Yakazara disk encryption yeWindows Linux yakaiswa masisitimu. Encrypted multi-boot

Yakagadziridzwa yega gwara kune yakazara-dhisiki encryption muRuNet V0.2.

Cowboy strategy:

[A] Windows 7 system block encryption yeiyo yakaiswa system;
[B] GNU/Linux system block encryption (Debian) yakaiswa system (kusanganisira / boot);
[C] GRUB2 configuration, bootloader kuchengetedzwa nedhijitari siginicha / authentication / hashing;
[D] kubvisa—kuparadzwa kwedata risina kunyorwa;
[E] kuchengetedza kwepasirese kweiyo encrypted OS;
[F] kurwisa <pachinhu [C6]> chinangwa - GRUB2 bootloader;
[G] zvinyorwa zvinobatsira.

╭───Scheme ye#room 40# :
├──╼ Windows 7 yakaiswa - yakazara system encryption, isina kuvanzwa;
├──╼ GNU/Linux yakaiswa (Debian uye derivative distributions) - yakazara system encryption, isina kuvanzwa(/, kusanganisira / boot; chinja);
├──╼ yakazvimirira bootloader: VeraCrypt bootloader yakaiswa muMBR, GRUB2 bootloader yakaiswa mune yakawedzera chikamu;
├──╼hapana kuisirwa kweOS / kuisirwazve kunodiwa;
└──╼cryptographic software yakashandiswa: VeraCrypt; Cryptosetup; GnuPG; Seahorse; Hashdeep; GRUB2 ndeyemahara/yemahara.

Chirongwa chiri pamusoro chinogadzirisa zvishoma dambudziko re "remote boot kune flash drive", inobvumidza iwe kunakidzwa encrypted OS Windows/Linux uye kuchinjanisa data kuburikidza ne "encrypted chiteshi" kubva kune imwe OS kuenda kune imwe.

PC boot order (imwe yesarudzo):

• kubatidza muchina;
• kurodha VeraCrypt bootloader (kuisa iyo password password icharamba ichitanga Windows 7);
• kudzvanya kiyi ye "Esc" inotakura iyo GRUB2 boot loader;
• GRUB2 boot loader (sarudza kugovera/GNU/Linux/CLI), inoda kuvimbiswa kweGRUB2 superuser <login/password>;
• mushure mekubudirira kwechokwadi uye kusarudzwa kwekugovera, iwe uchada kuisa passphrase kuti uzarure "/boot/initrd.img";
• mushure mekuisa mapassword asina kukanganisa, GRUB2 "inoda" password yekupinda (yechitatu, BIOS password kana GNU/Linux mushandisi account password - usafunge) kuvhura uye boot GNU/Linux OS, kana otomatiki kutsiva kiyi yakavanzika (mapassword maviri + kiyi, kana password + kiyi);
• kupindira kwekunze mukati meiyo GRUB2 kumisikidzwa kuchaomesa iyo GNU/Linux boot process.

Zvinonetsa? Ok, handei tinogadzirisa maitiro.

Kana partitioning a hard drive (MBR tafura) PC haigone kuve neanopfuura mana main partitions, kana 4 huru uye imwe yakawedzerwa, pamwe nenzvimbo isina kugoverwa. Chikamu chakawedzerwa, chakasiyana neicho chikuru, chinogona kuve nezvikamu zvidiki (madhiraivha ane musoro = chikamu chakawedzerwa). Mune mamwe mazwi, iyo "yakawedzerwa chikamu" paHDD inotsiva LVM yebasa riripo: yakazara system encryption. Kana dhisiki yako yakakamurwa kuita 4 main partitions, unofanirwa kushandisa lvm, kana kushandura (pamwe nefomati) chikamu kubva pane chikuru kuenda kumberi, kana kushandisa zvine hungwaru zvikamu zvina zvese uye siya zvese sezvazviri, kuwana mhedzisiro yaunoda. Kunyangwe iwe uine chikamu chimwe pa diski yako, Gpart ichakubatsira iwe kugovera HDD yako (nezvimwe zvikamu) pasina kurasikirwa kwedata, asi zvakadaro nechirango chidiki chezviito zvakadaro.

Iyo hard drive dhizaini dhizaini, maererano neiyo iyo nyaya yese ichataurwa, inoratidzwa mutafura iri pazasi.

Tafura (Nhamba. 1) yezvikamu zve1TB.

Iwe unofanirwa kuva nechimwe chinhu chakafanana zvakare.
sda1 - chikamu chikuru No. 1 NTFS (encrypted);
sda2 - yakawedzerwa chikamu marker;
sda6 - zvine musoro dhisiki (ine GRUB2 bootloader yakaiswa);
sda8 - swap (encrypted swap file / kwete nguva dzose);
sda9 - bvunzo inonzwisisika dhisiki;
sda5 - inonzwisisika dhisiki yevanoda kuziva;
sda7 - GNU/Linux OS (yakachinjirwa OS kune yakavharidzirwa logic disk);
sda3 - chikamu chikuru Nha. 2 neWindows 7 OS (encrypted);
sda4 - chikamu chikuru Nha (yaive neGNU/Linux isina kunyorwa, yaishandiswa kuchengetedza/kwete nguva dzose).

[A] Windows 7 System Block Encryption

A1. VeraCrypt

Dhawunirodha kubva pamutemo nzvimbo, kana kubva pagirazi sourceforge yekuisa shanduro yeVeraCrypt cryptographic software (panguva yekuburitswa kwechinyorwa v1.24-Update3, iyo inotakurika vhezheni yeVeraCrypt haina kukodzera kune system encryption). Tarisa cheki yesoftware yakatorwa

$ Certutil -hashfile "C:VeraCrypt Setup 1.24.exe" SHA256

uye enzanisa mhedzisiro neCS yakatumirwa paVeraCrypt yekuvandudza webhusaiti.

Kana HashTab software yakaiswa, zviri nyore: RMB (VeraCrypt Setup 1.24.exe)-properties - hash sum yemafaira.

Kuti uone siginecha yechirongwa, software uye yekuvandudza yeruzhinji pgp kiyi inofanirwa kuiswa pane system. gnuPG; gpg4win.

A2. Kuisa/kumhanyisa VeraCrypt software ine kodzero dzemaneja

A3. Kusarudza masisitimu encryption paramita kune inoshanda partitionVeraCrypt - Sisitimu - Encrypt system partition / dhisiki - Yakajairika - Encrypt Windows system partition - Multiboot - (yambiro: "Vashandisi vasina ruzivo havakurudzirwe kushandisa nzira iyi" uye ichi ichokwadi, tinobvumirana "Hongu") - Boot disk ("hongu", kunyangwe zvisirizvo, ramba "hongu") - Nhamba yemadhisiki edhisiki "2 kana kupfuura" - Masystem akati wandei pane imwe dhisiki "Hongu" - Non-Windows bootloader "Kwete" (zvechokwadi, "Hongu," asi VeraCrypt / GRUB2 bootloaders haigovane MBR pakati pavo; kunyanya, chikamu chidiki chete cheiyo bootloader kodhi inochengetwa muMBR / boot track, chikamu chikuru chayo. iri mukati mefaira system) - Multiboot - Encryption marongero…

Kana iwe ukatsauka kubva pamatanho ari pamusoro (block system encryption zvirongwa), ipapo VeraCrypt ichapa yambiro uye haizokubvumiri kuti uvhare chikamu.

Munhanho inotevera yakanangana nekuchengetedzwa kwedata, ita "Muedzo" uye sarudza encryption algorithm. Kana iwe uine CPU yechinyakare, saka kazhinji inokurumidza encryption algorithm ichave Twofish. Kana iyo CPU ine simba, iwe unozoona mutsauko: AES encryption, zvinoenderana nemhedzisiro yebvunzo, ichave yakapetwa kakati wandei nekukurumidza kupfuura yayo crypto vakwikwidzi. AES yakakurumbira encryption algorithm; iyo Hardware yemazuva ano maCPU akagadziridzwa zvakanyanya kune ese "chakavanzika" uye "kubira".

VeraCrypt inotsigira kugona encrypt disks muAES cascade(Hove mbiri)/ uye mamwe masanganiswa. Pane yekare musimboti Intel CPU kubva makore gumi apfuura (pasina tsigiro yehardware yeAES, A/T cascade encryption) Kuderera kwekuita kunenge kusingaoneki. (ye AMD CPUs yenguva imwe chete/ ~ paramita, kuita kwakaderedzwa zvishoma). Iyo OS inoshanda zvine simba uye mashandisiro ezvekushandisa kune akajeka encryption haaonekwe. Mukupesana, semuenzaniso, kuderera kunooneka kwekuita nekuda kweiyo yakaiswa bvunzo isina kugadzikana desktop nharaunda Mate v1.20.1 (kana v1.20.2 handisi kunyatsorangarira) muGNU/Linux, kana nekuda kwekushanda kweiyo telemetry routine muWindows7↑. Kazhinji, vashandisi vane ruzivo vanoitisa Hardware performance bvunzo vasati vanyora. Semuenzaniso, muAida64/Sysbench/systemd-analyze mhosva inofananidzwa nemhedzisiro yebvunzo dzakafanana mushure mekuvhara sisitimu, nekudaro vachiramba ngano yavo yekuti "system encryption inokuvadza." Kunonoka kwemuchina uye kusagadzikana kunoonekwa kana uchitsigira / kudzoreredza encrypted data, nekuti iyo "system data backup" inoshanda pachayo haina kuyerwa mums, uye iwo akafanana <decrypt/encrypt on the fly> anowedzerwa. Pakupedzisira, mushandisi wega wega anotenderwa kupenengura necryptography anoyera encryption algorithm inopesana nekugutsikana kwemabasa aripo, nhanho yavo yeparanoia, uye nyore kushandisa.

Zviri nani kusiya iyo PIM paramende seyakagadzika, kuitira kuti kana uchirodha OS haufanirwe kuisa iyo chaiyo iteration kukosha nguva yega yega. VeraCrypt inoshandisa huwandu hukuru hwekudzokororwa kugadzira "inononoka hashi" chaiyo. Kurwiswa kwe "crypto snail" yakadaro uchishandisa nzira yeBrute force/rainbow tables zvine musoro chete nepfupi "nyore" passphrase uye rondedzero yemunhu akabatwa charset. Mutengo wekubhadhara simba repassword kunonoka kuisa iyo chaiyo password paunenge uchirodha OS. (kukwira VeraCrypt mavhoriyamu muGNU/Linux inokurumidza kukurumidza).
Yemahara software yekushandisa brute force kurwisa (bvisa passphrase kubva kuVeraCrypt/LUKS disk header) Hashcat. John the Ripper haazive "kutyora Veracrypt", uye kana achishanda neLUKS haanzwisise Twofish cryptography.

