Full-disk encryption of installed Windows and Linux systems. Encrypted multiboot

An updated guide to full-disk encryption on the RuNet, V0.2.

Cowboy strategy:

[A] block system encryption of an installed Windows 7 system;
[B] block system encryption of an installed GNU/Linux (Debian) system (including /boot);
[C] GRUB2 configuration, bootloader protection with digital signature/authentication/hashing;
[D] wiping: destruction of unencrypted data;
[E] universal backup of encrypted OSes;
[F] attack <on item [C6]>, target: the GRUB2 bootloader;
[G] useful documentation.

╭─── Scheme #room 40#:
├──╼ Windows 7 installed: full system encryption, not hidden;
├──╼ GNU/Linux installed (Debian and derivative distributions): full system encryption, not hidden (/, including /boot; swap);
├──╼ independent bootloaders: the VeraCrypt bootloader is installed in the MBR, the GRUB2 bootloader is installed in the extended partition;
├──╼ no OS installation is required;
└──╼ cryptographic software used: VeraCrypt; Cryptsetup; GnuPG; Seahorse; Hashdeep; GRUB2, all free.

The scheme above partially solves the problem of "remote boot to a flash drive" and lets you enjoy encrypted Windows/Linux OSes and exchange data over an "encrypted channel" from one OS to the other.

PC boot order (one of the options):

  • power on the machine;
  • the VeraCrypt bootloader loads (entering the correct password continues booting Windows 7);
  • pressing the "Esc" key loads the GRUB2 bootloader;
  • the GRUB2 bootloader (distribution selection/GNU/Linux/CLI) requires GRUB2 superuser authentication <login/password>;
  • after successful authentication and selection of a distribution, you need to enter a passphrase to unlock "/boot/initrd.img";
  • after the passwords are entered without errors, GRUB2 will "require" a password (the third one; do not count the BIOS password or the GNU/Linux user account password) to unlock and boot the GNU/Linux OS, or the automatic substitution of a secret key (two passwords + key, or password + key);
  • external tampering with the GRUB2 configuration will freeze the GNU/Linux boot process.

Too much trouble? Fine, let's go straight to the procedures.

When a hard drive is partitioned with an MBR table, the PC can have no more than 4 primary partitions, or 3 primary partitions and one extended partition, plus an unallocated area. An extended partition, unlike a primary one, can contain subpartitions (logical drives = extended partition). In other words, the "extended partition" on the HDD replaces LVM for the task at hand: full system encryption. If your disk is divided into 4 primary partitions, you need to use LVM, or convert (with formatting) a primary partition into an extended one, or make wise use of all four partitions and leave everything as it is while still getting the desired result. Even if you have a single partition on your disk, GParted will help you split your HDD (into additional partitions) without losing data, although such operations still carry a small penalty.

The hard drive layout that the whole article refers to is shown in the table below.

Table (No. 1) of the 1 TB partitions.

You should have something similar as well.
sda1 - primary partition No. 1, NTFS (encrypted);
sda2 - extended partition marker;
sda6 - logical disk (the GRUB2 bootloader is installed on it);
sda8 - swap (encrypted swap file / not always);
sda9 - test logical disk;
sda5 - logical disk for the curious;
sda7 - GNU/Linux OS (the OS transferred to the encrypted logical disk);
sda3 - primary partition No. 2 with the Windows 7 OS (encrypted);
sda4 - primary partition No. 3 (it contained the unencrypted GNU/Linux, used for backup / not always).

[A] Block system encryption of Windows 7

A1. VeraCrypt

Download the installer version of the VeraCrypt cryptographic software from the official site or from the SourceForge mirror (at the time of publication, v1.24-Update3; the portable version of VeraCrypt is not suitable for system encryption). Verify the checksum of the downloaded software

$ Certutil -hashfile "C:\VeraCrypt Setup 1.24.exe" SHA256

and compare the result with the checksum published on the VeraCrypt developer's site.

If the HashTab software is installed, it is even easier: right-click (VeraCrypt Setup 1.24.exe) - Properties - File hashes.

To verify the program's signature, the software and the developer's public PGP key must be installed on the system: GnuPG; Gpg4win.

A2. Installing/running the VeraCrypt software with administrator rights

A3. Selecting the system encryption parameters for the active partition

VeraCrypt - System - Encrypt System Partition/Drive - Normal - Encrypt the Windows system partition - Multi-boot - (warning: "Inexperienced users are not recommended to use this method"; this is true, agree with "Yes") - Boot drive ("Yes", even if that is not the case, still "Yes") - Number of system drives "2 or more" - Multiple systems on a single drive "Yes" - Non-Windows boot loader "No" (in fact "Yes", but the VeraCrypt/GRUB2 bootloaders will not share the MBR between themselves; more precisely, only the smallest part of the bootloader code is stored in the MBR/boot track, and the main part of it is located within the file system) - Multi-boot - Encryption settings

If you deviate from the steps above (the block system encryption scheme), VeraCrypt will issue a warning and will not allow you to encrypt the partition.

In the next step toward targeted data protection, run the "Test" and choose an encryption algorithm. If you have an outdated CPU, the fastest encryption algorithm will most likely be Twofish. If the CPU is powerful, you will notice the difference: AES encryption, according to the test results, will be several times faster than its crypto competitors. AES is a popular encryption algorithm; the hardware of modern CPUs is specifically optimized for both "secrecy" and "cracking".

VeraCrypt supports encrypting disks with an AES(Twofish) cascade and other combinations. On a core Intel CPU from XNUMX years ago (without hardware AES support, A/T cascade encryption) the performance drop is essentially imperceptible. (On AMD CPUs of the same era/~parameters, performance is slightly reduced.) The OS runs responsively and the resource consumption of transparent encryption is unnoticeable. By contrast, for example, there is a noticeable drop in performance caused by an installed test desktop environment Mate v1.20.1 (or v1.20.2, I don't remember exactly) in GNU/Linux, or by the constant operation of the telemetry routine in Windows 7↑. Usually, experienced users run hardware performance tests before encrypting, for example in Aida64/Sysbench/systemd-analyze blame, and compare them with the results of the same tests after encrypting the system, thereby disproving for themselves the myth that "system encryption is harmful". Machine slowdown and inconvenience are noticeable when backing up/restoring encrypted data, because the "system data backup" operation itself is not measured in ms, and <decrypt/encrypt on the fly> is added on top of it. Ultimately, every user who is allowed to tinker with cryptography balances the encryption algorithm against the needs of the tasks at hand, their level of paranoia, and ease of use.

It is better to leave the PIM parameter at its default, so that when booting the OS you do not have to enter exact iteration values every time. VeraCrypt uses a huge number of iterations to create a truly "slow hash". An attack on such a "crypto snail" using brute force/rainbow tables makes sense only with a short "simple" passphrase and a personal charset list for the victim. The price paid for password strength is a delay on entering the correct password when booting the OS. (Mounting VeraCrypt volumes in GNU/Linux is significantly faster.)
Free software for carrying out brute-force attacks (extracting the passphrase from a VeraCrypt/LUKS disk header): Hashcat. John the Ripper does not know how to "break VeraCrypt", and when working with LUKS it does not understand Twofish cryptography.

Because of the cryptographic strength of the encryption algorithms, the unstoppable cypherpunks develop software with a different attack vector, for example extracting metadata/keys from RAM (cold boot/direct memory access attack). There is specialized free and non-free software for these purposes.

When configuring/generating the "unique metadata" of the encrypted active partition is finished, VeraCrypt will offer to reboot the PC and test the operation of its bootloader. After rebooting/starting Windows, VeraCrypt will load in standby mode; all that remains is to confirm the encryption process - Y.

At the final step of system encryption, VeraCrypt will offer to create a backup copy of the header of the active encrypted partition in the form of "veracrypt rescue disk.iso". This must be done: in this software the operation is mandatory (in LUKS, as a requirement, it is unfortunately omitted, but it is emphasized in the documentation). The rescue disk will come in handy for everyone, and for some more than once. Loss (header/MBR overwrite) of the header backup will permanently deny access to the decrypted Windows OS partition.

A4. Creating a VeraCrypt rescue USB/disk

By default, VeraCrypt offers to burn "~2-3 MB of metadata" to a CD, but not everyone has discs or DVD-ROM drives, and creating a bootable flash drive "VeraCrypt Rescue disk" will be a technical surprise for some: Rufus/GUIdd-ROSA ImageWriter and other similar software will not be able to cope with the task, because in addition to copying the offset metadata to a bootable flash drive, you need to copy/paste the image outside the file system of the USB drive; in short, correctly copy the MBR/the road to the keychain. In GNU/Linux you can create the bootable flash drive with the "dd" utility, referring to this table.


Creating a rescue disk in a Windows environment is different. The VeraCrypt developer did not include a solution to this problem in the official "rescue disk" documentation, but offered one in a different way: he posted additional software for creating a "USB rescue disk" for free access on his VeraCrypt forum. The archive of this software for Windows is "create usb veracrypt rescue disk". After rescue disk.iso is saved, the block system encryption of the active partition will begin. During encryption the OS does not stop working; a PC reboot is not required. When the encryption operation completes, the active partition is fully encrypted and can be used. If the VeraCrypt bootloader does not appear when you start the PC and the header recovery operation does not help, check the "boot" flag: it must be set on the partition where Windows is located (regardless of encryption and other OSes, see Table No. 1).
This completes the block system encryption of the Windows OS.

[B] LUKS. Encrypting an installed GNU/Linux (~Debian) OS. Algorithm and steps

To encrypt an installed Debian/derivative distribution, you need to map the prepared partition to a virtual block device, transfer GNU/Linux to the mapped disk, and install/configure GRUB2. If you do not have a bare-metal server and you value your time, you should use the GUI; most of the terminal commands described below are meant to be run in "Chuck-Norris mode".

B1. Booting the PC from a live USB GNU/Linux

"Run a crypto test of hardware performance"

lscpu && cryptsetup benchmark


If you are the happy owner of a powerful machine with hardware AES support, the numbers will look like the right side of the terminal; if you are a happy owner, but of antique hardware, the numbers will look like the left side.

B2. Disk partitioning. Mounting/formatting the file system of a logical HDD disk to Ext4 (GParted)

B2.1. Creating the encrypted header of the sda7 partition

I will refer to partition names, here and further on, according to the partition table given above. Depending on your disk layout, you must substitute your own partition names.

Mapping the encrypted logical drive (/dev/sda7 > /dev/mapper/sda7_crypt).
# Simple creation of a "LUKS-AES-XTS partition"

cryptsetup -v -y luksFormat /dev/sda7

Options:

* luksFormat - initialize the LUKS header;
* -y - passphrase, asked twice for verification (not a key/file);
* -v - verbose (print information to the terminal);
* /dev/sda7 - your logical disk in the extended partition (where GNU/Linux is planned to be transferred/encrypted).

Default encryption algorithm <LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom> (depends on the cryptsetup version).

# Check the default encryption algorithm
cryptsetup --help # the very last line of the terminal output.

If the CPU has no hardware AES support, the best choice is to create an advanced "LUKS-Twofish-XTS partition".

B2.2. Advanced creation of a "LUKS-Twofish-XTS partition"

cryptsetup luksFormat /dev/sda7 -v -y -c twofish-xts-plain64 -s 512 -h sha512 -i 1500 --use-urandom

Options:
* luksFormat - initialize the LUKS header;
* /dev/sda7 - your future encrypted logical disk;
* -v - verbose;
* -y - passphrase;
* -c - select the data encryption algorithm;
* -s - encryption key size;
* -h - hashing algorithm/crypto function; the RNG (--use-urandom) is used to generate a unique encryption/decryption key for the logical disk header and a secondary header key (XTS); the unique master key stored in the encrypted disk header, the secondary XTS key, all of this metadata, and the encryption routine that uses the master key and the secondary XTS key to encrypt/decrypt any data on the partition (except the partition header) are stored in ~3 MB on the selected hard disk partition.
* -i - iterations in milliseconds instead of a "count" (the time delay when processing the passphrase affects OS loading and the cryptographic strength of the keys). To keep a balance of cryptographic strength, with a simple password such as "Russian" you need to increase the -(i) value; with a complex password such as "?8dƱob/øfh" the value can be reduced.
* --use-urandom - the random number generator; it generates keys and salt.

After mapping sda7 > sda7_crypt (the operation is fast, since an encrypted header with ~3 MB of metadata is created and that is all), you need to format and mount the sda7_crypt file system.

B2.3. Mapping

cryptsetup open /dev/sda7 sda7_crypt
# running this command prompts for the secret passphrase.

options:
* open - map the partition "with a name";
* /dev/sda7 - the logical disk;
* sda7_crypt - the mapping name used to mount the encrypted partition or to initialize it when the OS boots.

B2.4. Formatting the sda7_crypt file system as ext4. Mounting the disk in the OS (Note: you will not be able to work with an encrypted partition in GParted)

# format the encrypted block device
mkfs.ext4 -v -L DebSHIFR /dev/mapper/sda7_crypt

options:
* -v - verbose;
* -L - the drive label (shown in the file manager among the other drives).

Next, mount the virtual encrypted block device /dev/mapper/sda7_crypt into the system

mount /dev/mapper/sda7_crypt /mnt

Working with files in the /mnt folder will automatically encrypt/decrypt the data on sda7.

It is more convenient to map and mount the partition in the file manager (nautilus/caja GUI): the partition will already be in the disk selection list, and all that remains is to enter the passphrase to open/decrypt the disk. The mapping name will be chosen automatically and will not be "sda7_crypt" but something like /dev/mapper/Luks-xx-xx...

B2.5. Backing up the disk header (~3 MB of metadata)

One of the most important operations, which must be done without delay, is a backup copy of the "sda7_crypt" header. If you overwrite/damage the header (for example, by installing GRUB2 on the sda7 partition, etc.), the encrypted data will be lost completely with no possibility of recovering it, because it will be impossible to regenerate the same keys; the keys are created unique.

# Back up the partition header
cryptsetup luksHeaderBackup --header-backup-file ~/Backup_DebSHIFR /dev/sda7

# Restore the partition header
cryptsetup luksHeaderRestore --header-backup-file <file> <device>

options:
* luksHeaderBackup --header-backup-file - the backup command;
* luksHeaderRestore --header-backup-file - the restore command;
* ~/Backup_DebSHIFR - the backup file;
* /dev/sda7 - the partition whose encrypted disk header copy is to be saved.
At this step, <creating and editing the encrypted partition> is complete.

B3. Transferring the GNU/Linux OS (sda4) to the encrypted partition (sda7)

Create the /mnt2 directory (note: we are still working from the live USB, and sda7_crypt is mounted at /mnt), and mount in /mnt2 the GNU/Linux that needs to be encrypted.

mkdir /mnt2
mount /dev/sda4 /mnt2

We perform a correct OS transfer using the Rsync software

rsync -avlxhHX --progress /mnt2/ /mnt

The Rsync options are described in section E1.

Next, it is necessary to defragment the logical disk partition

e4defrag -c /mnt/ # after the check, e4defrag will report that the partition's fragmentation level is ~"0"; this is misleading and can cost you a substantial loss of performance!
e4defrag /mnt/ # defragment the encrypted GNU/Linux

Make it a rule: run e4defrag on the encrypted GNU/Linux from time to time if you have an HDD.
The transfer and synchronization [GNU/Linux > GNU/Linux-encrypted] is complete at this step.

B4. Configuring GNU/Linux on the encrypted sda7 partition

After the OS has been successfully transferred /dev/sda4 > /dev/sda7, you need to enter the GNU/Linux on the encrypted partition and perform further configuration (without rebooting the PC) relative to the encrypted system. That is, stay in the live USB, but execute commands "relative to the root of the encrypted OS". "chroot" will simulate such a situation. To quickly tell which OS you are currently working in (encrypted or not, since the data in sda4 and sda7 are synchronized), desynchronize the OSes. Create empty marker files in the root directories (sda4/sda7_crypt), for example /mnt/encryptedOS and /mnt2/decryptedOS. A quick check of which OS you are in (including in the future):

ls /<Tab-Tab>

B4.1. "Simulating entry into the encrypted OS"

mount --bind /dev /mnt/dev
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
chroot /mnt

B4.2. Verifying that the work is being done against the encrypted system

ls /mnt<Tab-Tab> 
# and we see the "/encryptedOS" file

history
# the terminal output should show the su command history of the working OS.

B4.3. Creating/configuring encrypted swap, editing crypttab/fstab

Since the swap file is formatted every time the OS starts, there is no point in creating and mapping swap to a logical disk now and typing commands as in section B2.2. For swap, its own temporary encryption keys will be generated automatically at every start. The life cycle of the swap keys: unmounting/detaching the swap partition (+ clearing RAM); or restarting the OS. To set up swap, open the file responsible for the configuration of encrypted block devices (analogous to the fstab file, but responsible for crypto).

nano /etc/crypttab 

edit it

# "target name" "source device" "key file" "options"
swap /dev/sda8 /dev/urandom swap,cipher=twofish-xts-plain64,size=512,hash=sha512

Options
* swap - the mapping name when encrypting, /dev/mapper/swap.
* /dev/sda8 - use your own logical partition for swap.
* /dev/urandom - the generator of random encryption keys for swap (with every new OS boot, new keys are created). The /dev/urandom generator is less random than /dev/random; after all, /dev/random is used when working in dangerous, paranoid circumstances. When booting the OS, /dev/random slows the boot down by several ± minutes (see systemd-analyze).
* swap,cipher=twofish-xts-plain64,size=512,hash=sha512: the partition knows that it is swap and is formatted "accordingly"; the encryption algorithm.

# Open and edit fstab
nano /etc/fstab

edit it

# swap was on /dev/sda8 during installation
/dev/mapper/swap none swap sw 0 0

/dev/mapper/swap is the name that was set in crypttab.

Alternative encrypted swap
If for some reason you do not want to give up a whole partition for swap, you can take an alternative and better route: creating a swap file inside a file on the encrypted OS partition.

fallocate -l 3G /swap # create a 3 GB file (an almost instantaneous operation)
chmod 600 /swap # set permissions
mkswap /swap # turn the file into a swap file
swapon /swap # enable our swap
free -m # check that the swap file is activated and working
printf "/swap none swap sw 0 0\n" >> /etc/fstab # if needed, makes the swap persistent across reboots

Swap partition setup is complete.

B4.4. Configuring the encrypted GNU/Linux (editing the crypttab/fstab files)

The /etc/crypttab file, as written above, describes the encrypted block devices that are configured during system boot.

# edit /etc/crypttab
nano /etc/crypttab 

if you mapped the sda7>sda7_crypt partition as in section B2.1

# "target name" "source device" "key file" "options"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 none luks

if you mapped the sda7>sda7_crypt partition as in section B2.2

# "target name" "source device" "key file" "options"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 none cipher=twofish-xts-plain64,size=512,hash=sha512

If you mapped the sda7>sda7_crypt partition as in section B2.1 or B2.2 but do not want to enter the password again to unlock and boot the OS, you can substitute a secret key/random file for the password

# "target name" "source device" "key file" "options"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 /etc/skey luks

Description
* none - indicates that when the OS boots, the secret passphrase must be entered to unlock the root.
* UUID - the partition identifier. To find out your identifier, type in the terminal (a reminder that from this point on you are working in the terminal of the chroot environment, not in another live USB terminal).

fdisk -l # list all partitions
blkid # should show something like this

/dev/sda7: UUID="81048598-5bb9-4a53-af92-f3f9e709e2f2" TYPE="crypto_LUKS" PARTUUID="0332d73c-07"
/dev/mapper/sda7_crypt: LABEL="DebSHIFR" UUID="382111a2-f993-403c-aa2e-292b5eac4780" TYPE="ext4"

(this line is visible when blkid is queried from the live USB terminal with sda7_crypt mounted).
You take the UUID of your sdaX (not sdaX_crypt!; the UUID of sdaX_crypt goes into the grub.cfg config automatically when it is generated).
* cipher=twofish-xts-plain64,size=512,hash=sha512 - LUKS encryption in advanced mode.
* /etc/skey - the secret key file, which is substituted automatically to unlock the OS boot (instead of entering the 3rd password). You can specify any file up to 8 MB, but the data read will be <1 MB.

# Generate a random file <secret key> of 691 bytes.
head -c 691 /dev/urandom > /etc/skey

# Add the secret key (691 bytes) to slot 7 of the LUKS header
cryptsetup luksAddKey --key-slot 7 /dev/sda7 /etc/skey

# Check the password/key slots of the LUKS partition
cryptsetup luksDump /dev/sda7 

It will look like this:

(do it yourself and see).

cryptsetup luksKillSlot /dev/sda7 7 # remove the key/password from slot 7

/etc/fstab contains descriptive information about the various file systems.

# Edit /etc/fstab
nano /etc/fstab

# "file system" "mount point" "type" "options" "dump" "pass"
# / was on /dev/sda7 during installation
/dev/mapper/sda7_crypt / ext4 errors=remount-ro 0 1

option
* /dev/mapper/sda7_crypt - the name of the sda7>sda7_crypt mapping, which is specified in the /etc/crypttab file.
crypttab/fstab configuration is complete.

B4.5. Editing configuration files. The key moment

B4.5.1. Editing the config /etc/initramfs-tools/conf.d/resume

# If you previously had a swap partition activated, disable it.
nano /etc/initramfs-tools/conf.d/resume

and comment out (if present) the "resume" line with "#". The file must be completely empty.

B4.5.2. Editing the config /etc/initramfs-tools/conf.d/cryptsetup

nano /etc/initramfs-tools/conf.d/cryptsetup

it should match

# /etc/initramfs-tools/conf.d/cryptsetup
CRYPTSETUP=yes
export CRYPTSETUP

B4.5.3. Editing the config /etc/default/grub (this config is responsible for the ability to generate grub.cfg when working with an encrypted /boot)

nano /etc/default/grub

add the line "GRUB_ENABLE_CRYPTODISK=y"
with the value 'y', grub-mkconfig and grub-install will check for encrypted drives and generate the additional commands needed to access them at boot time (insmods).
it should look similar to

GRUB_DEFAULT=0
GRUB_TIMEOUT=1
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="acpi_backlight=vendor"
GRUB_CMDLINE_LINUX="quiet splash noautomount"
GRUB_ENABLE_CRYPTODISK=y

B4.5.4. Editing the config /etc/cryptsetup-initramfs/conf-hook

nano /etc/cryptsetup-initramfs/conf-hook

make sure the line is commented out <#>.
In the future (and even now, this parameter will have no meaning, but sometimes it interferes with updating the initrd.img image).

B4.5.5. Editing the config /etc/cryptsetup-initramfs/conf-hook

nano /etc/cryptsetup-initramfs/conf-hook

add

KEYFILE_PATTERN="/etc/skey"
UMASK=0077

This will pack the secret key "skey" into initrd.img; the key is needed to unlock the root when the OS boots (if you do not want to enter the password again, the key "skey" is substituted automatically).
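
A pre-flight check for the files edited in B4.3 to B4.5.5, meant to be run before the initramfs is rebuilt; this is an added example, not part of the original guide. The function names are hypothetical, the sample tree is constructed, and UMASK is looked up in conf-hook because that is where this guide sets it.

```sh
#!/bin/sh
# Added example (not from the original guide); function names are hypothetical.
# Cross-checks crypttab, fstab and conf-hook under ROOT before update-initramfs.
# ROOT is "" for the running system, or e.g. /mnt for a tree seen from a live USB.

crypttab_targets() {            # first column of every active crypttab line
    awk '$1 !~ /^#/ && NF >= 2 { print $1 }' "$1"
}

check_crypttab() {              # rules from B4.3/B4.4
    root=$1 rc=0 n=0
    while read -r target source key opts rest || [ -n "$target" ]; do
        n=$((n + 1))
        case $target in ''|'#'*) continue ;; esac
        if [ -z "$opts" ] || [ -n "$rest" ]; then
            echo "crypttab:$n: expected 4 fields: target source keyfile options"
            rc=1; continue
        fi
        # The source is the LUKS partition (UUID of sdaX), not the opened mapping.
        case $source in /dev/mapper/*)
            echo "crypttab:$n: $target: source must be the partition, not $source"; rc=1 ;;
        esac
        case $key in
            none) ;;                          # passphrase is asked at boot
            /dev/urandom|/dev/random)         # throw-away key: valid for swap only
                case ",$opts," in *,swap,*) ;; *)
                    echo "crypttab:$n: $target: random key without the swap option"; rc=1 ;;
                esac ;;
            *)  kf=$root$key                  # key file: must exist, owner-only
                if [ ! -f "$kf" ]; then
                    echo "crypttab:$n: $target: key file $key is missing"; rc=1
                elif [ "$(ls -ld "$kf" | cut -c5-10)" != "------" ]; then
                    echo "crypttab:$n: $target: key file $key is accessible to group/other"; rc=1
                fi ;;
        esac
    done < "$root/etc/crypttab"
    return $rc
}

check_fstab() {                 # every /dev/mapper/NAME must be a crypttab target
    root=$1 rc=0
    targets=" $(crypttab_targets "$root/etc/crypttab" | tr '\n' ' ')"
    for dev in $(awk '$1 ~ /^\/dev\/mapper\// { print $1 }' "$root/etc/fstab"); do
        name=${dev#/dev/mapper/}
        case $targets in
            *" $name "*) ;;
            *) echo "fstab: $dev has no matching crypttab target"; rc=1 ;;
        esac
    done
    return $rc
}

check_conf_hook() {             # B4.5.5: key files must be picked up by the hook
    root=$1 rc=0
    hook=$root/etc/cryptsetup-initramfs/conf-hook
    keys=$(awk '$1 !~ /^#/ && $3 ~ /^\// && $3 !~ /^\/dev\// { print $3 }' "$root/etc/crypttab")
    [ -n "$keys" ] || return 0  # passphrase-only setup: nothing to check
    pattern=$(sed -n 's/^KEYFILE_PATTERN=//p' "$hook" 2>/dev/null | tr -d "\"'" | tail -n 1)
    umask_val=$(sed -n 's/^UMASK=//p' "$hook" 2>/dev/null | tail -n 1)
    for key in $keys; do
        case $key in            # KEYFILE_PATTERN is a shell pattern
            $pattern) ;;
            *) echo "conf-hook: KEYFILE_PATTERN='$pattern' does not match $key"; rc=1 ;;
        esac
    done
    [ "$umask_val" = 0077 ] || { echo "conf-hook: UMASK is '$umask_val', expected 0077"; rc=1; }
    return $rc
}

check_all() {                   # status 0 only if all three checks are clean
    status=0
    check_crypttab "$1" || status=1
    check_fstab "$1" || status=1
    check_conf_hook "$1" || status=1
    return $status
}

demo() {                        # constructed tree: loose key, fstab typo, UMASK=0022
    d=$(mktemp -d) && mkdir -p "$d/etc/cryptsetup-initramfs"
    printf 'constructed key bytes' > "$d/etc/skey"; chmod 644 "$d/etc/skey"
    printf '%s\n' 'swap /dev/sda8 /dev/urandom swap,cipher=twofish-xts-plain64,size=512,hash=sha512' \
        'sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 /etc/skey luks' > "$d/etc/crypttab"
    printf '%s\n' '/dev/mapper/sda7crypt / ext4 errors=remount-ro 0 1' \
        '/dev/mapper/swap none swap sw 0 0' > "$d/etc/fstab"
    printf '%s\n' 'KEYFILE_PATTERN="/etc/skey"' 'UMASK=0022' > "$d/etc/cryptsetup-initramfs/conf-hook"
    check_all "$d" || echo "(findings above are expected for the constructed sample)"
    rm -rf "$d"
}

# With an argument, check that tree (e.g. /mnt); without one, run the demo.
if [ $# -gt 0 ]; then check_all "$1"; else demo; fi
```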

B4.6. Updating /boot/initrd.img [version]

To pack the secret key into initrd.img and apply the cryptsetup fixes, update the image

update-initramfs -u -k all

when updating initrd.img (as they say, "it's possible, but not certain") warnings related to cryptsetup will appear, or, for example, a notice about the loss of Nvidia modules; this is normal. After updating the file, check that it was actually updated by looking at the timestamp (relative to the chroot environment, ./boot/initrd.img). Warning! Before [update-initramfs -u -k all], be sure to check that cryptsetup has /dev/sda7 open as sda7_crypt, the name that appears in /etc/crypttab; otherwise there will be a busybox error after the reboot.
At this step, configuration file setup is complete.

[C] Installing and configuring GRUB2/Protection

C1. If necessary, format the partition dedicated to the bootloader (the partition needs at least 20 MB)

mkfs.ext4 -v -L GRUB2 /dev/sda6

C2. Mounting /dev/sda6 to /mnt

Since we are working in chroot, there will be no /mnt2 directory in the root, and the /mnt folder will be empty.
mount the GRUB2 partition

mount /dev/sda6 /mnt

If you have an old version of GRUB2 installed, and the /mnt/boot/grub/i386-pc directory (another platform is possible, for example, not "i386-pc") contains no crypto modules (in short, the folder must contain modules, including these .mod files: cryptodisk; luks; gcry_twofish; gcry_sha512; signature_test.mod), then GRUB2 needs to be shaken up.

apt-get update
apt-get install grub2 

Important! When updating the GRUB2 package from the repository, when asked "about choosing" where to install the bootloader, you must decline the installation (reason: an attempt to install GRUB2 into the "MBR" or onto the live USB). Otherwise you will damage the VeraCrypt header/loader. After updating the GRUB2 packages and cancelling the installation, the bootloader must be installed manually onto the logical disk, not into the MBR. If your repository has an outdated version of GRUB2, try updating it from the official site; I have not checked this (I worked with the GRUB 2.02 ~BetaX bootloaders).

C3. Installing GRUB2 into the extended partition [sda6]

You must have the partition mounted [item C.2]

grub-install --force --root-directory=/mnt /dev/sda6

options
* --force - install the bootloader, bypassing all the warnings, which almost always exist and block the installation (required flag).
* --root-directory - install the directory to the root of sda6.
* /dev/sda6 - your sdaX partition (do not miss the <space> between /mnt and /dev/sda6).

C4. Creating the configuration file [grub.cfg]

Forget about the "update-grub2" command, and use the full configuration file generation command

grub-mkconfig -o /mnt/boot/grub/grub.cfg

After the generation/update of grub.cfg completes, the terminal output should contain the line(s) for each OS found on disk ("grub-mkconfig" will most likely find and pick up the OS from the live usb; if you have a multiboot flash drive with Windows 10 and a bunch of live distributions, this is normal). If the terminal is "empty" and the "grub.cfg" file was not generated, this is the same case of GRUB bugs in the system (most likely a loader from the testing branch of the repository); reinstall GRUB2 from trusted sources.
The "simple configuration" installation and setup of GRUB2 is complete.

C5. Proof test of the encrypted GNU/Linux OS
We finish the crypto mission correctly. Carefully leave the encrypted GNU/Linux (exit the chroot environment).

umount -a #unmount all mounted partitions of the encrypted GNU/Linux
Ctrl+d #exit the chroot environment
umount /mnt/dev
umount /mnt/proc
umount /mnt/sys
umount -a #unmount all mounted partitions on the live usb
reboot

After the PC reboots, the VeraCrypt bootloader should load.

* Entering the password for the active partition starts loading Windows.
* Pressing the "Esc" key hands control to GRUB2; if you select the encrypted GNU/Linux, the password (sda7_crypt) is required to unlock /boot/initrd.img (if grub2 reports uuid "not found", this is a problem with the grub2 bootloader; it must be reinstalled, e.g. from the testing/stable branch, etc.).

* Depending on how you configured the system (see sections B4.4/4.5), after entering the correct password to unlock the /boot/initrd.img image you will either need a password to load the OS kernel/root, or the secret key "skey" will be substituted automatically, which removes the need to re-enter the passphrase.
(screenshot: "automatic substitution of the secret key").

* Then the familiar GNU/Linux boot process with user account authentication follows.

* After user authorization and login to the OS, you need to update /boot/initrd.img once more (see B4.6).

update-initramfs -u -k all

And if there are extra lines in the GRUB2 menu (picked up from the OS on the live usb), get rid of them

mount /dev/sda6 /mnt
grub-mkconfig -o /mnt/boot/grub/grub.cfg

Quick summary of GNU/Linux system encryption:

  • GNU/Linux is fully encrypted, including /boot/kernel and initrd;
  • the secret key is packed into initrd.img;
  • the current authorization scheme (entering the password to unlock initrd; password/key to boot the OS; password for Linux account authorization).

The "simple GRUB2 configuration" system encryption of the block partition is complete.

C6. Advanced GRUB2 configuration. Bootloader protection with a digital signature + authentication protection
GNU/Linux is fully encrypted, but the bootloader itself cannot be encrypted; this condition is dictated by the BIOS. For this reason a chained encrypted boot of GRUB2 is not possible; a simple chained boot is possible/available, but from a security standpoint it is not needed [see item F].
For the "vulnerable" GRUB2, the developers implemented a "signature/authentication" bootloader protection algorithm.

  • When the bootloader is protected by "its own digital signature", external modification of files, or an attempt to load additional modules into this bootloader, causes the boot process to be blocked.
  • When the bootloader is protected by authentication, you must enter the GRUB2 superuser login and password to select a distribution to boot or to enter additional commands in the CLI.

C6.1. Bootloader authentication protection
Make sure you are working in a terminal of the encrypted OS

ls /<Tab-Tab> #find the marker file

create the superuser password for authorization in GRUB2

grub-mkpasswd-pbkdf2 #enter/repeat the superuser password.

Get the password hash. Something like this

grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8

mount the GRUB partition

mount /dev/sda6 /mnt

edit the config

nano -$ /mnt/boot/grub/grub.cfg 

Search the file to make sure there are no such flags anywhere in "grub.cfg" ("--unrestricted", "--user"),
add at the very end (before the line ### END /etc/grub.d/41_custom ###)
"set superusers="root"
password_pbkdf2 root hash."

It should look something like this

# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f ${config_directory}/custom.cfg ]; then
source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
source $prefix/custom.cfg;
fi
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
### END /etc/grub.d/41_custom ###
#

If you often use the command "grub-mkconfig -o /mnt/boot/grub/grub.cfg" and do not want to edit grub.cfg every time, put the lines above (Login:Password) at the very bottom of the GRUB user script

nano /etc/grub.d/41_custom 

cat <<EOF
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
EOF

When the config is generated with "grub-mkconfig -o /mnt/boot/grub/grub.cfg", the lines responsible for authentication are added to grub.cfg automatically.
This step completes the GRUB2 authentication setup.

C6.2. Bootloader protection with a digital signature
It is assumed that you already have your personal pgp encryption key (or that you create one). The system must have crypto software installed: gnuPG; kleopatra/GPA; Seahorse. Crypto software will make your life much easier in all such matters. Seahorse: stable package version 3.14.0 (higher versions, e.g. V3.20, are defective and have significant bugs).

The PGP key must be generated/run/added only in the su environment!

Generate a personal encryption key

gpg --gen-key

Export your key

gpg --export -o ~/perskey

Mount the logical disk in the OS if it is not already mounted

mount /dev/sda6 /mnt #sda6 is the GRUB2 partition

clean the GRUB2 partition

rm -rf /mnt/

Install GRUB2 on sda6, embedding your personal key in the main GRUB image "core.img"

grub-install --force --modules="gcry_sha256 gcry_sha512 signature_test gcry_dsa gcry_rsa" -k ~/perskey --root-directory=/mnt /dev/sda6

options
* --force - install the bootloader, bypassing all the warnings that always appear (required flag).
* --modules="gcry_sha256 gcry_sha512 signature_test gcry_dsa gcry_rsa" - tells GRUB2 to preload the required modules when the PC starts.
* -k ~/perskey - path to the "PGP key" (once the key has been packed into the image it can be deleted).
* --root-directory - set the boot directory to the root of sda6
* /dev/sda6 - your sdaX partition.

Generate/update grub.cfg

grub-mkconfig -o /mnt/boot/grub/grub.cfg

Add the line "trust /boot/grub/perskey" to the end of the "grub.cfg" file (this forces use of the pgp key). Since we installed GRUB2 with a set of modules that includes the signature module "signature_test.mod", this removes the need to add commands such as "set check_signatures=enforce" to the config.

It should look something like this (the final lines of the grub.cfg file)

### BEGIN /etc/grub.d/41_custom ###
if [ -f ${config_directory}/custom.cfg ]; then
source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
source $prefix/custom.cfg;
fi
trust /boot/grub/perskey
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
### END /etc/grub.d/41_custom ###
#

The path "/boot/grub/perskey" does not need to point to a specific disk partition, e.g. hd0,6; for the bootloader itself, "root" is the default path of the partition GRUB2 is installed on (see set root=...).

Sign GRUB2 (all files in all /GRUB directories) with your key "perskey".
A simple way to sign (nautilus/caja file manager): install the "seahorse" extension for the file manager from the repository. Your key must be added to the su environment.
Open the file manager with sudo at "/mnt/boot", then RMB > sign. The screen looks like this: [screenshot]

The key itself, "/mnt/boot/grub/perskey" (copy it to the grub directory), must also be signed with your own signature. Check that the [*.sig] signature files have appeared in the directory/subdirectories.
Using the method described above, sign "/boot" (our kernel, initrd). If your time is worth anything, this method removes the need to write a bash script to sign "a lot of files".

To remove all bootloader signatures (if something went wrong)

rm -f $(find /mnt/boot/grub -type f -name '*.sig')

So that the bootloader does not have to be re-signed after every system update, we freeze all update packages related to GRUB2.

apt-mark hold grub-common grub-pc grub-pc-bin grub2 grub2-common

This completes the <bootloader protection with a digital signature> step of the advanced GRUB2 configuration.

C6.3. Proof test of the GRUB2 bootloader protected by a digital signature and authentication
GRUB2. When you select any GNU/Linux distribution or enter the CLI (command line), superuser authorization is required. After entering the correct username/password, you will need the initrd password

Screenshot: successful GRUB2 superuser authentication.

If you tamper with any of the GRUB2 files / make changes to grub.cfg, or delete a file/signature, or load a malicious module.mod, a corresponding warning appears. GRUB2 stops the boot.

Screenshot: an attempt to interfere with GRUB2 "from outside".

During a "normal" boot "without intrusion", the system exit code status is "0". So it is unknown whether the protection is working or not (that is, "with or without bootloader signature protection" the status during a normal boot is the same "0"; this is bad).

How do you check the digital signature protection?

An inconvenient way to check: forge/remove a module used by GRUB2, e.g. remove the luks.mod.sig signature and get an error.

The correct way: go to the bootloader CLI and type the command

list_trusted

In response you should get the fingerprint of "perskey"; if the status is "0", then signature protection is not working; double-check section C6.2.
This completes the advanced configuration step "Protecting GRUB2 with a digital signature and authentication".
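
One way to check the two C6 protections from the running encrypted OS, as an added example that is not part of the original article: it lists every file under boot/grub on the mounted GRUB partition that has no detached .sig beside it and flags grub.cfg lines that weaken authentication. The function names and the mount root passed in are assumptions; it checks presence only, not signature validity.

```shell
#!/bin/bash
# Added example: audit of the C6.1/C6.2 setup on the mounted GRUB partition.

# unsigned_files DIR: print every regular file under DIR that has no detached
# "<file>.sig" beside it. With signature checking enforced GRUB2 refuses such files.
unsigned_files() {
    find "$1" -type f ! -name '*.sig' -print | LC_ALL=C sort |
    while IFS= read -r f; do
        [ -f "$f.sig" ] || printf '%s\n' "$f"
    done
}

# cfg_findings CFG: print one line per weakness found in a grub.cfg.
cfg_findings() {
    local cfg="$1"
    if [ ! -r "$cfg" ]; then echo "missing: $cfg"; return 0; fi
    grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$cfg" ||
        echo "missing: set superusers"
    grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]+[^[:space:]]+[[:space:]]+grub\.pbkdf2\.' "$cfg" ||
        echo "missing: password_pbkdf2 hash"
    grep -Eq '^[[:space:]]*trust[[:space:]]+[^[:space:]]' "$cfg" ||
        echo "missing: trust <key>"
    # A menu entry carrying --unrestricted boots without the superuser login.
    grep -n -e '--unrestricted' -- "$cfg" | sed 's/^/unrestricted entry at line /'
    # check_signatures=no switches verification off again after the key is trusted.
    if grep -Eq '^[[:space:]]*set[[:space:]]+check_signatures="?no' "$cfg"; then
        echo "signature checking disabled: check_signatures=no"
    fi
    return 0
}

# grub_sig_audit ROOT: ROOT is the mount point of the GRUB partition (/mnt in the article).
# Prints all findings; returns 0 when there are none, 1 otherwise.
grub_sig_audit() {
    local root="$1"
    local findings
    findings=$(
        unsigned_files "$root/boot/grub" | sed 's/^/unsigned: /'
        cfg_findings "$root/boot/grub/grub.cfg"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Script entry point: pass the mount point as the first argument.
if [ -n "${1:-}" ]; then
    grub_sig_audit "$1"
fi
```

Run it as grub_sig_audit /mnt after mounting sda6; gpg --verify <file>.sig <file> remains the cryptographic check for any single file.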

C7 An alternative method of protecting the GRUB2 bootloader using hashing
The "bootloader protection/authentication with a digital signature" method described above is the classic one. Because of GRUB2's imperfections, in paranoid conditions it is open to a real attack, which I describe below in section [F]. In addition, after the OS/kernel is updated the bootloader has to be re-signed.

Protecting the GRUB2 bootloader using hashing

Advantages over the classic method:

  • A higher level of reliability (hashing/verification is done only from the encrypted local resource. The whole partition allocated to GRUB2 is monitored for any change, and everything else is encrypted; in the classic scheme with digital-signature protection/authentication only the files are monitored, not the free space, into which "something sinister" can be added).
  • Encrypted logging (a human-readable personal encrypted log is added to the scheme).
  • Speed (protection/verification of the entire partition allocated to GRUB2 happens almost instantly).
  • Automation of all cryptographic processes.

Disadvantages compared with the classic method.

  • Signature forgery (theoretically, it is possible to find a collision for a given hash function).
  • Increased difficulty (compared with the classic method, slightly more GNU/Linux skills are required).

How the GRUB2/partition hashing idea works

The GRUB2 partition is "signed"; when the OS boots, the bootloader partition is checked for changes, followed by login to the secure (encrypted) environment. If the bootloader or its partition is compromised, then in addition to the intrusion log the following is launched:

[image]

The same check runs four times a day, which does not load system resources.
With the "-$ проверка_GRUB" ("check GRUB") command, an instant check is run at any time without logging, but with the information output to the CLI.
With the "-$ sudo подпись_GRUB" ("sign GRUB") command, the GRUB2 bootloader/partition is instantly re-signed and updated (necessary after an OS/boot update), and life goes on.

Implementing hashing of the bootloader and its partition

0) Sign the GRUB bootloader/partition, first mounting it at /media/username

-$ hashdeep -c md5 -r /media/username/GRUB > /podpis.txt

1) Create a script with no extension in the root of the encrypted OS, ~/podpis, and apply the necessary 744 security permissions and foolproofing to it.

Fill in its contents

#!/bin/bash

#Check the entire partition allocated to the GRUB2 bootloader for changes.
#A log of "intrusion/successful directory check" is kept; in short, a full log with triple verbosity. Attention! Mind the paths: keep the GRUB2 digital signature only on the encrypted OS GNU/Linux partition.
echo -e "******************************************************************\n" >> '/var/log/podpis.txt' && date >> '/var/log/podpis.txt' && hashdeep -vvv -a -k '/podpis.txt' -r '/media/username/GRUB' >> '/var/log/podpis.txt'

a=`tail '/var/log/podpis.txt' | grep failed` #do not use "cat"!!
b="hashdeep: Audit failed"

#Condition: on any change in the partition allocated to GRUB2, a second, separate short "intrusion only" log is written in addition to the full log, and a blinking "warning" gif is shown on the monitor.
if [[ "$a" = "$b" ]]
then
echo -e "****\n" >> '/var/log/vtorjenie.txt' && echo "vtorjenie" >> '/var/log/vtorjenie.txt' && date >> '/var/log/vtorjenie.txt' & sudo -u username DISPLAY=:0 eom '/warning.gif'
fi

Run the script from su; the hash of the GRUB partition and its bootloader will be checked, and the log saved.

For example, create or copy a "malicious file" [virus.mod] into the GRUB2 partition and run a one-off scan/test:

-$ hashdeep -vvv -a -k '/podpis.txt' -r '/media/username/GRUB'

In the CLI we should see an intrusion into our citadel #truncated CLI output

Ср янв  2 11::41 MSK 2020
/media/username/GRUB/boot/grub/virus.mod: Moved from /media/username/GRUB/1nononoshifr
/media/username/GRUB/boot/grub/i386-pc/mda_text.mod: Ok
/media/username/GRUB/boot/grub/grub.cfg: Ok
hashdeep: Audit failed
   Input files examined: 0
  Known files expecting: 0
          Files matched: 325
Files partially matched: 0
            Files moved: 1
        New files found: 0
  Known files not found: 0

#As you can see, "Files moved: 1" and "Audit failed" appear, which means the check failed.
Owing to the nature of the partition being tested, "Files moved" appears instead of "New files found".

2) Put the gif here > ~/warning.gif and set its permissions to 744.

3) Configure fstab to automount the GRUB partition at boot

-$ sudo nano /etc/fstab

LABEL=GRUB /media/username/GRUB ext4 defaults 0 0

4) Log rotation

-$ sudo nano /etc/logrotate.d/podpis 

/var/log/podpis.txt {
daily
rotate 50
size 5M
dateext
compress
delaycompress
olddir /var/log/old
}

/var/log/vtorjenie.txt {
monthly
rotate 5
size 5M
dateext
olddir /var/log/old
}

5) Add a cron job

-$ sudo crontab -e

@reboot '/podpis'
0 */6 * * * '/podpis'

6) Create permanent aliases

-$ sudo su
-$ echo "alias подпись_GRUB='hashdeep -c md5 -r /media/username/GRUB > /podpis.txt'" >> /root/.bashrc && bash
-$ echo "alias проверка_GRUB='hashdeep -vvv -a -k /podpis.txt -r /media/username/GRUB'" >> /root/.bashrc && bash

After an OS update -$ apt-get upgrade, re-sign our GRUB partition
-$ подпись_GRUB
At this point, hash protection of the GRUB partition is complete.
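
The same partition audit as an added example (not the article's script): a SHA-256 manifest built with coreutils instead of hashdeep's md5, which addresses the collision concern listed among the disadvantages above. The function names and the baseline path are assumptions; unlike hashdeep it does not track moved files, so a moved file shows up as one removal plus one addition.

```shell
#!/bin/bash
# Added example: SHA-256 manifest audit of the mounted GRUB partition.
# Keep the baseline file on the encrypted root, as the article does with /podpis.txt.

# grub_manifest DIR: print "<sha256>  ./relative/path" for every regular file,
# sorted by path so that two manifests of the same tree are byte-identical.
grub_manifest() {
    ( cd "$1" || exit 2
      find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum )
}

# grub_audit BASELINE DIR: print one line per difference between the baseline
# manifest and the current state of DIR.
# Returns 0 when nothing changed, 1 on any difference, 2 on bad input.
grub_audit() {
    local baseline="$1"
    local dir="$2"
    local report
    if [ ! -r "$baseline" ] || [ ! -d "$dir" ]; then
        echo "ERROR    baseline or directory missing" >&2
        return 2
    fi
    # awk reads the baseline file first, then the fresh manifest from stdin ("-").
    report=$(grub_manifest "$dir" | awk '
        # Strip the leading "<hash>  " so that paths containing spaces survive.
        function path_of(line) { sub(/^[^ ]+  /, "", line); return line }
        FILENAME == ARGV[1] { base[path_of($0)] = $1; next }
        {
            p = path_of($0); seen[p] = 1
            if (!(p in base))        print "ADDED    " p
            else if (base[p] != $1)  print "CHANGED  " p
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED  " p }
    ' "$baseline" - | LC_ALL=C sort)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Script entry point:
#   init  BASELINE DIR   record the trusted state (after signing/updating GRUB2)
#   check BASELINE DIR   audit; a non-zero exit status means the partition changed
case "${1:-}" in
    init)  grub_manifest "$3" > "$2" ;;
    check) grub_audit "$2" "$3" ;;
esac
```

The exit status lets the cron job from step 5 branch on the result directly instead of grepping the log for "failed".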

[D] Wiping - destroying unencrypted data

Delete your personal files so thoroughly that "even God cannot read them," as South Carolina representative Trey Gowdy put it.

As usual, there are various "myths and legends" about recovering data after it has been deleted from a hard drive. If you believe in cyber-witchcraft, or are a member of the Dr web community and have never tried to recover data after it was deleted/overwritten (for example, recovery with R-studio), then the proposed method is unlikely to suit you; use whatever is closest to you.

After GNU/Linux has been successfully migrated to an encrypted partition, the old copy must be deleted with no possibility of data recovery. A universal cleaning method: the free GUI software for Windows/Linux, BleachBit.
Quick-format the partition whose data must be destroyed (via Gparted), launch BleachBit, choose "Wipe free space", and select the partition (your sdaX with the old copy of GNU/Linux); the wiping process will start. BleachBit wipes the disk in one pass, which is what "we need". But! This only works in theory if you formatted the disk and cleaned it with BB v2.0 software.

Warning! BB wipes the disk but leaves metadata behind; file names are preserved when the data is erased (Ccleaner does not leave metadata).

And the myth about the possibility of data recovery is not entirely a myth. Bleachbit V2.0-2, a former package in unstable Debian (and any other similar software: sfill; wipe-Nautilus were also caught in this dirty business), really did have a critical bug: the "wipe free space" function works incorrectly on HDD/flash drives (ntfs/ext4). Software of this kind, when cleaning free space, does not overwrite the entire disk, as many users think. Some (a lot of) deleted data is treated by the OS/software as not deleted/user data, and when wiping free space (OSP) it skips these files. The problem is that after such a lengthy disk cleaning, "deleted files" can be recovered even after 3+ passes of disk wiping.
On GNU/Linux, in Bleachbit 2.0-2 the functions for permanently deleting files and directories work reliably, but free-space wiping does not. For comparison: on Windows, the CCleaner "OSP for ntfs" function works properly, and God really will not be able to read the deleted data.

And so, to thoroughly remove the old unencrypted "compromising" data, Bleachbit needs direct access to that data; then use the "permanently delete files/directories" function.
To remove "files deleted with the standard OS tools" on Windows, use CCleaner/BB with the "OSP" function. On GNU/Linux, for this problem (removing deleted files) you need to practise on your own (deleting data + an independent attempt to recover it, and you should not rely on the software version (if it is not a backdoor, then it is a bug)); only then will you understand the mechanism of this problem and get rid of deleted data completely.

I have not tested Bleachbit v3.0; the problem may already have been fixed.
Bleachbit v2.0 works honestly.

This completes the disk wiping step.

[E] Universal backup of an encrypted OS

Every user has their own way of backing up data, but the encrypted data of a system OS requires a slightly different approach to the task. Unified software such as Clonezilla and the like cannot work directly with encrypted data.

Statement of the problem of backing up encrypted block devices:

  1. universality - the same backup algorithm/software for Windows/Linux;
  2. the ability to work from the console of any live usb GNU/Linux without additional software downloads (but a GUI is still recommended);
  3. security of the backup copies - the stored "images" must be encrypted/password-protected;
  4. the size of the encrypted data must correspond to the size of the actual data being copied;
  5. convenient extraction of the needed files from the backup copy (no requirement to decrypt the whole partition first).

For example, backup/restore via the "dd" utility.

dd if=/dev/sda7 of=/path/sda7.img bs=7M conv=sync,noerror
dd if=/path/sda7.img of=/dev/sda7 bs=7M conv=sync,noerror

It meets almost all points of the task, but on point 4 it does not stand up to criticism, since it copies the entire disk partition, including free space; not interesting.

For example, a GNU/Linux backup via an archiver [tar | gpg] is convenient, but for a Windows backup you need to look for another solution; not interesting.

E1. Universal Windows/Linux backup. The rsync (Grsync) + VeraCrypt volume combination
Algorithm for creating a backup copy:

  1. create an encrypted VeraCrypt container (volume/file) for the OS;
  2. transfer/synchronize the OS into the VeraCrypt crypto container with the Rsync software;
  3. if necessary, upload the VeraCrypt volume to www.

Creating an encrypted VeraCrypt container has its own particulars:
creating a dynamic volume (creating a DT is available only on Windows; it can also be used on GNU/Linux);
creating a regular volume, but there is a requirement of a "paranoid nature" (according to the developer): formatting the container.

A dynamic volume is created almost instantly on Windows, but when data is copied from GNU/Linux > VeraCrypt DT, the overall performance of the backup operation drops significantly.

A regular 70 GB Twofish volume is created (let's say, on a PC of average power) on an HDD in ~half an hour (overwriting the former container data in one pass is due to security requirements). The quick-format function when creating a volume has been removed from VeraCrypt Windows/Linux, so creating a container is only possible via a "one-pass overwrite" or by creating a low-performance dynamic volume.

Create a regular VeraCrypt volume (not dynamic/ntfs); there should be no problems.

Configure/create/open the container in the VeraCrypt GUI > GNU/Linux live usb (the volume will be automounted at /media/veracrypt2; the Windows OS volume will be mounted at /media/veracrypt1). Create an encrypted backup of the Windows OS using the rsync GUI (grsync), ticking the checkboxes.

Wait for the process to finish. When the backup is complete, we will have a single encrypted file.

Likewise, create a backup copy of the GNU/Linux OS, unticking the "Windows compatibility" checkbox in the rsync GUI.

Warning! Create the Veracrypt container for the "GNU/Linux backup" with the ext4 file system. If you make the backup into an ntfs container, then when you restore such a copy you will lose all permissions/groups for all your data.

You can perform all operations in the terminal. Basic rsync options:
* -g - preserve groups;
* -P --progress - status of the time spent working on a file;
* -H - copy hardlinks as they are;
* -a - archive mode (multiple rlptgoD flags);
* -v - verbose.

If you want to mount the "Windows VeraCrypt volume" from the console with the cryptsetup software, you can create an alias (su)

echo "alias veramount='cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sdaX Windows_crypt && mount /dev/mapper/Windows_crypt /media/veracrypt1'" >> .bashrc && bash

Now the "veramount" command will prompt you for the passphrase, and the encrypted Windows system volume will be mounted in the OS.

Map/mount a VeraCrypt system volume with the cryptsetup command

cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sdaX Windows_crypt
mount /dev/mapper/Windows_crypt /mnt

Map/mount a VeraCrypt partition/container with the cryptsetup command

cryptsetup open --veracrypt --type tcrypt /dev/sdaY test_crypt
mount /dev/mapper/test_crypt /mnt

Instead of an alias, add the system volume with the Windows OS and an encrypted logical ntfs disk to GNU/Linux startup (a startup script)

Create a script and save it to ~/VeraOpen.sh
Base64 is only an encoding, not encryption: anyone who can read this file can recover the passphrase, so it belongs on the encrypted root with the permissions set below.

printf 'Ym9i' | base64 -d | cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sda3 Windows_crypt && mount /dev/mapper/Windows_crypt /media/Winda7 #decode the password from base64 (bob) and feed it to the passphrase prompt when mounting the Windows OS system disk.
printf 'Ym9i' | base64 -d | cryptsetup open --veracrypt --type tcrypt /dev/sda1 ntfscrypt && mount /dev/mapper/ntfscrypt /media/КонтейнерНтфс #likewise, but mounts the logical ntfs disk.

Set the "correct" permissions:

sudo chmod 100 /VeraOpen.sh

Create two identical files (same name!) in /etc/rc.local and ~/etc/init.d/rc.local
Fill in the files

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

sh -c "sleep 1 && '/VeraOpen.sh'" #after the OS boots, wait ~1 s and only then mount the disks.
exit 0

Set the "correct" permissions:

sudo chmod 100 /etc/rc.local && sudo chmod 100 /etc/init.d/rc.local 

That's it; now when GNU/Linux boots we do not need to enter passwords to mount the encrypted ntfs disks, the disks are mounted automatically.

A brief step-by-step note on what is described above in section E1 (but now for OS GNU/Linux)
1) Create an ext4 fs volume > 4gb (file) for Linux in Veracrypt [Cryptbox].
2) Reboot into the live usb.
3) ~$ cryptsetup open /dev/sda7 Linux #map the encrypted partition.
4) ~$ mount /dev/mapper/Linux /mnt #mount the encrypted partition at /mnt.
5) ~$ mkdir /mnt2 #create the directory for the future backup.
6) ~$ cryptsetup open --veracrypt --type tcrypt ~/CryptoBox CryptoBox && mount /dev/mapper/CryptoBox /mnt2 #map the Veracrypt volume named "CryptoBox" and mount CryptoBox at /mnt2.
7) ~$ rsync -avlxhHX --progress /mnt /mnt2/ #back up the encrypted partition into the encrypted Veracrypt volume.

(p/s/ Warning! If you are transferring an encrypted GNU/Linux from one architecture/machine to another, e.g. Intel > AMD (that is, deploying a backup from one encrypted partition onto another encrypted Intel > AMD partition), do not forget: after transferring the encrypted OS, edit the secret key that is substituted in place of the password. The previous key ~/etc/skey will no longer fit the other encrypted partition, and creating a new key with "cryptsetup luksAddKey" from under chroot is not advisable, since a glitch is possible; simply specify "none" instead of "/etc/skey" in ~/etc/crypttab temporarily, then reboot, log in to the OS and recreate your secret key).

As IT veterans, remember to make separate backups of the headers of the encrypted Windows/Linux OS partitions, or the encryption will turn against you.
This completes the backup of the encrypted OS.

[F] Attack on the GRUB2 bootloader

If you have protected your bootloader with a digital signature and/or authentication (see item C6.), this will not protect against physical access. The encrypted data will still be inaccessible, but bypassing the protection (resetting the digital signature protection) of GRUB2 allows a cyber-villain to inject his code into the bootloader without arousing suspicion (unless the user monitors the bootloader state by hand, or comes up with their own robust arbitrary script code for grub.cfg).

Attack algorithm. The intruder

* Boots the PC from a live usb. Any change (violation) of the files will notify the real owner of the PC about the intrusion into the bootloader. But a simple reinstall of GRUB2 that preserves grub.cfg (and the subsequent ability to edit it) allows the attacker to edit any files (in this case, when GRUB2 loads, the real user is not notified. The status is the same <0>)
* Mounts the unencrypted partition, saves "/mnt/boot/grub/grub.cfg".
* Reinstalls the bootloader (removing "perskey" from the core.img image)

grub-install --force --root-directory=/mnt /dev/sda6

Returns "grub.cfg" > "/mnt/boot/grub/grub.cfg", edits it if necessary, e.g. adding his own module "keylogger.mod" to the folder with the loader modules, and to "grub.cfg" > the line "insmod keylogger". Or, for example, if the adversary is cunning, after reinstalling GRUB2 (all signatures remain in place) he builds the main GRUB2 image using "grub-mkimage with the option (-c)". The "-c" option allows his own config to be loaded before the main "grub.cfg" is loaded. The config may consist of a single line: a redirect to any "modern.cfg", mixed in, for example, with the ~400 files (modules + signatures) in the "/boot/grub/i386-pc" folder. In this case the attacker can insert arbitrary code and load modules without affecting "/boot/grub/grub.cfg", even if the user applied a "hashsum" to the file and temporarily displayed it on the screen.
The attacker does not need to crack the GRUB2 superuser login/password; he only needs to copy the lines (responsible for authentication) from "/boot/grub/grub.cfg" into his "modern.cfg"

set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8

And the owner of the PC will still be authenticated as the GRUB2 superuser.

Chainloading (a bootloader loading another bootloader), as I wrote above, makes no sense (it is intended for a different purpose). An encrypted bootloader cannot be loaded because of the BIOS (chainloading restarts GRUB2 > encrypted GRUB2, error!). However, if you still use the idea of chainloading, you can be sure that it is the encrypted (unmodified) "grub.cfg" from the encrypted partition that gets loaded. This too is a false sense of security, because everything specified in the encrypted "grub.cfg" (module loading) adds to the modules loaded from the unencrypted GRUB2.

If you want to verify this, allocate/encrypt another partition sdaY, copy GRUB2 to it (installing it onto the encrypted partition with grub-install is not possible) and in "grub.cfg" (the unencrypted config) change lines like these

menuentry 'GRUBx2' --class parrot --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-382111a2-f993-403c-aa2e-292b5eac4780' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_msdos
insmod cryptodisk
insmod luks
insmod gcry_twofish
insmod gcry_twofish
insmod gcry_sha512
insmod ext2
cryptomount -u 15c47d1c4bd34e5289df77bcf60ee838
set root='cryptouuid/15c47d1c4bd34e5289df77bcf60ee838'
normal /boot/grub/grub.cfg
}

The lines:
* insmod - loads the modules needed to work with the encrypted disk;
* GRUBx2 - the name of the entry shown in the GRUB2 boot menu;
* cryptomount -u 15c47d1c4bd34e5289df77bcf60ee838 - see fdisk -l (sda9);
* set root - sets the root;
* normal /boot/grub/grub.cfg - the configuration file executed from the encrypted partition.

Confidence that it is the encrypted "grub.cfg" being loaded comes from the positive response to entering the password / unlocking "sdaY" when you select the "GRUBx2" line in the GRUB menu.

When working in the CLI, to avoid confusion (and to check whether the "set root" environment variable took effect), create empty marker files, for example "/shifr_grub" on the encrypted partition and "/noshifr_grub" on the unencrypted partition. Check in the CLI

cat /Tab-Tab

As noted above, this will not help against the loading of malicious modules if such modules end up on your PC. For example, a keylogger able to save keystrokes to a file and mix it in with other files in "~/i386" until it is retrieved by an attacker with physical access to the PC.

The simplest way to verify that digital-signature protection is active (has not been reset) and that nobody has intruded into the bootloader is to enter this command in the CLI

list_trusted

In response we get a copy of our "perskey", or nothing at all if we have been attacked (you also need to check "set check_signatures=enforce").
The major drawback of this step is that the commands are entered by hand. If you add this command to "grub.cfg" and protect the config with a digital signature, the preliminary on-screen output of the key copy is too short-lived, and you may not have time to see it before GRUB2 finishes loading.
There is no one in particular to complain to: the developer's documentation, section 18.2, officially states

"Note that even with GRUB password protection, GRUB itself cannot prevent someone with physical access to the machine from altering that machine's firmware (e.g., Coreboot or BIOS) configuration to cause the machine to boot from a different (attacker-controlled) device. GRUB is at best only one link in a secure boot chain."

GRUB2 is heavily overloaded with features that can give a false sense of security, and its development has already surpassed MS-DOS in functionality, yet it is a bootloader. It is laughable that GRUB2 "tomorrow" may become the OS, with bootable GNU/Linux virtual machines for it.

A short video about how I reset the GRUB2 digital-signature protection and declared my intrusion to a real user (I gave a scare, but instead of what is shown in the video, you could write harmless code / a .mod).

Conclusions:

1) Block system encryption on Windows is simpler to implement, and protection with a single password is more convenient than protection with several passwords in GNU/Linux block system encryption; to be fair, the latter is automated.

2) I wrote the article as a relevant, detailed, simple guide to full-disk encryption with VeraCrypt/LUKS on a single home machine, which is so far the best on the RuNet (IMHO). The guide is > 50k characters long, so it did not cover some interesting chapters: about cryptographers who disappear / stay in the shadows; about the fact that various GNU/Linux books write little or nothing about cryptography; about Article 51 of the Constitution of the Russian Federation; about the licensing/prohibition of encryption in the Russian Federation; about why you need to encrypt "root/boot". The guide turned out to be very large, but detailed (describing even simple steps); in turn, this will save you a lot of time when you get to "real encryption".

3) Full-disk encryption was performed on Windows 7 64; GNU/Linux Parrot 4x; GNU/Debian 9.0/9.5.

4) Carried out a successful attack on my own GRUB2 bootloader.

5) The tutorial was created to help all the confused people living in the CIS, where working with encryption is permitted at the legislative level. And first of all for those who want to roll out full-disk encryption without tearing down their configured systems.

6) Reworked and updated my manual, which is current for 2020.

[G] Useful documentation

  1. TrueCrypt User Guide (February 2012, RU)
  2. VeraCrypt Documentation
  3. /usr/share/doc/cryptsetup(-run) [local resource] (detailed official documentation on setting up GNU/Linux encryption with cryptsetup)
  4. Official cryptsetup FAQ (brief documentation on setting up GNU/Linux encryption with cryptsetup)
  5. LUKS device encryption (archlinux documentation)
  6. Detailed description of cryptsetup syntax (man page)
  7. Detailed description of crypttab (man page)
  8. Official GRUB2 documentation.

Tags: full-disk encryption, partition encryption, Linux full-disk encryption, LUKS1 full system encryption.


Do you encrypt?

  • 17.1%: I encrypt everything I can. I'm sorry. (14 votes)

  • 34.2%: I encrypt only important data. (28 votes)

  • 14.6%: Sometimes I encrypt, sometimes I forget. (12 votes)

  • 34.2%: No, I don't encrypt; it is inconvenient and expensive. (28 votes)

82 users voted. 22 users abstained.

Source: www.habr.com
