E nchafalitse tataiso ea hau ho encryption ea disk e felletseng ho RuNet V0.2.
Leano la Cowboy:
[A] Windows 7 block block encryption ea sistimi e kentsoeng;
[B] GNU/Linux thibela encryption (Debian) e kentsoeng tsamaiso (ho kenyeletsoa /boot);
[C] GRUB2 tlhophiso, ts'ireletso ea bootloader e nang le signature ea dijithale / netefatso / hashing;
[D] ho hlobola—tšenyo ea data e sa ngolisoang;
[E] bekapo ea bokahohle ea OS e patiloeng;
[F] hlasela <ka ntlha [C6]> target - GRUB2 bootloader;
[G] litokomane tse thusang.
╭───Scheme ea #room 40# :
├──╼ Windows 7 e kentsoe - encryption e felletseng ea sistimi, e sa patehileng;
├──╼ GNU/Linux e kentsoe (Debian le tse tsoang ho tse ling) - encryption e felletseng ea sistimi, ha e patehe(/, ho kenyeletsoa /boot; swap);
├──╼ li-bootloader tse ikemetseng: VeraCrypt bootloader e kenngoa ho MBR, GRUB2 bootloader e kenngoa karolong e atolositsoeng;
├──╼ha ho hlokahale ho kenya / ho kenya hape OS;
└──╼cryptographic software e sebelisitsoeng: VeraCrypt; cryptsetup; GnuPG; Seahorse; Hashdeep; GRUB2 ke mahala/mahala.
Morero o ka holimo o rarolla bothata ba "homote boot ho flash drive", e u lumella ho natefeloa ke OS e kentsoeng ea Windows/Linux le ho fapanyetsana data ka "mocha o kentsoeng" ho tloha ho OS ho ea ho e 'ngoe.
Odara ea boot ea PC (e 'ngoe ea likhetho):
- ho bulela mochine;
- ho kenya bootloader ea VeraCrypt (ho kenya phasewete e nepahetseng ho tla tsoela pele ho qala Windows 7);
- ho tobetsa konopo ea "Esc" ho tla kenya bootloader ea GRUB2;
- GRUB2 bootloader (khetha kabo/GNU/Linux/CLI), e tla hloka netefatso ea GRUB2 superuser <login/password>;
- ka mor'a ho netefatsa katleho le khetho ea kabo, o tla hloka ho kenya phasewete ho bula "/boot/initrd.img";
- ka mor'a ho kenya li-passwords tse se nang liphoso, GRUB2 e tla "hloka" ho kenngoa ha password (ea boraro, password ea BIOS kapa password ea akhaonto ea mosebelisi ea GNU/Linux - u se nahane) ho notlolla le ho bulela GNU/Linux OS, kapa ho kenya senotlolo sa lekunutu sebakeng sa othomathike (li-passwords tse peli + senotlolo, kapa senotlolo + senotlolo);
- ho kenella kantle ho tlhophiso ea GRUB2 ho tla emisa ts'ebetso ea boot ea GNU/Linux.
Mathata? Ho lokile, ha re e'o iketsetsa lits'ebetso.
Ha o arola hard drive (tafole ea MBR) PC e ke ke ea ba le likarolo tse kholo tsa 4, kapa tse 3 tse kholo le tse atolositsoeng, hammoho le sebaka se sa abuoang. Karolo e atolositsoeng, ho fapana le e kholo, e ka ba le likaroloana (li-drive tse utloahalang=karohano e atolositsoeng). Ka mantsoe a mang, "karohano e atolositsoeng" ho HDD e nka sebaka sa LVM bakeng sa mosebetsi o teng: encryption e felletseng ea sistimi. Haeba disk ea hau e arotsoe ka likarolo tse 4 tse kholo, o hloka ho sebelisa lvm, kapa ho fetola (ka mokhoa oa ho fomata) karolo ho tloha ka sehloohong ho ea ho e tsoetseng pele, kapa ka bohlale sebelisa likarolo tse 'nè' me u siee ntho e 'ngoe le e' ngoe e le joalo, ho fumana sephetho se lakatsehang. Leha o na le karohano e le 'ngoe ho disk ea hau, Gparted e tla u thusa ho arola HDD ea hau (bakeng sa likarolo tse ling) ntle le tahlehelo ea data, empa ho ntse ho e-na le kotlo e nyenyane bakeng sa liketso tse joalo.
Sekema sa sebopeho sa hard drive, mabapi le seo sengoloa sohle se tla buuoa ka sona, se hlahisoa tafoleng e ka tlase.
Lethathamo (No. 1) ea likarolo tsa 1TB.
Le uena u lokela ho ba le ntho e tšoanang.
sda1 - karohano e kholo No. 1 NTFS (encrypted);
sda2 - letšoao le atolositsoeng la karolo;
sda6 - disk e utloahalang (e na le bootloader ea GRUB2 e kentsoeng);
sda8 - swap (faele e encrypted swap / eseng kamehla);
sda9 - disk e utloahalang ea teko;
sda5 - disk e utloahalang bakeng sa ba batlang ho tseba;
sda7 - GNU/Linux OS (e fetiselitsoeng OS ho disk e encrypted logic);
sda3 - karohano e kholo No. 2 e nang le Windows 7 OS (encrypted);
sda4 - karolo e kholo No. 3 (e ne e na le GNU/Linux e sa ngolisoang, e sebelisetsoang ho boloka / eseng kamehla).
[A] Windows 7 System Block Encryption
A1. VeraCrypt
Khoasolla ho tsoa ho , kapa ho tloha seiponeng mofuta oa ho kenya software ea VeraCrypt cryptographic (ka nako ea ho phatlalatsoa ha sengoloa sa v1.24-Update3, mofuta o nkehang oa VeraCrypt ha oa tšoaneleha bakeng sa encryption ea sistimi). Lekola cheke ea software e jarollotsoeng
$ Certutil -hashfile "C:VeraCrypt Setup 1.24.exe" SHA256
'me u bapise sephetho le CS e behiloeng webosaeteng ea mohlahlami oa VeraCrypt.
Haeba software ea HashTab e kentsoe, ho bonolo le ho feta: RMB (VeraCrypt Setup 1.24.exe)-properties - kakaretso ea hash ea lifaele.
Ho netefatsa tshaeno ea lenaneo, software le senotlolo sa pgp sa sechaba se tlameha ho kenngoa tsamaisong. ; .
A2. Ho kenya / ho tsamaisa software ea VeraCrypt e nang le litokelo tsa batsamaisi
A3. Ho khetha liparamente tsa encryption ea sistimi bakeng sa karohano e sebetsangVeraCrypt - Sistimi - Encrypt partition / disk - Tloaelehileng - Encrypt Windows system partition - Multiboot - (temoso: "Basebelisi ba se nang boiphihlelo ha ba khothalletsoe ho sebelisa mokhoa ona" 'me sena ke' nete, re lumellana le "Ee") - Boot disk (“ee”, leha ho se joalo, e ntse e le “e”) - Palo ea li-disk tsa "2 kapa ho feta" - Litsamaiso tse 'maloa ho disk e le' ngoe "Ee" - "Non-Windows bootloader" "Che" (ha e le hantle, "E," empa li-bootloader tsa VeraCrypt / GRUB2 li ke ke tsa arolelana MBR har'a tsona; ka ho toba, ke karolo e nyenyane feela ea khoutu ea bootloader e bolokiloeng pina ea MBR / boot, karolo e kholo ea eona ke e fumanehang ka har'a sistimi ea faele) - Multiboot - Litlhophiso tsa encryption…
Haeba u kheloha mehatong e kaholimo (li-block system encryption schemes), ebe VeraCrypt e tla fana ka temoso 'me e ke ke ea u lumella ho koala karohano.
Mohato o latelang o lebisang ts'ireletso ea data e lebisitsoeng, etsa "Teko" 'me u khethe algorithm ea encryption. Haeba u na le CPU ea khale, ho ka etsahala hore ebe algorithm e potlakileng haholo e tla ba Twofish. Haeba CPU e le matla, u tla hlokomela phapang: AES encryption, ho ea ka liphetho tsa liteko, e tla ba makhetlo a 'maloa ka potlako ho feta bahlolisani ba eona ba crypto. AES ke algorithm e tsebahalang ea encryption; lisebelisoa tsa li-CPU tsa sejoale-joale li ntlafalitsoe ka ho khetheha bakeng sa "sephiri" le "hacking".
VeraCrypt e ts'ehetsa bokhoni ba ho patala li-disk ka har'a cascade ea AES(Litlhapi tse peli)/le metswako e meng. Ho Intel CPU ea khale ho tloha lilemong tse leshome tse fetileng (ntle le tšehetso ea hardware bakeng sa AES, A/T cascade encryption) Ho fokotseha ha ts'ebetso ha e le hantle ha ho bonahale. (bakeng sa li-CPU tsa AMD tsa nako e tšoanang / ~ liparamente, ts'ebetso e fokotsehile hanyane). OS e sebetsa ka matla 'me tšebeliso ea lisebelisoa bakeng sa encryption e hlakileng ha e bonahale. Ho fapana le hoo, mohlala, ho fokotseha ho hlokomelehang ha ts'ebetso ka lebaka la tlhahlobo e kentsoeng e sa tsitsang tikolohong ea komporo Mate v1.20.1 (kapa v1.20.2 Ha ke hopole hantle) ho GNU/Linux, kapa ka lebaka la ts'ebetso ea mokhoa oa telemetry ho Windows7↑. Ka tloaelo, basebelisi ba nang le boiphihlelo ba etsa liteko tsa ts'ebetso ea Hardware pele ho encryption. Mohlala, ho Aida64/Sysbench/systemd-analyze blame e bapisoa le liphetho tsa liteko tse ts'oanang ka mor'a ho notlela sisteme, ka hona ba hanana le tšōmo ea bona ea hore "system encryption e kotsi." Ho fokotseha ha mochine le ho senyeha hoa hlokomeleha ha u tšehetsa / ho tsosolosa lintlha tse patiloeng, hobane ts'ebetso ea "backup data" ka boeona ha e lekanngoe ka ms, 'me tse tšoanang <decrypt/encrypt on the fly> lia eketsoa. Qetellong, mosebelisi e mong le e mong ea lumelletsoeng ho qhekella ka li-cryptography o lekanya algorithm ea encryption khahlano le khotsofalo ea mesebetsi e teng, boemo ba bona ba paranoia, le boiketlo ba ts'ebeliso.
Ho molemo ho tlohela parameter ea PIM e le ea kamehla, e le hore ha u kenya OS ha ua tlameha ho kenya litekanyetso tse nepahetseng tsa ho pheta-pheta nako le nako. VeraCrypt e sebelisa palo e kholo ea ho pheta-pheta ho theha "hash e butle" e le kannete. Tlhaselo ea "crypto snail" e joalo e sebelisang mokhoa oa litafole tsa Brute force / mookoli e utloahala feela ka poleloana e khuts'oane e "bonolo" le lethathamo la charset ea motho ea hlasetsoeng. Theko ea ho lefella matla a password ke ho lieha ho kenya phasewete e nepahetseng ha o kenya OS. (ho phahamisa meqolo ea VeraCrypt ho GNU/Linux ho potlakile haholo).