Nekuda kwesimba rekriptographic ye encryption algorithms, isingamisikike cypherpunks iri kugadzira software ine akasiyana kurwisa vector. Semuenzaniso, kutora metadata/kiyi kubva ku RAM (inotonhora bhutsu / yakananga memory yekuwana kurwisa), Pane yakasarudzika yemahara uye isiri-yemahara software yeizvi zvinangwa.

Paunenge wapedza kumisikidza / kugadzira "yakasarudzika metadata" yeiyo encrypted inoshanda partition, VeraCrypt ichapa kutangazve PC uye kuyedza mashandiro eiyo boot loader. Mushure mekutangazve / kutanga Windows, VeraCrypt ichaisa mumodhi yekumira, zvese zvinosara ndezvekusimbisa iyo encryption maitiro - Y.

Padanho rekupedzisira re encryption system, VeraCrypt ichapa kugadzira kopi yekuchengetedza yemusoro weiyo inoshanda encrypted partition muchimiro che "veracrypt rescue disk.iso" - izvi zvinofanirwa kuitwa - mune iyi software kushanda kwakadaro kunodiwa (muLUKS, sezvinodiwa - izvi zvinosuruvarisa zvakasiiwa, asi zvinosimbiswa muzvinyorwa). Rescue disk ichauya inobatsira kune wese munhu, uye kune vamwe kanopfuura kamwe. Kurasikirwa (musoro/MBR nyora patsva) kopi yekuchengetedza yemusoro icharamba zvachose kupinda kune yakavharwa partition neOS Windows.

A4. Kugadzira VeraCrypt kununura USB/dhisikiNekumisikidza, VeraCrypt inopa kupisa "~ 2-3MB yemetadata" kuCD, asi havasi vanhu vese vane dhisiki kana DWD-ROM madhiraivha, uye kugadzira bootable flash drive "VeraCrypt Rescue disk" chichava chishamiso chehunyanzvi kune vamwe: Rufus / GUIdd-ROSA ImageWriter uye imwe software yakafanana haizokwanisi kuita basa racho, nokuti kunze kwekukopa metadata ye offset kune bootable flash drive, unoda kukopa / kuisa mufananidzo kunze kwefaira system ye USB drive, muchidimbu, kukopa nenzira kwayo iyo MBR/mugwagwa kune keychain. Unogona kugadzira bootable flash drive kubva kuGNU/Linux OS uchishandisa “dd” utility, uchitarisa chiratidzo ichi.

Kugadzira dhisiki yekununura muWindows nharaunda kwakasiyana. Mugadziri weVeraCrypt haana kusanganisira mhinduro yedambudziko iri mumukuru zvinyorwa ne "rescue disk", asi akaronga mhinduro nenzira yakasiyana: akaisa imwe software yekugadzira "usb rescue disk" yekusununguka kusununguka pane yake VeraCrypt forum. Muchengetedzi weiyi software yeWindows "kugadzira usb veracrypt yekununura disk". Mushure mekuchengetedza kununura disk.iso, maitiro e block system encryption yeiyo inoshanda partition ichatanga. Panguva yekunyorera, kushanda kweOS hakumire; PC restart haidiwe. Pakupera kweiyo encryption oparesheni, iyo inoshanda partition inove yakavharirwa zvizere uye inogona kushandiswa. Kana VeraCrypt bootloader isingaoneki paunotanga PC, uye musoro wekudzorera musoro haubatsiri, saka tarisa "boot" mureza, inofanira kuiswa kune chikamu apo Windows iripo. (pasinei nekunyorera uye imwe OS, ona tafura Nha. 1).
Izvi zvinopedzisa tsananguro ye block system encryption neWindows OS.

[B]LUKS. GNU/Linux encryption (~Debian) yakaiswa OS. Algorithm uye Matanho

Kuti uvhare iyo yakaiswa Debian / derivative kugovera, iwe unofanirwa kumepu iyo yakagadziridzwa kupatsanurwa kune chaiyo block mudziyo, uiendese kune iyo mepu GNU/Linux dhisiki, uye isa / gadzirisa GRUB2. Kana iwe usina isina simbi sevha, uye iwe uchikoshesa nguva yako, saka unofanirwa kushandisa iyo GUI, uye yakawanda yemirairo yekupedzisira inotsanangurwa pazasi inoitirwa kuti iitwe mu "Chuck-Norris mode".

B1. Booting PC kubva live usb GNU/Linux

"Ita bvunzo yecrypto yekushanda kwehardware"

lscpu && сryptsetup benchmark

Kana iwe uri muridzi anofara wemotokari ine simba ine AES tsigiro yehardware, ipapo manhamba achaita senge kurudyi kweiyo terminal; kana iwe uri muridzi anofara, asi neakare hardware, nhamba dzinoita senge kuruboshwe.

B2. Diski partitioning. kukwirisa/kugadzirisa fs zvine musoro dhisiki HDD kuenda kuExt4 (Gparted)

B2.1. Kugadzira iyo encrypted sda7 partition musoroIni ndichatsanangura mazita ezvikamu, pano uye mberi, maererano netafura yangu yekugovera yakatumirwa pamusoro. Zvinoenderana nedhisiki yako dhizaini, iwe unofanirwa kutsiva yako yekugovera mazita.

Logical Drive Encryption Mapping (/dev/sda7> /dev/mapper/sda7_crypt).
#Kusikwa kuri nyore kwe "LUKS-AES-XTS chikamu"

cryptsetup -v -y luksFormat /dev/sda7

Sarudzo:

* luksFormat - kutanga kweLUKS musoro;
* -y -passphrase (kwete kiyi / faira);
* -v -verbalization (kuratidza ruzivo mune terminal);
* /dev/sda7 - yako inonzwisisika dhisiki kubva kune yakawedzera chikamu (uko kwakarongwa kuendesa / encrypt GNU / Linux).

Default encryption algorithm <LUKS1: aes-xts-plain64, Kiyi: 256 bits, LUKS musoro hashing: sha256, RNG: /dev/urandom> (zvinoenderana neiyo cryptsetup vhezheni).

#Проверка default-алгоритма шифрования
cryptsetup  --help #самая последняя строка в выводе терминала.

Kana pasina tsigiro yehardware yeAES paCPU, sarudzo yakanakisa ingave yekugadzira yakawedzera "LUKS-Twofish-XTS-partition".

B2.2. Kugadzirwa kwepamberi kwe "LUKS-Twofish-XTS-partition"

cryptsetup luksFormat /dev/sda7 -v -y -c twofish-xts-plain64 -s 512 -h sha512 -i 1500 --use-urandom

Sarudzo:
* luksFormat - kutanga kweLUKS musoro;
* /dev/sda7 ndeyeramangwana rako rakavharidzirwa zvine musoro dhisiki;
* -v kutaura;
* -y izwi rekupinda;
* -c sarudza data encryption algorithm;
* -s encryption kiyi saizi;
* -h hashing algorithm/crypto basa, RNG yakashandiswa (--shandisa-urandom) kugadzira yakasarudzika encryption/decryption kiyi yeiyo inonzwisisika disk header, yechipiri header kiyi (XTS); yakasarudzika master kiyi yakachengetwa mu encrypted disk header, yechipiri XTS kiyi, iyi metadata yese uye encryption routine iyo, uchishandisa master kiyi uye yechipiri XTS kiyi, encrypts/decrypts chero data pane partition. (kunze kwemusoro wechikamu) yakachengetwa mu ~ 3MB pane yakasarudzwa hard disk partition.
* -i iterations mumamilliseconds, panzvimbo ye "mari" (iyo nguva yekunonoka kana kugadzirisa passphrase inokanganisa kurodha kweOS uye cryptographic simba remakiyi). Kuti uchengetedze chiyero chesimba recryptographic, nepassword iri nyore se "Russian" unofanirwa kuwedzera iyo -(i) kukosha; nepassword yakaoma senge "?8dƱob/øfh" kukosha kunogona kudzikiswa.
* -shandisa-urandom nhamba jenareta, inogadzira makiyi nemunyu.

Mushure memepu chikamu sda7> sda7_crypt (kushanda kuri kukurumidza, sezvo musoro wakavharidzirwa wakagadzirwa ne ~ 3 MB yemetadata uye ndizvo zvese), iwe unofanirwa kufomati uye kukwira iyo sda7_crypt faira system.

B2.3. Kuenzanisa

cryptsetup open /dev/sda7 sda7_crypt
#выполнение данной команды запрашивает ввод секретной парольной фразы.

sarudzo:
* vhura - fananidza chikamu "nezita";
* /dev/sda7 -logical disk;
* sda7_crypt - mepu yezita inoshandiswa kukwirisa iyo yakavharidzirwa partition kana kuitanga kana OS yatanga.

B2.4. Kugadzira iyo sda7_crypt faira system kune ext4. Kuisa dhisiki muOS(Cherechedza: haugone kushanda neiyo encrypted partition muGparted)

#форматирование блочного шифрованного устройства
mkfs.ext4 -v -L DebSHIFR /dev/mapper/sda7_crypt 

sarudzo:
* -v -kutaura;
* -L - drive label (iyo inoratidzwa muExplorer pakati pemamwe madhiraivha).

Tevere, iwe unofanirwa kukwira iyo chaiyo-yakavharidzirwa block mudziyo /dev/sda7_crypt kune sisitimu

mount /dev/mapper/sda7_crypt /mnt

Kushanda nemafaira ari mu/mnt dhairekitori kunozongovhara/decrypt data mu sda7.

Zviri nyore kumepu uye kumisa chikamu muExplorer (nautilus/caja GUI), kupatsanurwa kunenge kwatove kuri mudhisiki yekusarudza rondedzero, chasara kuisa izwi rekuvhura / decrypt dhisiki. Iro zita rinofananidzwa richasarudzwa otomatiki uye kwete "sda7_crypt", asi chimwe chinhu senge /dev/mapper/Luks-xx-xx...

B2.5. Kuchengetedza musoro wedhisiki (~ 3MB metadata)Chimwe chezvakanyanya zvakakosha mabasa anoda kuitwa pasina kunonoka - kopi yekuchengetedza yemusoro we "sda7_crypt". Kana iwe ukanyora pamusoro / kukanganisa musoro (semuenzaniso, kuisa GRUB2 pane sda7 partition, nezvimwewo), iyo data yakavharidzirwa icharasika zvachose pasina mukana wekuidzosa, nekuti hazvizogoneke kugadzira zvakare makiyi akafanana; makiyi anogadzirwa zvakasiyana.

