Decrypting multiple LUKS disks at boot time

Good day and good evening, everyone! This post will be useful to those who use LUKS full-disk encryption and want to decrypt additional disks under Linux (Debian, Ubuntu) at the same stage at which the root partition is decrypted. I could not find this information anywhere on the Internet.

Recently, as the number of disks in the racks grew, I ran into the problem of decrypting disks by some means other than the popular /etc/crypttab approach. I personally found several problems with that method: the file is read only after the root partition has been loaded (mounted), which affects ZFS import, especially if the pool was built from partitions on a *_crypt device, or mdadm raids built from partitions as well. We all know you can partition on top of LUKS containers, right? There is also the problem of starting other services when the arrays do not exist yet but something already needs them (I work with a Proxmox VE 5.x installation with ZFS over iSCSI).

A little about ZFS over iSCSI: in my setup iSCSI runs via LIO, and in fact, when the iSCSI target starts and does not see the ZVOL devices, it simply removes them from its configuration, which prevents the guest systems from starting. So you end up either restoring a backup of the json configuration file or adding the devices with their details for each VM by hand, which is extremely inconvenient when there are many machines and each one has more than 1 disk attached.

The second question, and the main topic of this article, is how to do the decryption. We will talk about it below, so go under the cut!

Most often on the Internet a key file is used (added by hand to a key slot via the cryptsetup luksAddKey command), or, as a rare exception (there is very little information on the Russian-language Internet), the decrypt_derived script located in /lib/cryptsetup/scripts/ (yes, there are other ways, but I used these two, and they form the basis of this article). I was also aiming for everything to come up on its own after a reboot, without additional commands in the console, so that it all "takes off" at once. So why wait?

Let's start!

Let's assume a system, say Debian, installed on the sda3_crypt crypto partition, and a bunch of disks ready to be encrypted and used as you see fit. We have a passphrase to unlock sda3_crypt, and from this partition, on the running (decrypted) system, we will take the "hash" of the passphrase and add it to the rest of the disks. It is all elementary; in the console we execute:

/lib/cryptsetup/scripts/decrypt_derived sda3_crypt | cryptsetup luksFormat /dev/sdX

where X is our disk, partition, and so on.

After encrypting the disks with the "hash" of our passphrase, you need to find out their UUID or ID, whichever you are more used to. We take that information from /dev/disk/by-uuid and /dev/disk/by-id respectively.

The next step is to prepare the files and mini-scripts for the functions we need, so let's continue:

cp -p /usr/share/initramfs-tools/hooks/cryptroot /etc/initramfs-tools/hooks/
cp -p /usr/share/initramfs-tools/scripts/local-top/cryptroot /etc/initramfs-tools/scripts/local-top/

next

touch /etc/initramfs-tools/hooks/decrypt && chmod +x /etc/initramfs-tools/hooks/decrypt

Contents of ../decrypt

#!/bin/sh
# initramfs-tools hook: answer the prereqs query, then copy decrypt_derived
# into the image ($DESTDIR is the image root while the hooks run).
case "$1" in prereqs) exit 0;; esac

cp -p /lib/cryptsetup/scripts/decrypt_derived "$DESTDIR/bin/decrypt_derived"

next

touch /etc/initramfs-tools/hooks/partcopy && chmod +x /etc/initramfs-tools/hooks/partcopy

Contents of ../partcopy

#!/bin/sh
# initramfs-tools hook: copy partprobe and the shared libraries it needs
# into the image (library paths and versions are those of the author's system).
case "$1" in prereqs) exit 0;; esac

cp -p /sbin/partprobe "$DESTDIR/bin/partprobe"
cp -p /lib/x86_64-linux-gnu/libparted.so.2 "$DESTDIR/lib/x86_64-linux-gnu/libparted.so.2"
cp -p /lib/x86_64-linux-gnu/libreadline.so.7 "$DESTDIR/lib/x86_64-linux-gnu/libreadline.so.7"

next

touch /etc/initramfs-tools/scripts/local-bottom/partprobe && chmod +x /etc/initramfs-tools/scripts/local-bottom/partprobe

Contents of ../partprobe

#!/bin/sh
# local-bottom script: runs inside the initramfs at boot, after the root
# filesystem is mounted, so the partitions on the freshly opened LUKS devices
# get scanned. $DESTDIR is not set at boot time, so the path is /bin/partprobe.
case "$1" in prereqs) exit 0;; esac

/bin/partprobe

and finally, before running update-initramfs, you need to edit the /etc/initramfs-tools/scripts/local-top/cryptroot file, starting around line 360; the code snippet is below

Original

                # decrease $count by 1, apparently last try was successful.
                count=$(( $count - 1 ))
                
                message "cryptsetup ($crypttarget): set up successfully"
                break

and bring it to this form

Edited

                # decrease $count by 1, apparently last try was successful.
                count=$(( $count - 1 ))
                
                # Added: the root target ($crypttarget) is open now, so derive the key
                # from it and open each extra LUKS device with that key. Use either the
                # by-uuid or the by-id path; <UUID>, <ID> and <CRYPT_MAP> are placeholders
                # for the disk's identifier and the mapping name you want under /dev/mapper.
                /bin/decrypt_derived $crypttarget | cryptsetup luksOpen /dev/disk/by-uuid/<UUID> <CRYPT_MAP>
                /bin/decrypt_derived $crypttarget | cryptsetup luksOpen /dev/disk/by-id/<ID> <CRYPT_MAP>

                message "cryptsetup ($crypttarget): set up successfully"
                break

Note that either the UUID or the ID can be used here. The main thing is that the driver for the HDD/SSD devices is added to /etc/initramfs-tools/modules. You can find out which driver is in use with the command udevadm info -a -n /dev/sdX | egrep 'looking|DRIVER'.

So everything is ready and all the files are configured. Run update-initramfs -u -k all -v; the log must not show any errors from our scripts. We reboot, enter the passphrase and wait a little, depending on the number of disks. Next, the system starts, and at the final stage of initialization, right after "mounting" the root partition, the partprobe command runs: all partitions created on the LUKS devices are found and picked up, and any arrays, whether ZFS or mdadm, are assembled without problems! And all of this happens before the main services, and the services that need these disks/arrays, are loaded.
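The cryptroot edit above hard-codes one luksOpen line per disk. The following is an added example, not code from the original post: the same decrypt_derived pipeline generalized to a loop over a small list file of "device mapping-name" pairs, with a missing disk skipped instead of aborting the boot. It assumes /bin/decrypt_derived was copied in by the "decrypt" hook and that a hook of your own copies the (hypothetical) list file into the initramfs.

```shell
#!/bin/sh
# Added example (not from the original post): open every LUKS device listed in a
# config file with the key derived from the already-unlocked root target, the way
# the post's cryptroot edit does for one device. Hypothetical list path below.
DERIVED_LIST="${DERIVED_LIST:-/etc/decrypt_derived.list}"

# Print the "<device> <mapping-name>" pairs of a list file, dropping comments,
# trailing whitespace and blank lines.
read_derived_list() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Open one LUKS device ($2) as /dev/mapper/$3 using the key derived from the
# open root target ($1). Returns 1 when the device is absent so that one
# missing disk does not stop the rest of the boot.
open_derived() {
    src="$1"; dev="$2"; name="$3"
    if [ ! -e "$dev" ]; then
        echo "decrypt_derived: $dev not present, skipping $name" >&2
        return 1
    fi
    [ -e "/dev/mapper/$name" ] && return 0   # already opened on an earlier try
    # Same pipeline as the post: decrypt_derived feeds the derived key on stdin.
    /bin/decrypt_derived "$src" | cryptsetup luksOpen "$dev" "$name"
}

# Open every entry of the list; the return value is the number of failures.
# The here-document keeps the loop in the current shell (piping into
# "while read" would run it in a subshell and lose the counter in sh).
open_all_derived() {
    src="$1"; list="$2"; failed=0
    while read -r dev name; do
        [ -n "$dev" ] && [ -n "$name" ] || continue
        open_derived "$src" "$dev" "$name" || failed=$((failed + 1))
    done <<EOF
$(read_derived_list "$list")
EOF
    return "$failed"
}

# In local-top/cryptroot the two hard-coded luksOpen lines then become:
#   open_all_derived "$crypttarget" "$DERIVED_LIST"
# placed before the "set up successfully" message.
```

Because every listed disk is unlocked with a key derived from the root volume's key, protecting the root target is what protects all of them; the per-disk failure count is there so a dead disk is logged rather than silently ignored.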

update1: As AEP noted, this method works for LUKS1.

source: www.habr.com