Software ea mahala ea ho kenya ts'ebetsong litlhaselo tsa brute force ( ntša poleloana ho tsoa ho VeraCrypt/LUKS sehlooho sa disk) Hashcat. John the Ripper ha a tsebe ho "senya Veracrypt", mme ha a sebetsa le LUKS ha a utloisise li-cryptography tsa Twofish.
Ka lebaka la matla a cryptographic a li-algorithms tsa encryption, li-cypherpunks tse sa tsitsang li ntse li hlahisa software e nang le vector e fapaneng ea tlhaselo. Mohlala, ho ntša metadata/linotlolo ho tsoa ho RAM (tlhaselo e batang ea ho kena / ho fihlella mohopolo o tobileng), Ho na le software e khethehileng ea mahala le e seng mahala bakeng sa merero ena.
Ha o qetile ho theha / ho hlahisa "metadata e ikhethang" ea karohano e sebetsang e kentsoeng, VeraCrypt e tla fana ka ho qala PC bocha le ho leka ts'ebetso ea bootloader ea eona. Kamora ho qala bocha/ho qala Windows, VeraCrypt e tla kenya maemong a standby, se setseng ke ho netefatsa ts'ebetso ea encryption - Y.
Bohatong ba ho qetela ba encryption ea sistimi, VeraCrypt e tla fana ka tlhahiso ea ho etsa kopi ea "backup" ea sehlooho sa karolo e sebetsang e patiloeng ka mokhoa oa "veracrypt rescue disk.iso" - sena se tlameha ho etsoa - ho software ena ts'ebetso e joalo ea hlokahala (ho LUKS, joalo ka tlhokahalo - ka bomalimabe sena se siiloe, empa se hatisoa litokomaneng). Rescue disk e tla thusa motho e mong le e mong, 'me bakeng sa ba bang ho feta hang. Tahlehelo (hlooho/MBR ngola bocha) kopi ea "backup" ea hlooho e tla hana ka ho sa feleng phihlello ea karohano e sirelelitsoeng ka OS Windows.
A4. Ho theha VeraCrypt pholoso ea USB/diskKa ho sa feleng, VeraCrypt e fana ka ho chesa "~ 2-3MB ea metadata" ho CD, empa ha se batho bohle ba nang le li-disk kapa li-drive tsa DWD-ROM, 'me ho theha bootable flash drive "VeraCrypt Rescue disk" e tla ba ntho e makatsang ho ba bang: Rufus / GUIdd-ROSA ImageWriter le lisebelisoa tse ling tse tšoanang li ke ke tsa khona ho sebetsana ka katleho le mosebetsi ona, hobane ntle le ho kopitsa metadata ea offset ho bootable flash drive, o hloka ho kopitsa / ho beha setšoantšo ka ntle ho tsamaiso ea faele ea USB drive, ka bokhutšoanyane, ka nepo kopitsa MBR / tsela ho keychain. U ka etsa bootable flash drive ho tloha GNU/Linux OS u sebelisa "dd" utility, sheba letšoao lena.
Ho theha disk ea pholoso tikolohong ea Windows ho fapane. Moqapi oa VeraCrypt ha a ka a kenyelletsa tharollo ea bothata bona ho ofisiri ka "rescue disk", empa o ile a etsa tlhahiso ea tharollo ka tsela e fapaneng: o ile a beha software e eketsehileng bakeng sa ho theha "usb pholoso disk" bakeng sa ho fumana mahala ho seboka sa hae sa VeraCrypt. Setsebi sa polokelo ea lisebelisoa tsa Windows ke "ho theha disk ea pholoso ea usb veracrypt". Ka mor'a ho boloka disk.iso ea pholoso, mokhoa oa ho thibela mokhoa oa ho thibela karolo e sebetsang o tla qala. Nakong ea encryption, ts'ebetso ea OS ha e emise; ho qala PC ha ho hlokahale. Ha ho phetheloa ts'ebetso ea encryption, karohano e sebetsang e ba e kentsoeng ka botlalo mme e ka sebelisoa. Haeba mochine oa bootloader oa VeraCrypt o sa hlahe ha o qala PC, 'me ts'ebetso ea ho tsosolosa hlooho ha e thuse, joale hlahloba "boot" folakha, e tlameha ho behoa karolong eo Windows e leng teng. (ho sa tsotellehe encryption le OS tse ling, bona tafole No. 1).
Sena se phethela tlhaloso ea block system encryption le Windows OS.
[B]LUKS. GNU/Linux encryption (~Debian) e kentse OS. Algorithm le Mehato
E le hore u koahele kabo e kentsoeng ea Debian / derivative, u hloka ho etsa 'mapa oa karohano e lokiselitsoeng ho sesebelisoa sa block block, se fetisetse ho disk ea GNU/Linux e entsoeng ka 'mapa,' me u kenye / u lokise GRUB2. Haeba u sena seva sa tšepe se se nang letho, 'me u nka nako ea hau e le ea bohlokoa, joale u lokela ho sebelisa GUI,' me boholo ba litaelo tsa terminal tse hlalositsoeng ka tlase li reretsoe ho tsamaisoa ka "Chuck-Norris mode".
B1. Ho qala PC ho tsoa ho usb e phelang GNU/Linux
"Etsa tlhahlobo ea crypto bakeng sa ts'ebetso ea hardware"
lscpu && сryptsetup benchmark
Haeba u le mong'a koloi e matla e nang le tšehetso ea hardware ea AES, joale lipalo li tla shebahala joaloka lehlakoreng le letona la terminal; haeba u le mong'a ea thabileng, empa ka lisebelisoa tsa khale, lipalo li tla shebahala joaloka lehlakoreng le letšehali.
B2. Disk partitioning. ho kenya / ho hlophisa fs logic disk HDD ho Ext4 (Gparted)
B2.1. Ho theha sehlooho se kentsoeng sa sda7 partition headerKe tla hlalosa mabitso a li-partitions, mona le ho feta, ho latela tafole ea ka ea karohano e behiloeng ka holimo. Ho ea ka sebopeho sa disk ea hau, u tlameha ho kenya mabitso a karohano ea hau.
'Mapa oa "Logic Drive Encryption" (/dev/sda7> /dev/mapper/sda7_crypt).
#Ho theha karohano e bonolo ea "LUKS-AES-XTS"
cryptsetup -v -y luksFormat /dev/sda7Khetho:
* luksFormat - ho qala hlooho ea LUKS;
* -y -passphrase (eseng senotlolo / faele);
* -v -verbalization (ho bonts'a tlhahisoleseling ho terminal);
* /dev/sda7 - disk ea hau e utloahalang ho tloha karolong e atolositsoeng (moo ho reriloeng ho fetisetsa/encrypting GNU/Linux).
Algorithm ea kamehla ea encryption <LUKS1: aes-xts-plain64, Senotlolo: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom> (ho ipapisitse le mofuta oa cryptsetup).
#Проверка default-алгоритма шифрования
cryptsetup --help #самая последняя строка в выводе терминала.Haeba ho se na tšehetso ea hardware bakeng sa AES ho CPU, khetho e ntle ka ho fetisisa e ka ba ho theha "LUKS-Twofish-XTS-partition" e atolositsoeng.
B2.2. Tlhahiso e tsoetseng pele ea "LUKS-Twofish-XTS-partition"
cryptsetup luksFormat /dev/sda7 -v -y -c twofish-xts-plain64 -s 512 -h sha512 -i 1500 --use-urandom
Khetho:
* luksFormat - ho qala hlooho ea LUKS;
* /dev/sda7 ke disk ea hau ea bokamoso e kentsoeng ka mokhoa o hlakileng;
* -v ho bua ka mantsoe;
* -y polelo ea mantsoe;
* -c khetha algorithm ea encryption ea data;
* -s boholo ba senotlolo sa encryption;
* -h hashing algorithm/crypto function, RNG e sebelisitsoeng (--sebelisa-random) ho hlahisa senotlolo se ikhethileng sa encryption / decryption bakeng sa hlooho ea disk e utloahalang, senotlolo sa hlooho sa bobeli (XTS); senotlolo se ikhethileng se bolokiloeng hloohong ea disk e encrypted, senotlolo sa XTS sa bobeli, metadata ena kaofela le mokhoa oa ho notlolla, oo, ka ho sebelisa senotlolo le senotlolo sa XTS, o koalang / o hlakola data efe kapa efe e karohanong. (ntle le sehlooho sa karolo) e bolokiloe ka ~ 3MB karolong e khethiloeng ea disk e thata.
* -i ho pheta-pheta ka milliseconds, sebakeng sa "chelete" (nako ea ho lieha ha ho sebetsa poleloana e amang ho roala ha OS le matla a cryptographic a linotlolo). Ho boloka ho leka-lekana ha matla a cryptographic, ka password e bonolo joalo ka "Serussia" o hloka ho eketsa -(i) boleng; ka password e rarahaneng joalo ka "?8dƱob/øfh" boleng bo ka fokotsoa.
* - Sebelisa jenereithara e sa reroang ea linomoro, e hlahisa linotlolo le letsoai.
Kamora 'mapa oa karolo sda7> sda7_crypt (ts'ebetso e potlakile, kaha hlooho e patiloeng e entsoe ka ~ 3 MB ea metadata mme ke phetho), o hloka ho fomata le ho kenya sistimi ea faele ea sda7_crypt.
B2.3. Papiso
cryptsetup open /dev/sda7 sda7_crypt
#выполнение данной команды запрашивает ввод секретной парольной фразы.
dikgetho:
* bula - bapisa karolo "le lebitso";
* / dev/sda7 -logical disk;
* sda7_crypt - 'mapa oa mabitso o sebelisetsoang ho kenya karohano e patiloeng kapa ho e qala ha OS e qala.
B2.4. Ho hlophisa sistimi ea faele ea sda7_crypt ho ext4. Ho kenya disk ho OS(Tlhokomeliso: u ke ke ua khona ho sebetsa ka karohano e patiloeng ho Gparted)
#форматирование блочного шифрованного устройства
mkfs.ext4 -v -L DebSHIFR /dev/mapper/sda7_crypt
dikgetho:
* -v -ho bua ka mantsoe;
* -L - label ea drive (e bonts'itsoeng ho Explorer har'a li-drive tse ling).
Ka mor'a moo, o lokela ho kenya sesebelisoa sa "block-encrypted" /dev/sda7_crypt ho sistimi
mount /dev/mapper/sda7_crypt /mntHo sebetsa ka lifaele tse ka har'a foldara ea / mnt ho tla hlakola / ho hlakola data ka bo eona ho sda7.
Ho bonolo haholoanyane ho etsa 'mapa le ho kenya karohano ho Explorer (nautilus/caja GUI), karohano e tla be e se e le lethathamong la khetho ea disk, se setseng ke ho kenya poleloana ea ho bula / ho hlakola disk. Lebitso le ts'oanang le tla khethoa ka bohona eseng "sda7_crypt", empa ntho e kang /dev/mapper/Luks-xx-xx...