#Бэкап заголовка раздела
cryptsetup luksHeaderBackup --header-backup-file ~/Бэкап_DebSHIFR /dev/sda7 

#Восстановление заголовка раздела
cryptsetup luksHeaderRestore --header-backup-file <file> <device>

sarudzo:
* luksHeaderBackup —header-backup-file -backup command;
* luksHeaderRestore —header-backup-file -restore command;
* ~/Backup_DebSHIFR - faira rekuchengetedza;
* /dev/sda7 - chikamu chine encrypted disk header backup kopi inofanira kuchengetwa.
Pane ino nhanho <kugadzira uye kugadzirisa iyo encrypted partition> inopedzwa.

B3. Kutakura GNU/Linux OS (sda4) kune yakavanzika partition (sda7)

Gadzira faira /mnt2 (Cherechedza - tichiri kushanda ne live usb, sda7_crypt yakaiswa pa /mnt), uye woisa yedu GNU/Linux mu/mnt2, inoda kuvharirwa.

mkdir /mnt2
mount /dev/sda4 /mnt2

Isu tinoita chaiyo yekufambisa OS tichishandisa Rsync software

rsync -avlxhHX --progress /mnt2/ /mnt

Rsync sarudzo dzinotsanangurwa mundima E1.

Tevere, zvinodiwa defragment a logical disk partition

e4defrag -c /mnt/ #после проверки, e4defrag выдаст, что степень дефрагментации раздела~"0", это заблуждение, которое может вам стоить существенной потери производительности!
e4defrag /mnt/ #проводим дефрагментацию шифрованной GNU/Linux

Ita mutemo: ita e4defrag pane encrypted GNU/LINux nguva nenguva kana uine HDD.
Kuchinjisa uye kuwiriranisa [GNU/Linux> GNU/Linux-encrypted] kunopedzwa padanho iri.

AT 4. Kumisikidza GNU/Linux pane encrypted sda7 partition

Mushure mekubudirira kuendesa iyo OS / dev / sda4> / dev/sda7, unofanirwa kupinda muGNU/Linux pane yakavharidzirwa chikamu uye kuita imwe gadziriso. (pasina rebooting PC) maererano ne encrypted system. Kureva, iva mune live usb, asi ita mirairo "inoenderana nemudzi weiyo encrypted OS." "chroot" ichatevedzera mamiriro akafanana. Kukurumidza kugamuchira ruzivo rweiyo OS yauri kushanda nayo parizvino (yakavharidzirwa kana kwete, sezvo data iri mu sda4 uye sda7 yakawiriraniswa), desynchronize OS. Gadzira mumadhairekitori emidzi (sda4/sda7_crypt) isina chinhu mamaki mafaera, semuenzaniso, /mnt/encryptedOS uye /mnt2/decryptedOS. Kurumidza tarisa kuti OS yauri pairi (kusanganisira remangwana):

ls /<Tab-Tab>

B4.1. "Simulation yekupinda mune yakavanzika OS"

mount --bind /dev /mnt/dev
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
chroot /mnt

B4.2. Kuona kuti basa rinoitwa zvichipesana neiyo encrypted system

ls /mnt<Tab-Tab> 
#и видим файл "/шифрованнаяОС"

history
#в выводе терминала должна появиться история команд su рабочей ОС.

B4.3. Kugadzira/kugadzirisa encrypted swap, editing crypttab/fstabSezvo faira rekuchinja rakarongwa pese panotanga OS, hazvina musoro kugadzira uye kuchinjisa mepu kune inonzwisisika dhisiki ikozvino, uye nyora mirairo semundima B2.2. YeSwap, makiyi ayo enguva pfupi encryption anozogadzirwa otomatiki pakutanga kwega kwega. Hupenyu kutenderera kwemakiyi ekuchinjanisa: kudzikisa / kudzika chinjana partition (+kuchenesa RAM); kana kutangazve OS. Kumisikidza shanduko, kuvhura iyo faira ine chekuita nekugadziriswa kwe block encrypted zvishandiso (inofananidzwa nefstab faira, asi inotarisira crypto).

nano /etc/crypttab 

tinogadzirisa

#"zita rechinangwa" "source mudziyo" "kiyi faira" "sarudzo"
swap /dev/sda8 /dev/urandom swap,cipher=twofish-xts-plain64,size=512,hash=sha512

mikana
* chinjana - zita rine mepu paunenge uchinyorera /dev/mapper/swap.
* /dev/sda8 - shandisa yako inonzwisisika partition yekuchinjana.
* /dev/urandom - jenareta yezvakasarudzika encryption makiyi ekuchinjanisa (nebhoti yega yega OS, makiyi matsva anogadzirwa). Iyo / dev/urandom jenareta haina kurongeka kupfuura / dev/random, mushure mezvose / dev/random inoshandiswa kana uchishanda mumamiriro ezvinhu ane njodzi. Kana uchirodha OS, /dev/random inononoka kurodha kwemaminetsi akati wandei (ona systemd-kuongorora).
* swap,cipher=twofish-xts-plain64,size=512,hash=sha512: -chikamu chinoziva kuti chakachinjika uye chakarongwa “zvichienderana”; encryption algorithm.

#Открываем и правим fstab
nano /etc/fstab

tinogadzirisa

# swap yaive pa / dev / sda8 panguva yekuisirwa
/dev/mapper/swap hapana chinja sw 0 0

/dev/mapper/swap ndiro zita rakaiswa mucrypttab.

Alternative encrypted swap
Kana nekuda kwechimwe chikonzero iwe usingade kusiya chikamu chose chekuchinja faira, saka unogona kuenda neimwe nzira uye iri nani nzira: kugadzira chinja faira mufaira pane yakavharidzirwa partition neOS.

fallocate -l 3G /swap #создание файла размером 3Гб (почти мгновенная операция)
chmod 600 /swap #настройка прав
mkswap /swap #из файла создаём файл подкачки
swapon /swap #включаем наш swap
free -m #проверяем, что файл подкачки активирован и работает
printf "/swap none swap sw 0 0" >> /etc/fstab #при необходимости после перезагрузки swap будет постоянный

Iyo swap partition setup yapera.

B4.4. Kumisikidza encrypted GNU/Linux (kugadzirisa crypttab/fstab mafaera)Iyo /etc/crypttab faira, sezvakanyorwa pamusoro, inotsanangura encrypted block zvishandiso zvinogadziriswa panguva yebhoti system.

#правим /etc/crypttab 
nano /etc/crypttab 

kana wakafananidza sda7>sda7_crypt chikamu sezviri mundima B2.1

# "zita rechinangwa" "source mudziyo" "kiyi faira" "sarudzo"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 none luks

kana wakafananidza sda7>sda7_crypt chikamu sezviri mundima B2.2

# "zita rechinangwa" "source mudziyo" "kiyi faira" "sarudzo"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 none cipher=twofish-xts-plain64,size=512,hash=sha512

kana wakafananidza sda7> sda7_crypt chikamu sezviri mundima B2.1 kana B2.2, asi usingade kuisa zvakare password kuti uvhure uye uvhure OS, ipapo panzvimbo yepassword unogona kutsiva kiyi yakavanzika/random faira.

# "zita rechinangwa" "source mudziyo" "kiyi faira" "sarudzo"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 /etc/skey luks

tsananguro
* hapana - inoshuma kuti kana uchirodha OS, kupinda yakavanzika passphrase inodiwa kuvhura mudzi.
* UUID - partition identifier. Kuti uwane ID yako, nyora pane terminal (chiyeuchidzo kuti kubva panguva ino zvichienda mberi, uri kushanda mune terminal munzvimbo yechroot, uye kwete mune imwe live usb terminal).

fdisk -l #проверка всех разделов
blkid #должно быть что-то подобное 

/dev/sda7: UUID=«81048598-5bb9-4a53-af92-f3f9e709e2f2» TYPE=«crypto_LUKS» PARTUUID=«0332d73c-07»
/dev/mapper/sda7_crypt: LABEL=«DebSHIFR» UUID=«382111a2-f993-403c-aa2e-292b5eac4780» TYPE=«ext4»

mutsetse uyu unoonekwa paunenge uchikumbira blkid kubva kune live usb terminal ine sda7_crypt yakaiswa).
Iwe unotora iyo UUID kubva kune yako sdaX (kwete sdaX_crypt!, UUID sdaX_crypt - ichasiiwa otomatiki paunenge uchigadzira grub.cfg config).
* cipher=twofish-xts-plain64,size=512,hash=sha512 -luks encryption in advanced mode.
* /etc/skey - chakavanzika kiyi faira, iyo inoiswa otomatiki kuvhura OS boot (panzvimbo pekuisa iyo 3rd password). Unogona kutsanangura chero faira kusvika ku8MB, asi data ichaverengwa <1MB.

#Создание "генерация" случайного файла <секретного ключа> размером 691б.
head -c 691 /dev/urandom > /etc/skey

#Добавление секретного ключа (691б) в 7-й слот заголовка luks
cryptsetup luksAddKey --key-slot 7 /dev/sda7 /etc/skey

#Проверка слотов "пароли/ключи luks-раздела"
cryptsetup luksDump /dev/sda7 

Ichaita seizvi:

( ita wega uzvionere wega).

cryptsetup luksKillSlot /dev/sda7 7 #удаление ключа/пароля из 7 слота

/etc/fstab ine ruzivo runotsanangura nezve akasiyana mafaera masisitimu.

#Правим /etc/fstab
nano /etc/fstab

# "faira system" "mount point" "type" "options" "dump" "pass"
# / yaive pa / dev / sda7 panguva yekuisirwa
/dev/mapper/sda7_crypt / ext4 errors=remount-ro 0 1

sarudzo
* /dev/mapper/sda7_crypt - zita re sda7> sda7_crypt mapping, iyo inotsanangurwa mu /etc/crypttab faira.
Iyo crypttab/fstab setup yapera.

B4.5. Kugadzirisa mafaira ekugadzirisa. Nguva yakakoshaB4.5.1. Kugadzirisa iyo config /etc/initramfs-tools/conf.d/resume

#Если у вас ранее был активирован swap раздел, отключите его. 
nano /etc/initramfs-tools/conf.d/resume

uye comment out (kana iripo) "#" mutsara "tangazve". Iyo faira inofanira kunge isina zvachose.

