuti makinawo ayambike kuchokera ku chipangizo china (cholamulidwa ndi owukira). GRUB ndi ulalo umodzi wokha pamakina otetezeka a boot. "
GRUB2 yodzaza kwambiri ndi ntchito zomwe zingapereke chidziwitso cha chitetezo chabodza, ndipo chitukuko chake chadutsa kale MS-DOS ponena za ntchito, koma ndi bootloader chabe. Ndizoseketsa kuti GRUB2 - "mawa" ikhoza kukhala OS, ndi makina osinthika a GNU/Linux ake.
Kanema wachidule wamomwe ndidakhazikitsiranso chitetezo cha siginecha ya digito ya GRUB2 ndikulengeza kulowerera kwanga kwa wosuta weniweni (Ndinakuopani, koma mmalo mwa zomwe zikuwonetsedwa muvidiyoyi, mukhoza kulemba code / .mod yopanda vuto).
Zotsatira:
1) Kubisa kwa block system kwa Windows ndikosavuta kukhazikitsa, ndipo kutetezedwa ndi mawu achinsinsi amodzi ndikosavuta kuposa kutetezedwa ndi mapasiwedi angapo okhala ndi GNU/Linux block system encryption, kunena chilungamo: yomalizayo ndi yodzichitira.
2) Ndinalemba nkhaniyi kuti ndi yofunikira komanso mwatsatanetsatane zosavuta chiwongolero cha kubisa kwathunthu kwa disk VeraCrypt/LUKS panyumba imodzi makina, omwe ali abwino kwambiri mu RuNet (IMHO). Bukuli ndi> zilembo za 50k zazitali, kotero silinafotokoze mitu yosangalatsa: olemba ma cryptographer omwe amasowa / amakhala mumthunzi; za mfundo yakuti m'mabuku osiyanasiyana a GNU/Linux amalemba pang'ono / samalemba za cryptography; za Gawo 51 la Constitution of the Russian Federation; O kupereka chilolezo/kuletsa encryption mu Russian Federation, chifukwa chake muyenera kubisa "root / boot". Kalozerayo adakhala wamkulu, koma mwatsatanetsatane. (pofotokoza ngakhale zosavuta), nayenso, izi zidzakupulumutsirani nthawi yochuluka mukafika "kubisa kwenikweni".
3) Kubisa kwathunthu kwa disk kunachitika pa Windows 7 64; GNU/Linux Parrot 4x; GNU/Debian 9.0/9.5.
4) Anakhazikitsa kuukira bwino pa wanu GRUB2 bootloader.
5) Maphunziro adalengedwa kuti athandize anthu onse osokonezeka mu CIS, kumene kugwira ntchito ndi kubisa kumaloledwa pamalamulo. Ndipo makamaka kwa iwo omwe akufuna kutulutsa kubisa kwa disk-disk popanda kuwononga machitidwe awo okhazikika.
6) Ndinakonzanso ndikuwongolera buku langa, lomwe ndi lofunikira mu 2020.