B2.5. Boloka sehlooho sa disk (~3MB metadata)E 'ngoe ea tse ngata bohlokoa ts'ebetso e hlokang ho etsoa ntle le tieho - kopi ea "backup" ea "sda7_crypt". Haeba u ngola / senya hlooho (mohlala, ho kenya GRUB2 karolong ea sda7, joalo-joalo), data e patiloeng e tla lahleha ka ho feletseng ntle le monyetla oa ho e khutlisa, hobane ho ke ke ha khoneha ho hlahisa linotlolo tse tšoanang; linotlolo li bōpiloe ka tsela e ikhethang.
#Бэкап заголовка раздела
cryptsetup luksHeaderBackup --header-backup-file ~/Бэкап_DebSHIFR /dev/sda7
#Восстановление заголовка раздела
cryptsetup luksHeaderRestore --header-backup-file <file> <device>
dikgetho:
* luksHeaderBackup —header-backup-file -backup taelo;
* luksHeaderRestore —header-backup-file -restore command;
* ~/Backup_DebSHIFR - faele ea ho boloka;
* /dev/sda7 - karohano eo kopi ea eona e kentsoeng ka hlooho ea disk e lokelang ho bolokoa.
Mohato ona <ho theha le ho hlophisa karohano e patiloeng> e phethiloe.
B3. Ho tsamaisa GNU/Linux OS (sda4) ho karohano e patiloeng (sda7)
Etsa foldara /mnt2 (Hlokomela - re ntse re sebetsa le live usb, sda7_crypt e behiloe ho /mnt), 'me u kenye GNU/Linux ea rona ho /mnt2, e hlokang ho ngolisoa.
mkdir /mnt2
mount /dev/sda4 /mnt2
Re etsa phetiso e nepahetseng ea OS re sebelisa software ea Rsync
rsync -avlxhHX --progress /mnt2/ /mntLikhetho tsa Rsync li hlalositsoe serapeng sa E1.
E latelang hoa hlokahala defragment karohano ea disk e utloahalang
e4defrag -c /mnt/ #после проверки, e4defrag выдаст, что степень дефрагментации раздела~"0", это заблуждение, которое может вам стоить существенной потери производительности!
e4defrag /mnt/ #проводим дефрагментацию шифрованной GNU/Linux
Etsa molao: etsa e4defrag ho GNU/LINux e patiloeng nako le nako haeba u na le HDD.
Phetisetso le khokahano [GNU/Linux > GNU/Linux-encrypted] e phethetsoe mohatong ona.
AT 4. Ho theha GNU/Linux karohanong e kentsoeng ea sda7
Kamora ho fetisa ka katleho OS / dev/sda4> /dev/sda7, o hloka ho kena ho GNU/Linux karohanong e patiloeng ebe o etsa tlhophiso e eketsehileng. (ntle le ho qala PC hape) e amanang le sistimi e patiloeng. Ke hore, e-ba ho usb e phelang, empa u phethe litaelo "tse amanang le motso oa OS e patiloeng." "chroot" e tla etsisa boemo bo tšoanang. Ho fumana kapele tlhahisoleseling mabapi le OS eo u sebetsang le eona hajoale (e patiloe kapa che, kaha data e ho sda4 le sda7 li hokahantsoe), desynchronize OS. Etsa li-directory tsa metso (sda4/sda7_crypt) lifaele tse se nang letho, mohlala, /mnt/encryptedOS le /mnt2/decryptedOS. Sheba ka potlako hore na o ho OS efe (ho kenyeletsoa le bokamoso):
ls /<Tab-Tab>B4.1. "Papiso ea ho kena ka har'a OS e patiloeng"
mount --bind /dev /mnt/dev
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
chroot /mnt
B4.2. Ho netefatsa hore mosebetsi o etsoa khahlano le sistimi e patiloeng
ls /mnt<Tab-Tab>
#и видим файл "/шифрованнаяОС"
history
#в выводе терминала должна появиться история команд su рабочей ОС.B4.3. Ho theha / ho hlophisa swap e patiloeng, ho hlophisa crypttab/fstabKaha faele ea swap e hlophisitsoe nako le nako ha OS e qala, ha ho utloahale ho theha le ho fetola 'mapa ho disk e utloahalang hona joale, le ho ngola litaelo joaloka serapeng sa B2.2. Bakeng sa Swap, linotlolo tsa eona tsa nakoana tsa encryption li tla hlahisoa ka bo eona qalong. Phetoho ea bophelo ba linotlolo tsa swap: karohano ea ho theola / ho theola (+ho hloekisa RAM); kapa qala OS hape. Ho theha swap, ho bula faele e ikarabellang bakeng sa ho hlophisoa ha lisebelisoa tse patiloeng (e tšoanang le faele ea fstab, empa e ikarabella bakeng sa crypto).
nano /etc/crypttab rea fetola
#"lebitso la sepheo" "sesebelisoa sa mohloli" "faele ea bohlokoa" "likgetho"
swap /dev/sda8 /dev/urandom swap,cipher=twofish-xts-plain64,size=512,hash=sha512
Khetho
* fapanyetsana - lebitso la 'mapa ha u notlela /dev/mapper/swap.
* /dev/sda8 - sebelisa karohano ea hau e utloahalang bakeng sa ho fapanyetsana.
* /dev/urandom - jenereithara ea linotlolo tsa encryption tse sa reroang bakeng sa phapanyetsano (ka bootle e 'ngoe le e' ngoe e ncha ea OS, linotlolo tse ncha lia etsoa). Jenereithara ea / dev/urandom ha e na letho ho feta / dev / random, ka mor'a hore tsohle / dev/random e sebelisoa ha e sebetsa maemong a kotsi a paranoid. Ha o kenya OS, /dev/random e liehisa ho jarolla ka metsotso e mengata ± (sheba systemd-analyze).
* swap,cipher=twofish-xts-plain64,size=512,hash=sha512: -karohano e tseba hore e swap mme e hlophisitswe “ho ya ka”; algorithm ea encryption.
#Открываем и правим fstab
nano /etc/fstab
rea fetola
# swap e ne e le ka / dev / sda8 nakong ea ho kenya
/dev/mapper/swap ha ho na swap sw 0 0
/dev/mapper/swap ke lebitso le behiloeng ho crypttab.
Phetoho e 'ngoe e patiloeng
Haeba ka lebaka le itseng u sa batle ho tlohela karohano eohle bakeng sa faele ea swap, joale u ka nka tsela e 'ngoe hape e betere: ho theha faele ea swap faeleng e karohano e patiloeng le OS.
fallocate -l 3G /swap #создание файла размером 3Гб (почти мгновенная операция)
chmod 600 /swap #настройка прав
mkswap /swap #из файла создаём файл подкачки
swapon /swap #включаем наш swap
free -m #проверяем, что файл подкачки активирован и работает
printf "/swap none swap sw 0 0" >> /etc/fstab #при необходимости после перезагрузки swap будет постоянныйSetapo sa partition ea swap se felile.
B4.4. Ho theha GNU/Linux e kentsoeng (ho hlophisa lifaele tsa crypttab/fstab)Faele ea /etc/crypttab, joalokaha e ngotsoe ka holimo, e hlalosa lisebelisoa tse thibelang tse kentsoeng tse hlophisitsoeng nakong ea boot system.
#правим /etc/crypttab
nano /etc/crypttab
haeba u bapisa karolo ea sda7>sda7_crypt joalo ka serapeng sa B2.1
# "lebitso la sepheo" "sesebelisoa sa mohloli" "faele ea bohlokoa" "khetho"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 none luks
haeba u bapisa karolo ea sda7>sda7_crypt joalo ka serapeng sa B2.2
# "lebitso la sepheo" "sesebelisoa sa mohloli" "faele ea bohlokoa" "khetho"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 none cipher=twofish-xts-plain64,size=512,hash=sha512
haeba u bapisa karolo ea sda7> sda7_crypt joalo ka serapeng sa B2.1 kapa B2.2, empa u sa batle ho kenya phasewete hape ho notlolla le ho qalisa OS, joale sebakeng sa phasewete u ka kenya konopo ea lekunutu / faele e sa reroang.
# "lebitso la sepheo" "sesebelisoa sa mohloli" "faele ea bohlokoa" "khetho"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 /etc/skey luks
tlhaloso
* ha ho le e 'ngoe - e tlaleha hore ha o kenya OS, ho kenya phasewete ea lekunutu ho hlokahala ho notlolla motso.
* UUID - sekhetho sa karohano. Ho tseba ID ea hau, thaepa ho terminal (hopotsa hore ho tloha nakong ena ho ea pele, u sebetsa sebakeng sa marang-rang sebakeng sa chroot, eseng sebakeng se seng sa usb se phelang).
fdisk -l #проверка всех разделов
blkid #должно быть что-то подобное
/dev/sda7: UUID=«81048598-5bb9-4a53-af92-f3f9e709e2f2» TYPE=«crypto_LUKS» PARTUUID=«0332d73c-07»
/dev/mapper/sda7_crypt: LABEL=«DebSHIFR» UUID=«382111a2-f993-403c-aa2e-292b5eac4780» TYPE=«ext4»
mohala ona oa bonahala ha o kopa blkid ho terminal ea usb e nang le sda7_crypt e kentsoeng).
U nka UUID ho sdaX ea hau (eseng sdaX_crypt!, UUID sdaX_crypt - e tla sala ka bo eona ha e hlahisa grub.cfg config).
* cipher=twofish-xts-plain64,size=512,hash=sha512 -luks encryption ka mokhoa o tsoetseng pele.
* /etc/skey - faele ea senotlolo sa lekunutu, e kentsoeng ka bo eona ho notlolla boot ea OS (ho e-na le ho kenya phasewete ea 3rd). O ka hlakisa faele efe kapa efe ho fihla ho 8MB, empa data e tla baloa <1MB.
#Создание "генерация" случайного файла <секретного ключа> размером 691б.
head -c 691 /dev/urandom > /etc/skey
#Добавление секретного ключа (691б) в 7-й слот заголовка luks
cryptsetup luksAddKey --key-slot 7 /dev/sda7 /etc/skey#Проверка слотов "пароли/ключи luks-раздела"
cryptsetup luksDump /dev/sda7
E tla shebahala tjena:
(etsa ka bowena mme o iponele).
cryptsetup luksKillSlot /dev/sda7 7 #удаление ключа/пароля из 7 слота/etc/fstab e na le tlhaiso-leseling e hlalosang mabapi le litsamaiso tse fapaneng tsa faele.
#Правим /etc/fstab
nano /etc/fstab
# "file system" "mount point" "mofuta" "options" "lahlela" "pass"
# / e ne e le / dev / sda7 nakong ea ho kenya
/dev/mapper/sda7_crypt / ext4 errors=remount-ro 0 1
khetho
* /dev/mapper/sda7_crypt - lebitso la sda7> sda7_crypt 'mapa, e boletsoeng ho file ea /etc/crypttab.