B4.5.2. Kugadzirisa iyo config /etc/initramfs-tools/conf.d/cryptsetup

nano /etc/initramfs-tools/conf.d/cryptsetup

inofanira kufanana

# /etc/initramfs-tools/conf.d/cryptsetup
CRYPTSETUP=hongu
kunze CRYPTSETUP

B4.5.3. Kugadzirisa iyo /etc/default/grub config (iyi config ine basa rekukwanisa kugadzira grub.cfg kana uchishanda ne encrypted / boot)

nano /etc/default/grub

wedzera mutsetse "GRUB_ENABLE_CRYPTODISK=y"
kukosha 'y', grub-mkconfig uye grub-install ichatarisa madhiraivha akavharidzirwa uye kugadzira mimwe mirairo inodiwa kuti uwane iwo panguva yebhutsu. (insmods ).
panofanira kunge paine kufanana

GRUB_DEFAULT = 0
GRUB_TIMEOUT = 1
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="acpi_backlight=mutengesi"
GRUB_CMDLINE_LINUX = "nyarara splash noautomount"
GRUB_ENABLE_CRYPTODISK=y

B4.5.4. Kugadzirisa iyo config /etc/cryptsetup-initramfs/conf-hook

nano /etc/cryptsetup-initramfs/conf-hook

tarisa kuti mutsetse akataura kunze <#>.
Munguva yemberi (uye kunyange ikozvino, iyi parameter haizove nezvainoreva, asi dzimwe nguva inopindira nekuvandudza initrd.img mufananidzo).

B4.5.5. Kugadzirisa iyo config /etc/cryptsetup-initramfs/conf-hook

nano /etc/cryptsetup-initramfs/conf-hook

wedzera

KEYFILE_PATTERN=”/etc/skey”
UMASK=0077

Izvi zvicharongedza kiyi yakavanzika "skey" muinitrd.img, kiyi inodiwa kuvhura mudzi kana OS bhutsu. (kana iwe usingadi kuisa password zvakare, "skey" kiyi inotsiviwa nemotokari).

B4.6. Gadziridza /boot/initrd.img [version]Kurongedza kiyi yakavanzika muinitrd.img uye kushandisa cryptsetup inogadzirisa, gadziridza mufananidzo

update-initramfs -u -k all

when updating initrd.img (sezvavanotaura "Zvinogoneka, asi hazvina chokwadi") yambiro ine chekuita necryptsetup ichaonekwa, kana, semuenzaniso, chiziviso nezve kurasikirwa kweNvidia modules - izvi zvakajairika. Mushure mekugadzirisa faira, tarisa kuti yakagadziridzwa, ona nguva (inoenderana nechroot environment./boot/initrd.img). Cherechedza chinyorwa! pamberi [update-initramfs -u -k zvese] iva nechokwadi chekutarisa kuti cryptsetup yakavhurika /dev/sda7 sda7_crypt -Iri ndiro zita rinowanikwa mukati /etc/crypttab, zvikasadaro mushure mekutangazve pachava nekukanganisa kwebhokisi)
Padanho iri, kumisikidza mafaera ekugadzirisa kwapera.

[C] Kuisa uye kugadzirisa GRUB2 / Dziviriro

C1. Kana zvichidikanwa, gadzira iyo yakatsaurirwa kupatsanurwa kweiyo bootloader (chikamu chinoda kanenge 20MB)

mkfs.ext4 -v -L GRUB2 /dev/sda6

C2. Gomo /dev/sda6 kusvika /mntSaka isu tinoshanda muchroot, ipapo pachange pasina /mnt2 dhairekitori mumudzi, uye iyo /mnt folda ichave isina.
gomo iyo GRUB2 partition

mount /dev/sda6 /mnt

Kana iwe uine yekare vhezheni yeGRUB2 yakaiswa, mune /mnt/boot/grub/i-386-pc dhairekitori. (imwe puratifomu inogoneka, semuenzaniso, kwete "i386-pc") hapana crypto modules (muchidimbu, folda inofanira kuva nemamodules, kusanganisira aya .mod: cryptodisk; luks; gcry_twofish; gcry_sha512; signature_test.mod), mune iyi kesi, GRUB2 inoda kuzununguswa.

apt-get update
apt-get install grub2 

Zvakakosha! Paunenge uchigadziridza iyo GRUB2 package kubva kunzvimbo yekuchengetera, paunobvunzwa "nezvekusarudza" pekuisa iyo bootloader, unofanirwa kuramba kuisirwa. (chikonzero - edza kuisa GRUB2 - mu "MBR" kana pa live usb). Zvikasadaro iwe unokuvadza VeraCrypt musoro/loader. Mushure mekugadzirisa GRUB2 mapakeji uye kukanzura kuisirwa, iyo boot loader inofanira kuiswa nemaoko pane inonzwisisika disk, uye kwete muMBR. Kana yako repository ine yakare vhezheni yeGRUB2, edza update zvinobva kune webhusaiti yepamutemo - handisati ndazvitarisa (yakashanda neyazvino GRUB 2.02 ~BetaX bootloaders).

C3. Kuisa GRUB2 mune yakawedzera chikamu [sda6]Iwe unofanirwa kuve neyakaiswa partition [chinhu C.2]

grub-install --force --root-directory=/mnt /dev/sda6

sarudzo
* -force - kuisirwa bhootloader, ichipfuura yambiro dzese dzinogara dziripo uye kuvhara kuisirwa (inodiwa mureza).
* --root-dhairekitori - dhairekitori kuisirwa kumudzi wesda6.
* /dev/sda6 - yako sdaХ partition (usapotsa <space> pakati /mnt /dev/sda6).

C4. Kugadzira faira yekumisikidza [grub.cfg]Kanganwa nezve "update-grub2" kuraira, uye shandisa iyo yakazara yekumisikidza faira chizvarwa command

grub-mkconfig -o /mnt/boot/grub/grub.cfg

mushure mekupedza chizvarwa/updateti yegrub.cfg faira, chinobuda terminal chinofanira kunge chine mitsetse (s) ine OS inowanikwa padhisiki. ("grub-mkconfig" ingangowana uye inotora OS kubva kune mhenyu usb, kana uine multiboot flash drive ine Windows 10 uye boka rekugovera mhenyu - izvi zvakajairika). Kana iyo terminal isina "isina" uye iyo "grub.cfg" faira isina kugadzirwa, saka iyi ndiyo imwe nyaya kana paine GRUB bugs muhurongwa. (uye kazhinji kacho mutakuri kubva kubazi rekuyedza repository), dzorera GRUB2 kubva kune akavimbika masosi.
Iyo "yakapusa gadziriso" yekumisikidza uye GRUB2 kuseta kwapera.

C5. Humbowo-yedzo yeyakavharidzirwa GNU/Linux OSIsu tinopedzisa iyo crypto mission nenzira kwayo. Kunyatsosiya iyo encrypted GNU/Linux (exit chroot environment).

umount -a #размонтирование всех смонтированных разделов шифрованной GNU/Linux
Ctrl+d #выход из среды chroot
umount /mnt/dev
umount /mnt/proc
umount /mnt/sys
umount -a #размонтирование всех смонтированных разделов на live usb
reboot

Mushure mekugadzirisazve PC, VeraCrypt bootloader inofanira kurodha.


* Kuisa password yeiyo inoshanda partition kunotanga kurodha Windows.
* Kudzvanya "Esc" kiyi kunoendesa kutonga kuGRUB2, kana ukasarudza encrypted GNU/Linux - password (sda7_crypt) inozodiwa kuvhura /boot/initrd.img (kana grub2 inonyora uuid "isina kuwanikwa" - iyi dambudziko negrub2 bootloader, inofanirwa kudzoserwa, semuenzaniso, kubva kubvunzo bazi / yakagadzikana nezvimwe).


* Zvichienderana nekugadzirisa kwawakaita hurongwa (ona ndima B4.4/4.5), mushure mekuisa password yakarurama kuti uzarure mufananidzo /boot/initrd.img, iwe uchada password kuti uise OS kernel / root, kana chakavanzika. kiyi inozoisirwa otomatiki " skey", ichibvisa kukosha kwekuisa zvakare passphrase.

(screen "otomatiki kutsiva kiyi yakavanzika").

* Ipapo iyo yakajairika maitiro ekurodha GNU/Linux ine mushandisi account yechokwadi inozotevera.


* Mushure memvumo yemushandisi uye kupinda kuOS, unofanirwa kugadzirisa /boot/initrd.img zvakare (ona B4.6).

update-initramfs -u -k all

Uye kana kune mamwe mitsara mune GRUB2 menyu (kubva kuOS-m kutora ne live usb) vabvisei

mount /dev/sda6 /mnt
grub-mkconfig -o /mnt/boot/grub/grub.cfg

Pfupiso inokurumidza yeGNU/Linux system encryption:

• GNU/Linuxinux yakavharirwa zvizere, kusanganisira /boot/kernel uye initrd;
• kiyi yakavanzika inoiswa mukati initrd.img;
• ikozvino mvumo chirongwa (kuisa pasiwedhi kuti uvhure iyo initrd; password/kiyi yekubhuta OS; password yekubvumidza iyo Linux account).

"Simple GRUB2 Configuration" system encryption ye block partition yapera.

C6. Yepamberi GRUB2 kumisikidzwa. Kudzivirirwa kweBootloader nedhijitari siginecha + kuchengetedzwa kwechokwadiGNU/Linux yakavharirwa zvachose, asi iyo bootloader haigone kuvharirwa - ichi chimiro chinorairwa neBIOS. Nechikonzero ichi, bhoti yakavharidzirwa yakavharidzirwa yeGRUB2 haigoneke, asi bhutsu yakasungwa yakapusa inogoneka / iripo, asi kubva pakuona kwekuchengetedza haifanirwe [ona. P. F].
Kune iyo "isiri panjodzi" GRUB2, vagadziri vakaisa "siginicha / yekusimbisa" bootloader kuchengetedza algorithm.

• Kana iyo bootloader yakadzivirirwa ne "yayo siginecha yedhijitari," kuchinjika kwekunze kwemafaira, kana kuedza kurodha mamwe mamodule mubootloader iyi, zvinotungamira kuvharwa kwebhoti.
• Paunenge uchidzivirira bhootloader nehuchokwadi, kuti usarudze kurodha kugovera, kana kuisa yakawedzera mirairo muCLI, iwe unozofanirwa kuisa login uye password yeiyo superuser-GRUB2.

