What to do if the security forces come to your hoster

Image: Reuters

If you rent a server, you do not have full control over it. That means that at any moment well-trained people can come to the hoster and demand any of your data. And the hoster will hand it over if the demand is made in accordance with the law.

You don't want your web server logs or user data leaked to anyone. Building perfect protection is impossible. It is practically impossible to defend yourself against a hoster who owns the hypervisor and hands you the virtual machine. But it may be possible to reduce the risks a little. Encrypting rented machines is not as useless as it looks at first glance. Along the way, let's also look at the threat of data extraction from physical servers.

Threat model

As a rule, the hoster will try to protect the client's interests as far as the law allows. If a letter from the authorities asks only for access logs, the hoster will not hand over dumps of all your virtual machines with their databases. At least, it shouldn't. If they ask for all the data, the hoster copies the virtual disks with all the files, and you will not know about it.

Regardless of the scenario, your main goal is to make the attack as difficult and expensive as possible. There are usually three main threat variants.

Official

Most often a paper letter arrives at the hoster's official office demanding that the required data be provided under the applicable law. If everything is done correctly, the hoster hands the required access logs and other data over to the authorities. Usually they simply ask for the required data to be sent.

Sometimes, when absolutely necessary, representatives of law enforcement agencies come to the data center in person. For example, when you have your own dedicated server and the data can only be taken from it physically.

In every country, access to private property, searches and similar actions require evidence that the data may contain information relevant to a criminal investigation. In addition, a search warrant is drawn up in accordance with all the required rules. There may be nuances related to the specifics of local legislation. The main thing to understand is that if the legal procedure is in order, the data center staff will not let anyone past the door.

Moreover, in many countries you cannot simply carry the running machines away. For example, in Russia, until the end of 2018, Article 183 part 3.1 of the Code of Criminal Procedure of the Russian Federation guaranteed that during a seizure, electronic storage media were seized with the participation of a specialist. At the request of the legal owner of the seized electronic storage media or the owner of the information stored on them, the specialist taking part in the seizure, in the presence of witnesses, copies the information from the seized electronic storage media onto other electronic storage media.

Now, unfortunately, this clause has been removed from the article.

Covert and illegal

This is already the domain of trained comrades from the NSA, FBI, MI5 and other three-letter agencies. Most often, national legislation gives such bodies very broad powers. Moreover, there is always a legal prohibition on any direct or indirect disclosure of the very fact of cooperating with such law enforcement agencies. Russia has similar legal norms.

With this kind of threat to your data, consider it already leaked. Besides a simple seizure, the whole unofficial arsenal of backdoors, zero-day vulnerabilities, extraction of data from the RAM of your virtual machine and other delights may be used. In this case the hoster will be obliged to assist the law enforcement specialists as far as possible.

Unscrupulous employee

Not all people are equally good. One of the data center administrators may decide to earn some extra money and sell your data. How things go from there depends on his powers and access. The most annoying thing is that an administrator with access to the virtualization console has full control over your machines. He can always take a snapshot together with the entire contents of RAM and study it at his leisure.

VDS

So, you have a virtual machine provided by the hoster. How can you use encryption to protect yourself? In fact, practically not at all. Moreover, even someone else's dedicated server can turn out to be a virtual machine with the required devices passed through into it.

If the task of the remote system is not just to store data but to perform some computation, then the only option for working on an untrusted machine is to implement homomorphic encryption. In that case the system performs the computation without being able to understand what exactly it is doing. Unfortunately, the overhead of implementing such encryption is so high that its practical use is currently limited to very narrow tasks.

Moreover, while the virtual machine is running and doing something, all encrypted volumes are in the unlocked state, otherwise the OS simply could not work with them. This means that with access to the virtualization console you can always take a snapshot of the running machine and pull all the keys out of RAM.

Many vendors have tried to organize hardware encryption of RAM so that even the hoster cannot access this data. For example, Intel Software Guard Extensions, which sets up regions of the virtual address space that are protected from reads and writes from outside that region by other processes, including the operating system kernel. Unfortunately, you cannot rely fully on these technologies, since you are confined to your virtual machine. In addition, ready-made examples of successful attacks on this technology already exist. Still, encrypting a virtual machine is not as pointless as it might seem.

Encrypting data on a VDS

Let me say straight away that nothing we do below amounts to full protection. The hypervisor lets the hoster make the necessary copies without stopping the service and without you noticing.

  • If, on request, the hoster hands over a "cold" image of your virtual machine, you are relatively safe. This is the most common scenario.
  • If the hoster hands over a full image of the running machine, things are rather bad. All the data will be mounted in the system in the clear. In addition, the RAM can be combed for private keys and similar data.

By default, if you deployed the OS from a vanilla image, the hoster does not have root access. One can always mount the media with a rescue image and change the root password by chrooting into the virtual machine's environment. But that requires a reboot, which will be noticed. Moreover, all mounted encrypted partitions will be closed.

However, if the virtual machine is deployed not from a vanilla image but from a pre-prepared one, the hoster can often add a privileged account to help the client in an emergency, for example to reset a forgotten root password.

Even in the case of a full snapshot, not everything is so sad. An attacker will not get the encrypted files if you mounted them from the remote file system of another machine. Yes, in theory one can dig through the RAM dump and extract the encryption key from it. But in practice this is not so simple, and it is very unlikely that the procedure will go beyond a simple file transfer.

Ordering a machine

For our experiments we take a simple machine in the server ordering section. We don't need many resources, so we'll take the option of paying for the megahertz and traffic actually consumed. That's enough to play with.

Classic dm-crypt on the whole partition didn't work out. By default the disk is provided in one piece, with root on the whole partition. Shrinking an ext4 partition from the root mounted on it is practically a guaranteed brick instead of a file system. I tried ;) The tambourine didn't help.

Creating a crypto container

So we won't encrypt the whole partition; instead we'll use file-based crypto containers, namely the proven and reliable VeraCrypt. For our purposes that's quite enough. First we download and install the package with the CLI version from the official website. While at it, you can check the signature.

wget https://launchpad.net/veracrypt/trunk/1.24-update4/+download/veracrypt-console-1.24-Update4-Ubuntu-18.04-amd64.deb
dpkg -i veracrypt-console-1.24-Update4-Ubuntu-18.04-amd64.deb

Now we create the container somewhere in our home directory so that we can mount it manually after a reboot. In interactive mode, set the container size, password and encryption algorithms. You can choose the patriotic Kuznyechik (Grasshopper) cipher and the Streebog hash function.

veracrypt -t -c ~/my_super_secret

Now let's install nginx, mount the container and fill it with secret information.

apt install nginx
mkdir -p /var/www/html/images
# mount the container on the directory nginx serves; the password is asked for interactively
veracrypt ~/my_super_secret /var/www/html/images/
# download the test file straight into the mounted container, not into the current directory
wget -P /var/www/html/images/ https://upload.wikimedia.org/wikipedia/ru/2/24/Lenna.png

Let's slightly edit /var/www/html/index.nginx-debian.html so that it serves the page we need and we can check it.

Mount and check

Screenshot: the container is mounted, the data is accessible and being served.

Screenshot: and here is the machine after a reboot. The data is safely stored in ~/my_super_secret.
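After every reboot the container has to be mounted by hand, and it is easy to forget the mount or to mount it twice. The following helper is an added example, not code from the original article; it assumes the container path ~/my_super_secret and the mount point /var/www/html/images used above (both overridable through environment variables) and parses the output of `veracrypt -t -l`, which prints one line per mounted volume in the form "slot: volume-file mapper-device mount-point", so that the mount is idempotent and its state can be checked. The constructed listing inside selfcheck() is sample text, not output from a real machine.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): helper for the VeraCrypt
# container workflow. Assumes the paths from the text; override via env.
CONTAINER="${CONTAINER:-${HOME:-/root}/my_super_secret}"
MOUNT_DIR="${MOUNT_DIR:-/var/www/html/images}"

# is_mounted VOLUME MOUNT_DIR LISTING
# LISTING is the text printed by `veracrypt -t -l`, one line per volume:
#   "<slot>: <volume file> <mapper device> <mount point>"
# Returns 0 when VOLUME is mounted at MOUNT_DIR. The listing is passed in as
# text so the check can be exercised offline against a constructed sample.
is_mounted() {
  printf '%s\n' "$3" | awk -v vol="$1" -v dir="${2%/}" '
    $2 == vol && $4 == dir { found = 1 }
    END { exit found ? 0 : 1 }'
}

# current_listing: real `veracrypt -t -l` output, or empty when nothing is
# mounted (VeraCrypt then prints an error and exits non-zero).
current_listing() { veracrypt -t -l 2>/dev/null || true; }

# mount_container: idempotent mount. The passphrase is typed at VeraCrypt's
# own prompt, never passed on the command line, so it stays out of shell
# history and out of `ps` output.
mount_container() {
  if is_mounted "$CONTAINER" "$MOUNT_DIR" "$(current_listing)"; then
    echo "$CONTAINER is already mounted at $MOUNT_DIR"
    return 0
  fi
  mkdir -p "$MOUNT_DIR"
  veracrypt -t "$CONTAINER" "$MOUNT_DIR" || return 1
  echo "mounted; $(ls "$MOUNT_DIR" | wc -l) entries now visible to nginx"
}

# dismount_container: close the container before planned maintenance; once
# the mapper device is gone the volume key is no longer held in RAM.
dismount_container() { veracrypt -t -d "$CONTAINER"; }

# selfcheck: exercises is_mounted against a constructed listing (no VeraCrypt
# needed). Returns 0 when the parser behaves as expected.
selfcheck() {
  sample='1: /home/user/my_super_secret /dev/mapper/veracrypt1 /var/www/html/images'
  is_mounted /home/user/my_super_secret /var/www/html/images/ "$sample" || return 1
  is_mounted /home/user/other /var/www/html/images "$sample" && return 1
  is_mounted /home/user/my_super_secret /tmp "$sample" && return 1
  is_mounted /home/user/my_super_secret /var/www/html/images "" && return 1
  return 0
}

case "${1:-}" in
  mount)     mount_container ;;
  umount)    dismount_container ;;
  status)    current_listing ;;
  selfcheck) selfcheck && echo "selfcheck ok" ;;
esac
```

Usage on the server: `./vc-helper.sh mount` after a reboot, `./vc-helper.sh status` to see what is open, `./vc-helper.sh umount` before maintenance. The mount is checked before it is attempted so the script can be called repeatedly (for example from a login hook) without stacking mounts.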

If you really want to go hardcore, you can encrypt the whole OS so that after a reboot it requires connecting over ssh and entering the password. That is also sufficient in the scenario of simply extracting "cold data". There are published instructions for using dropbear together with remote disk encryption. Although for a VDS this is complicated and excessive.

Bare metal

Getting your own server into a data center is not easy. Someone's dedicated server may well turn out to be a virtual machine with all the devices passed through into it. But the interesting part in terms of protection starts when you have the opportunity to place your own trusted physical server in a data center. Here you can already make full use of traditional dm-crypt, VeraCrypt or any other encryption of your choice.

You need to understand that with full disk encryption the server cannot come back up on its own after a reboot. You will have to bring up a connection to the local IP-KVM, IPMI or a similar interface. After that we enter the master key by hand. The scheme looks so-so in terms of continuity and fault tolerance, but there are no real alternatives if the data is that valuable.

Image: nCipher nShield F3 Hardware Security Module

A softer option assumes that the data is encrypted and the key is kept directly on the server itself in a dedicated HSM (Hardware Security Module). As a rule, these are very capable devices that not only provide hardware cryptography but also have mechanisms for detecting physical tampering attempts. If someone starts going at your server with an angle grinder, the HSM, with its independent power supply, wipes the keys it keeps in its memory. The attacker gets encrypted mincemeat. In this case the reboot can happen automatically.

Zeroizing the keys is a much faster and more humane option than installing a thermite charge or an electromagnetic eraser. For devices like that your rack neighbours in the data center will beat you for a very long time. Moreover, with TCG Opal 2 encryption on the drive itself you feel practically no overhead. All of it happens transparently to the OS. True, in that case you have to trust the proverbial Samsung and hope it has honest AES256 inside rather than a banal XOR.

At the same time, don't forget that all unnecessary ports should be disabled or simply filled with epoxy. Otherwise you give attackers the opportunity to carry out DMA attacks. If you have PCI Express or Thunderbolt sticking out, including USB with support for it, you are vulnerable. An attacker can carry out an attack through these ports and get direct access to the memory holding the keys.

In a very sophisticated variant, the attacker can carry out a cold boot attack. In this case he simply pours a good portion of liquid nitrogen onto your server, pulls out the frozen memory sticks and takes a dump from them with all the keys. Often ordinary freeze spray and a temperature around -50 degrees is enough to carry out the attack. There is also a neater option. If you haven't disabled booting from external devices, the attacker's algorithm is even simpler:

  1. Freeze the memory sticks without opening the case
  2. Plug in your bootable USB flash drive
  3. Use specialised utilities to extract from RAM the data that survived the reboot thanks to the freezing.
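The two paragraphs above on DMA ports and cold boot describe what the attacker relies on; a defender can at least verify what the operating system itself leaves permissive. The script below is an added example, not from the article: a read-only audit that inspects the Linux sysfs attributes /sys/kernel/iommu_groups (present only when DMA remapping is active), /sys/bus/thunderbolt/devices/*/authorized (1 means the device has been granted PCIe access) and /sys/bus/usb/devices/usb*/authorized_default (1 means every newly plugged USB device is enabled automatically). A ROOT prefix lets it run against a constructed directory tree, as demo() does with a tree it builds itself, instead of the live host; whether the Thunderbolt host controller itself appears in the list is an assumption to review on real hardware.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): read-only audit of the
# DMA-capable attack surface (IOMMU, Thunderbolt, USB) on a Linux server.
# ROOT ("" for the live host) is prefixed to every sysfs path so the audit can
# also be run against a constructed tree, as demo() does.

# iommu_active ROOT: the kernel creates one directory per IOMMU group under
# /sys/kernel/iommu_groups when DMA remapping is enabled; without it a
# malicious PCIe/Thunderbolt device can read arbitrary RAM, keys included.
iommu_active() {
  for g in "${1:-}"/sys/kernel/iommu_groups/*; do
    [ -d "$g" ] && return 0
  done
  return 1
}

# authorized_thunderbolt ROOT: prints Thunderbolt devices whose "authorized"
# attribute is 1, i.e. they have been granted PCIe (DMA) access. In the "user"
# security level new devices stay at 0 until an administrator approves them.
# Assumption: the host controller itself may also appear; review each entry.
authorized_thunderbolt() {
  for f in "${1:-}"/sys/bus/thunderbolt/devices/*/authorized; do
    [ -f "$f" ] || continue
    [ "$(cat "$f")" = "1" ] && basename "$(dirname "$f")"
  done
  return 0
}

# usb_auto_authorize ROOT: prints host controllers (usb1, usb2, ...) whose
# authorized_default is 1, meaning every newly plugged device is enabled
# automatically. Writing 0 there keeps new devices inert until authorized.
usb_auto_authorize() {
  for f in "${1:-}"/sys/bus/usb/devices/usb*/authorized_default; do
    [ -f "$f" ] || continue
    [ "$(cat "$f")" = "1" ] && basename "$(dirname "$f")"
  done
  return 0
}

# audit ROOT: prints one FINDING line per issue and returns their count
# (0 means nothing permissive was found).
audit() {
  root="${1:-}"; findings=0
  if ! iommu_active "$root"; then
    echo "FINDING: no IOMMU groups; boot with intel_iommu=on or amd_iommu=on"
    findings=$((findings + 1))
  fi
  for d in $(authorized_thunderbolt "$root"); do
    echo "FINDING: Thunderbolt device $d is authorized for PCIe access"
    findings=$((findings + 1))
  done
  for c in $(usb_auto_authorize "$root"); do
    echo "FINDING: $c auto-authorizes new USB devices (authorized_default=1)"
    findings=$((findings + 1))
  done
  return "$findings"
}

# demo: builds a constructed sysfs tree (not a real host) with IOMMU on,
# one authorized Thunderbolt device and one permissive USB controller,
# so audit() is expected to report exactly two findings.
demo() {
  t=$(mktemp -d)
  mkdir -p "$t/sys/kernel/iommu_groups/0" \
           "$t/sys/bus/thunderbolt/devices/0-1" "$t/sys/bus/usb/devices/usb1"
  echo 1 > "$t/sys/bus/thunderbolt/devices/0-1/authorized"
  echo 1 > "$t/sys/bus/usb/devices/usb1/authorized_default"
  n=0; audit "$t" || n=$?
  rm -rf "$t"
  echo "constructed tree: $n finding(s)"
  [ "$n" = 2 ]
}

case "${1:-}" in
  audit) audit "${2:-}" ;;   # ./dma_audit.sh audit  -> live host, exit code = findings
  demo)  demo ;;
esac
```

On a real server run `./dma_audit.sh audit`; the exit code equals the number of findings, which makes it convenient to call from a monitoring check. Note that this only covers what the kernel exposes: BIOS settings such as boot-from-external-device, and ports that have been physically filled, are outside what sysfs can tell you.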

Divide and conquer

OK, we only have virtual machines, but I'd still like to reduce the risk of data leakage somehow.
In principle, you can try to revise the architecture and distribute data storage and processing across different jurisdictions. For example, the frontend with the encryption key from a hoster in the Czech Republic, and the backend with the encrypted data somewhere in Russia. In the case of an ordinary seizure attempt it is extremely unlikely that law enforcement can act simultaneously in different jurisdictions. Moreover, this partly insures us against the snapshot scenario.

Well, or you can consider the completely clean option: end-to-end encryption. Yes, this goes beyond the scope of the stated problem and rules out computation on the remote machine's side. However, it is a perfectly acceptable option when it comes to storing and synchronizing data. For example, this is implemented very conveniently in Nextcloud. At the same time, conversion and the other server-side goodies will not work.

Summary

There are no absolutely secure systems. The goal is simply to make an attack cost more than the possible gain.

Some reduction of the risk of data access on a virtual site can be achieved by combining encryption with storage split between different hosters.

A more or less reliable option is to use your own hardware server.

But the hoster will still have to be trusted one way or another. The entire industry rests on that.

Source: www.habr.com