Setupo sa crypttab/fstab se felile.
B4.5. Ho lokisa lifaele tsa tlhophiso. Nako ea bohlokoaB4.5.1. Ho hlophisa config /etc/initramfs-tools/conf.d/resume
#Если у вас ранее был активирован swap раздел, отключите его.
nano /etc/initramfs-tools/conf.d/resume
le ho fana ka maikutlo (haeba e teng) "#" mola "qala hape". Faele e tlameha ho hloka letho ka botlalo.
B4.5.2. Ho hlophisa config /etc/initramfs-tools/conf.d/cryptsetup
nano /etc/initramfs-tools/conf.d/cryptsetuplokela ho nyalana
# /etc/initramfs-tools/conf.d/cryptsetup
CRYPTSETUP=e
romela kantle ho naha CRYPTSETUP
B4.5.3. Ho hlophisa /etc/default/grub config (sebopeho sena se ikarabella bakeng sa bokhoni ba ho hlahisa grub.cfg ha u sebetsa ka encrypted /boot)
nano /etc/default/grub
Kenya mola "GRUB_ENABLE_CRYPTODISK=y"
value 'y', grub-mkconfig le grub-install li tla hlahloba li-drive tse patiloeng ebe li hlahisa litaelo tse ling tse hlokahalang ho li fihlella ka nako ea ho qala. (insmods ).
ho tlameha ho be le ho tšoana
GRUB_DEFAULT = 0
GRUB_TIMEOUT = 1
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || pheta Debian`
GRUB_CMDLINE_LINUX_DEFAULT="acpi_backlight=morekisi"
GRUB_CMDLINE_LINUX="ho phatloha ho khutsitseng noautomount"
GRUB_ENABLE_CRYPTODISK=y
B4.5.4. Ho hlophisa config /etc/cryptsetup-initramfs/conf-hook
nano /etc/cryptsetup-initramfs/conf-hook
hlahloba hore mola o fane ka maikutlo <#>.
Nakong e tlang (le hona joale, parameter ena e ke ke ea e-ba le moelelo leha e le ofe, empa ka linako tse ling e kena-kenana le ho ntlafatsa setšoantšo sa initrd.img).
B4.5.5. Ho hlophisa config /etc/cryptsetup-initramfs/conf-hook
nano /etc/cryptsetup-initramfs/conf-hookeketsa
KEYFILE_PATTERN=”/etc/skey”
UMASK=0077
Sena se tla kenya senotlolo sa lekunutu "skey" ho initrd.img, senotlolo se hlokahala ho notlolla motso ha OS e qala. (haeba u sa batle ho kenya phasewete hape, senotlolo sa "skey" se nkeloa sebaka ke koloi).
B4.6. Ntlafatsa /boot/initrd.img [version]Ho paka senotlolo sa lekunutu ho initrd.img le ho sebelisa litokiso tsa cryptsetup, nchafatsa setšoantšo
update-initramfs -u -k all
ha u nchafatsa initrd.img (joalokaha ba re "Hoa khoneha, empa ha ho na bonnete") litemoso tse amanang le cryptsetup li tla hlaha, kapa, mohlala, tsebiso mabapi le tahlehelo ea li-module tsa Nvidia - sena se tloaelehile. Kamora ho ntlafatsa faele, hlahloba hore na e hlile e ntlafalitsoe, bona nako (e amanang le tikoloho ea chroot./boot/initrd.img). Ela hloko ka kopo! pele [update-initramfs -u -k all] etsa bonnete ba ho hlahloba hore cryptsetup e bulehile /dev/sda7 sda7_crypt - lena ke lebitso le hlahang ho /etc/crypttab, ho seng joalo ka mor'a ho qala bocha ho tla ba le phoso ea lebokose la busy)
Mothating ona, ho seta lifaele tsa tlhophiso ho felile.
[C] Ho kenya le ho lokisa GRUB2/Protection
C1. Haeba ho hlokahala, hlophisa karohano e inehetseng bakeng sa bootloader (karohano e hloka bonyane 20MB)
mkfs.ext4 -v -L GRUB2 /dev/sda6C2. Thaba /dev/sda6 ho /mntKahoo re sebetsa ka chroot, joale ho ke ke ha e-ba le buka ea / mnt2 motso, 'me foldara ea /mnt e tla be e se na letho.
beha karolo ea GRUB2
mount /dev/sda6 /mntHaeba u na le mofuta oa khale oa GRUB2 o kentsoeng, bukeng ea /mnt/boot/grub/i-386-pc (sethala se seng sea khoneha, mohlala, eseng "i386-pc") ha ho na li-module tsa crypto (ka bokhutšoane, foldara e lokela ho ba le li-modules, ho kenyelletsa le tsena .mod: cryptodisk; luks; gcry_twofish; gcry_sha512; signature_test.mod), Tabeng ena, GRUB2 e hloka ho sisinyeha.
apt-get update
apt-get install grub2
Bohlokoa! Ha u ntlafatsa sephutheloana sa GRUB2 ho tloha polokelong, ha u botsoa "mabapi le ho khetha" moo u ka kenyang bootloader, u tlameha ho hana ho kenya. (lebaka - leka ho kenya GRUB2 - ho "MBR" kapa ho usb e phelang). Ho seng joalo u tla senya hlooho ea VeraCrypt / loader. Ka mor'a ho ntlafatsa liphutheloana tsa GRUB2 le ho hlakola ho kenya, bootloader e tlameha ho kenngoa ka letsoho ho disk e utloahalang, eseng ho MBR. Haeba polokelo ea hau e na le mofuta oa khale oa GRUB2, leka e tsoa webosaeteng ea semmuso - ha ke so e hlahlobe (e sebelitse le li-bootloader tsa morao-rao tsa GRUB 2.02 ~ BetaX).
C3. Ho kenya GRUB2 karohanong e atolositsoeng [sda6]U tlameha ho ba le karohano e behiloeng [ntho C.2]
grub-install --force --root-directory=/mnt /dev/sda6
likhetho
* -force - ho kenya bootloader, ho feta litemoso tsohle tse batlang li le teng kamehla le ho thibela ho kenya (folakha e hlokahalang).
* --root-directory - ho kenngoa ha directory ho ea motsong oa sda6.
* /dev/sda6 - karohano ea hau ea sdaХ (u se ke oa fetoa ke <sebaka> pakeng tsa /mnt /dev/sda6).
C4. Ho theha faele ea tlhophiso [grub.cfg]Lebala ka taelo ea "update-grub2", 'me u sebelise taelo e felletseng ea tlhahiso ea faele
grub-mkconfig -o /mnt/boot/grub/grub.cfg
ka mor'a ho qeta ho hlahisa / ho ntlafatsa faele ea grub.cfg, setsi sa lihlahisoa se lokela ho ba le mela le OS e fumanoang disk. ("grub-mkconfig" mohlomong e tla fumana le ho nka OS ho tsoa ho usb e phelang, haeba u na le multiboot flash drive e nang le Windows 10 le bongata ba liphaello tse phelang - sena se tloaelehile). Haeba "terminal" e "se na letho" mme faele ea "grub.cfg" e sa hlahisoa, ho joalo le ha ho na le likokoana-hloko tsa GRUB tsamaisong. ('me mohlomong ke mojaro o tsoang lekaleng la liteko la polokelo), kenya hape GRUB2 ho tsoa mehloling e tšepahalang.
Ho kenya "tlhophiso e bonolo" le ho seta GRUB2 ho felile.
C5. Teko ea bopaki ba GNU/Linux OS e kentsoengRe phethela mosebetsi oa crypto ka nepo. Ka hloko u siea GNU/Linux e patiloeng (tsoa tikolohong ea chroot).
umount -a #размонтирование всех смонтированных разделов шифрованной GNU/Linux
Ctrl+d #выход из среды chroot
umount /mnt/dev
umount /mnt/proc
umount /mnt/sys
umount -a #размонтирование всех смонтированных разделов на live usb
reboot
Kamora ho qala komporo hape, bootloader ea VeraCrypt e lokela ho kenya.
* Ho kenya phasewete bakeng sa karohano e sebetsang ho tla qala ho kenya Windows.
* Ho tobetsa konopo ea "Esc" ho tla fetisetsa taolo ho GRUB2, haeba u khetha GNU / Linux e patiloeng - ho tla hlokahala phasewete (sda7_crypt) ho notlolla /boot/initrd.img (haeba grub2 e ngola uuid "ha e fumanehe" - sena ke bothata ka grub2 bootloader, e lokela ho tsosolosoa, mohlala, ho tloha lekaleng la teko / setaleng joalo-joalo).
* Ho itšetlehile ka hore na u lokiselitse tsamaiso joang (sheba serapa sa B4.4/4.5), ka mor'a ho kenya phasewete e nepahetseng ho bula setšoantšo sa /boot/initrd.img, u tla hloka phasewete ho kenya OS kernel/root, kapa sephiri. senotlolo se tla nkeloa sebaka ka "skey", ho tlosa tlhoko ea ho kenya poleloana hape.
(skrine “automatic substitution of secret key”).
* Joale mokhoa o tloaelehileng oa ho kenya GNU/Linux ka netefatso ea akhaonto ea mosebedisi e tla latela.
* Kamora tumello ea mosebelisi le ho kena ho OS, o hloka ho nchafatsa /boot/initrd.img hape (sheba B4.6).
update-initramfs -u -k allMme haeba ho na le mela e meng ho menu ea GRUB2 (ho tloha ho pickup ea OS-m ka usb e phelang) ba tlose
mount /dev/sda6 /mnt
grub-mkconfig -o /mnt/boot/grub/grub.cfg
Kakaretso e potlakileng ea encryption ea sistimi ea GNU/Linux:
- GNU/Linuxinux e patiloe ka botlalo, ho kenyeletsoa /boot/kernel le initrd;
- senotlolo sa lekunutu se phuthetsoe ho initrd.img;
- leano la hona joale la tumello (ho kenya phasewete ho notlolla initrd; senotlolo / senotlolo sa ho bulela OS; phasewete bakeng sa ho lumella ak'haonte ea Linux).
"Sistimi e bonolo ea GRUB2" encryption ea "block partition" e felile.
C6. Tlhophiso e tsoetseng pele ea GRUB2. Tšireletso ea Bootloader ka signature ea dijithale + ts'ireletso ea netefatsoGNU/Linux e patiloe ka botlalo, empa bootloader e ke ke ea ngolisoa - boemo bona bo laeloa ke BIOS. Ka lebaka lena, boot e kentsoeng ka ketane ea GRUB2 ha e khonehe, empa boot e bonolo ea ketane e ka khoneha / e fumaneha, empa ho tloha sebakeng sa ts'ireletso ha ho hlokahale [bona P. F].
Bakeng sa GRUB2 e "kotsing", bahlahisi ba kentse ts'ebetsong algorithm ea ts'ireletso ea "signature / authentication" bootloader.