C6.1. Bootloader kuchengetedzwa kwechokwadiTarisa kuti uri kushanda mune terminal pane encrypted OS

ls /<Tab-Tab> #обнаружить файл-маркер

gadzira password yemushandisi yemvumo muGRUB2

grub-mkpasswd-pbkdf2 #введите/повторите пароль суперпользователя. 

Tora password hashi. Chinhu chakadai

grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8

simudza chikamu cheGRUB

mount /dev/sda6 /mnt 

gadzirisa config

nano -$ /mnt/boot/grub/grub.cfg 

tarisa kutsvaga kwefaira kuti hapana mireza kupi zvako mu "grub.cfg" ("-unrestricted" "-user",
wedzera kumagumo chaiko (pamberi pemutsara ### END /etc/grub.d/41_custom ###)
"set superusers = "mudzi"
password_pbkdf2 mudzi hashi."

Zvinofanira kuva chinhu chakadai

# Iri faira rinopa nzira iri nyore yekuwedzera tsika menyu manyorero. Nyora kunyora iyo
# menyu mapindiro aunoda kuwedzera mushure mekutaura uku. Chenjera kusachinja
# iyo 'exec muswe' mutsara pamusoro.
### END /etc/grub.d/40_custom ###

### Tanga /etc/grub.d/41_custom ###
kana [ -f ${config_directory}/custom.cfg ]; zvino
kwakabva ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; zvino
kwakabva $prefix/custom.cfg;
fi
set superusers = "mudzi"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
### END /etc/grub.d/41_custom ###
#

Kana uchiwanzoshandisa murairo we "grub-mkconfig -o /mnt/boot/grub/grub.cfg" uye usingade kuchinja ku grub.cfg nguva dzose, isa mitsetse iri pamusoro. (Login: Password) mune GRUB mushandisi script pazasi chaipo

nano /etc/grub.d/41_custom 

katsi <<EOF
set superusers = "mudzi"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
EOF

Paunenge uchigadzira iyo config "grub-mkconfig -o /mnt/boot/grub/grub.cfg", mitsara ine chekuita nekusimbisa inozowedzerwa otomatiki ku grub.cfg.
Iyi nhanho inopedzisa iyo GRUB2 yekumisikidza kuseta.

C6.2. Bootloader kuchengetedzwa nedhijitari siginechaZvinofungidzirwa kuti watova neyako pgp encryption kiyi (kana kugadzira kiyi yakadaro). Iyo sisitimu inofanirwa kunge ine cryptographic software yakaiswa: gnuPG; kleopatra/GPA; Seahorse. Crypto software ichaita kuti hupenyu hwako huve nyore muzvinhu zvese zvakadaro. Seahorse - yakagadzikana shanduro yepakeji 3.14.0 (mavhezheni akakwira, semuenzaniso, V3.20, haana kukwana uye ane tsikidzi dzakakosha).

Iyo PGP kiyi inoda kugadzirwa / kutangwa / kuwedzerwa chete munharaunda yesu!

Gadzira kiyi ye encryption yako

gpg - -gen-key

Tumira kiyi yako

gpg --export -o ~/perskey

Isa iyo inonzwisisika dhisiki muOS kana isati yatoiswa

mount /dev/sda6 /mnt #sda6 – раздел GRUB2

chenesa iyo GRUB2 chikamu

rm -rf /mnt/

Isa GRUB2 mu sda6, uchiisa kiyi yako yakavanzika muhukuru GRUB mufananidzo "core.img"

grub-install --force --modules="gcry_sha256 gcry_sha512 signature_test gcry_dsa gcry_rsa" -k ~/perskey --root-directory=/mnt /dev/sda6

sarudzo
* --force - isa iyo bootloader, uchipfuura yambiro dzese dzinogara dziripo (inodiwa mureza).
* —modules="gcry_sha256 gcry_sha512 signature_test gcry_dsa gcry_rsa" - inorayira GRUB2 kuti itange kurodha mamodule anodiwa apo PC inotanga.
* -k ~/perskey -nzira ye "PGP kiyi" (mushure mekurongedza kiyi mumufananidzo, inogona kudzimwa).
* --root-dhairekitori -seta dhairekitori rebhutsu kumudzi we sda6
/dev/sda6 - yako sdaX partition.

Kugadzira/kuvandudza grub.cfg

grub-mkconfig  -o /mnt/boot/grub/grub.cfg

Wedzera mutsara "trust / boot/grub/perskey" kusvika kumagumo e "grub.cfg" faira (kumanikidza kushandisa pgp kiyi.) Sezvo takaisa GRUB2 ine seti yemamodules, kusanganisira siginecha module "signature_test.mod", izvi zvinobvisa kukosha kwekuwedzera mirairo se "set check_signatures = enforce" kune config.

Zvinofanira kutaridzika seizvi (mitsetse yekupedzisira mu grub.cfg faira)

### Tanga /etc/grub.d/41_custom ###
kana [ -f ${config_directory}/custom.cfg ]; zvino
kwakabva ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; zvino
kwakabva $prefix/custom.cfg;
fi
vimba /boot/grub/perskey
set superusers = "mudzi"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
### END /etc/grub.d/41_custom ###
#

Iyo nzira yeku "/ boot / grub / perskey" haidi kunongedzerwa kune chaiyo disk partition, semuenzaniso hd0,6; kune iyo bootloader pachayo, "mudzi" ndiyo yakasarudzika nzira yekugovera iyo GRUB2 yakaiswa. (ona set rot=..).

Kusaina GRUB2 (ese mafaera mune ese / GRUB madhairekitori) nekiyi yako "perskey".
Mhinduro iri nyore yekuti ungasaina sei (ye nautilus/caja muongorori): isa iyo "seahorse" yekuwedzera yeExplorer kubva pane repository. Kiyi yako inofanirwa kuwedzerwa kune su nharaunda.
Vhura Explorer ne sudo "/ mnt/boot" - RMB - saina. Pascreen zvinoita seizvi

Kiyi pachayo ndeye "/mnt/boot/grub/perskey" (kopi kune grub directory) inofanirawo kusainwa nesaini yako. Tarisa kuti [*.sig] siginicha yefaira inooneka mudhairekitori/subdirectories.
Uchishandisa nzira yatsanangurwa pamusoro, saina "/ boot" (kernel yedu, initrd). Kana nguva yako yakakosha chero chinhu, saka nzira iyi inobvisa kukosha kwekunyora bash script kusaina "mafaera akawanda."

Kuti ubvise masaginecha ese ebootloader (kana chimwe chinhu chakashata)

rm -f $(find /mnt/boot/grub -type f -name '*.sig')

Kuti urege kusaina iyo bootloader mushure mekugadzirisa sisitimu, isu tinoomesa ese ekugadzirisa mapakeji ane chekuita neGRUB2.

apt-mark hold grub-common grub-pc grub-pc-bin grub2 grub2-common

Pane ino nhanho <chengetedza bootloader ine dijitari siginecha> advanced kumisikidza yeGRUB2 inopedzwa.

C6.3. Humbowo-yedzo yeGRUB2 bootloader, yakachengetedzwa nedhijitari siginecha uye chokwadiGRUB2. Paunenge uchisarudza chero GNU/Linux kugovera kana kupinda muCLI (command line) Superuser mvumo ichadikanwa. Mushure mekuisa iyo chaiyo username / password, iwe unozoda iyo initrd password

Screenshot yekubudirira kwechokwadi kweiyo GRUB2 superuser.

Kana iwe ukakanganisa chero ipi zvayo yeGRUB2 mafaira / kuita shanduko ku grub.cfg, kana kudzima faira / siginicha, kana kutakura yakaipa module.mod, yambiro inoenderana ichaonekwa. GRUB2 ichambomira kurodha.

Screenshot, kuedza kupindira neGRUB2 "kubva kunze".

Panguva "yakajairika" kubhowa "pasina kupindira", iyo system yekubuda kodhi mamiriro ndeye "0". Naizvozvo, hazvizivikanwe kana kudzivirira kunoshanda kana kwete (kureva kuti, "ine kana isina bootloader siginecha chengetedzo" panguva yakajairwa kurodha chimiro chakafanana "0" - izvi zvakaipa).

Maitiro ekutarisa kuchengetedzwa kwedhijitari siginecha?

Nzira isina kunaka yekutarisa: fake / kubvisa module inoshandiswa neGRUB2, somuenzaniso, bvisa siginecha luks.mod.sig uye uwane kukanganisa.

Nzira chaiyo: enda kubootloader CLI uye nyora murairo

trust_list

Mukupindura, iwe unofanirwa kugamuchira "perskey" zvigunwe; kana chimiro chiri "0," saka siginecha yekudzivirira isingashande, kaviri-tarisa ndima C6.2.
Pane iyi nhanho, kugadziridzwa kwepamberi "Kudzivirira GRUB2 ine siginecha yedhijitari uye chokwadi" inopedzwa.

C7 Imwe nzira yekudzivirira iyo GRUB2 bootloader uchishandisa hashingIyo "CPU Boot Loader Dziviriro / Kutendesa" nzira inotsanangurwa pamusoro ndeye yakasarudzika. Pamusana pekusakwana kweGRUB2, mumamiriro ezvinhu eparanoid inokonzerwa nekurwisa kwechokwadi, iyo yandichapa pasi apa mundima [F]. Mukuwedzera, mushure mekugadzirisa OS / kernel, bootloader inofanira kunyorwa zvakare.

Kuchengetedza iyo GRUB2 bootloader uchishandisa hashing

Zvakanakira pane classics:

• Chiyero chepamusoro chekuvimbika (hashing / verification inoitika chete kubva kune yakavharidzirwa yenzvimbo sosi. Iyo yese yakagoverwa partition pasi peGRUB2 inodzorwa chero shanduko, uye zvimwe zvese zvakavharidzirwa; mune yekirasi chirongwa neCPU loader kuchengetedza / Kusimbisa, mafaira chete anodzorwa, asi kwete emahara. nzvimbo, umo "chimwe chinhu" chimwe chinhu chakashata" chinogona kuwedzerwa).
• Encrypted loggging (inoverengeka yemunhu yakavharidzirwa log inowedzerwa kuchirongwa).
• Speed (kudzivirira/kusimbisa chikamu chose chakagoverwa GRUB2 chinoitika ipapo ipapo).
• Automation yeese cryptographic maitiro.

Zvakaipa pamusoro pezvinyorwa zvekare.

