Full-disk encryption of installed Windows and Linux systems. Encrypted multiboot

An updated version of the author's own guide to full-disk encryption on the RuNet, V0.2.

Cowboy strategy:

[A] Windows 7 block system encryption of the installed system;
[B] GNU/Linux block system encryption (Debian) of the installed system (including /boot);
[C] GRUB2 configuration, bootloader protection with digital signature / authentication / hashing;
[D] wiping - destroying unencrypted data;
[E] universal backup of encrypted OSes;
[F] attack <on item [C6]> target - GRUB2 bootloader;
[G] helpful documentation.

╭─── Scheme of #room 40#:
├──╼ Windows 7 installed - full encryption, not hidden;
├──╼ GNU/Linux installed (Debian and derivative distributions) - full encryption, not hidden (/, including /boot; swap);
├──╼ independent bootloaders: VeraCrypt bootloader installed in the MBR, GRUB2 bootloader installed in the extended partition;
├──╼ no OS installation/reinstallation required;
└──╼ cryptographic software used: VeraCrypt; Cryptsetup; GnuPG; Seahorse; Hashdeep; GRUB2 - free/libre.

The scheme above solves the problem of "remote boot to a flash drive", lets you enjoy encrypted Windows/Linux OSes, and lets you exchange data over an "encrypted channel" from one OS to the other.

PC boot order (one of the options):

  • power on the machine;
  • the VeraCrypt bootloader loads (entering the correct password continues booting Windows 7);
  • pressing the "Esc" key loads the GRUB2 bootloader;
  • the GRUB2 bootloader (choose distribution/GNU/Linux/CLI) requires GRUB2 superuser authentication <login/password>;
  • after successful authentication and choosing the distribution, you must enter a passphrase to unlock "/boot/initrd.img";
  • after entering the passphrases without errors, GRUB2 will "require" a password (the third one; the BIOS password or the GNU/Linux user account password are not counted) to unlock and boot the GNU/Linux OS, or automatic substitution of a secret key (two passwords + key, or password + key);
  • external interference in the GRUB2 configuration will freeze the GNU/Linux boot process.

Troublesome? Fine, let's automate the processes.

When partitioning a hard disk (MBR table), a PC can have no more than 4 primary partitions, or 3 primary and one extended, plus unallocated space. An extended partition, unlike a primary one, can contain sub-partitions (logical drives = extended partition). In other words, the "extended partition" on the HDD replaces LVM for the task at hand: full system encryption. If your disk is split into 4 primary partitions, you need to use LVM, or convert (with formatting) a partition from primary to extended, or make sensible use of all four partitions and leave everything as it is, getting the desired result. Even if you have a single partition on your disk, Gparted will help you split your HDD (into additional partitions) without losing data, though there is still a small price to pay for such operations.

The hard-disk layout against which the whole article is written is shown in the table below.

Table (No. 1) of the 1TB partitions.

You should have something similar.
sda1 - primary partition No. 1, NTFS (encrypted);
sda2 - extended partition marker;
sda6 - logical drive (the GRUB2 bootloader is installed on it);
sda8 - swap (encrypted swap file / not always);
sda9 - test logical drive;
sda5 - logical drive for the curious;
sda7 - GNU/Linux OS (the OS migrated to an encrypted logical drive);
sda3 - primary partition No. 2 with the Windows 7 OS (encrypted);
sda4 - primary partition No. 3 (it held the unencrypted GNU/Linux, used for backup / not always).

[A] Windows 7 System Block Encryption

A1. VeraCrypt

Download the installer version of the VeraCrypt cryptographic software from the official site or from the sourceforge mirror (at the time of publication v1.24-Update3; the portable version of VeraCrypt is not suitable for system encryption). Verify the checksum of the downloaded software

$ Certutil -hashfile "C:\VeraCrypt Setup 1.24.exe" SHA256

and compare the result with the checksum published on the VeraCrypt developer's website.

If the HashTab software is installed, it is even easier: right-click (VeraCrypt Setup 1.24.exe) - Properties - file hash sums.

To verify the program's signature, the software (GnuPG; Gpg4win) and the developer's public PGP key must be installed on the system.

A2. Install/run the VeraCrypt software with administrator rights

A3. Choosing the system encryption parameters for the active partition

VeraCrypt - System - Encrypt System Partition/Drive - Normal - Encrypt the Windows system partition - Multi-boot - (warning: "Inexperienced users are not advised to use this method", and this is true; we agree, "Yes") - Boot drive ("yes", even if it is not, still "yes") - Number of system drives "2 or more" - Multiple systems on a single drive "Yes" - Non-Windows boot loader "No" (in fact "Yes", but the VeraCrypt/GRUB2 boot loaders will not share the MBR between themselves; more precisely, only the smallest part of the boot loader code is stored in the MBR/boot track, and its main part is located within the file system) - Multi-boot - Encryption settings...

If you deviate from the steps above (the block system encryption scheme), VeraCrypt will display a warning and will not let you encrypt the partition.

At the next step toward protecting your data, run the "Test" and choose an encryption algorithm. If you have an older CPU, the fastest encryption algorithm will most likely be Twofish. If the CPU is powerful, you will notice the difference: AES encryption, according to the test results, will be several times faster than its crypto competitors. AES is a popular encryption algorithm; the hardware of modern CPUs is specifically optimized for both "secrecy" and "hacking".

VeraCrypt supports encrypting disks in a cascade AES(Twofish) and other combinations. On an old Intel CPU from ten years ago (without hardware AES support, A/T cascade encryption) the performance drop is essentially imperceptible (for AMD CPUs of the same era/~parameters, performance is slightly reduced). The OS runs dynamically and the resource consumption of transparent encryption is not noticeable. By contrast, for example, there is a noticeable drop in performance from an installed test desktop environment Mate v1.20.1 (or v1.20.2, I don't remember exactly) in GNU/Linux, or from the telemetry routines running in Windows7↑. Usually, experienced users run hardware performance tests before encryption, for example in Aida64/Sysbench/systemd-analyze blame, and compare them with the results of the same tests after encrypting the system, thereby refuting for themselves the myth that "system encryption is harmful". The slowdown of the machine and the inconvenience are noticeable when backing up/restoring encrypted data, because the "system data backup" operation itself is not measured in ms, and those very <decrypt/encrypt on the fly> operations are added on top. Ultimately, every user who is allowed to tinker with cryptography balances the encryption algorithm against the tasks at hand, their level of paranoia, and ease of use.

It is better to leave the PIM parameter at its default, so that when booting the OS you do not have to enter exact iteration values every time. VeraCrypt uses a huge number of iterations to create a really "slow hash". An attack on such a "crypto snail" using brute force / rainbow tables makes sense only against a short "simple" passphrase and the victim's personal charset list. The price paid for password strength is a delay after entering the correct password when booting the OS. (Mounting VeraCrypt volumes in GNU/Linux is significantly faster.)
Free software for brute-force attacks (extracting the passphrase from a VeraCrypt/LUKS disk header): Hashcat. John the Ripper does not know how to "break VeraCrypt", and when working with LUKS it does not understand Twofish cryptography.

Because of the cryptographic strength of the encryption algorithms, the unstoppable cypherpunks are developing software with a different attack vector. For example, extracting metadata/keys from RAM (cold boot / direct memory access attack). There is specialized free and non-free software for these purposes.

After finishing configuring/generating the "unique metadata" of the active partition being encrypted, VeraCrypt will offer to reboot the PC and test its bootloader. After rebooting/starting Windows, VeraCrypt loads in standby mode; all that remains is to confirm the encryption process - Y.

At the final step of system encryption, VeraCrypt will offer to create a backup copy of the header of the active encrypted partition in the form of "veracrypt rescue disk.iso". This must be done: in this software the operation is a requirement (in LUKS, as a requirement, it is unfortunately omitted, but it is emphasized in the documentation). The rescue disk will come in handy for everyone, and for some more than once. Losing (header/MBR overwritten) the backup copy of the header will permanently deny access to the decrypted partition with the Windows OS.

A4. Creating a VeraCrypt rescue USB/disk

By default, VeraCrypt offers to burn "~2-3MB of metadata" to a CD, but not everyone has discs or DVD-ROM drives, and creating a bootable flash drive "VeraCrypt Rescue disk" will be a technical surprise for some: Rufus / GUIdd-ROSA ImageWriter and other similar software will not cope with the task, because in addition to copying the offset metadata to a bootable flash drive, you need to copy/paste the image outside the file system of the USB drive; in short, correctly copy the MBR/track onto the flash drive. You can create a bootable flash drive from GNU/Linux using the "dd" utility, see this screenshot.

Creating a rescue disk in a Windows environment is different. The VeraCrypt developer did not include the solution to this problem in the official documentation on the "rescue disk", but offered a solution another way: he posted additional software for creating a "usb rescue disk" for free access on his VeraCrypt forum. The archive of this software for Windows is "create usb veracrypt rescue disk". After saving the rescue disk.iso, the block system encryption process of the active partition will begin. During encryption, the OS keeps working; when the encryption operation completes, the active partition is fully encrypted and can be used. If the VeraCrypt boot loader does not appear when the PC starts, and restoring the header does not help, check the "boot" flag; it must be set on the partition where Windows is located (regardless of encryption and other OSes, see table No. 1).
This completes the description of block system encryption with the Windows OS.

[B] LUKS. GNU/Linux encryption (~Debian) of the installed OS. Algorithm and steps

To encrypt an installed Debian/derivative distribution, you need to map the prepared partition to a virtual block device, transfer the GNU/Linux system to the mapped disk, and install/configure GRUB2. If you do not have a bare-metal server and you value your time, you should use the GUI; most of the terminal commands described below are meant to be run in "Chuck-Norris mode".

B1. Booting the PC from a live usb GNU/Linux

"Run a crypto test for hardware performance"

lscpu && cryptsetup benchmark

If you are the happy owner of a powerful machine with hardware AES support, the numbers will look like the right side of the terminal; if you are a happy owner but with old hardware, the numbers will look like the left side.

B2. Disk partitioning. Mounting/formatting the logical disk HDD fs to Ext4 (Gparted)

B2.1. Creating an encrypted sda7 partition

I will describe partition names, here and below, according to my partition table posted above. According to your disk layout, you must substitute your own partition names.

Logical Drive Encryption Mapping (/dev/sda7 > /dev/mapper/sda7_crypt).
# Simple creation of a "LUKS-AES-XTS partition"

cryptsetup -v -y luksFormat /dev/sda7

Options:

* luksFormat - initialize the LUKS header;
* -y - passphrase (not a key/file);
* -v - verbose (show information in the terminal);
* /dev/sda7 - your logical drive from the extended partition (where you plan to transfer/encrypt GNU/Linux).

Default encryption algorithm <LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom> (depends on the cryptsetup version).

# Check the default encryption algorithm
cryptsetup --help # the very last line of the terminal output.

If there is no hardware AES support on the CPU, the best choice is to create an advanced "LUKS-Twofish-XTS partition".

B2.2. Advanced creation of a "LUKS-Twofish-XTS partition"

cryptsetup luksFormat /dev/sda7 -v -y -c twofish-xts-plain64 -s 512 -h sha512 -i 1500 --use-urandom

Options:
* luksFormat - initialize the LUKS header;
* /dev/sda7 - your future encrypted logical drive;
* -v - verbose;
* -y - passphrase;
* -c - select the data encryption algorithm;
* -s - encryption key size;
* -h - hashing algorithm/crypto function. The RNG is used (--use-urandom) to generate a unique encryption/decryption key for the logical drive header and a secondary header key (XTS). A unique master key stored in the encrypted disk header, a secondary XTS key, all this metadata and an encryption routine that, using the master key and the secondary XTS key, encrypts/decrypts any data on the partition (except the partition header) are stored in ~3MB on the selected hard disk partition.
* -i - iterations in milliseconds, instead of a "count" (the time delay when processing the passphrase affects OS loading and the cryptographic strength of the keys). To maintain the balance of cryptographic strength, with a simple password like "Russian" you need to increase the -(i) value; with a complex password like "?8dƱob/øfh" the value can be reduced;
* --use-urandom - random number generator, generates keys and salt.

After mapping the partition sda7 > sda7_crypt (the operation is fast, since an encrypted header is created with ~3 MB of metadata and that is all), you need to format and mount the sda7_crypt file system.

B2.3. Mapping

cryptsetup open /dev/sda7 sda7_crypt
# running this command prompts for the secret passphrase.

Options:
* open - map the partition "with a name";
* /dev/sda7 - logical disk;
* sda7_crypt - the mapping name used to mount the encrypted partition or to initialize it at OS boot.

B2.4. Formatting the sda7_crypt file system to ext4. Mounting the disk in the OS

(Note: you cannot work with an encrypted partition in Gparted)

# format the encrypted block device
mkfs.ext4 -v -L DebSHIFR /dev/mapper/sda7_crypt

Options:
* -v - verbose;
* -L - drive label (which is shown in Explorer among the other drives).

Next, you need to mount the virtual encrypted block device /dev/sda7_crypt into the system

mount /dev/mapper/sda7_crypt /mnt

Working with files in the /mnt folder will automatically encrypt/decrypt the data on sda7.

It is more convenient to map and mount the partition in Explorer (nautilus/caja GUI): the partition will already be in the disk selection list, and all that remains is to enter the passphrase to unlock/decrypt the disk. The mapping name will be chosen automatically, and it will not be "sda7_crypt" but something like /dev/mapper/Luks-xx-xx...

B2.5. Backing up the disk header (~3MB of metadata)

One of the most important operations, which must be done without delay, is a backup copy of the "sda7_crypt" header. If you overwrite/damage the header (for example, by installing GRUB2 on the sda7 partition, etc.), the encrypted data will be lost completely with no chance of recovering it, because it will be impossible to regenerate the same keys; the keys are created unique.

# Back up the partition header
cryptsetup luksHeaderBackup --header-backup-file ~/Бэкап_DebSHIFR /dev/sda7

# Restore the partition header
cryptsetup luksHeaderRestore --header-backup-file <file> <device>

Options:
* luksHeaderBackup --header-backup-file - backup command;
* luksHeaderRestore --header-backup-file - restore command;
* ~/Бэкап_DebSHIFR - backup file;
* /dev/sda7 - the partition whose encrypted disk header copy is to be saved.
At this step <creating and editing the encrypted partition> is complete.
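
A header backup only helps if the file really is a usable header. The following sketch is an added example, not part of the original article: it reads the fixed LUKS1 on-disk fields from a backup file and reports the cipher, hash, key size and enabled key slots. It assumes a LUKS1 header (the format named in the article's defaults); the function names and the constructed 592-byte sample header are illustrative.

```sh
#!/bin/sh
# Added example: sanity-check a LUKS1 header backup by reading its on-disk fields.
# LUKS1 layout (byte offsets): magic 0..5, version 6..7, cipher name 8,
# cipher mode 40, hash spec 72, key bytes 108 (u32 BE),
# key slot n at 208 + 48*n, starting with a u32 BE state word.

hexat() {  # FILE OFFSET LEN -> lowercase hex string
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}
strat() {  # FILE OFFSET LEN -> NUL-padded ASCII field as text
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'
}

luks1_summary() (  # FILE -> one summary line, or an error line and status 1
    f=$1; slots=
    [ "$(( $(wc -c < "$f") ))" -ge 592 ] || { echo "too short for a LUKS1 header"; return 1; }
    [ "$(hexat "$f" 0 6)" = 4c554b53babe ] || { echo "LUKS magic not found"; return 1; }
    [ "$(hexat "$f" 6 2)" = 0001 ] || { echo "not a version 1 header"; return 1; }
    for n in 0 1 2 3 4 5 6 7; do
        # 0x00ac71f3 marks an enabled key slot, 0x0000dead a disabled one.
        if [ "$(hexat "$f" $((208 + 48 * n)) 4)" = 00ac71f3 ]; then slots="$slots$n,"; fi
    done
    # With XTS the key is split in two halves, so "-s 512" shows up as 64 key bytes.
    keybits=$(( $(printf '%d' "0x$(hexat "$f" 108 4)") * 8 ))
    echo "cipher=$(strat "$f" 8 32)-$(strat "$f" 40 32) hash=$(strat "$f" 72 32) keybits=$keybits slots=${slots%,}"
)

# Constructed sample (not a real volume): a 592-byte header matching the article's
# "-c twofish-xts-plain64 -s 512 -h sha512", with key slots 0 and 7 enabled.
put() { printf "$3" | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null; }
make_sample_header() (  # OUTFILE
    out=$1
    dd if=/dev/zero of="$out" bs=592 count=1 2>/dev/null
    put "$out" 0 'LUKS\272\276\000\001'                 # magic + version 1
    put "$out" 8 twofish
    put "$out" 40 xts-plain64
    put "$out" 72 sha512
    put "$out" 108 '\000\000\000\100'                   # key bytes = 64
    for n in 0 1 2 3 4 5 6 7; do put "$out" $((208 + 48 * n)) '\000\000\336\255'; done
    put "$out" 208 '\000\254\161\363'                   # slot 0: passphrase
    put "$out" $((208 + 48 * 7)) '\000\254\161\363'     # slot 7: key file
)

# Demo on the constructed sample.
demo_hdr=$(mktemp); make_sample_header "$demo_hdr"
luks1_summary "$demo_hdr"
rm -f "$demo_hdr"
```

Run `luks1_summary` against the file written by `luksHeaderBackup` and compare the reported cipher and slots with what you formatted before storing the backup away from the disk.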

B3. Migrating the GNU/Linux OS (sda4) to the encrypted partition (sda7)

Create a folder /mnt2 (Note - we are still working from the live usb, sda7_crypt is mounted at /mnt), and mount our GNU/Linux, which needs to be encrypted, at /mnt2.

mkdir /mnt2
mount /dev/sda4 /mnt2

We perform a correct OS transfer using the Rsync software

rsync -avlxhHX --progress /mnt2/ /mnt

The Rsync options are described in paragraph E1.

Next, you need to defragment the logical disk partition

e4defrag -c /mnt/ # after the check, e4defrag will report that the partition's fragmentation level is ~"0"; this is a misconception that can cost you a substantial loss of performance!
e4defrag /mnt/ # defragment the encrypted GNU/Linux

Make it a rule: run e4defrag on the encrypted GNU/Linux from time to time if you have an HDD.
The transfer and synchronization [GNU/Linux > GNU/Linux-encrypted] is complete at this step.

B4. Setting up GNU/Linux on the encrypted sda7 partition

After successfully transferring the OS /dev/sda4 > /dev/sda7, you need to log in to GNU/Linux on the encrypted partition and carry out further configuration (without rebooting the PC) relative to the encrypted system. That is, stay in the live usb, but run commands "relative to the root of the encrypted OS". "chroot" will simulate such a situation. To quickly get information about which OS you are currently working in (encrypted or not, since the data on sda4 and sda7 are synchronized), desynchronize the OSes. Create empty marker files in the root directories (sda4/sda7_crypt), for example /mnt/encryptedOS and /mnt2/decryptedOS. Quickly check which OS you are in (including for the future):

ls /<Tab-Tab>

B4.1. "Simulating a login to the encrypted OS"

mount --bind /dev /mnt/dev
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
chroot /mnt

B4.2. Verifying that work is being done against the encrypted system

ls /mnt<Tab-Tab>
# and we see the file "/encryptedOS"

history
# the terminal output should show the su command history of the working OS.

B4.3. Creating/configuring encrypted swap, editing crypttab/fstab

Since the swap file is formatted every time the OS starts, there is no point in creating and mapping swap to a logical drive now and typing commands as in paragraph B2.2. For swap, its own temporary encryption keys will be generated automatically at each start. Life cycle of the swap keys: unmounting/disconnecting the swap partition (+clearing RAM); or restarting the OS. To set up swap, open the file responsible for configuring encrypted block devices (analogous to the fstab file, but responsible for crypto).

nano /etc/crypttab

edit it

# "target name" "source device" "key file" "options"
swap /dev/sda8 /dev/urandom swap,cipher=twofish-xts-plain64,size=512,hash=sha512

Options
* swap - mapping name when encrypting /dev/mapper/swap.
* /dev/sda8 - use your logical partition for swap.
* /dev/urandom - generator of random encryption keys for swap (with each new OS boot, new keys are created). The /dev/urandom generator is less random than /dev/random; /dev/random is, after all, used when working in dangerous paranoid circumstances. When the OS boots, /dev/random slows the boot by a few ± minutes (see systemd-analyze).
* swap,cipher=twofish-xts-plain64,size=512,hash=sha512 - the partition knows that it is swap and is formatted "accordingly"; encryption algorithm.

# Open and edit fstab
nano /etc/fstab

edit it

# swap was on /dev/sda8 during installation
/dev/mapper/swap none swap sw 0 0

/dev/mapper/swap is the name that was set in crypttab.

Alternative encrypted swap
If for some reason you do not want to give up an entire partition for swap, you can go an alternative and better way: create a swap file in a file on the encrypted partition with the OS.

fallocate -l 3G /swap # create a 3 GB file (almost instantaneous operation)
chmod 600 /swap # set permissions
mkswap /swap # make a swap file from the file
swapon /swap # enable our swap
free -m # check that the swap file is activated and working
printf "/swap none swap sw 0 0\n" >> /etc/fstab # if needed, swap will be persistent after reboot

Swap partition setup is complete.

B4.4. Setting up encrypted GNU/Linux (editing the crypttab/fstab files)

The /etc/crypttab file, as written above, describes the encrypted block devices that are configured at boot time.

# edit /etc/crypttab
nano /etc/crypttab

if you mapped the sda7>sda7_crypt partition as in paragraph B2.1

# "target name" "source device" "key file" "options"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 none luks

if you mapped the sda7>sda7_crypt partition as in paragraph B2.2

# "target name" "source device" "key file" "options"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 none cipher=twofish-xts-plain64,size=512,hash=sha512

if you mapped the sda7>sda7_crypt partition as in paragraph B2.1 or B2.2, but do not want to re-enter the password to unlock and boot the OS, then instead of the password you can substitute a secret key/random file

# "target name" "source device" "key file" "options"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 /etc/skey luks

Description
* none - means that when the OS boots, a secret passphrase must be entered to unlock the root.
* UUID - partition identifier. To find your ID, type in the terminal (a reminder that from now on you are working in a terminal in the chroot environment, and not in another live usb terminal).

fdisk -l # check all partitions
blkid # there should be something like this

/dev/sda7: UUID="81048598-5bb9-4a53-af92-f3f9e709e2f2" TYPE="crypto_LUKS" PARTUUID="0332d73c-07"
/dev/mapper/sda7_crypt: LABEL="DebSHIFR" UUID="382111a2-f993-403c-aa2e-292b5eac4780" TYPE="ext4"

(this line is visible when blkid is called from the live usb terminal with sda7_crypt mounted).
You take the UUID from your sdaX (not sdaX_crypt! The UUID of sdaX_crypt will be picked up automatically when the grub.cfg config is generated).
* cipher=twofish-xts-plain64,size=512,hash=sha512 - LUKS encryption in advanced mode.
* /etc/skey - secret key file, which is substituted automatically to unlock the OS boot (instead of entering the 3rd password). You can specify any file up to 8MB, but the data read will be <1MB.

# Create ("generate") a random <secret key> file of 691 bytes.
head -c 691 /dev/urandom > /etc/skey

# Add the secret key (691 bytes) to slot 7 of the luks header
cryptsetup luksAddKey --key-slot 7 /dev/sda7 /etc/skey

# Check the "passwords/keys" slots of the luks partition
cryptsetup luksDump /dev/sda7

It will look something like this:

(do it yourself and see for yourself).

cryptsetup luksKillSlot /dev/sda7 7 # remove the key/password from slot 7

/etc/fstab contains descriptive information about the various file systems.

# Edit /etc/fstab
nano /etc/fstab

# "file system" "mount point" "type" "options" "dump" "pass"
# / was on /dev/sda7 during installation
/dev/mapper/sda7_crypt / ext4 errors=remount-ro 0 1

Option
* /dev/mapper/sda7_crypt - the name of the sda7>sda7_crypt mapping, which is specified in the /etc/crypttab file.
The crypttab/fstab setup is complete.

B4.5. Editing configuration files. The key moment

B4.5.1. Editing the config /etc/initramfs-tools/conf.d/resume

# If you previously had a swap partition activated, disable it.
nano /etc/initramfs-tools/conf.d/resume

and comment out (if present) the "resume" line with "#". The file must be completely empty.

B4.5.2. Editing the config /etc/initramfs-tools/conf.d/cryptsetup

nano /etc/initramfs-tools/conf.d/cryptsetup

it should match

# /etc/initramfs-tools/conf.d/cryptsetup
CRYPTSETUP=yes
export CRYPTSETUP

B4.5.3. Editing the /etc/default/grub config (this config is responsible for the ability to generate grub.cfg when working with an encrypted /boot)

nano /etc/default/grub

add the line "GRUB_ENABLE_CRYPTODISK=y"
With the value 'y', grub-mkconfig and grub-install will check for encrypted disks and generate the additional commands needed to access them at boot time (insmods).
There should be something similar:

GRUB_DEFAULT=0
GRUB_TIMEOUT=1
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="acpi_backlight=vendor"
GRUB_CMDLINE_LINUX="quiet splash noautomount"
GRUB_ENABLE_CRYPTODISK=y

B4.5.4. Editing the config /etc/cryptsetup-initramfs/conf-hook

nano /etc/cryptsetup-initramfs/conf-hook

check that the line is commented out <#>.
In the future (and even now, this parameter will have no meaning, but sometimes it interferes with updating the initrd.img image).

B4.5.5. Editing the config /etc/cryptsetup-initramfs/conf-hook

nano /etc/cryptsetup-initramfs/conf-hook

add

KEYFILE_PATTERN="/etc/skey"
UMASK=0077

This will pack the secret key "skey" into initrd.img; the key is needed to unlock the root when the OS boots (if you do not want to enter the password again, the key "skey" is substituted automatically).

B4.6. Updating /boot/initrd.img [version]

To pack the secret key into initrd.img and apply the cryptsetup fixes, update the image

update-initramfs -u -k all

When updating initrd.img (as they say, "It's possible, but it's not certain"), warnings related to cryptsetup will appear, or, for example, a message about missing Nvidia modules - this is normal. After updating the file, check that it was actually updated by looking at its time (relative to the chroot environment ./boot/initrd.img). Attention! Before [update-initramfs -u -k all], be sure to check that cryptsetup has /dev/sda7 opened as sda7_crypt - this is the name that appears in /etc/crypttab; otherwise after the reboot there will be a busybox error.
At this step, the configuration files setup is complete.
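
The crypttab rules from B4.4 (UUID of sdaX, not sdaX_crypt) and the warning in B4.6 (mapping open under the crypttab name before update-initramfs) can be checked mechanically. The script below is an added example, not part of the original article; the function names, the directory layout passed as arguments and the sample files are assumptions constructed for illustration, using the UUIDs shown in the article's blkid output. It also flags a key file that is readable by group or others, which is what `head -c 691 /dev/urandom > /etc/skey` leaves behind under a default umask of 022.

```sh
#!/bin/sh
# Added example: consistency check for /etc/crypttab before "update-initramfs -u -k all".
# check_crypttab CRYPTTAB BLKID_OUTPUT MAPPER_DIR [ROOT]
#   BLKID_OUTPUT - file holding the output of `blkid`
#   MAPPER_DIR   - normally /dev/mapper
#   ROOT         - prefix for key file paths (empty inside the chroot)
# Prints one line per problem and returns the number of problems.
check_crypttab() (
    crypttab=$1; blkid_out=$2; mapper=$3; root=${4:-}; problems=0
    warn() { echo "$1: $2"; problems=$((problems + 1)); }
    while read -r name source keyfile options; do
        case $name in ''|'#'*) continue ;; esac
        # 1. A UUID= source must name the LUKS container (sdaX), not the
        #    file system inside the opened mapping (sdaX_crypt).
        case $source in UUID=*)
            line=$(grep -F " UUID=\"${source#UUID=}\"" "$blkid_out" | head -n 1)
            if [ -z "$line" ]; then
                warn "$name" "UUID not present in blkid output"
            else
                case $line in
                    *'TYPE="crypto_LUKS"'*) ;;
                    *) warn "$name" "UUID belongs to ${line%%:*}, which is not a LUKS container" ;;
                esac
            fi ;;
        esac
        # Swap is re-keyed from /dev/urandom at every boot: nothing else to check.
        case ",$options," in *,swap,*) continue ;; esac
        # 2. The mapping must already be open under the crypttab name.
        [ -e "$mapper/$name" ] || warn "$name" "mapping is not open as $mapper/$name"
        # 3. A key file must exist and be closed to group and others.
        case $keyfile in none|-|'') ;;
        *)  if [ ! -f "$root$keyfile" ]; then
                warn "$name" "key file $keyfile is missing"
            elif [ "$(ls -ld "$root$keyfile" | cut -c5-10)" != "------" ]; then
                warn "$name" "key file $keyfile is accessible to group/others"
            fi ;;
        esac
    done < "$crypttab"
    return "$problems"
)

# Constructed sample data modelled on the article's layout (sda7 = LUKS root).
write_sample() (  # DIR
    d=$1; mkdir -p "$d/mapper" "$d/etc"
    cat > "$d/blkid.txt" <<'EOF'
/dev/sda7: UUID="81048598-5bb9-4a53-af92-f3f9e709e2f2" TYPE="crypto_LUKS" PARTUUID="0332d73c-07"
/dev/mapper/sda7_crypt: LABEL="DebSHIFR" UUID="382111a2-f993-403c-aa2e-292b5eac4780" TYPE="ext4"
EOF
    cat > "$d/crypttab.good" <<'EOF'
# "target name" "source device" "key file" "options"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 /etc/skey luks
swap /dev/sda8 /dev/urandom swap,cipher=twofish-xts-plain64,size=512,hash=sha512
EOF
    # Wrong on purpose: UUID of the opened mapping instead of the partition.
    cat > "$d/crypttab.bad" <<'EOF'
sda7_crypt UUID=382111a2-f993-403c-aa2e-292b5eac4780 /etc/skey luks
EOF
    : > "$d/mapper/sda7_crypt"                 # stands in for the open mapping
    head -c 691 /dev/urandom > "$d/etc/skey"
    chmod 644 "$d/etc/skey"                    # what a umask of 022 produces
)

# Demo on the constructed sample: reports the group/other-readable key file.
demo_dir=$(mktemp -d); write_sample "$demo_dir"
check_crypttab "$demo_dir/crypttab.good" "$demo_dir/blkid.txt" "$demo_dir/mapper" "$demo_dir" || true
rm -rf "$demo_dir"
```

Inside the chroot the equivalent call would be `blkid > /tmp/blkid.txt; check_crypttab /etc/crypttab /tmp/blkid.txt /dev/mapper`, followed by `chmod 600 /etc/skey` if the key file is flagged.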

[C] Installing and configuring GRUB2/Protection

C1. If necessary, format the dedicated partition for the bootloader (the partition needs at least 20MB)

mkfs.ext4 -v -L GRUB2 /dev/sda6

C2. Mounting /dev/sda6 to /mnt

Since we are working in the chroot, there will be no /mnt2 directory in the root, and the /mnt folder will be empty.
Mount the GRUB2 partition

mount /dev/sda6 /mnt

If you have an old version of GRUB2 installed, and in the directory /mnt/boot/grub/i-386-pc (another platform is possible, for example, not "i386-pc") there are no crypto modules (in short, the folder should contain modules, including these .mod: cryptodisk; luks; gcry_twofish; gcry_sha512; signature_test.mod), then GRUB2 needs a shake-up.

apt-get update
apt-get install grub2

Important! When updating the GRUB2 package from the repository, when asked "about choosing" where to install the bootloader, you must refuse the installation (reason - an attempt to install GRUB2 to the "MBR" or to the live usb). Otherwise you will damage the VeraCrypt header/loader. After updating the GRUB2 packages and cancelling the installation, the bootloader must be installed manually on the logical drive, not the MBR. If your repository has an outdated version of GRUB2, try updating it from the official website - not tested (worked with the latest GRUB 2.02 ~BetaX bootloaders).

C3. Installing GRUB2 into the extended partition [sda6]

You must have a mounted partition [item C.2]

grub-install --force --root-directory=/mnt /dev/sda6

Options
* --force - install the bootloader, bypassing all the warnings that almost always exist and block the installation (required flag).
* --root-directory - install directory at the root of sda6.
* /dev/sda6 - your sdaX partition (do not miss the <space> between /mnt /dev/sda6).

C4. Creating the configuration file [grub.cfg]

Forget the "update-grub2" command, and use the full configuration file generation command

grub-mkconfig -o /mnt/boot/grub/grub.cfg

After the generation/update of the grub.cfg file completes, the terminal output should contain line(s) with the OS found on the disk ("grub-mkconfig" may find and pick up an OS from the live usb, if you have a multiboot flash drive with Windows 10 and a bunch of live distributions - this is normal). If the terminal is "empty" and the "grub.cfg" file is not generated, then this is the same case where there are GRUB bugs in the system (and most likely the loader is from the test branch of the repository); reinstall GRUB2 from trusted sources.
The "simple configuration" installation and GRUB2 setup is complete.

C5. Fa'amaoniga-su'ega ole fa'ailoga GNU/Linux OSMatou te faʻamaeʻaina saʻo le misiona crypto. Tu'u ma le fa'aeteete le GNU/Linux fa'ailoga (tu'ese le siosiomaga chroot).

umount -a #размонтирование всех смонтированных разделов шифрованной GNU/Linux
Ctrl+d #выход из среды chroot
umount /mnt/dev
umount /mnt/proc
umount /mnt/sys
umount -a #размонтирование всех смонтированных разделов на live usb
reboot

A maeʻa ona toe faʻafouina le PC, e tatau ona utaina le VeraCrypt bootloader.
Fa'ailoga atoa tisiki o faiga fa'apipi'i Windows Linux. Fa'ailoga tele-fa'a

*O le fa'auluina o le fa'aupuga mo le vaeluaga o le a amata ona utaina le Windows.
* O le oomiina o le "Esc" ki o le a tuʻuina atu le pule ile GRUB2, pe afai e te filifilia faʻailoga GNU/Linux - o le a manaʻomia se uputatala (sda7_crypt) e tatala ai /boot/initrd.img (afai e tusia e grub2 uuid "le maua" - o se faʻafitauli i le grub2 bootloader, e tatau ona toe faʻapipiʻi, eg.

* Depending on how you configured the system (see paragraphs B4.4/4.5), after entering the correct password to unlock the /boot/initrd.img image you will either need a password to load the OS kernel/root, or the secret key "skey" will be substituted automatically, eliminating the need to re-enter the passphrase.
(screenshot: "automatic substitution of the secret key").

* Then follows the familiar process of loading GNU/Linux with user account authentication.

* After user authorization and logging in to the OS, you need to update /boot/initrd.img again (see B4.6).

update-initramfs -u -k all

And if there are extra lines in the GRUB2 menu (from the OS pickup from the live usb), get rid of them

mount /dev/sda6 /mnt
grub-mkconfig -o /mnt/boot/grub/grub.cfg

A quick summary of the GNU/Linux system encryption:

  • GNU/Linux is fully encrypted, including /boot/kernel and initrd;
  • the secret key is packed into initrd.img;
  • the current authorization scheme (entering a password to unlock initrd; a password/key to boot the OS; a password for Linux account authorization).

The "simple GRUB2 configuration" system encryption of the block partition is complete.

C6. Advanced GRUB2 configuration. Bootloader protection with a digital signature + authentication protection

GNU/Linux is fully encrypted, but the bootloader cannot be encrypted; this condition is dictated by the BIOS. For this reason an encrypted chain boot of GRUB2 is not possible, but a simple chain boot is possible/available, although from a security point of view it is not needed [see P. F].
For the "vulnerable" GRUB2, the developers implemented a "signature/authentication" bootloader protection algorithm.

  • When the bootloader is protected by "its own digital signature", external modification of files, or an attempt to load additional modules into this bootloader, causes the boot process to be blocked.
  • When the bootloader is protected with authentication, you must enter the GRUB2 superuser login and password in order to select a distribution to boot or to enter additional commands in the CLI.

C6.1. Bootloader authentication protection

Check that you are working in a terminal on the encrypted OS

ls /<Tab-Tab> #detect the marker file

create a superuser password for authorization in GRUB2

grub-mkpasswd-pbkdf2 #enter/repeat the superuser password.

Get the password hash. Something like this

grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8

mount the GRUB partition

mount /dev/sda6 /mnt

edit the config

nano -$ /mnt/boot/grub/grub.cfg

using file search, check that there are no "--unrestricted" or "--users" flags anywhere in "grub.cfg",
then add at the end (before the line ### END /etc/grub.d/41_custom ###)
"set superusers="root"
password_pbkdf2 root hash."

It should look something like this

# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f ${config_directory}/custom.cfg ]; then
source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
source $prefix/custom.cfg;
fi
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
### END /etc/grub.d/41_custom ###
#

If you often use the command "grub-mkconfig -o /mnt/boot/grub/grub.cfg" and do not want to edit grub.cfg every time, enter the lines above (login:password) at the very bottom of the GRUB user script

nano /etc/grub.d/41_custom 

cat <<EOF
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
EOF

When the config is generated with "grub-mkconfig -o /mnt/boot/grub/grub.cfg", the lines responsible for authentication are added to grub.cfg automatically.
This step completes the GRUB2 authentication setup.

C6.2. Bootloader protection with a digital signature

It is assumed that you already have a personal pgp encryption key (or will create one). The following cryptographic software must be installed on the system: gnuPG; kleopatra/GPA; Seahorse. Crypto software will make your life much easier in all such matters. Seahorse - stable package version 3.14.0 (higher versions, for example V3.20, are defective and have significant bugs).

The PGP key must be generated/launched/added only in the su environment!

Generate a personal encryption key

gpg --gen-key

Export your key

gpg --export -o ~/perskey

Mount the logical disk in the OS if it is not already mounted

mount /dev/sda6 /mnt #sda6 - the GRUB2 partition

clean the GRUB2 partition

rm -rf /mnt/

Install GRUB2 on sda6, placing your personal key in the main GRUB image "core.img"

grub-install --force --modules="gcry_sha256 gcry_sha512 signature_test gcry_dsa gcry_rsa" -k ~/perskey --root-directory=/mnt /dev/sda6

options
* --force - install the bootloader, bypassing all the warnings that are always present (required flag).
* --modules="gcry_sha256 gcry_sha512 signature_test gcry_dsa gcry_rsa" - instructs GRUB2 to preload the required modules when the PC starts.
* -k ~/perskey - path to the "PGP key" (once the key has been packed into the image, it can be deleted).
* --root-directory - set the boot directory to the root of sda6
* /dev/sda6 - your sdaX partition.

Generate/update grub.cfg

grub-mkconfig  -o /mnt/boot/grub/grub.cfg

Add the line "trust /boot/grub/perskey" to the end of the "grub.cfg" file (this forces the use of the pgp key). Since we installed GRUB2 with a set of modules that includes the signature module "signature_test.mod", there is no need to add commands such as "set check_signatures=enforce" to the config.

It should look like this (the final lines of the grub.cfg file)

### BEGIN /etc/grub.d/41_custom ###
if [ -f ${config_directory}/custom.cfg ]; then
source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
source $prefix/custom.cfg;
fi
trust /boot/grub/perskey
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
### END /etc/grub.d/41_custom ###
#

The path "/boot/grub/perskey" does not need to point to a specific disk partition, for example hd0,6; for the bootloader itself, "root" is the default path of the partition on which GRUB2 is installed (see set root=..).

Sign GRUB2 (all files in all /GRUB directories) with your key "perskey".
A simple way to sign (for the nautilus/caja file manager): install the "seahorse" extension for the file manager from the repository. Your key must be added to the su environment.
Open the file manager with sudo, "/mnt/boot" - RMB - sign. On screen it looks like this

The key itself, "/mnt/boot/grub/perskey" (copy it into the grub directory), must also be signed with your own signature. Check that the file signatures [*.sig] have appeared in the directory/subdirectories.
Using the method described above, sign "/boot" (our kernel, initrd). If your time is worth anything, this method eliminates the need to write a bash script to sign "a lot of files".

To remove all bootloader signatures (if something went wrong)

rm -f $(find /mnt/boot/grub -type f -name '*.sig')

So that the bootloader does not have to be re-signed after a system update, we freeze all update packages related to GRUB2.

apt-mark hold grub-common grub-pc grub-pc-bin grub2 grub2-common

At this step, the advanced GRUB2 configuration <protecting the bootloader with a digital signature> is complete.
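
For readers who prefer the terminal to the file-manager extension, the signing step of C6.2 can be scripted, together with a coverage check to run before rebooting. This is an added example, not from the original article; it assumes the signing key is the default secret key in root's GnuPG keyring, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the article: script the signing step from C6.2.
# Assumes the signing key is the default secret key in root's GnuPG keyring.

# sign_boot_tree DIR: write a binary detached signature FILE.sig next to every
# file, the form GRUB2 looks for when signature checking is enforced.
sign_boot_tree() {
    find "$1" -type f ! -name '*.sig' -exec gpg --yes --detach-sign {} \;
}

# verify_boot_tree DIR: check every signature cryptographically with gpg.
verify_boot_tree() {
    vb_rc=0
    vb_list=$(mktemp) || return 2
    find "$1" -type f ! -name '*.sig' > "$vb_list"
    while IFS= read -r vb_f; do
        gpg --batch --verify "$vb_f.sig" "$vb_f" </dev/null 2>/dev/null ||
            { echo "BADSIG   $vb_f"; vb_rc=1; }
    done < "$vb_list"
    rm -f "$vb_list"
    return $vb_rc
}

# signature_gaps DIR: report signature coverage without touching any key.
#   UNSIGNED  file has no .sig, so an enforcing GRUB2 will refuse to load it
#   STALE     file was modified after its .sig was written (heuristic by mtime,
#             typical after update-initramfs or a kernel update)
#   ORPHAN    leftover .sig whose file no longer exists
signature_gaps() {
    sg_rc=0
    sg_list=$(mktemp) || return 2
    find "$1" -type f > "$sg_list"
    while IFS= read -r sg_f; do
        case $sg_f in
            *.sig)
                [ -f "${sg_f%.sig}" ] || { echo "ORPHAN   $sg_f"; sg_rc=1; }
                ;;
            *)
                if [ ! -f "$sg_f.sig" ]; then
                    echo "UNSIGNED $sg_f"; sg_rc=1
                elif [ -n "$(find "$sg_f" -newer "$sg_f.sig")" ]; then
                    echo "STALE    $sg_f"; sg_rc=1
                fi
                ;;
        esac
    done < "$sg_list"
    rm -f "$sg_list"
    return $sg_rc
}

# Typical sequence on the mounted GRUB2 partition (run as root):
#   sign_boot_tree /mnt/boot && signature_gaps /mnt/boot && verify_boot_tree /mnt/boot
```

signature_gaps only looks at file names and modification times, so it can also be run from a live usb that does not hold the private key.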

C6.3. Proof-test of the GRUB2 bootloader protected by a digital signature and authentication

GRUB2. When selecting any GNU/Linux distribution or entering the CLI (command line), superuser authorization is required. After entering the correct login/password, you will be asked for the initrd password

Screenshot of successful GRUB2 superuser authentication.

If you tamper with any of the GRUB2 files, make changes to grub.cfg, delete a file/signature, or load a malicious module.mod, a corresponding warning appears. GRUB2 pauses loading.

Screenshot: an attempt to interfere with GRUB2 "from outside".

During a "normal" boot "without intrusion", the system exit code status is "0". It is therefore not known whether the protection works or not (that is, "with or without bootloader signature protection", the status during a normal boot is the same "0", and this is bad).

How do you check the digital signature protection?

An inconvenient way to check: fake/remove a module used by GRUB2, for example delete the signature luks.mod.sig, and get an error.

The right way: go to the bootloader CLI and enter the command

list_trusted

In response you should get the "perskey" fingerprint; if the status is "0", then signature protection does not work, recheck paragraph C6.2.
At this step, the advanced configuration "Protecting GRUB2 with a digital signature and authentication" is complete.

C7 An alternative method of protecting the GRUB2 bootloader using hashing

The "bootloader protection with a digital signature/authentication" method described above is the classic one. Because of the imperfection of GRUB2, in paranoid conditions it is susceptible to a real attack, which I give below in paragraph [F]. In addition, after updating the OS/kernel, the bootloader must be re-signed.

Protecting the GRUB2 bootloader using hashing

Advantages over the classic:

  • A higher level of reliability (hashing/verification is performed only from an encrypted local resource. The entire partition allocated to GRUB2 is monitored for any changes, and everything else is encrypted; in the classic scheme with digital signature protection/authentication of the loader, only files are monitored, not the free space, into which "something sinister" can be added).
  • Encrypted logging (a human-readable personal encrypted log is added to the scheme).
  • Speed (protection/verification of the whole partition allocated to GRUB2 happens almost instantly).
  • Automation of all cryptographic processes.

Disadvantages compared with the classic.

  • Signature forgery (theoretically, it is possible to find a collision for the given hash function).
  • Increased difficulty level (compared with the classic, slightly more GNU/Linux skills are required).

How the GRUB2/partition hashing idea works

The GRUB2 partition is "signed"; when the OS boots, the bootloader partition is checked for immutability, followed by logging in a secure (encrypted) environment. If the bootloader or its partition is compromised, in addition to the intrusion log, the following is launched:

Such a check takes place four times a day, which does not load the system resources.
Using the "-$ проверка_GRUB" (check GRUB) command, an instant check is performed at any time without logging, but with information output to the CLI.
Using the "-$ sudo подпись_GRUB" (sign GRUB) command, the GRUB2 bootloader/partition is instantly re-signed and its log updated (necessary after an OS/boot update), and life goes on.

Implementing the hashing method for the bootloader and its partition

0) Let's sign the GRUB bootloader/partition, having first mounted it at /media/username

-$ hashdeep -c md5 -r /media/username/GRUB > /podpis.txt

1) We create a script without an extension in the root of the encrypted OS, ~/podpis, and apply the necessary 744 security permissions and foolproof protection to it.

Fill in its contents

#!/bin/bash

#Check the entire partition allocated to the GRUB2 bootloader for immutability.
#A log of "intrusion/successful directory check" is kept; in short, a full log with triple verbosity. Attention! Mind the paths: store the GRUB2 digital signature only on the encrypted partition of the GNU/Linux OS.
echo -e "******************************************************************\n" >> '/var/log/podpis.txt' && date >> '/var/log/podpis.txt' && hashdeep -vvv -a -k '/podpis.txt' -r '/media/username/GRUB' >> '/var/log/podpis.txt'

a=`tail '/var/log/podpis.txt' | grep failed` #do not use "cat"!!
b="hashdeep: Audit failed"

#Condition: if there are any changes in the partition allocated to GRUB2, a second, separate short "intrusion only" log is written in addition to the full log, and a blinking "warning" gif is shown on the monitor.
if [[ "$a" = "$b" ]]
then
echo -e "****\n" >> '/var/log/vtorjenie.txt' && echo "vtorjenie" >> '/var/log/vtorjenie.txt' && date >> '/var/log/vtorjenie.txt' & sudo -u username DISPLAY=:0 eom '/warning.gif'
fi

Run the script from su; the hashing of the GRUB partition and its bootloader is checked and the log is saved.

Let's create or copy, for example, a "malicious file" [virus.mod] to the GRUB2 partition and run a temporary scan/test:

-$ hashdeep -vvv -a -k '/podpis.txt' -r '/media/username/GRUB'

The CLI should show an intrusion into our -citadel-
#Trimmed log in CLI

Ср янв  2 11::41 MSK 2020
/media/username/GRUB/boot/grub/virus.mod: Moved from /media/username/GRUB/1nononoshifr
/media/username/GRUB/boot/grub/i386-pc/mda_text.mod: Ok
/media/username/GRUB/boot/grub/grub.cfg: Ok
hashdeep: Audit failed
   Input files examined: 0
  Known files expecting: 0
          Files matched: 325
Files partially matched: 0
            Files moved: 1
        New files found: 0
  Known files not found: 0

#As you can see, "Files moved: 1" and "Audit failed" appear, which means the check failed.
Because of the nature of the partition being tested, "Files moved" is reported instead of "New files found".

2) Put the gif here > ~/warning.gif and set its permissions to 744.

3) Configure fstab to automount the GRUB partition at boot

-$ sudo nano /etc/fstab

LABEL=GRUB /media/username/GRUB ext4 defaults 0 0

4) Rotate the logs

-$ sudo nano /etc/logrotate.d/podpis 

/var/log/podpis.txt {
daily
rotate 50
size 5M
dateext
compress
delaycompress
olddir /var/log/old
}

/var/log/vtorjenie.txt {
monthly
rotate 5
size 5M
dateext
olddir /var/log/old
}

5) Add a job to cron

-$ sudo crontab -e

@reboot '/podpis'
0 */6 * * * '/podpis'

6) Create permanent aliases

-$ sudo su
-$ echo "alias подпись_GRUB='hashdeep -c md5 -r /media/username/GRUB > /podpis.txt'" >> /root/.bashrc && bash
-$ echo "alias проверка_GRUB='hashdeep -vvv -a -k '/podpis.txt' -r /media/username/GRUB'" >> .bashrc && bash

After an OS update (-$ apt-get upgrade), re-sign our GRUB partition
-$ подпись_GRUB
At this point, the hashing protection of the GRUB partition is complete.
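
The same sign/audit cycle can be built from coreutils with SHA-256 in place of hashdeep's MD5, which addresses the collision concern listed among the disadvantages above. This is an added example, not the article's script; the function names and the NEW/CHANGED/MISSING report format are assumptions. Because it compares by path, a copied file is reported as NEW rather than as moved.

```shell
#!/bin/sh
# Added example, not from the article: the C7 sign/audit cycle with SHA-256.
# Assumes GNU coreutils (sha256sum) and file names without newlines or backslashes.

# sign_tree DIR MANIFEST: record "<sha256>  <relative path>" for every regular file.
# Keep MANIFEST on the encrypted root, as the article does with /podpis.txt.
sign_tree() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$2"
}

# audit_tree DIR MANIFEST: print one line per deviation and return 0 only if the
# tree matches the manifest exactly (nothing changed, added or removed).
audit_tree() {
    at_now=$(mktemp) || return 2
    sign_tree "$1" "$at_now" || { rm -f "$at_now"; return 2; }
    at_rc=0
    awk '
        # A sha256sum line is 64 hex digits, two separator characters, the path.
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { known[path] = hash; next }   # first file: manifest
        { seen[path] = 1 }
        !(path in known)    { print "NEW      " path; bad = 1; next }
        known[path] != hash { print "CHANGED  " path; bad = 1 }
        END {
            for (path in known)
                if (!(path in seen)) { print "MISSING  " path; bad = 1 }
            exit bad + 0
        }' "$2" "$at_now" || at_rc=$?
    rm -f "$at_now"
    return $at_rc
}

# audit_and_log DIR MANIFEST LOG: append a timestamped record of the run with an
# explicit verdict line, in the spirit of the article's /var/log/podpis.txt.
audit_and_log() {
    al_rc=0
    al_out=$(audit_tree "$1" "$2") || al_rc=$?
    {
        date -u '+%Y-%m-%dT%H:%M:%SZ'
        [ -z "$al_out" ] || printf '%s\n' "$al_out"
        if [ "$al_rc" -eq 0 ]; then echo "audit ok"; else echo "audit FAILED"; fi
    } >> "$3"
    return $al_rc
}

# Typical use (paths are placeholders modelled on the article's layout):
#   sign_tree /media/username/GRUB /podpis.sha256
#   audit_and_log /media/username/GRUB /podpis.sha256 /var/log/podpis.txt
```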

[D] Wiping - destruction of unencrypted data

Delete your personal files so completely that "even God cannot read them," in the words of South Carolina spokesman Trey Gowdy.

As usual, there are various "myths and legends" about recovering data after it has been deleted from a hard drive. If you believe in cyber-witchcraft, or belong to the Dr web community and have never tried to recover data after deletion/overwriting (for example, recovery using R-studio), then the proposed method is unlikely to suit you; use whatever is closest to you.

After GNU/Linux has been successfully transferred to an encrypted partition, the old copy must be deleted without any possibility of data recovery. Universal cleaning method: software for Windows/Linux, the free GUI software BleachBit.
Quick-format the partition whose data needs to be destroyed (using Gparted), launch BleachBit, select "Clean free space" and select the partition (your sdaX with the previous copy of GNU/Linux); the cleaning process starts. BleachBit wipes the disk in one pass, which is what "we need". But! This works only in theory if you formatted the disk and cleaned it with the BB v2.0 software.

Attention! BB wipes the disk but leaves metadata: file names are preserved when the data is destroyed (Ccleaner does not leave metadata).

And the myth about the possibility of data recovery is not entirely a myth.

Bleachbit V2.0-2, a former package of the unstable Debian OS (and any other similar software: sfill; wipe-Nautilus were also noticed in this dirty business), actually had a critical bug: the "clean free space" function works incorrectly on HDD/Flash drives (ntfs/ext4). Software of this kind, when cleaning free space, does not overwrite the entire disk, as many users think. Some (much) deleted data is treated by the OS/software as non-deleted/user data, and these files are skipped when cleaning free space ("OSP"). The problem is that after such a long disk cleaning, "deleted files" can be recovered even after 3+ wiping passes.
On GNU/Linux, in Bleachbit 2.0-2 the functions for permanently deleting files and directories work reliably, but free-space cleaning does not. For comparison: on Windows, the "OSP for ntfs" function in CCleaner works properly, and God really will not be able to read the deleted data.

And so, to thoroughly remove the "compromising" old unencrypted data, Bleachbit needs direct access to this data; then use the "permanently delete files/directories" function.
To remove "files deleted using standard OS tools" on Windows, use CCleaner/BB with the "OSP" function. On GNU/Linux, for this problem (removing deleted files) you need to practice on your own (deleting data + an independent attempt to recover it) and should not rely on the software version (if not a backdoor, then a bug); only then will you understand the mechanism of this problem and get rid of the deleted data completely.

I have not tested Bleachbit v3.0; perhaps the problem has already been fixed.
Bleachbit v2.0 works honestly.

At this step, disk wiping is complete.

[E] Universal backup of an encrypted OS

Every user has their own method of backing up data, but the encrypted data of the system OS requires a slightly different approach to the task. Unified software, such as Clonezilla and similar programs, cannot work directly with encrypted data.

Statement of the problem of backing up encrypted block devices:

  1. universality - the same backup algorithm/software for Windows/Linux;
  2. the ability to work in the console from any live usb GNU/Linux without downloading additional software (but a GUI is still recommended);
  3. security of backup copies - stored "images" must be encrypted/password-protected;
  4. the size of the encrypted data must correspond to the size of the actual data being copied;
  5. convenient extraction of the needed files from a backup copy (no requirement to decrypt the entire partition first).

For example, backup/restore via the "dd" utility

dd if=/dev/sda7 of=/путь/sda7.img bs=7M conv=sync,noerror
dd if=/путь/sda7.img of=/dev/sda7 bs=7M conv=sync,noerror

It meets almost all points of the task, but on point 4 it does not stand up to criticism, since it copies the entire disk partition, including free space - not interesting.

For example, a GNU/Linux backup via the archiver [tar | gpg] is convenient, but for a Windows backup you have to look for another solution - not interesting.

E1. Universal Windows/Linux backup. The rsync (Grsync) + VeraCrypt volume combination

Algorithm for creating a backup copy:

  1. create an encrypted VeraCrypt container (volume/file) for the OS;
  2. transfer/synchronize the OS into the VeraCrypt crypto container using the Rsync software;
  3. if necessary, upload the VeraCrypt volume to the www.

Creating an encrypted VeraCrypt container has its own characteristics:
creating a dynamic volume (creating a DT is available only in Windows; it can also be used in GNU/Linux);
creating a regular volume, but here there is a requirement of a "paranoid nature" (according to the developer) - formatting the container.

A dynamic volume is created almost instantly in Windows, but when copying data from GNU/Linux > VeraCrypt DT, the overall performance of the backup operation drops significantly.

A regular 70 GB Twofish volume is created (let's say, on an average-power PC) on an HDD in ~ half an hour (overwriting the former container data in one pass is a security requirement). The function of quickly formatting a volume at creation has been removed from VeraCrypt Windows/Linux, so a container can only be created via a "one-pass overwrite" or as a low-performance dynamic volume.

Create a regular VeraCrypt volume (not dynamic/ntfs); there should be no problems.

Configure/create/open a container in the VeraCrypt GUI > GNU/Linux live usb (the volume is automounted to /media/veracrypt2, the Windows OS volume is mounted to /media/veracrypt1). Create an encrypted backup of the Windows OS using the rsync GUI (grsync) by ticking the checkboxes.

Wait for the process to complete. Once the backup is finished, we have a single encrypted file.

Similarly, create a backup copy of the GNU/Linux OS by unticking the "Windows compatibility" checkbox in the rsync GUI.

Attention! Create the Veracrypt container for the "GNU/Linux backup" in the ext4 file system. If you make the backup to an ntfs container, then when you restore such a copy you will lose all rights/groups on all your data.

You can perform all operations in the terminal. Basic options for rsync:
* -g - preserve groups;
* -P, --progress - status of the time spent working on the file;
* -H - copy hardlinks as they are;
* -a - archive mode (the combined rlptgoD flags);
* -v - verbose.

If you want to mount a "Windows VeraCrypt volume" from the console with the cryptsetup software, you can create an alias (su)

echo "alias veramount='cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sdaX Windows_crypt && mount /dev/mapper/Windows_crypt /media/veracrypt1'" >> .bashrc && bash

Now the "veramount" command prompts you to enter a passphrase, and the encrypted Windows system volume is mounted in the OS.

Map/mount a VeraCrypt system volume with the cryptsetup command

cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sdaX Windows_crypt
mount /dev/mapper/Windows_crypt /mnt

Map/mount a VeraCrypt partition/container with the cryptsetup command

cryptsetup open --veracrypt --type tcrypt /dev/sdaY test_crypt
mount /dev/mapper/test_crypt /mnt

Instead of an alias, we add the system volume with the Windows OS and a logical encrypted ntfs disk to GNU/Linux startup (a startup script)

Create a script and save it in ~/VeraOpen.sh

printf 'Ym9i' | base64 -d | cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sda3 Windows_crypt && mount /dev/mapper/Windows_crypt /media/Winda7 #decode the password from base64 (bob) and send it to the password prompt when mounting the Windows OS system disk.
printf 'Ym9i' | base64 -d | cryptsetup open --veracrypt --type tcrypt /dev/sda1 ntfscrypt && mount /dev/mapper/ntfscrypt /media/КонтейнерНтфс #the same, but mounting the logical ntfs disk.

We assign the "correct" permissions:

sudo chmod 100 /VeraOpen.sh

Create two identical files (same name!) in /etc/rc.local and ~/etc/init.d/rc.local
Fill in the files

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

sh -c "sleep 1 && '/VeraOpen.sh'" #after the OS boots, wait ~1s and only then mount the disks.
exit 0

We assign the "correct" permissions:

sudo chmod 100 /etc/rc.local && sudo chmod 100 /etc/init.d/rc.local 

That's it; now when GNU/Linux boots we do not need to enter passwords to mount the encrypted ntfs disks, the disks are mounted automatically.

A short note on what is described above in paragraph E1, step by step (but now for OS GNU/Linux)
1) Create a volume in fs ext4 > 4gb (for file) Linux in Veracrypt [Cryptbox].
2) Reboot to the live usb.
3) ~$ cryptsetup open /dev/sda7 Linux #map the encrypted partition.
4) ~$ mount /dev/mapper/Linux /mnt #mount the encrypted partition to /mnt.
5) ~$ mkdir mnt2 #create a directory for the future backup.
6) ~$ cryptsetup open --veracrypt --type tcrypt ~/CryptoBox CryptoBox && mount /dev/mapper/CryptoBox /mnt2 #map a Veracrypt volume named "CryptoBox" and mount CryptoBox to /mnt2.
7) ~$ rsync -avlxhHX --progress /mnt /mnt2/ #backup operation of an encrypted partition to an encrypted Veracrypt volume.

(p/s/ Attention! If you are transferring encrypted GNU/Linux from one architecture/machine to another, for example Intel > AMD (that is, deploying a backup from one encrypted partition to another encrypted partition, Intel > AMD), do not forget that after transferring the encrypted OS you may need to edit the secret key that is substituted in place of the password. The previous key ~/etc/skey will no longer fit another encrypted partition, and creating a new key with "cryptsetup luksAddKey" from under chroot is not recommended, as a glitch is possible; simply specify "none" instead of "/etc/skey" in ~/etc/crypttab temporarily, and after rebooting and logging in to the OS, recreate your secret key).

As IT veterans, remember to make separate backups of the headers of the encrypted Windows/Linux OS partitions, or the encryption will turn against you.
At this step, the backup of the encrypted OS is complete.

[F] Attack on the GRUB2 bootloader

If you have protected your bootloader with a digital signature and/or authentication (see section C6.), this does not protect against physical access. The encrypted data remains inaccessible, but bypassing the protection (resetting the digital signature protection) of GRUB2 allows a cyber-villain to inject his code into the bootloader without arousing suspicion (unless the user manually monitors the state of the bootloader, or comes up with their own robust arbitrary-script code for grub.cfg).

Attack algorithm. The intruder

* Boots the PC from a live usb. Any change (violation) of files will notify the real owner of the PC about the intrusion into the bootloader. But a simple reinstallation of GRUB2 that keeps grub.cfg (and the subsequent ability to edit it) allows an attacker to edit any files (in this case, when GRUB2 loads, the real user is not notified. The status is the same <0>)
* Mounts the unencrypted partition, saves "/mnt/boot/grub/grub.cfg".
* Reinstalls the bootloader (removing the "perskey" from the core.img image)

grub-install --force --root-directory=/mnt /dev/sda6

* Returns "grub.cfg" > "/mnt/boot/grub/grub.cfg" and edits it if necessary, for example adding his module "keylogger.mod" to the folder with the loader modules and, in "grub.cfg", the line "insmod keylogger". Or, for example, if the adversary is cunning, then after reinstalling GRUB2 (all signatures remain in place) he builds the main GRUB2 image using "grub-mkimage with the option (-c)". The "-c" option allows loading your own config before the main "grub.cfg" is loaded. The config can consist of just one line: a redirect to any "modern.cfg", mixed in, for example, with the ~400 files (modules+signatures) in the "/boot/grub/i386-pc" folder. In this case an attacker can insert arbitrary code and load modules without affecting "/boot/grub/grub.cfg", even if the user applied a "hashsum" to the file and temporarily displayed it on the screen.
An attacker does not need to crack the GRUB2 superuser login/password; he only needs to copy the lines (responsible for authentication) from "/boot/grub/grub.cfg" into his "modern.cfg"

set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8

And the PC owner will still be authenticated as the GRUB2 superuser.

Chain loading (a bootloader loads another bootloader), as I wrote above, makes no sense (it is intended for a different purpose). An encrypted bootloader cannot be loaded because of the BIOS (chain boot restarts GRUB2 > encrypted GRUB2, error!). However, if you still use the idea of chain loading, you can be sure that it is the encrypted (not modernized) "grub.cfg" from the encrypted partition that is loaded. And this is also a false sense of security, because everything specified in the encrypted "grub.cfg" (module loading) is added to the modules that are loaded from the unencrypted GRUB2.

If you want to check this, allocate/encrypt another partition sdaY, copy GRUB2 to it (the grub-install operation onto an encrypted partition is not possible) and in "grub.cfg" (the unencrypted config) change the lines like this

menuentry 'GRUBx2' --class parrot --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-382111a2-f993-403c-aa2e-292b5eac4780' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_msdos
insmod cryptodisk
insmod luks
insmod gcry_twofish
insmod gcry_twofish
insmod gcry_sha512
insmod ext2
cryptomount -u 15c47d1c4bd34e5289df77bcf60ee838
set root='cryptouuid/15c47d1c4bd34e5289df77bcf60ee838'
normal /boot/grub/grub.cfg
}

Lines:
* insmod - loads the modules needed to work with an encrypted disk;
* GRUBx2 - the name of the entry shown in the GRUB2 boot menu;
* cryptomount -u 15c47d1c4bd34e5289df77bcf60ee838 - see fdisk -l (sda9);
* set root - sets the root;
* normal /boot/grub/grub.cfg - the configuration file executed from the encrypted partition.

Confidence that it is the encrypted "grub.cfg" that is being loaded comes from a positive response to entering the password / unlocking "sdaY" when the "GRUBx2" line is selected in the GRUB menu.

When working in the CLI, to avoid confusion (and to check whether the "set root" environment variable took effect), create empty marker files, for example "/shifr_grub" on the encrypted partition and "/noshifr_grub" on the unencrypted partition. Check in the CLI

cat /Tab-Tab

As noted above, this will not help against the loading of malicious modules if such modules end up on your PC. For example, a keylogger would be able to save keystrokes to a file and mix it in with the other files in "~/i386" until it is retrieved by an attacker with physical access to the PC.
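The point above, that a hash of "grub.cfg" alone does not reveal files added beside it, can be checked with a directory-wide baseline. The following is an added example, not code from the original article; the function names and the sample tree (built in a temporary directory with constructed file contents) are assumptions, and the ".sig" check tests only that a signature file is present, not that it verifies.

```python
import hashlib
import os
import tempfile

def snapshot(grub_dir):
    """Map relative path -> SHA-256 for every file under grub_dir."""
    out = {}
    for base, _dirs, files in os.walk(grub_dir):
        for name in files:
            path = os.path.join(base, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            out[os.path.relpath(path, grub_dir)] = digest
    return out

def audit(baseline, current):
    """Compare two snapshots and flag files without a detached .sig beside them."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
        # Presence check only; it does not verify the signature itself.
        "unsigned": sorted(p for p in current
                           if not p.endswith(".sig") and p + ".sig" not in current),
    }

def demo():
    """Constructed sample tree standing in for /boot/grub (not real GRUB files)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "i386-pc"))
        def put(rel, data):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        for rel in ("grub.cfg", "i386-pc/luks.mod", "i386-pc/ext2.mod"):
            put(rel, b"trusted " + rel.encode())
            put(rel + ".sig", b"constructed signature")
        baseline = snapshot(root)  # taken while the tree is known to be good
        # Changes of the kind the article describes: grub.cfg itself stays untouched.
        put("i386-pc/modern.cfg", b"constructed redirect config")
        put("i386-pc/keylogger.mod", b"constructed module")
        put("i386-pc/luks.mod", b"replaced module")
        return audit(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Keep the baseline on media that stays with you and run the comparison from a trusted environment. The check covers files only, not the GRUB2 core image written to the disk sectors after the MBR.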

The simplest way to verify that the digital signature protection is active (not reset) and that nobody has tampered with the bootloader is to enter this command in the CLI

list_trusted

In response we get a fingerprint of our "perskey", or nothing at all if we have been attacked (you should also check "set check_signatures=enforce").
A significant drawback of this step is that the commands are entered manually. If you add this command to "grub.cfg" and protect the config with a digital signature, the fingerprint stays on screen for too short a time, and you may not manage to see the output before GRUB2 finishes loading.
There is no one in particular to complain to: the developer officially states in section 18.2 of its documentation

“Note that even with GRUB password protection, GRUB itself cannot prevent someone with physical access to the machine from altering that machine's firmware (e.g., Coreboot or BIOS) configuration to cause the machine to boot from a different (attacker-controlled) device. GRUB is at best only one link in a secure boot chain.”

GRUB2 is overloaded with features that can give a false sense of security, and in functionality its development has already overtaken MS-DOS, yet it is only a bootloader. It is amusing that "tomorrow" GRUB2 could become an OS, with GNU/Linux virtual machines booting under it.

A short video about how I reset the GRUB2 digital signature protection and announced my intrusion to a real user (I gave them a scare, but instead of what is shown in the video, one could write code / a .mod that is not harmless).

Conclusions:

1) Block system encryption for Windows is easier to implement, and protection with one password is more convenient than protection with several passwords under GNU/Linux block system encryption; in fairness, the latter is automated.

2) I wrote this article as a relevant, detailed and simple guide to full-disk encryption with VeraCrypt/LUKS on one home machine, which is by far the best in RuNet (IMHO). The guide is > 50k characters long, so some interesting topics were left out: cryptographers who disappear / stay in the shadows; the fact that various GNU/Linux books write little or nothing about cryptography; Article 51 of the Constitution of the Russian Federation; licensing/prohibition of encryption in the Russian Federation; why you need to encrypt "root/boot". The guide turned out to be rather extensive, but detailed (describing even simple steps); in return, it will save you a lot of time when you get to the "real encryption".

3) Full-disk encryption was performed on Windows 7 64; GNU/Linux Parrot 4x; GNU/Debian 9.0/9.5.

4) Carried out a successful attack on my own GRUB2 bootloader.

5) The tutorial was created to help all the paranoids of the CIS, where working with encryption is permitted by law. And above all for those who want to roll out full-disk encryption without tearing down their installed systems.

6) Reworked and updated my tutorial, which is current for 2020.

[G] Useful documentation

  1. TrueCrypt User Guide (February 2012 RU)
  2. VeraCrypt Documentation
  3. /usr/share/doc/cryptsetup(-run) [local resource] (official detailed documentation on setting up GNU/Linux encryption with cryptsetup)
  4. cryptsetup FAQ (brief documentation on setting up GNU/Linux encryption with cryptsetup)
  5. LUKS device encryption (archlinux official documentation)
  6. Detailed description of the cryptsetup syntax (arch man page)
  7. Detailed description of crypttab (arch man page)
  8. Official GRUB2 documentation.

Tags: full-disk encryption, partition encryption, Linux full-disk encryption, LUKS1 full system encryption.


Do you encrypt?

  • 17.1% I encrypt everything I can. I'm paranoid. (14 votes)

  • 34.2% I only encrypt important data. (28 votes)

  • 14.6% Sometimes I encrypt, sometimes I forget. (12 votes)

  • 34.2% No, I don't encrypt; it is inconvenient and costly. (28 votes)

82 users voted. 22 users abstained.

Source: www.habr.com