- Ha bootloader e sirelelitsoe ke "signature ea eona ea dijithale," phetoho ea kantle ea lifaele, kapa ho leka ho kenya li-module tse ling ho bootloader ena, ho tla etsa hore ts'ebetso ea ho jarolla e koetsoe.
- Ha u sireletsa bootloader ka bopaki, e le hore u khethe ho kenya kabo, kapa u kenye litaelo tse eketsehileng ho CLI, u tla hloka ho kenya ho kena le password ea superuser-GRUB2.
C6.1. Tšireletso ea netefatso ea BootloaderEtsa bonnete ba hore o sebetsa sebakeng sa polokelo ho OS e patiloeng
ls /<Tab-Tab> #обнаружить файл-маркерetsa password ea superuser bakeng sa tumello ho GRUB2
grub-mkpasswd-pbkdf2 #введите/повторите пароль суперпользователя. Fumana phasewete hash. Ntho e kang ena
grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
beha karolo ea GRUB
mount /dev/sda6 /mnt fetola config
nano -$ /mnt/boot/grub/grub.cfg
lekola patlo ea faele hore ha ho na lifolakha kae kapa kae ho "grub.cfg" ("-unrestricted" "-user",
eketsa qetellong haholo (pele ho mola ### END /etc/grub.d/41_custom ###)
"set superusers = "motso"
password_pbkdf2 motso hash."
E lokela hoba ntho e kang ena
# Faele ena e fana ka mokhoa o bonolo oa ho kenyelletsa li-menu tsa tloaelo. Tlanya feela
# likenyelletso tsa menyetla eo u batlang ho e kenyelletsa kamora maikutlo ana. Hlokomela hore u se ke ua fetoha
# mola oa 'exec tail' kaholimo.
### QETELA /etc/grub.d/40_custom ###### QALA /etc/grub.d/41_custom ###
haeba [ -f ${config_directory}/custom.cfg ]; ebe
mohloli ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; ebe
mohloli $prefix/custom.cfg;
fi
seta li-superuser = "motso"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
### QETELA /etc/grub.d/41_custom ###
#
Haeba hangata u sebelisa taelo "grub-mkconfig -o /mnt/boot/grub/grub.cfg" 'me u sa batle ho etsa liphetoho ho grub.cfg nako le nako, kenya mela e ka holimo. (Kena: Password) sengolong sa mosebelisi sa GRUB ka tlase haholo
nano /etc/grub.d/41_custom katse <<EOF
seta li-superuser = "motso"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
EOF
Ha o hlahisa "grub-mkconfig -o /mnt/boot/grub/grub.cfg", mela e ikarabellang bakeng sa netefatso e tla eketsoa ka bo eona ho grub.cfg.
Mohato ona o phethela tlhophiso ea netefatso ea GRUB2.
C6.2. Tšireletso ea Bootloader ka signature ea dijithaleHo nahanoa hore u se u ntse u e-na le senotlolo sa hau sa pgp encryption (kapa etsa senotlolo se joalo). Sistimi e tlameha ho ba le software ea cryptographic e kentsoeng: gnuPG; kleopatra/GPA; Seahorse. Software ea Crypto e tla nolofaletsa bophelo ba hau haholo litabeng tsohle tse joalo. Seahorse - mofuta o tsitsitseng oa sephutheloana 3.14.0 (liphetolelo tse phahameng, mohlala, V3.20, li na le phoso 'me li na le likokoana-hloko tse kholo).
Senotlolo sa PGP se hloka ho hlahisoa / ho qalisoa / ho eketsoa feela tikolohong ea su!
Hlahisa senotlolo sa hau sa encryption
gpg - -gen-keyRomella senotlolo sa hau
gpg --export -o ~/perskeyKenya disk e utloahalang ho OS haeba e se e ntse e kenngoa
mount /dev/sda6 /mnt #sda6 – раздел GRUB2hloekisa karohano ea GRUB2
rm -rf /mnt/Kenya GRUB2 ho sda6, kenya senotlolo sa hau sa lekunutu setšoantšong se seholo sa GRUB "core.img"
grub-install --force --modules="gcry_sha256 gcry_sha512 signature_test gcry_dsa gcry_rsa" -k ~/perskey --root-directory=/mnt /dev/sda6
likhetho
* --force - kenya bootloader, u fete litemoso tsohle tse lulang li le teng (folakha e hlokahalang).
* -modules="gcry_sha256 gcry_sha512 signature_test gcry_dsa gcry_rsa" - e laela GRUB2 ho kenya pele li-module tse hlokahalang ha PC e qala.
* -k ~/perskey -tsela ea ho "PGP key" (kamora ho paka senotlolo setšoantšong, se ka hlakoloa).
* --root-directory -seta buka ea boot ho motso oa sda6
/dev/sda6 - karohano ea hau ea sdaX.
Ho hlahisa/ho nchafatsa grub.cfg
grub-mkconfig -o /mnt/boot/grub/grub.cfgKenya mola "trust /boot/grub/perskey" qetellong ea faele ea "grub.cfg" ( qobella tšebeliso ea senotlolo sa pgp.) Kaha re kentse GRUB2 ka sehlopha sa li-modules, ho kenyelletsa le mojule oa ho saena "signature_test.mod", sena se felisa tlhokahalo ea ho eketsa litaelo tse kang "set check_signatures=enforce" ho config.
E lokela ho shebahala tjena (mehala ea ho qetela faeleng ea grub.cfg)
### QALA /etc/grub.d/41_custom ###
haeba [ -f ${config_directory}/custom.cfg ]; ebe
mohloli ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; ebe
mohloli $prefix/custom.cfg;
fi
tšepa /boot/grub/perskey
seta li-superuser = "motso"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
### QETELA /etc/grub.d/41_custom ###
#
Tsela e eang ho "/ boot/grub/perskey" ha e hloke ho supa karohano e itseng ea disk, mohlala hd0,6; bakeng sa bootloader ka boeona, "motso" ke tsela ea kamehla ea karohano eo GRUB2 e kentsoeng ho eona. (sheba set rot=..).
Ho saena GRUB2 (lifaele tsohle ho li-directory tsohle / GRUB) ka senotlolo sa hau "perskey".
Tharollo e bonolo mabapi le mokhoa oa ho saena (bakeng sa mofuputsi oa nautilus/caja): kenya katoloso ea "seahorse" bakeng sa Explorer ho tsoa sebakeng sa polokelo. Senotlolo sa hau se tlameha ho eketsoa tikolohong ea su.
Bula Explorer ka sudo "/ mnt/boot" - RMB - saena. Ho skrine ho shebahala tjena
Senotlolo ka boeona ke "/mnt/boot/grub/perskey" (Kopitsa ho buka ea grub) e tlameha hape ho saenoa ka mosaeno oa hau. Etsa bonnete ba hore [*.sig] li-signature tsa faele li hlaha ho directory/subdirectories.
U sebelisa mokhoa o hlalositsoeng ka holimo, saena "/ boot" (kernel ea rona, initrd). Haeba nako ea hau e lekana le eng kapa eng, mokhoa ona o felisa tlhoko ea ho ngola lengolo la bash ho saena "lifaele tse ngata."
Ho tlosa li-signature tsohle tsa bootloader (haeba ho na le phoso)
rm -f $(find /mnt/boot/grub -type f -name '*.sig')E le hore u se ke ua saena bootloader ka mor'a ho ntlafatsa tsamaiso, re emisa liphutheloana tsohle tsa ntlafatso tse amanang le GRUB2.
apt-mark hold grub-common grub-pc grub-pc-bin grub2 grub2-commonMothating ona <sireletsa bootloader ka signature ea dijithale> tlhophiso e tsoetseng pele ea GRUB2 e phethetsoe.
C6.3. Teko ea bopaki ea bootloader ea GRUB2, e sirelelitsoeng ke signature ea dijithale le netefatsoGRUB2. Ha u khetha phepelo efe kapa efe ea GNU/Linux kapa u kenya CLI (mola oa taelo) Ho tla hlokahala tumello ea superuser. Kamora ho kenya lebitso la mosebelisi / phasewete e nepahetseng, o tla hloka password ea initrd
Setšoantšo sa skrini sa netefatso e atlehileng ea GRUB2 superuser.
Haeba u senya leha e le efe ea lifaele tsa GRUB2 / etsa liphetoho ho grub.cfg, kapa u hlakole faele / saena, kapa u kenye module.mod e kotsi, temoso e lumellanang e tla hlaha. GRUB2 e tla emisa ho kenya.
Screenshot, teko ea ho kena-kenana le GRUB2 "ho tsoa ka ntle".
Nakong ea "tloaelehileng" ea ho qala "ntle le ho kenella", boemo ba khoutu ea ho tsoa ke "0". Ka hona, ha ho tsejoe hore na tšireletso ea sebetsa kapa che (ke hore, "ka kapa ntle le ts'ireletso ea signature ea bootloader" nakong ea ho kenya maemo a tloaelehileng "0" - sena se fosahetse).
Mokhoa oa ho hlahloba tšireletso ea signature ea dijithale?
Tsela e sa thabiseng ea ho hlahloba: fake / tlosa module e sebelisoang ke GRUB2, mohlala, tlosa signature luks.mod.sig 'me u fumane phoso.
Tsela e nepahetseng: e-ea ho CLI ea bootloader 'me u thaepe taelo
trust_list
Ho arabela, o lokela ho fumana "perskey" monoana; haeba boemo ke "0," joale tšireletso ea signature ha e sebetse, hlahloba habeli serapa sa C6.2.
Mothating ona, tlhophiso e tsoetseng pele "Ho Sireletsa GRUB2 ka signature ea dijithale le netefatso" e phethiloe.
C7 Mokhoa o mong oa ho sireletsa bootloader ea GRUB2 o sebelisa hashingMokhoa oa "CPU Boot Loader Protection / Authentication" o hlalositsoeng ka holimo ke oa khale. Ka lebaka la ho se phethahale ha GRUB2, maemong a paranoid e ka hlaseloa habonolo ke tlhaselo ea sebele, eo ke tla fana ka eona ka tlase serapeng [F]. Ho phaella moo, ka mor'a ho ntlafatsa OS / kernel, bootloader e tlameha ho saena hape.
Ho sireletsa GRUB2 bootloader ho sebelisa hashing
Melemo ho feta classics:
- Boemo bo phahameng ba ho tšepahala (hashing / netefatso e etsahala feela ho tsoa mohloling o patiloeng oa lehae. Karohano eohle e abetsoeng tlas'a GRUB2 e laoloa bakeng sa liphetoho leha e le life, 'me ntho e' ngoe le e 'ngoe e ngotsoe ka mokhoa o patehileng; ka morero oa khale o nang le ts'ireletso ea CPU loader / Authentication, ke lifaele feela tse laoloang, empa eseng mahala. sebaka, moo ho ka ekeletsoang “ntho” ntho e mpe”).
- Ho rema lifate ka mokhoa o patiloeng (lengolo le ka balwang ke motho le kentswe leanong).