• Forgery yekusaina (zvichireva, zvinokwanisika kuwana yakapihwa hash basa kudhumhana).
• Kuwedzera kuoma level (zvichienzaniswa neyekare, hunyanzvi hunyanzvi muGNU/Linux OS hunodiwa).

Iyo GRUB2/partition hashing pfungwa inoshanda sei

Iyo GRUB2 partition "yakasainwa"; kana OS bhutsu, iyo boot loader partition inotariswa kusachinjika, inoteverwa nekupinda munzvimbo yakachengeteka (yakavharidzirwa). Kana iyo bootloader kana kupatsanurwa kwayo ikakanganiswa, kuwedzera kune iyo intrusion log, zvinotevera zvinotangwa:

Chinhu.

Cheki yakafanana inoitika kana pazuva, iyo isingatakure zviwanikwa zvehurongwa.
Uchishandisa iyo "-$ check_GRUB" murairo, cheki yekukurumidza inoitika chero nguva pasina kutema matanda, asi neruzivo rwunobuda kuCLI.
Uchishandisa murairo we "-$ sudo siginecha_GRUB", iyo GRUB2 bootloader / partition inobva yasainazve ipapo uye yakagadziridzwa matanda. (inodiwa mushure meOS / boot update), uye hupenyu hunoenderera mberi.

Kuitwa kwehashing nzira yebootloader uye chikamu chayo

0) Ngatisainei GRUB bootloader/partition nekutanga kuiisa mu/media/username

-$ hashdeep -c md5 -r /media/username/GRUB > /podpis.txt

1) Isu tinogadzira script pasina yekuwedzera mumudzi weiyo encrypted OS ~/podpis, shandisa inodiwa 744 chengetedzo kodzero uye benzi rekudzivirira kwairi.

Kuzadza zviri mukati maro

#!/bin/bash

#Проверка всего раздела выделенного под загрузчик GRUB2 на неизменность.
#Ведется лог "о вторжении/успешной проверке каталога", короче говоря ведется полный лог с тройной вербализацией. Внимание! обратить взор на пути: хранить ЦП GRUB2 только на зашифрованном разделе OS GNU/Linux. 
echo -e "******************************************************************n" >> '/var/log/podpis.txt' && date >> '/var/log/podpis.txt' && hashdeep -vvv -a -k '/podpis.txt' -r '/media/username/GRUB' >> '/var/log/podpis.txt'

a=`tail '/var/log/podpis.txt' | grep failed` #не использовать "cat"!! 
b="hashdeep: Audit failed"

#Условие: в случае любых каких-либо изменений в разделе выделенном под GRUB2 к полному логу пишется второй отдельный краткий лог "только о вторжении" и выводится на монитор мигание gif-ки "warning".
if [[ "$a" = "$b" ]] 
then
echo -e "****n" >> '/var/log/vtorjenie.txt' && echo "vtorjenie" >> '/var/log/vtorjenie.txt' && date >> '/var/log/vtorjenie.txt' & sudo -u username DISPLAY=:0 eom '/warning.gif' 
fi

Mhanya script kubva su, iyo hashing yeGRUB partition uye bootloader yayo ichaongororwa, chengetedza danda.

Ngatigadzirei kana kukopa, semuenzaniso, "inotyisa faira" [virus.mod] kuchikamu cheGRUB2 uye tomhanyisa scan/kuyedza kwenguva pfupi:

-$ hashdeep -vvv -a -k '/podpis.txt' -r '/media/username/GRUB

Iyo CLI inofanirwa kuona kupinda kwedu -citadel-# Yakagadzirirwa danda muCLI

Ср янв  2 11::41 MSK 2020
/media/username/GRUB/boot/grub/virus.mod: Moved from /media/username/GRUB/1nononoshifr
/media/username/GRUB/boot/grub/i386-pc/mda_text.mod: Ok
/media/username/GRUB/boot/grub/grub.cfg: Ok
hashdeep: Audit failed
   Input files examined: 0
  Known files expecting: 0
          Files matched: 325
Files partially matched: 0
            Files moved: 1
        New files found: 0
  Known files not found: 0

#Sezvauri kuona, "Mafaira akafambiswa: 1 uye Audit yakundikana" inooneka, zvinoreva kuti cheki yakundikana.
Nekuda kwechimiro chechikamu chiri kuedzwa, pachinzvimbo che "Mafaira matsva awanikwa"> "Mafaira akafambiswa"

2) Isa iyo gif pano> ~/warning.gif, isa mvumo ku744.

3) Kugadzirisa fstab kuti iite otomatiki iyo GRUB partition pa boot

-$ sudo nano /etc/fstab

LABEL=GRUB /media/username/GRUB ext4 defaults 0 0

4) Kutenderedza danda

-$ sudo nano /etc/logrotate.d/podpis 

/var/log/podpis.txt {
mazuva ose
tenderera 50
saizi 5M
chinyorwa chezuva
compress
kunonoka
olddir /var/log/old
}

/var/log/vtorjenie.txt {
pamwedzi
tenderera 5
saizi 5M
chinyorwa chezuva
olddir /var/log/old
}

5) Wedzera basa kune cron

-$ sudo crontab -e

reboot '/subscription'
0 */6 * * * '/podpis

6) Kugadzira mazita echigarire

-$ sudo su
-$ echo "alias подпись_GRUB='hashdeep -c md5 -r /media/username/GRUB > /podpis.txt'" >> /root/.bashrc && bash
-$ echo "alias проверка_GRUB='hashdeep -vvv -a -k '/podpis.txt' -r /media/username/GRUB'" >> .bashrc && bash

Mushure mekuvandudza OS -$ apt-get upgrade sainazve yedu GRUB partition
-$ подпись_GRUB
Panguva ino, kudzivirira hashing kweiyo GRUB partition kwapera.

[D] Kupukuta - kuparadzwa kwe data isina kunyorwa

Dzima mafaira ako pachako zvakakwana zvokuti “kunyange Mwari haagoni kuaverenga,” maererano nomutauriri weSouth Carolina Trey Gowdy.

Senguva dzose, kune dzakasiyana-siyana "ngano uye legends", nezve kudzoreredza data mushure mekunge yadzimwa kubva kune hard drive. Kana iwe uchitenda mucyberwitchcraft, kana kuti uri nhengo yeDr webhu nharaunda uye usati wamboedza kudzoreredza data mushure mekudzimwa/kunyorwa pamusoro. (semuenzaniso, kupora uchishandisa R-studio), ipapo nzira yakarongwa haigoni kuenderana newe, shandisa izvo zviri pedyo newe.

Mushure mekubudirira kuendesa GNU/Linux kune yakavharidzirwa partition, iyo yekare kopi inofanirwa kudzimwa pasina mukana wekudzoreredza data. Yese nzira yekuchenesa: software yeWindows/Linux yemahara GUI software BleachBit.
Kurumidza gadzira chikamu, iyo data iyo inoda kuparadzwa (kuburikidza neGparted) vhura BleachBit, sarudza "Chenesa nzvimbo yemahara" - sarudza chikamu (sdaX yako nekopi yapfuura yeGNU/Linux), nzira yekubvisa ichatanga. BleachBit - inopukuta dhisiki mune imwe pass - izvi ndizvo "zvatinoda", Asi! Izvi zvinongoshanda mudzidziso kana iwe wakafometa dhisiki uye ukarichenesa muBB v2.0 software.

Cherechedza! BB inopukuta dhisiki, ichisiya metadata; mazita emafaira anochengetwa kana data rabviswa (Ccleaner - haina kusiya metadata).

Uye nhema nezve mukana wekudzoreredza data haisi ngano zvachose.Bleachbit V2.0-2 yaimbova isina kugadzikana OS Debian package (uye chero imwe software yakafanana: sfill; pukuta-Nautilus - yakaonekwawo mune iri bhizinesi rakasviba) chaizvo yaive neyakaoma bug: iyo "yemahara nzvimbo yekuchenesa" basa inoshanda zvisizvo paHDD/Flash drives (ntfs/ext4). Software yerudzi urwu, kana uchibvisa nzvimbo yemahara, haidzoreri dhisiki rese, sezvinofunga vashandisi vazhinji. Uye vamwe (zvakawanda) yakadzimwa data OS/software inoona iyi data seisina kubviswa/mushandisi data uye kana ichichenesa "OSP" inosvetuka mafaera aya. Dambudziko nderekuti mushure menguva yakareba kudaro, kuchenesa dhisiki "mafaira akadzimwa" anogona kuwanikwazve kunyangwe mushure me3+ inopfuura yekupukuta disc.
PaGNU/Linux paBleachbit 2.0-2 Mabasa ekudzima zvachose mafaira uye madhairekitori anoshanda akavimbika, asi kwete kubvisa nzvimbo yemahara. Kuenzanisa: paWindows muCCleaner basa re "OSP ye ntfs" rinoshanda nemazvo, uye Mwari havazokwanisi kuverenga data rakadzimwa.

Uye saka, kunyatsobvisa "kukanganisa" data yekare isina kunyorwa, Bleachbit inoda kupinda zvakananga kune iyi data, wobva washandisa “kubvisa zvachose mafaira/dhairekitori” basa.
Kuti ubvise "mafaira akadzimwa uchishandisa akajairika OS zvishandiso" muWindows, shandisa CCleaner/BB ine "OSP" basa. MuGNU/Linux pamusoro pedambudziko iri (dzima mafaira akadzimwa) unofanira kudzidzira wega (kudzima data + kuedza kwakazvimirira kuidzosera uye haufanirwe kuvimba nesoftware vhezheni (kana isiri bookmark, ipapo bug)), chete munyaya iyi iwe uchakwanisa kunzwisisa maitiro edambudziko iri uye kubvisa zvachose data yakabviswa.

Handina kuedza Bleachbit v3.0, dambudziko rinogona kunge rakatogadziriswa.
Bleachbit v2.0 inoshanda zvakatendeseka.

Padanho iri, kupukuta dhisiki kwapera.

[E] Universal backup yeiyo encrypted OS

Wese mushandisi ane yavo nzira yekudzosera data, asi encrypted System OS data inoda nzira yakati siyanei nebasa. Yakabatana software, senge Clonezilla uye yakafanana software, haigone kushanda zvakananga neyakavharidzirwa data.

