Good evening, everyone! This post will be useful to those who use LUKS data encryption and want to decrypt disks under Linux (Debian, Ubuntu) at the stage where the root partition is decrypted. I could not find such material on the internet.
Recently, as the number of disks in the shelves grew, I ran into the problem of decrypting disks with the well-known method via /etc/crypttab. Personally, I see several problems with this method, namely that the file is read only after the root partition has been loaded (mounted), which badly affects ZFS pool imports, particularly when the pools were built from partitions on *_crypt devices, and mdadm arrays that were likewise built from partitions. We all know that LUKS devices can be used this way, right? There is also the problem of other services starting early, when the arrays do not exist yet but something already needs to use them (I work with clustered Proxmox VE 5.x and ZFS over iSCSI).
Details on ZFSoverISCSI
iSCSI works for me through LIO, and when the iSCSI target starts and does not see the ZVOL devices, it simply removes them from the configuration, which prevents the guest systems from booting. The way out is then either restoring a backup of the json file, or adding the devices back with the identifiers of each VM, which is awful when there are many such machines and each configuration has more than one disk.
The second question I will consider is how to do the decryption (this is the main point of the article). We will talk about it below, so read on!
Most often on the internet a key file is used (added to a key slot beforehand with the command cryptsetup luksAddKey), or, in special cases (the Russian-language internet has information on it), the decrypt_derived script located in /lib/cryptsetup/scripts/ (of course, there are other ways, but I used these two, which formed the basis of this article). I also aimed for everything to come up fully on its own after a reboot, without any additional commands in the console, so that everything "takes off" for me at once. So, why wait?
Let's begin!
Let's assume a system, such as Debian, installed on the sda3_crypt crypto partition, and a dozen disks ready to be encrypted and built into whatever your heart desires. We have a passphrase to unlock sda3_crypt, and it is from this partition that we will take a "hash" of the passphrase on the running (decrypted) system and add it to all the other disks. Everything is elementary; in the console we run:
/lib/cryptsetup/scripts/decrypt_derived sda3_crypt | cryptsetup luksFormat /dev/sdX
where X stands for our disks, partitions, and so on.
After encrypting the disks with the "hash" of our passphrase, you need to find out the UUID or ID, depending on who is used to what. We take the data from /dev/disk/by-uuid and /dev/disk/by-id respectively.
The next step is to prepare the files and mini-scripts for the functions we need, so let's continue:
cp -p /usr/share/initramfs-tools/hooks/cryptroot /etc/initramfs-tools/hooks/
cp -p /usr/share/initramfs-tools/scripts/local-top/cryptroot /etc/initramfs-tools/scripts/local-top/
next
touch /etc/initramfs-tools/hooks/decrypt && chmod +x /etc/initramfs-tools/hooks/decrypt
Contents of ../decrypt
#!/bin/sh
cp -p /lib/cryptsetup/scripts/decrypt_derived "$DESTDIR/bin/decrypt_derived"
next
touch /etc/initramfs-tools/hooks/partcopy && chmod +x /etc/initramfs-tools/hooks/partcopy
Contents of ../partcopy
#!/bin/sh
cp -p /sbin/partprobe "$DESTDIR/bin/partprobe"
cp -p /lib/x86_64-linux-gnu/libparted.so.2 "$DESTDIR/lib/x86_64-linux-gnu/libparted.so.2"
cp -p /lib/x86_64-linux-gnu/libreadline.so.7 "$DESTDIR/lib/x86_64-linux-gnu/libreadline.so.7"
a little more
touch /etc/initramfs-tools/scripts/local-bottom/partprobe && chmod +x /etc/initramfs-tools/scripts/local-bottom/partprobe
Contents of ../partprobe
#!/bin/sh
$DESTDIR/bin/partprobe
and finally, before running update-initramfs, you need to edit the file /etc/initramfs-tools/scripts/local-top/cryptroot, starting at about line 360; the code snippet is below
Original
# decrease $count by 1, apparently last try was successful.
count=$(( $count - 1 ))
message "cryptsetup ($crypttarget): set up successfully"
break
and bring it to this form
Modified
# decrease $count by 1, apparently last try was successful.
count=$(( $count - 1 ))
/bin/decrypt_derived $crypttarget | cryptsetup luksOpen /dev/disk/by-uuid/ *CRYPT_MAP*
/bin/decrypt_derived $crypttarget | cryptsetup luksOpen /dev/disk/by-id/ *CRYPT_MAP*
message "cryptsetup ($crypttarget): set up successfully"
break
Note that either the UUID or the ID can be used here. The main thing is that the necessary drivers for the HDD/SSD devices are added to /etc/initramfs-tools/modules. You can find out which driver is in use with the command udevadm info -a -n /dev/sdX | egrep 'looking|DRIVER'.
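The unlock line in the modified snippet has to be repeated for every extra disk, with the real UUID and mapping name filled in. The script below is an added example, not part of the original article: it generates those lines from a reviewed table and refuses malformed or duplicate rows, since the result runs as root inside the initramfs. The table format, the sample names and UUIDs, and the "|| message" failure report are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article): build the extra unlock lines for
# /etc/initramfs-tools/scripts/local-top/cryptroot from a reviewed table.
# Table format (an assumption of this example): "<mapping-name> <LUKS-UUID>".

# gen_unlock_lines FILE
# Prints one unlock command per row. On a malformed or duplicate row it
# prints nothing and returns 1, so a bad table never reaches the boot script.
gen_unlock_lines() {
    table=$1 out='' seen=' ' n=0
    while read -r name uuid extra || [ -n "$name" ]; do
        n=$((n + 1))
        case $name in ''|'#'*) continue ;; esac
        # The fields end up in a shell script run as root at boot: accept
        # exactly two fields and only a conservative character set.
        if [ -n "$extra" ]; then
            echo "line $n: unexpected extra field" >&2; return 1
        fi
        case $name in *[!A-Za-z0-9_-]*)
            echo "line $n: invalid mapping name" >&2; return 1 ;;
        esac
        if ! printf '%s\n' "$uuid" |
            grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
            echo "line $n: invalid UUID" >&2; return 1
        fi
        case $seen in *" $name "*|*" $uuid "*)
            echo "line $n: duplicate name or UUID" >&2; return 1 ;;
        esac
        seen="$seen$name $uuid "
        cmd="/bin/decrypt_derived \"\$crypttarget\" | cryptsetup luksOpen"
        cmd="$cmd /dev/disk/by-uuid/$uuid $name"
        cmd="$cmd || message \"cryptsetup ($name): derived-key unlock failed\""
        out="$out$cmd
"
    done < "$table"
    printf '%s' "$out"
}

# Constructed sample table (names and UUIDs are made up for the demo).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# name        LUKS UUID
tank0_crypt   11111111-2222-3333-4444-555555555555
tank1_crypt   aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
EOF
gen_unlock_lines "$sample"
rm -f "$sample"
```

The generated lines go in place of the placeholder lines of the modified snippet, before update-initramfs is run.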
Now that we are done and all the files are in place, run update-initramfs -u -k all -v; the log should contain no errors from running our scripts. We reboot, enter the passphrase and wait a little, depending on the number of disks. Then the system will start, and at the final stage of startup, namely after the root partition has been "mounted", the partprobe command will be run: it will find and pick up all partitions created on the LUKS devices, and any arrays, whether ZFS or mdadm, will be assembled without problems! And all of this happens before the main services and applications that need these disks/arrays are loaded.
Update 1: How
Source: www.habr.com