- Lebelo (ts'ireletso / netefatso ea karohano eohle e abetsoeng GRUB2 e etsahala hang hang).
- Automation ea mekhoa eohle ea cryptographic.
Mefokolo holim'a li-classics.
- Forgery of signature (ka khopolo, hoa khoneha ho fumana ho thulana ha mosebetsi oa hash).
- Keketseho ea boemo ba bothata (ha ho bapisoa le ea khale, ho hlokahala tsebo e eketsehileng ho GNU/Linux OS).
Mokhoa oa hashing oa GRUB2/partition hashing o sebetsa joang
Karohano ea GRUB2 "e saennoe"; ha lihoete tsa OS, karohano ea bootloader e hlahlojoa hore ha e fetohe, e lateloe ke ho kena sebakeng se sireletsehileng (se kentsoeng). Haeba bootloader kapa karohano ea eona e sekiselitsoe, ho kenyelletsa lethathamong la intrusion, tse latelang li hlahisoa:
Ntho.
Cheke e tšoanang e etsahala ka makhetlo a mane ka letsatsi, e sa keneng lisebelisoa tsa sistimi.
U sebelisa taelo ea "-$ check_GRUB", cheke ea hang-hang e etsahala ka nako efe kapa efe ntle le ho rema lifate, empa ka tlhahiso ea tlhahisoleseling ho CLI.
U sebelisa taelo ea "-$ sudo signature_GRUB", GRUB2 bootloader / partition e saena hape hang-hang le ho rema lifate tse nchafalitsoeng. (e hlokahalang ka mor'a ntlafatso ea OS / boot), 'me bophelo bo tsoela pele.
Ts'ebetsong ea mokhoa oa hashing bakeng sa bootloader le karolo ea eona
0) Ha re saeneng GRUB bootloader/partition ka ho qala ho e kenya ho / media/username
-$ hashdeep -c md5 -r /media/username/GRUB > /podpis.txt1) Re theha sengoloa ntle le katoloso motso oa OS ~/podpis e kentsoeng, re sebelisa litokelo tse hlokahalang tsa ts'ireletso ea 744 le ts'ireletso e se nang kelello ho eona.
Ho tlatsa litaba tsa eona
#!/bin/bash
#Проверка всего раздела выделенного под загрузчик GRUB2 на неизменность.
#Ведется лог "о вторжении/успешной проверке каталога", короче говоря ведется полный лог с тройной вербализацией. Внимание! обратить взор на пути: хранить ЦП GRUB2 только на зашифрованном разделе OS GNU/Linux.
echo -e "******************************************************************n" >> '/var/log/podpis.txt' && date >> '/var/log/podpis.txt' && hashdeep -vvv -a -k '/podpis.txt' -r '/media/username/GRUB' >> '/var/log/podpis.txt'
a=`tail '/var/log/podpis.txt' | grep failed` #не использовать "cat"!!
b="hashdeep: Audit failed"
#Условие: в случае любых каких-либо изменений в разделе выделенном под GRUB2 к полному логу пишется второй отдельный краткий лог "только о вторжении" и выводится на монитор мигание gif-ки "warning".
if [[ "$a" = "$b" ]]
then
echo -e "****n" >> '/var/log/vtorjenie.txt' && echo "vtorjenie" >> '/var/log/vtorjenie.txt' && date >> '/var/log/vtorjenie.txt' & sudo -u username DISPLAY=:0 eom '/warning.gif'
fiMatha mongolo ho tloha su, hashing ea karohano ea GRUB le bootloader ea eona e tla hlahlojoa, boloka log.
Ha re theheng kapa re kopise, ho etsa mohlala, "faele e kotsi" [virus.mod] karolong ea GRUB2 'me re etse tlhahlobo ea nakoana:
-$ hashdeep -vvv -a -k '/podpis.txt' -r '/media/username/GRUBCLI e tlameha ho bona tlhaselo ea qhobosheane ea rona.# E hlophisitsoe ho kena ho CLI
Ср янв 2 11::41 MSK 2020
/media/username/GRUB/boot/grub/virus.mod: Moved from /media/username/GRUB/1nononoshifr
/media/username/GRUB/boot/grub/i386-pc/mda_text.mod: Ok
/media/username/GRUB/boot/grub/grub.cfg: Ok
hashdeep: Audit failed
Input files examined: 0
Known files expecting: 0
Files matched: 325
Files partially matched: 0
Files moved: 1
New files found: 0
Known files not found: 0
#Joalokaha u bona, "Lifaele li tsamaile: 1 'me Audit e hlotsoe" e hlaha, ho bolelang hore cheke e hlolehile.
Ka lebaka la mofuta oa karohano e ntseng e lekoa, sebakeng sa "Lifaele tse ncha li fumanoe"> "Lifaele li tsamaisitsoe"
2) Beha gif mona> ~/warning.gif, beha tumello ho 744.
3) Ho lokisa fstab ho kenya karohano ea GRUB butle
-$ sudo nano /etc/fstabLABEL=GRUB /media/username/GRUB ext4 defaults 0 0
4) Ho potoloha logong
-$ sudo nano /etc/logrotate.d/podpis /var/log/podpis.txt {
letsatsi le letsatsi
potoloha 50
boholo ba 5M
letsatsi la letsatsi
qobella
lieha
olddir /var/log/old
}/var/log/vtorjenie.txt {
khoeli le khoeli
potoloha 5
boholo ba 5M
letsatsi la letsatsi
olddir /var/log/old
}
5) Kenya mosebetsi ho cron
-$ sudo crontab -e'/subscription'
0 */6 * * * '/podpis
6) Ho theha mabitso a sa feleng
-$ sudo su
-$ echo "alias подпись_GRUB='hashdeep -c md5 -r /media/username/GRUB > /podpis.txt'" >> /root/.bashrc && bash
-$ echo "alias проверка_GRUB='hashdeep -vvv -a -k '/podpis.txt' -r /media/username/GRUB'" >> .bashrc && bash
Ka mor'a ho ntlafatsa OS -$ apt-get upgrade saena hape karohano ea rona ea GRUB
-$ подпись_GRUB
Mothating ona, ts'ireletso ea hashing ea karohano ea GRUB e felile.
[D] Ho hlakola - tšenyo ea data e sa ngolisoang
Hlakola lifaele tsa hao tsa botho ka ho feletseng hoo “esita le Molimo a ke keng a li bala,” ho ea ka ’muelli oa Carolina Boroa Trey Gowdy.
Joalo ka tloaelo, ho na le "litšōmo le ", mabapi le ho khutlisetsa data ka mor'a hore e hlakoloe ho hard drive. Haeba u lumela ho cyberwitchcraft, kapa u le setho sa Dr web community mme ha ho mohla u kileng ua leka ho hlaphoheloa ha data ka mor'a hore e hlakoloe/e hlakoloe (mohlala, ho hlaphoheloa ho sebelisa R-studio), joale mokhoa o reriloeng ha o khone ho lumellana le uena, sebelisa se haufi le uena.
Kamora ho fetisetsa GNU/Linux ka katleho karolong e patiloeng, kopi ea khale e tlameha ho hlakoloa ntle le monyetla oa ho hlaphoheloa ha data. Mokhoa oa ho hloekisa hohle: software ea Windows/Linux mahala GUI software .
Ka potlako hlophisa karolo, lintlha tse lokelang ho senngoa (ka Gparted) qala BleachBit, khetha "Hloekisa sebaka sa mahala" - khetha karohano (sdaX ea hau e nang le kopi e fetileng ea GNU/Linux), mokhoa oa ho hlobolisa o tla qala. BleachBit - e hlakola disk ka pase e le 'ngoe - sena ke seo "re se hlokang", Empa! Sena se sebetsa feela ka khopolo haeba u fomata disk le ho e hloekisa ho BB v2.0 software.
Hlokomela! BB e hlakola disk, e siea metadata; mabitso a lifaele a bolokiloe ha data e tlosoa (Ccleaner - ha e tlohele metadata).
Le tšōmo mabapi le monyetla oa ho hlaphoheloa ha data hase tšōmo ka ho feletseng.Bleachbit V2.0-2 sephutheloana sa khale sa OS Debian se sa tsitsang (le software efe kapa efe e tšoanang: sfill; hlakola-Nautilus - le tsona li ile tsa hlokomeloa khoebong ena e litšila) ha e le hantle e ne e e-na le bothata ba bohlokoa: mosebetsi oa "ho hloekisa sebaka sa mahala". e sebetsa ka phoso ho li-drive tsa HDD/Flash (ntfs/ext4). Software ea mofuta ona, ha e hlakola sebaka sa mahala, ha e fetole disk eohle, joalo ka ha basebelisi ba bangata ba nahana. Le ba bang (tse ngata) data e hlakotsoeng ea OS/software e nka data ena e le data e sa hlakoloang / ea mosebelisi mme ha e hloekisa "OSP" e tlola lifaele tsena. Bothata ke hore ka mor'a nako e telele joalo, ho hloekisa disk "hlakolwa difaele" ka a hlaphoheloa esita le ka mor'a ho feta 3+ ho hlakola disk.
Ho GNU/Linux ho Bleachbit 2.0-2 Mesebetsi ea ho hlakola lifaele le li-directory ka ho sa feleng e sebetsa ka botšepehi, empa e sa hlakole sebaka sa mahala. Ho bapisa: ho Windows ho CCleaner mosebetsi oa "OSP for ntfs" o sebetsa hantle, 'me Molimo a ke ke a khona ho bala data e hlakotsoeng.
'Me kahoo, ho tlosa ka ho feletseng "ho inehela" data ea khale e sa ngolisoang, Bleachbit e hloka phihlello e tobileng ho data ena, ebe, sebelisa mosebetsi oa "hlakola lifaele/directory" ka ho sa feleng.
Ho tlosa "lifaele tse hlakotsoeng ka lisebelisoa tse tloaelehileng tsa OS" ho Windows, sebelisa CCleaner/BB ka mosebetsi oa "OSP". Ho GNU/Linux ka bothata bona (hlakola lifaele tse hlakotsoeng) o hloka ho ikwetlisa ka bowena (ho hlakola data + teko e ikemetseng ea ho e khutlisa mme ha oa lokela ho itšetleha ka mofuta oa software (haeba e se bookmark, ebe ke phoso)), feela tabeng ena u tla khona ho utloisisa mochine oa bothata bona le ho tlosa data hlakolwa ka ho feletseng.
Ha ke so leke Bleachbit v3.0, mohlomong bothata bo se bo lokisitsoe.
Bleachbit v2.0 e sebetsa ka botšepehi.
Mothating ona, ho hlakola disk ho felile.
[E] Backup ea Universal ea OS e patiloeng
Mosebelisi e mong le e mong o na le mokhoa oa hae oa ho boloka data, empa data e patiloeng ea System OS e hloka mokhoa o fapaneng hanyane oa mosebetsi. Software e kopaneng, joalo ka Clonezilla le software e ts'oanang, e ke ke ea sebetsa ka kotloloho le data e patiloeng.