Chirevo chedambudziko rekutsigira encrypted block zvishandiso:

1. universality - yakafanana backup algorithm/software yeWindows/Linux;
2. kugona kushanda mukoni nechero live usb GNU/Linux pasina kudiwa kwekuwedzera kurodha software (asi zvakadaro kurudzira GUI);
3. chengetedzo yemakopi ekuchengetedza - yakachengetwa "mifananidzo" inofanirwa kuvharirwa / password-yakachengetedzwa;
4. saizi yedata yakavharidzirwa inofanirwa kuenderana nehukuru hweiyo chaiyo data iri kukopwa;
5. kutorwa kuri nyore kwemafaira anodiwa kubva kukopi yekuchengetedza (hapana chinodiwa kuti unyore chikamu chose kutanga).

Semuenzaniso, backup / dzosera kuburikidza ne "dd" utility

dd if=/dev/sda7 of=/путь/sda7.img bs=7M conv=sync,noerror
dd if=/путь/sda7.img of=/dev/sda7 bs=7M conv=sync,noerror

Inoenderana neanenge ese mapeji ebasa, asi zvinoenderana nedanho 4 haimiri pakutsoropodza, nekuti inokopa iyo yese disk partition, kusanganisira yemahara nzvimbo - isingafadze.

Semuenzaniso, GNU/Linux backup kuburikidza nearchive [tar" | gpg] iri nyore, asi kuWindows backup iwe unofanirwa kutsvaga imwe mhinduro - hainakidze.

E1. Universal Windows/Linux backup. Batanidza rsync (Grsync)+VeraCrypt vhoriyamuAlgorithm yekugadzira kopi yekuchengetedza:

1. kugadzira mudziyo wakavharidzirwa (vhoriyamu/faira) VeraCrypt yeOS;
2. kutamisa/kuwiriranisa OS uchishandisa Rsync software muVeraCrypt crypto container;
3. kana zvichidikanwa, kurodha VeraCrypt vhoriyamu kuwww.

Kugadzira yakavharidzirwa VeraCrypt mudziyo ine hunhu hwayo:
kugadzira vhoriyamu ine simba (kugadzirwa kweDT kunowanikwa muWindows chete, kunogona kushandiswawo muGNU/Linux);
kugadzira vhoriyamu yenguva dzose, asi pane chinodiwa che "paranoid character" (maererano nemugadziri) - kugadzirwa kwemudziyo.

Vhoriyamu ine simba inogadzirwa kanenge ipapo muWindows, asi kana uchikopa data kubva kuGNU/Linux> VeraCrypt DT, kuita kwese kweiyo backup operation kunoderera zvakanyanya.

Yenguva dzose 70 GB Twofish vhoriyamu inogadzirwa (ngatingoti, paavhareji PC simba) kuHDD ~ muhafu yeawa (kudzoreredza iyo yaimbova mudziyo data mune imwe pass nekuda kwekuchengetedza zvinodiwa). Basa rekukurumidza kufometa vhoriyamu paunenge uchigadzira rakabviswa kubva kuVeraCrypt Windows/Linux, saka kugadzira mudziyo unogoneka chete kuburikidza ne "one-pass rewriting" kana kugadzira yakaderera-inoshanda simba vhoriyamu.

Gadzira yakajairika VeraCrypt vhoriyamu (kwete dynamic/ntfs), hapafaniri kuva nematambudziko.

Gadzirisa / gadzira / vhura mudziyo muVeraCrypt GUI> GNU/Linux live usb (iyo vhoriyamu ichaiswa otomatiki ku/media/veracrypt2, iyo Windows OS vhoriyamu ichaiswa ku/media/veracrypt1). Kugadzira yakavharidzirwa backup yeWindows OS uchishandisa GUI rsync (grsync)nekutarisa mabhokisi.

Mirira kuti chirongwa chipere. Kana iyo backup yapera, isu tichava neiyo encrypted faira.

Saizvozvo, gadzira kopi yekuchengetedza yeGNU/Linux OS nekusatarisisa iyo "Windows kuenderana" bhokisi rekutarisa mu rsync GUI.

Cherechedza! gadzira mudziyo weVeracrypt we "GNU/Linux backup" mufaira system ext4. Kana iwe ukaita backup kune ntfs mudziyo, ipapo paunodzorera kopi yakadaro, iwe ucharasikirwa nekodzero dzose / mapoka kune data rako rose.

Iwe unogona kuita zvese mashandiro mune terminal. Zvisarudzo zvekutanga zve rsync:
* -g -chengetedza mapoka;
* -P -kufambira mberi - mamiriro enguva yakashandiswa kushanda pafaira;
* -H - kopi hardlinks sezvazviri;
* -a -archive mode (mireza yerlptgoD yakawanda);
* -v -kutaura.

Kana iwe uchida kukwira "Windows VeraCrypt vhoriyamu" kuburikidza nekoni mune cryptsetup software, unogona kugadzira alias (su)

echo "alias veramount='cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sdaX Windows_crypt && mount /dev/mapper/ Windows_crypt /media/veracrypt1'" >> .bashrc && bash

Iye zvino "chaiyo mifananidzo" yekuraira ichaita kuti iwe uise passphrase, uye iyo encrypted Windows system vhoriyamu ichaiswa muOS.

Mepu/gomo VeraCrypt system vhoriyamu mune cryptsetup command

cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sdaX Windows_crypt
mount /dev/mapper/Windows_crypt /mnt

Mepu/gomo VeraCrypt partition/container mune cryptsetup command

cryptsetup open --veracrypt --type tcrypt /dev/sdaY test_crypt
mount /dev/mapper/test_crypt /mnt

Panzvimbo pezita, isu tichawedzera (gwaro rekutanga) vhoriyamu yehurongwa neWindows OS uye inonzwisisika yakavanzika ntfs disk kuGNU/Linux kutanga.

Gadzira chinyorwa uye chengeta mu ~/VeraOpen.sh

printf 'Ym9i' | base64 -d | cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sda3 Windows_crypt && mount /dev/mapper/Windows_crypt /media/Winda7 #декодируем пароль из base64 (bob) и отправляем его на запрос ввода пароля при монтировании системного диска ОС Windows.
printf 'Ym9i' | base64 -d | cryptsetup open --veracrypt --type tcrypt /dev/sda1 ntfscrypt && mount /dev/mapper/ntfscrypt /media/КонтейнерНтфс #аналогично, но монтируем логический диск ntfs.

Isu tinogovera kodzero "dzakarurama":

sudo chmod 100 /VeraOpen.sh

Gadzira mafaera maviri akafanana (zita rimwe chete!) mukati /etc/rc.local uye ~/etc/init.d/rc.local
Kuzadza mafaira

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will «exit 0» on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

sh -c "sleep 1 && '/VeraOpen.sh'" #после загрузки ОС, ждём ~ 1с и только потом монтируем диски.
exit 0

Isu tinogovera kodzero "dzakarurama":

sudo chmod 100 /etc/rc.local && sudo chmod 100 /etc/init.d/rc.local 

Ndizvozvo, ikozvino kana kurodha GNU / Linux isu hatidi kuisa mapassword kuti uise encrypted ntfs disks, madhisiki anoiswa otomatiki.

Tsamba muchidimbu nezve izvo zvinotsanangurwa pamusoro mundima E1 nhanho nhanho (asi ikozvino kune OS GNU/Linux)
1) Gadzira vhoriyamu mu fs ext4> 4gb (yefaira) Linux muVeracrypt [Cryptbox].
2) Reboot kuti urarame usb.
3) ~$ cryptsetup vhura /dev/sda7 Lunux #mapping encrypted partition.
4) ~$ gomo /dev/mapper/Linux /mnt #mount the encrypted partition to /mnt.
5) ~$ mkdir mnt2 #kugadzira dhairekitori rekuchengetedza ramangwana.
6) ~$ cryptsetup vhura -veracrypt -type tcrypt ~/CryptoBox CryptoBox && mount /dev/mapper/CryptoBox /mnt2 #Mepu yeVeracrypt vhoriyamu inonzi "CryptoBox" uye isa CryptoBox ku /mnt2.
7) ~$ rsync -avlxhHX -kufambira mberi /mnt /mnt2/ #backup mashandiro eiyo encrypted partition kune encrypted Veracrypt volume.

(p/s/ Cherechedza! Kana iwe uri kuendesa encrypted GNU/Linux kubva kune imwe dhizaini / muchina kuenda kune imwe, semuenzaniso, Intel> AMD (kureva, kuendesa backup kubva kune imwe yakavharidzirwa partition kune imwe encrypted Intel> AMD partition), Usakanganwa Mushure mekutamisa iyo yakavharidzirwa OS, gadzirisa chakavanzika chinotsiva kiyi panzvimbo yepassword, pamwe. kiyi yapfuura ~/etc/skey - haichakodzeri imwe yakavharidzirwa partition, uye hazvikurudzirwe kugadzira kiyi nyowani "cryptsetup luksAddKey" kubva pasi pechroot - glitch inogoneka, ingori mu ~/etc/crypttab tsanangura pachinzvimbo che "/ etc/skey" kwenguva pfupi "hapana" ", mushure mekugadzirisa zvakare uye kupinda muOS, dzokorora kiyi yako yakavanzika yemusango zvakare).

SeIT veterans, rangarira kuita zvakasiyana ma backups emusoro weiyo encrypted Windows/Linux OS partitions, kana iyo encryption ichapandukira iwe.
Padanho iri, kuchengetedza kweiyo encrypted OS kunopedzwa.

[F] Kurwisa pane GRUB2 bootloader

Ona zvakadzamaKana iwe wakadzivirira bootloader yako nedhijitari siginecha uye / kana huchokwadi (ona pfungwa C6.), zvino izvi hazvizodziviriri kubva pakuwana muviri. Iyo encrypted data icharamba isingawanikwe, asi dziviriro ichapfuura (reset kudzivirira siginecha yedhijitari) GRUB2 inobvumira cyber-villain kupinza kodhi yake mubootloader pasina kusimudza fungidziro. (kunze kwekunge mushandisi achiongorora nemaoko mamiriro ebootloader, kana kuuya neavo ega arbitrary-script code yegrub.cfg).

