Unlocking LUKS containers at system boot

Good day and good night, everyone! This post will be useful to those who use LUKS data encryption and want to unlock additional disks under Linux (Debian, Ubuntu) during the stage where the root partition is decrypted. I could not find this information anywhere on the internet.

Recently, as the number of disks in the enclosures grew, I ran into the problem of unlocking disks with the well-known /etc/crypttab method. Personally, I would highlight several problems with that approach: the file is only read after the root partition has been loaded (mounted), which badly affects ZFS pool import, especially if the pool is built from partitions on *_crypt devices, or mdadm arrays that are likewise built from such partitions. We all know that LUKS containers can be partitioned, right? And there is also the problem of other services starting early, when the pools do not exist yet but I already need something from them (I work with clustered Proxmox VE 5.x and ZFS over iSCSI).

A bit about ZFS over iSCSI: in my setup iSCSI works through LIO, and in practice, when the iSCSI target starts and does not see the ZVOL devices, it simply drops them from its configuration, which prevents the guest systems from starting. So you either restore the json file or add the devices by hand with the identifier of every VM, which is simply awful when there are dozens of such machines and every configuration has more than one disk.

The second question I will look at is how to do the unlocking (this is the key point of the article). I will cover it below, so under the cut we go!

Most often, on the internet, a key file is used (added to a key slot beforehand with the command cryptsetup luksAddKey), or, more rarely (the Russian-language internet has very little information on it), the decrypt_derived script located in /lib/cryptsetup/scripts/ (of course there are other ways, but I used these two, and they form the basis of the article). I also aimed for full independence after a reboot, without any extra commands typed into the console, so that everything "comes up" at once. So, what are we waiting for?

Let's begin!

Let's assume a system, Debian for example, installed on the sda3_crypt crypto partition, and a dozen disks ready to be encrypted and set up however your heart desires. We have the passphrase to unlock sda3_crypt, and it is from this partition that we extract the "hash" of the passphrase on the running (decrypted) system and add it to the rest of the disks. It is all simple; in the console we run:

/lib/cryptsetup/scripts/decrypt_derived sda3_crypt | cryptsetup luksFormat /dev/sdX

where X stands for our disks, partitions, and so on.

After the disks have been encrypted with the "hash" of our passphrase, you need to find out their UUID or id, depending on who uses what and how. We take this data from /dev/disk/by-uuid and /dev/disk/by-id respectively.
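The "find out the UUID" step above is easy to get wrong by hand when there are a dozen disks, so here is an added example (my own code, not from the original post) that resolves the /dev/disk/by-uuid name of each freshly formatted device and emits the luksOpen lines that are pasted into the cryptroot script later on. The function names (uuid_of, open_line, gen_open_lines, demo_tree) are hypothetical, the by-uuid directory is a parameter so the code can be tried offline, and demo_tree builds a constructed fake /dev tree with made-up UUIDs.

```shell
#!/bin/sh
# Added example, not code from the original post. Resolves the stable
# /dev/disk/by-uuid name of each extra LUKS device and emits the luksOpen
# lines for the cryptroot edit. All function names are hypothetical.

# uuid_of DEV [BYUUID_DIR]: print the symlink name in BYUUID_DIR that resolves
# to DEV; return 1 when the device has no by-uuid entry (e.g. not formatted yet).
uuid_of() {
    dev_target=$(readlink -f "$1") || return 1
    byuuid_dir=${2:-/dev/disk/by-uuid}
    for link in "$byuuid_dir"/*; do
        [ -L "$link" ] || continue
        if [ "$(readlink -f "$link")" = "$dev_target" ]; then
            basename "$link"
            return 0
        fi
    done
    return 1
}

# open_line MAPNAME UUID: one line of the cryptroot edit. The passphrase is
# piped in from decrypt_derived; $crypttarget is deliberately left unexpanded,
# it is only defined when the cryptroot script runs at boot.
open_line() {
    printf '/bin/decrypt_derived "$crypttarget" | cryptsetup luksOpen /dev/disk/by-uuid/%s %s\n' "$2" "$1"
}

# gen_open_lines [BYUUID_DIR]: stdin holds "DEVICE MAPNAME" pairs, one per
# line (lines starting with '#' are comments); prints one luksOpen line per
# pair and fails on the first device that cannot be resolved.
gen_open_lines() {
    while read -r dev mapname; do
        case $dev in ''|\#*) continue ;; esac
        uuid=$(uuid_of "$dev" "${1:-/dev/disk/by-uuid}") || {
            echo "gen_open_lines: no by-uuid entry for $dev" >&2
            return 1
        }
        open_line "$mapname" "$uuid"
    done
}

# demo_tree: constructed fixture, a fake /dev tree under a temp directory with
# made-up UUIDs, so the functions can be tried without real disks.
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/dev/disk/by-uuid"
    : > "$root/dev/sdb"
    : > "$root/dev/sdc"
    ln -s ../../sdb "$root/dev/disk/by-uuid/1111-aaaa"
    ln -s ../../sdc "$root/dev/disk/by-uuid/2222-bbbb"
    printf '%s\n' "$root"
}

# Usage on a real system, after the luksFormat step:
#   printf '%s\n' '/dev/sdb sdb_crypt' '/dev/sdc sdc_crypt' | gen_open_lines
```

The generated lines use the by-uuid path because a UUID survives the device being renumbered between reboots, which is exactly the situation the post is trying to make robust; the by-id variant from the post works the same way if you prefer it.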

The next step is preparing the files and the small scripts for the functions we need; let's continue:

cp -p /usr/share/initramfs-tools/hooks/cryptroot /etc/initramfs-tools/hooks/
cp -p /usr/share/initramfs-tools/scripts/local-top/cryptroot /etc/initramfs-tools/scripts/local-top/

additionally

touch /etc/initramfs-tools/hooks/decrypt && chmod +x /etc/initramfs-tools/hooks/decrypt

Contents of ../decrypt

#!/bin/sh
# initramfs hook: copy the decrypt_derived keyscript into the image
case "$1" in prereqs) echo ""; exit 0 ;; esac
cp -p /lib/cryptsetup/scripts/decrypt_derived "$DESTDIR/bin/decrypt_derived"

additionally

touch /etc/initramfs-tools/hooks/partcopy && chmod +x /etc/initramfs-tools/hooks/partcopy

Contents of ../partcopy

#!/bin/sh
# initramfs hook: copy partprobe and the shared libraries it links against
case "$1" in prereqs) echo ""; exit 0 ;; esac
cp -p /sbin/partprobe "$DESTDIR/bin/partprobe"
cp -p /lib/x86_64-linux-gnu/libparted.so.2 "$DESTDIR/lib/x86_64-linux-gnu/libparted.so.2"
cp -p /lib/x86_64-linux-gnu/libreadline.so.7 "$DESTDIR/lib/x86_64-linux-gnu/libreadline.so.7"

a bit more

touch /etc/initramfs-tools/scripts/local-bottom/partprobe && chmod +x /etc/initramfs-tools/scripts/local-bottom/partprobe

Contents of ../partprobe

#!/bin/sh
# local-bottom script: runs at boot once the root device is up. DESTDIR is a
# build-time variable and is empty here, so call the copied binary directly.
case "$1" in prereqs) echo ""; exit 0 ;; esac
/bin/partprobe

and finally, before running update-initramfs, you need to edit the file /etc/initramfs-tools/scripts/local-top/cryptroot, starting at around line 360; the code snippet is below

Original


                # decrease $count by 1, apparently last try was successful.
                count=$(( $count - 1 ))
                
                message "cryptsetup ($crypttarget): set up successfully"
                break

and bring it to this form

Edited


                # decrease $count by 1, apparently last try was successful.
                count=$(( $count - 1 ))

                # unlock the extra containers with the key derived from the
                # root container; use either the by-uuid or the by-id path
                /bin/decrypt_derived "$crypttarget" | cryptsetup luksOpen /dev/disk/by-uuid/<UUID> <CRYPT_MAP>
                /bin/decrypt_derived "$crypttarget" | cryptsetup luksOpen /dev/disk/by-id/<ID> <CRYPT_MAP>

                message "cryptsetup ($crypttarget): set up successfully"
                break

Note that either the UUID or the id can be used here. The main thing is that the drivers required for the HDD/SSD devices are added to /etc/initramfs-tools/modules. You can find out which driver is in use with the command udevadm info -a -n /dev/sdX | egrep 'looking|DRIVERS'.

Now that everything is ready and all the files are in place, run update-initramfs -u -k all -v; the output must not contain any execution errors from our scripts. We reboot, enter the passphrase and wait a while, depending on the number of disks. The system then starts, and at the final stage of unlocking, after the root partition has been "raised", the partprobe command is executed: it finds and picks up all the partitions created on the LUKS devices, and any devices, be it ZFS or mdadm, are assembled without problems! And all of this happens before the basic services, and the services that need these disks/pools, are loaded.

Update 1: As AEP noticed, this method only works with LUKS1.
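Three things have to be right for the boot described above to succeed: the copied files really are inside the new initramfs, the controller drivers are listed in /etc/initramfs-tools/modules, and (per the update) every container is LUKS1. The following is an added example of my own, not code from the original post, that checks all three. Each check is a function that parses command output from stdin, so it can be exercised on constructed samples (sample_udev is a constructed excerpt in the shape of udevadm output); the "--live" mode feeds it real output from lsinitramfs, udevadm and cryptsetup. The function names are hypothetical; the paths in REQUIRED_IN_INITRAMFS are the ones from the post.

```shell
#!/bin/sh
# Added example, not code from the original post: sanity checks to run after
# update-initramfs. Function names are hypothetical; the required paths are
# the files the post's hooks copy into the image.

REQUIRED_IN_INITRAMFS='bin/decrypt_derived
bin/partprobe
lib/x86_64-linux-gnu/libparted.so.2
lib/x86_64-linux-gnu/libreadline.so.7
scripts/local-bottom/partprobe'

# missing_in_listing: stdin is "lsinitramfs IMAGE"; prints each required path
# that is absent and returns 1 if any is missing (a leading "./" is ignored).
missing_in_listing() {
    listing=$(sed 's#^\./##')
    rc=0
    for f in $REQUIRED_IN_INITRAMFS; do
        printf '%s\n' "$listing" | grep -qx "$f" || { echo "$f"; rc=1; }
    done
    return $rc
}

# drivers_from_udev: stdin is "udevadm info -a -n /dev/sdX"; prints the
# non-empty DRIVERS=="..." values up the parent chain, sorted and unique.
drivers_from_udev() {
    sed -n 's/^ *DRIVERS=="\([^"]*\)".*/\1/p' | grep -v '^$' | sort -u
}

# missing_modules "DRV1 DRV2 ...": stdin is /etc/initramfs-tools/modules;
# prints the drivers with no entry there and returns 1 if any is missing.
# Caveat: a driver name is not always a module name (the "sd" driver lives in
# sd_mod, which is built in on most kernels), so review the output by hand.
missing_modules() {
    mods=$(sed 's/#.*//' | awk 'NF { print $1 }')
    rc=0
    for d in $1; do
        printf '%s\n' "$mods" | grep -qx "$d" || { echo "$d"; rc=1; }
    done
    return $rc
}

# luks_version: stdin is "cryptsetup luksDump /dev/sdX"; prints the header
# version number. The post's update says this method only works with LUKS1.
luks_version() {
    sed -n 's/^Version:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# sample_udev: constructed excerpt in the shape of "udevadm info -a" output,
# for trying drivers_from_udev offline.
sample_udev() {
    cat <<'EOF'
  looking at device '/devices/pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/block/sda':
    KERNEL=="sda"
    SUBSYSTEM=="block"
    DRIVER==""
  looking at parent device '/devices/pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0':
    DRIVERS=="sd"
  looking at parent device '/devices/pci0000:00/0000:00:1f.2/ata1/host0':
    DRIVERS==""
  looking at parent device '/devices/pci0000:00/0000:00:1f.2':
    DRIVERS=="ahci"
EOF
}

# Live mode, e.g.: sh check.sh --live /dev/sdb /dev/sdc
if [ "${1:-}" = "--live" ]; then
    shift
    lsinitramfs "/boot/initrd.img-$(uname -r)" | missing_in_listing && echo "initramfs: all files present"
    for dev in "$@"; do
        echo "$dev: LUKS$(cryptsetup luksDump "$dev" | luks_version)"
        drivers=$(udevadm info -a -n "$dev" | drivers_from_udev)
        missing_modules "$drivers" < /etc/initramfs-tools/modules && echo "$dev: drivers listed in modules"
    done
fi
```

Run the live mode once after update-initramfs and before rebooting: a missing library or an absent driver module shows up here as a printed path or driver name, rather than as a root prompt in the initramfs shell after the reboot.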

Source: www.habr.com