Polelo ea bothata ba ho boloka lisebelisoa tsa block block:
- bokahohle - algorithm e tšoanang ea bekapo/software bakeng sa Windows/Linux;
- bokhoni ba ho sebetsa ka har'a khomphutha le leha e le efe e phelang ea usb GNU/Linux ntle le tlhokahalo ea lisebelisoa tse eketsehileng tsa software (empa o ntse o khothaletsa GUI);
- tšireletseho ea likopi tsa "backup" - "litšoantšo" tse bolokiloeng li tlameha ho ngolisoa / ho sireletsoa ka password;
- boholo ba data e patiloeng e tlameha ho lumellana le boholo ba data ea sebele e kopitsoang;
- tlhahiso e bonolo ea lifaele tse hlokahalang ho tsoa kopi ea backup (ha ho na tlhoko ea ho hlakola karolo eohle pele).
Mohlala, bekapo / khutlisetsa ka "dd" utility
dd if=/dev/sda7 of=/путь/sda7.img bs=7M conv=sync,noerror
dd if=/путь/sda7.img of=/dev/sda7 bs=7M conv=sync,noerrorE lumellana le hoo e batlang e le lintlha tsohle tsa mosebetsi, empa ho ea ka ntlha ea 4 ha e eme ho nyatsuoa, kaha e kopitsa karolo eohle ea disk partition, ho kenyelletsa le sebaka sa mahala - ha se thahasellise.
Mohlala, bekapo ea GNU/Linux ka polokelo ea litaba [tar" | gpg] e loketse, empa bakeng sa bekapo ea Windows o hloka ho batla tharollo e 'ngoe - ha e khahlise.
E1. Backup ea Universal Windows / Linux. Kopanya rsync (Grsync)+VeraCrypt bophahamo ba modumoAlgorithm ea ho etsa kopi ea backup:
- ho theha setshelo se patiloeng (bolumo/faele) VeraCrypt bakeng sa OS;
- fetisetsa / amahanya OS ho sebelisa Rsync software ka har'a VeraCrypt crypto setshelo;
- ha ho hlokahala, kenya molumo oa VeraCrypt ho www.
Ho theha setshelo sa VeraCrypt se kentsoeng se na le litšobotsi tsa sona:
ho theha molumo o matla (tlhahiso ea DT e fumaneha feela Windows, e ka sebelisoa le ho GNU/Linux);
ho theha molumo o tloaelehileng, empa ho na le tlhokahalo ea "sebopeho sa paranoid" (ho ea ka moqapi) – sebopeho sa setshelo.
Molumo o matla o bōptjoa hoo e batlang e le hang-hang ho Windows, empa ha u kopitsa data ho tloha GNU/Linux> VeraCrypt DT, tshebetso e akaretsang ea ts'ebetso ea ho boloka e fokotseha haholo.
Molumo o tloaelehileng oa 70 GB Twofish oa etsoa (ha re re, ka karolelano matla a PC) ho HDD ~ ka halofo ea hora (ho hlakola lintlha tsa khale tsa setshelo ka pase e le 'ngoe ke ka lebaka la litlhoko tsa ts'ireletso). Mosebetsi oa ho fomata molumo ka potlako ha o o bopa o tlositsoe ho VeraCrypt Windows/Linux, kahoo ho theha setshelo ho ka khoneha feela ka "ho ngola hape-pase e le 'ngoe" kapa ho theha molumo o fokolang oa ts'ebetso.
Etsa molumo o tloaelehileng oa VeraCrypt (eseng dynamic/ntfs), ha hoa lokela ho ba le mathata.
Lokisa/etsa/ bula setshelo ho VeraCrypt GUI> GNU/Linux live usb (bolumo e tla isoa ho / media/veracrypt2, bophahamo ba Windows OS bo tla kenngoa ho /media/veracrypt1). Ho theha backup e patiloeng ea Windows OS ho sebelisa GUI rsync (grsync)ka ho hlahloba mabokose.
Emela hore ts'ebetso e phethe. Hang ha bekapo e felile, re tla ba le faele e le 'ngoe e patiloeng.
Ka mokhoa o ts'oanang, etsa kopi ea "backup" ea GNU/Linux OS ka ho hlakola lebokose la "Windows compatibility" ho rsync GUI.
Hlokomela! theha setshelo sa Veracrypt bakeng sa "backup ea GNU/Linux" ho sistimi ea faele ext4. Haeba u etsa bekapo ho setshelo sa ntfs, joale ha u khutlisetsa kopi e joalo, u tla lahleheloa ke litokelo / lihlopha tsohle ho data eohle ea hau.
O ka etsa lits'ebetso tsohle ho terminal. Likhetho tsa mantlha tsa rsync:
* -g - boloka lihlopha;
* -P -tsoelopele - boemo ba nako e sebelisitsoeng ho sebetsa faeleng;
* -H - kopitsa li-hardlink joalo ka ha li le joalo;
* -a -a -archive mode (lifolakha tse ngata tsa rlptgoD);
* -v -ho bua.
Haeba u batla ho kenya "Windows VeraCrypt volume" ka khomphutha ho software ea cryptsetup, u ka etsa alias (su)
echo "alias veramount='cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sdaX Windows_crypt && mount /dev/mapper/ Windows_crypt /media/veracrypt1'" >> .bashrc && bash
Hona joale taelo ea "litšoantšo tse ngata" e tla u susumelletsa hore u kenye poleloana, 'me molumo oa tsamaiso ea Windows o kentsoeng o tla kenngoa ho OS.
'Mapa/Mount VeraCrypt system volume in cryptsetup command
cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sdaX Windows_crypt
mount /dev/mapper/Windows_crypt /mnt'Mapa/Mount VeraCrypt partition/container ka taelo ea cryptsetup
cryptsetup open --veracrypt --type tcrypt /dev/sdaY test_crypt
mount /dev/mapper/test_crypt /mntSebakeng sa li-alias, re tla eketsa (sengoloa ho qala) molumo oa sistimi e nang le Windows OS le disk e kentsoeng ka mokhoa o hlakileng oa ntfs ho qala GNU/Linux.
Theha mongolo 'me u o boloke ho ~/VeraOpen.sh
printf 'Ym9i' | base64 -d | cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sda3 Windows_crypt && mount /dev/mapper/Windows_crypt /media/Winda7 #декодируем пароль из base64 (bob) и отправляем его на запрос ввода пароля при монтировании системного диска ОС Windows.
printf 'Ym9i' | base64 -d | cryptsetup open --veracrypt --type tcrypt /dev/sda1 ntfscrypt && mount /dev/mapper/ntfscrypt /media/КонтейнерНтфс #аналогично, но монтируем логический диск ntfs.
Re aba litokelo tse "nepahetseng":
sudo chmod 100 /VeraOpen.shEtsa lifaele tse peli tse tšoanang (lebitso le le leng!) ho /etc/rc.local le ~/etc/init.d/rc.local
Ho tlatsa lifaele
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will «exit 0» on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
sh -c "sleep 1 && '/VeraOpen.sh'" #после загрузки ОС, ждём ~ 1с и только потом монтируем диски.
exit 0Re aba litokelo tse "nepahetseng":
sudo chmod 100 /etc/rc.local && sudo chmod 100 /etc/init.d/rc.local Ho joalo, joale ha re kenya GNU / Linux ha ho hlokahale hore re kenye li-passwords ho kenya li-disk tse kentsoeng tsa ntfs, li-disk li kenngoa ka bohona.
Tlhahiso e khuts'oane ka se hlalositsoeng ka holimo serapeng sa E1 mohato ka mohato (empa hona joale bakeng sa OS GNU/Linux)
1) Etsa molumo ho fs ext4> 4gb (bakeng sa faele) Linux ho Veracrypt [Cryptbox].
2) Qala hape ho phela usb.
3) ~$ cryptsetup bula /dev/sda7 Lunux #mapping partition encrypted.
4) ~$ thaba /dev/mapper/Linux /mnt #mount karohano e patiloeng ho /mnt.
5) ~$ mkdir mnt2 #ho theha bukana bakeng sa bekapo e tlang.
6) ~$ cryptsetup bula -veracrypt -type tcrypt ~/CryptoBox CryptoBox && mount /dev/mapper/CryptoBox /mnt2 #Mapa molumo oa Veracrypt o bitsoang "CryptoBox" 'me u phahamise CryptoBox ho /mnt2.
7) ~$ rsync -avlxhHX -tsoelopele /mnt /mnt2/ #backup ts'ebetso ea karohano e patiloeng ho molumo oa Veracrypt o kentsoeng.
(ts/s/ Hlokomela! Haeba u fetisetsa GNU/Linux e patiloeng ho tloha mohahong o mong ho ea ho o mong, mohlala, Intel> AMD (ke hore, ho tsamaisa bekapo ho tloha karolong e 'ngoe e patiloeng ho ea karolong e 'ngoe e kentsoeng ea Intel> AMD), U seke oa lebala Kamora ho fetisetsa OS e patiloeng, hlophisa senotlolo sa sebaka sa lekunutu sebakeng sa password, mohlomong. senotlolo se fetileng ~/etc/skey - ha e sa tla lekana karohano e 'ngoe e patiloeng,' me ha ho bohlale ho theha senotlolo se secha "cryptsetup luksAddKey" ho tsoa tlasa chroot - glitch e ka etsahala, feela ka ~/etc/crypttab hlalosa "/ etc/skey" ka nakoana "ha ho letho" ", ka mor'a ho tsosolosa le ho kena ka har'a OS, tsosolosa senotlolo sa hau sa sephiri sa wildcard hape).
Joalo ka li-veteran tsa IT, hopola ho etsa li-backups tsa lihlooho tsa likarolo tse kentsoeng tsa Windows/Linux OS, kapa encryption e tla u fetohela.
Mothating ona, bekapo ea OS e encrypted e phethetsoe.
[F] Tlhaselo ho GRUB2 bootloader
Sheba lintlhaHaeba u sirelelitse bootloader ea hau ka signature ea dijithale le/kapa netefatso (sheba ntlha C6.), joale sena se ke ke sa sireletsa khahlanong le ho fihlella 'meleng. Lintlha tse patiloeng li ntse li sa fumanehe, empa ts'ireletso e tla fetisoa (seta bocha tšireletso ea signature ea dijithale) GRUB2 e lumella cyber-villain ho kenya khoutu ea hae ho bootloader ntle le ho tsosa lipelaelo. (ntle le haeba mosebelisi a hlokomela boemo ba bootloader ka bowena, kapa a tla le khoutu ea hae e matla ea mongolo oa grub.cfg).
Tlhaselo algorithm. Mohlakodi
* Boots PC ho tloha ho usb e phelang. Phetoho efe kapa efe (motlōli) lifaele li tla tsebisa mong'a 'nete oa PC mabapi le ho kenella ka har'a bootloader. Empa e bonolo reinstallation ea GRUB2 boloka grub.cfg (le bokhoni bo latelang ba ho e hlophisa) e tla lumella mohlaseli ho hlophisa lifaele life kapa life (boemong bona, ha o kenya GRUB2, mosebeletsi oa sebele a ke ke a tsebisoa. Boemo bo tšoana <0>)
* E theha karohano e sa ngolisoang, e boloka "/mnt/boot/grub/grub.cfg".