Kurwisa algorithm. Intruder

* Boots PC kubva mhenyu usb. Chero shanduko (mutyora) mafaira achazivisa muridzi chaiye wePC nezve kupindira mubootloader. Asi kuisirwa zvakare nyore kweGRUB2 kuchengeta grub.cfg (uye kugona kunotevera kuigadzirisa) ichabvumira anorwisa kugadzirisa chero mafaira (mumamiriro ezvinhu aya, pakurodha GRUB2, mushandisi chaiye haaziviswe. Mamiriro acho akafanana <0>)
* Inoisa chikamu chisina kunyorwa, zvitoro "/mnt/boot/grub/grub.cfg".
* Inoisazve bootloader (kubvisa "perskey" kubva pa core.img mufananidzo)

grub-install --force --root-directory=/mnt /dev/sda6

* Inodzorera "grub.cfg"> "/mnt/boot/grub/grub.cfg", inogadzirisa kana zvichidiwa, semuenzaniso, kuwedzera module yako "keylogger.mod" kune folda ine loader modules, mu "grub.cfg" > mutsetse "insmod keylogger". Kana, semuenzaniso, kana muvengi ari manomano, ipapo mushure mekudzorera GRUB2 (masaini ese anoramba aripo) inovaka iyo huru GRUB2 mufananidzo uchishandisa "grub-mkimage ine sarudzo (-c)." Iyo "-c" sarudzo inobvumidza iwe kurodha config yako usati waisa huru "grub.cfg". Iyo config inogona kuva nemutsara mumwe chete: redirection kune chero "modern.cfg", yakasanganiswa, semuenzaniso, ne ~400 mafaera. (mamodule + masiginicha) mune folda "/boot/grub/i386-pc". Muchiitiko ichi, munhu anorwisa anogona kuisa kodhi inopokana uye kutakura ma modules pasina kukanganisa "/boot/grub/grub.cfg", kunyange kana mushandisi akaisa "hashsum" kufaira uye akairatidza kwenguva pfupi pachiratidziro.
Anorwisa haazodi kubira iyo GRUB2 superuser login / password; anongoda kukopa mitsara. (ine basa rekusimbisa chokwadi) "/boot/grub/grub.cfg" kune yako "modern.cfg"

set superusers = "mudzi"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8

Uye muridzi wePC acharamba achitenderwa seyo GRUB2 superuser.

Chain loading (bootloader inotakura imwe bootloader), sezvandanyora pamusoro apa, hazvina musoro (inoitirwa chinangwa chakasiyana). Encrypted bootloader haigone kurodha nekuda kweBIOS (cheni boot restarts GRUB2> encrypted GRUB2, kukanganisa!). Nekudaro, kana iwe uchiri kushandisa iyo pfungwa yekurodha ketani, unogona kuve nechokwadi chekuti ndiyo yakavharidzirwa iri kurodha. (haisi yemazuva ano) "grub.cfg" kubva kune yakavharidzirwa chikamu. Uye iyi ipfungwa yenhema yekuchengetedzeka, nekuti zvese zvinoratidzwa mune encrypted "grub.cfg" (module kurodha) inowedzera kusvika kumamodule akatakurwa kubva kune isina kunyorwa GRUB2.

Kana iwe uchida kutarisa izvi, wogogovera/encrypt imwe partition sdaY, kopira GRUB2 kwairi (grub-install operation pane yakavharidzirwa partition haigoneke) uye mu "grub.cfg" (isina kunyorwa config) shandura mitsetse seizvi

menyu 'GRUBx2' --class parrot --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-382111a2-f993-403c-aa2e-292b5eac4780' {
load_video
insmod gzio
kana [ x$grub_platform = xxen]; then insmod xzio; insmod lzopio; fi
insmod chikamu_msdos
insmod cryptodisk
insmod lux
insmod gcry_twofish
insmod gcry_twofish
insmod gcry_sha512
insmod ext2
cryptomount -u 15c47d1c4bd34e5289df77bcf60ee838
set root=’cryptouuid/15c47d1c4bd34e5289df77bcf60ee838′
zvakajairika /boot/grub/grub.cfg
}

tambo
* insmod - kurodha mamodule anodiwa ekushanda neiyo encrypted disk;
* GRUBx2 - zita remutsara unoratidzwa muGRUB2 boot menu;
* cryptomount -u 15c47d1c4bd34e5289df77bcf60ee838 -ona. fdisk -l (sda9);
* set midzi - isa mudzi;
* zvakajairika /boot/grub/grub.cfg - inogoneka gadziriso faira pane yakavharidzirwa partition.

Kuvimba kuti ndiyo yakavharidzirwa "grub.cfg" yakatakurwa imhinduro yakanaka yekupinda password / kuvhura "sdaY" paunosarudza mutsara "GRUBx2" muGRUB menyu.

Paunenge uchishanda muCLI, kuti urege kuvhiringidzika (uye tarisa kana iyo "set root" nharaunda inoshanduka yakashanda), gadzira mafaira echiratidzo asina chinhu, semuenzaniso, muchikamu chakavharidzirwa "/shifr_grub", muchikamu chisina kunyorwa "/noshifr_grub". Kutarisa muCLI

cat /Tab-Tab

Sezvakataurwa pamusoro apa, izvi hazvizobatsiri kurodha mamodule ane utsinye kana mamodule akadaro apera paPC yako. Semuenzaniso, keylogger inozokwanisa kuchengetedza keystrokes kufaira uye kuisanganisa nemamwe mafaira mu "~/i386" kusvikira yatorwa neanorwisa ane simba rekushandisa kuPC.

Iyo iri nyore nzira yekuona kuti dhijitari siginecha yekudzivirira iri kushanda nesimba (isina kusetwa patsva), uye hapana apinda mubootloader, pinda murairo muCLI

list_trusted

mukupindura tinogamuchira kopi ye "perskey" yedu, kana isu hatigamuchire chinhu kana tikarwiswa (iwe zvakare unofanirwa kutarisa "set check_signatures=enforce").
Chinhu chakakosha chinokanganisa chedanho iri kuisa mirairo nemaoko. Kana iwe ukawedzera uyu murairo ku "grub.cfg" uye chengetedza iyo config nedhijitari siginicha, ipapo yekutanga kuburitsa kwekiyi snapshot pachiratidziro ipfupi mukuita nguva, uye unogona kunge usina nguva yekuona zvinobuda mushure mekurodha GRUB2. .
Iko hakuna munhu anonyanya kuita zvirevo kune: mugadziri mune yake zvinyorwa clause 18.2 inozivisa zviri pamutemo

"Ziva kuti kunyangwe neGRUB password dziviriro, GRUB pachayo haigone kudzivirira munhu ane mukana wekuwana muchina kubva pakuchinja iyo firmware yemuchina (semuenzaniso, Coreboot kana BIOS) kukonzeresa kuti muchina utange kubva kune imwe yakasiyana (inodzorwa neanorwisa). GRUB ndiyo inongori link imwe chete mucheni yakachengeteka yebhutsu."

GRUB2 yakawandisa nemabasa anogona kupa pfungwa yekuchengetedzwa kwenhema, uye kukura kwayo kwakatopfuura MS-DOS maererano nekushanda, asi inongova bootloader. Zvinosekesa kuti GRUB2 - "mangwana" inogona kuve iyo OS, uye bootable GNU/Linux chaiwo michina yayo.

Vhidhiyo pfupi nezve magadzirisiro andakaita iyo GRUB2 dijitari yekudzivirira siginecha uye ndakazivisa kupindira kwangu kumushandisi chaiye. (Ndakakutyira, asi panzvimbo yezvinoratidzwa muvhidhiyo, unogona kunyora zvisingakuvadzi kodhi yekodhi / .mod).

Mhedziso:

1) Block system encryption yeWindows iri nyore kuita, uye kudzivirira nepassword imwe iri nyore pane kuchengetedzwa nemapassword akati wandei neGNU/Linux block system encryption, kuve yakanaka: iyo yekupedzisira inongozviitira.

2) Ndakanyora nyaya yacho seyakakodzera uye yakadzama zviri nyore gwara rekuzara-dhisiki encryption VeraCrypt/LUKS pane imwe imba yemuchina, inova yakanyanya kunaka muRuNet (IMHO). Nhungamiro> 50k mavara akareba, saka haina kuvhara zvimwe zvitsauko zvinonakidza: cryptographers vanonyangarika / vanoramba vari mumimvuri; nezve chokwadi chekuti mumabhuku akasiyana-siyana eGNU/Linux vanonyora zvishoma / havanyore nezve cryptography; nezveChitsauko 51 cheBumbiro reMitemo yeRussian Federation; O rezinesi/ban encryption muRussian Federation, nezve nei uchifanira encrypt "root/boot". Nhungamiro yakave yakakura, asi yakadzama. (kutsanangura nyangwe matanho ari nyore), zvakare, izvi zvinokuchengetedza iwe nguva yakawanda kana iwe wasvika kune "chaiyo encryption".

3) Full disk encryption yakaitwa paWindows 7 64; GNU/Linux Parrot 4x; GNU/Debian 9.0/9.5.

4) Yakaitwa yakabudirira kurwisa ake GRUB2 bootloader.

5) Dzidziso yakasikwa kubatsira vanhu vese veparanoid muCIS, uko kushanda nekunyorera kunobvumidzwa padanho remutemo. Uye kunyanya kune avo vanoda kuburitsa yakazara-dhisiki encryption pasina kuputsa masisitimu avo akagadziridzwa.

6) Yakagadziridza zvakare uye yakagadziridza bhuku rangu, rine basa muna 2020.

[G] Zvinyorwa zvinobatsira

1. TrueCrypt User Guide (Kukadzi 2012 RU)
2. VeraCrypt Documentation
3. /usr/share/doc/cryptsetup(-run) [nzvimbo yenzvimbo] (zvinyorwa zvakatsanangurwa zvepamutemo pakugadzirisa GNU/Linux encryption uchishandisa cryptsetup)
4. Official FAQ cryptsetup (zvinyorwa zvipfupi pakumisikidza GNU/Linux encryption uchishandisa cryptsetup)
5. LUKS mudziyo encryption (archlinux zvinyorwa)
6. Tsanangudzo yakadzama ye cryptsetup syntax (arch man peji)
7. Tsanangudzo yakadzama ye crypttab (arch man peji)
8. Official GRUB2 zvinyorwa.

Tags: yakazara disk encryption, partition encryption, Linux yakazara disk encryption, LUKS1 yakazara system encryption.

Vashandisi vakanyoresa chete ndivo vanogona kutora chikamu muongororo. Nyorera mu, Munogamuchirwa.

Uri kunyora here?

• 17,1%Ndinonyora zvese zvandinogona. Ndiri kupengereka.14

• 34,2%Ini chete encrypt yakakosha data.28

• 14,6%Dzimwe nguva ndinonyora, dzimwe nguva ndinokanganwa.12

• 34,2%Kwete, handina encrypt, hazvina kunaka uye zvinodhura.28

82 vashandisi vakavhota. 22 vashandisi vakaramba.

Source: www.habr.com