* E kenya bootloader hape (ho tlosa "perskey" setšoantšong sa core.img)
grub-install --force --root-directory=/mnt /dev/sda6
* E khutlisetsa "grub.cfg"> "/mnt/boot/grub/grub.cfg", e e hlophise ha ho hlokahala, mohlala, ho eketsa mojule oa hau "keylogger.mod" foldareng e nang le li-module tsa loader, ho "grub.cfg" > mola "insmod keylogger". Kapa, ka mohlala, haeba sera se bolotsana, ka mor'a ho tsosolosa GRUB2 (masaeno kaofela a ntse a le teng) e haha setšoantšo se seholo sa GRUB2 se sebelisa "grub-mkimage ka khetho (-c)." Khetho ea "-c" e tla u lumella ho kenya config pele u kenya "grub.cfg" e kholo. Setlhophiso se ka ba le mola o le mong feela: ho fetisetsoa ho "modern.cfg" efe kapa efe, e tsoakiloeng, mohlala, le ~ lifaele tse 400. (li-module+signatures) ka foldareng "/boot/grub/i386-pc". Tabeng ena, mohlaseli a ka kenya khoutu e sa lumellaneng le li-modules tsa mojaro ntle le ho ama "/boot/grub/grub.cfg", esita le haeba mosebedisi a sebelisitse "hashsum" faeleng mme a e bontša ka nakoana skrineng.
Mohlaseli a ke ke a hloka ho senya GRUB2 superuser login / password; o tla hloka feela ho kopitsa mela (e ikarabella bakeng sa netefatso) "/boot/grub/grub.cfg" ho "modern.cfg" ea hau
seta li-superuser = "motso"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
'Me mong'a PC o ntse a tla netefatsoa e le GRUB2 superuser.
Ho kenya ketane (bootloader e kenya bootloader e 'ngoe), joalokaha ke ngotse ka holimo, ha e utloahale (e etselitsoe merero e fapaneng). Bootloader e encrypted e ke ke ea kengoa ka lebaka la BIOS (boot boot restart GRUB2> encrypted GRUB2, phoso!). Leha ho le joalo, haeba u ntse u sebelisa mohopolo oa ho kenya ketane, u ka ba le bonnete ba hore ke eona e patiloeng e ntseng e laeloa. (ha ea ntlafatsoa) "grub.cfg" ho tsoa karolong e patiloeng. Hape sena ke maikutlo a fosahetseng a tšireletso, hobane ntho e 'ngoe le e' ngoe e bontšitsoeng ho "grub.cfg" e patiloeng (ho kenya mojule) ho kenyelletsa li-module tse kentsoeng ho tsoa ho GRUB2 e sa ngolisoang.
Haeba u batla ho hlahloba sena, fana ka / encrypting e 'ngoe ea karohano sdaY, kopitsa GRUB2 ho eona (ts'ebetso ea grub-install karohanong e patiloeng ha e khonehe) le ho "grub.cfg" (setlhophiso se sa ngolisoang) fetola mela e kang ena
menuentry 'GRUBx2' --class parrot --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-382111a2-f993-403c-aa2e-292b5eac4780' {
load_video
insmod gzio
haeba [ x$grub_platform = xxen]; ebe insmod xzio; insmod lzopio; fi
khomotso_kamohelo
insmod cryptodisk
insmod lux
insmod gcry_twofish
insmod gcry_twofish
insmod gcry_sha512
insmod ext2
cryptomount -u 15c47d1c4bd34e5289df77bcf60ee838
set root=’cryptouuid/15c47d1c4bd34e5289df77bcf60ee838′
e tloaelehileng /boot/grub/grub.cfg
}
likhoele
* insmod - ho kenya li-module tse hlokahalang bakeng sa ho sebetsa ka disk e patiloeng;
* GRUBx2 - lebitso la mohala o bontšitsoeng ho GRUB2 boot menu;
* cryptomount -u 15c47d1c4bd34e5289df77bcf60ee838 -bona. fdisk -l (sda9);
* seta motso - kenya motso;
* e tloaelehileng /boot/grub/grub.cfg - faele ea tlhophiso e sebetsang sebakeng sa karohano e patiloeng.
Kholiseho ea hore ke "grub.cfg" e kentsoeng e kentsoeng ke karabo e ntle ea ho kenya phasewete / ho notlolla "sdaY" ha u khetha mola "GRUBx2" ho menu ea GRUB.
Ha u sebetsa ho CLI, e le hore u se ke ua ferekana ('me u hlahlobe hore na "set root" tikoloho e fapaneng e sebetsa), etsa lifaele tsa token tse se nang letho, mohlala, karolong e kentsoeng "/shifr_grub", karolong e sa ngolisoang "/noshifr_grub". Ho hlahloba CLI
cat /Tab-TabJoalokaha ho boletsoe ka holimo, sena se ke ke sa thusa khahlanong le ho khoasolla li-module tse kotsi haeba li-module tse joalo li qetella li le ho PC ea hau. Ka mohlala, keylogger e tla khona ho boloka li-keystrokes ho faele le ho e kopanya le lifaele tse ling ho "~/i386" ho fihlela e kopitsoa ke mohlaseli ea nang le phihlelo ea 'mele ho PC.
Mokhoa o bonolo oa ho netefatsa hore ts'ireletso ea signature ea dijithale e sebetsa ka mafolofolo (ha e so hlophisoa bocha), 'me ha ho motho ea kileng a hlasela bootloader, kenya taelo ho CLI
list_trusted
ha re arabela re fumana kopi ea "perskey" ea rona, kapa ha re fumane letho haeba re hlaseloa (o boetse o hloka ho hlahloba "set check_signatures=enforce").
Phoso e kholo ea mohato ona ke ho kenya litaelo ka letsoho. Haeba u eketsa taelo ena ho "grub.cfg" 'me u sireletsa config ka signature ea digital, joale tlhahiso ea pele ea setšoantšo sa senotlolo skrineng e khutšoanyane haholo ka nako,' me u ka 'na ua se ke ua ba le nako ea ho bona tlhahiso ka mor'a ho kenya GRUB2. .
Ha ho na motho ka ho khetheha ea ka etsang tleleime ho: moqapi ho ea hae temana ea 18.2 e phatlalatsa ka molao
"Hlokomela hore leha e na le ts'ireletso ea password ea GRUB, GRUB ka boeona e ke ke ea thibela motho ea nang le phihlello ea 'mele ea mochini ho fetola sebopeho sa mochini oo (mohlala, Coreboot kapa BIOS) ho etsa hore mochini o qale ho tsoa ho sesebelisoa se fapaneng (se laoloang ke bahlaseli). GRUB ke sehokelo se le seng feela sa ketane e sireletsehileng ea boot."
GRUB2 e imetsoe haholo ke mesebetsi e ka fanang ka maikutlo a ts'ireletso ea bohata, 'me tsoelo-pele ea eona e se e fetile MS-DOS mabapi le ts'ebetso, empa ke bootloader feela. Hoa makatsa hore ebe GRUB2 - "hosasane" e ka fetoha OS, le mechini ea bootable ea GNU/Linux bakeng sa eona.
Video e khuts'oane e mabapi le kamoo ke setang ts'ireletso ea signature ea dijithale ea GRUB2 mme ke phatlalalitse ho kenella ha ka ho mosebelisi oa 'nete. (Ke ile ka u tšosa, empa ho e-na le se bontšitsoeng videong, u ka ngola khoutu e se nang kotsi e se nang kotsi/.mod).
Qeto:
1) Thibela encryption ea Windows e bonolo ho e kenya ts'ebetsong, mme ts'ireletso ka password e le 'ngoe e bonolo ho feta ts'ireletso e nang le li-password tse' maloa tse nang le encryption ea GNU / Linux block system, ho bua ka toka: ea morao-rao e iketselitse.
2) Ke ngotse sengoloa e le se loketseng le se qaqileng bonolo Tataiso ea ho encryption ea disk e felletseng VeraCrypt/LUKS ntlong e le 'ngoe mochini, e leng eona e ntle ka ho fetisisa ho RuNet (IMHO). Tataiso ke> litlhaku tse 50k ka nako e telele, kahoo ha ea ka ea akaretsa likhaolo tse ling tse thahasellisang: li-cryptographer tse nyamelang / li bolokang moriting; mabapi le taba ea hore libukeng tse fapaneng tsa GNU / Linux ba ngola hanyane / ha ba ngole ka li-cryptography; mabapi le Article 51 ea Molaotheo oa Russia Federation; O / thibela , mabapi le hore na ke hobane'ng ha u lokela ho ngolisa "motso / boot". Tataiso e ile ea bonahala e le ngata haholo, empa e qaqileng. (e hlalosa le mehato e bonolo), ka lehlakoreng le leng, sena se tla u bolokela nako e ngata ha u fihla ho "encryption ea sebele".
3) Ts'ebeliso e felletseng ea disk e entsoe ho Windows 7 64; GNU/Linux Parrot 4x; GNU/Debian 9.0/9.5.
4) Phethahatso e atlehileng tlhaselo ka ea hau GRUB2 bootloader.
5) Thupelo e bōpiloe ho thusa batho bohle ba paranoid ba CIS, moo ho sebetsa ka encryption ho lumelloang boemong ba molao. 'Me haholo-holo bakeng sa ba batlang ho hlahisa encryption e feletseng ea disk ntle le ho senya mekhoa ea bona e hlophisitsoeng.
6) Ke ntlafalitse le ho ntlafatsa bukana ea ka, e sebetsang ka 2020.
[G] Litokomane tse sebetsang
- (Hlakola 2012 RU)
- /usr/share/doc/cryptsetup(-run) [mohloli oa lehae] (litokomane tse qaqileng tsa semmuso mabapi le ho theha encryption ea GNU/Linux u sebelisa cryptsetup)
- (litokomane tse khutšoane mabapi le ho theha encryption ea GNU/Linux u sebelisa cryptsetup)
- (litokomane tsa archlinux)
- (leqephe la monna oa khale)
- (leqephe la monna oa khale)
- .
Tags: encryption e feletseng ea disk, partition encryption, Linux full disk encryption, LUKS1 full system encryption.
Ke basebelisi ba ngolisitsoeng feela ba ka kenyang letsoho phuputsong. ka kopo.
A na ua ngola?
-
17,1%Ke encrypt sohle seo nka se khonang. Ke tsielehile.14
-
34,2%Ke patala data ea bohlokoa feela.28
-
14,6%Ka nako e 'ngoe kea patala, ka linako tse ling kea lebala.12
-
34,2%Che, ha ke ngotse, ha ho bonolo ebile ho theko e boima.28
Basebelisi ba 82 ba ile ba khetha. Basebelisi ba 22 ba ile ba hana.
Source: www.habr.com