Full disk encryption of installed Windows Linux systems. Encrypted multi-boot

An updated version of my own guide to full disk encryption in RuNet, V0.2.

Cowboy strategy:

[A] Windows 7 system block encryption of the installed system;
[B] GNU/Linux system block encryption (Debian) of the installed system (including /boot);
[C] GRUB2 configuration, bootloader protection with digital signature/authentication/hashing;
[D] cleanup - destruction of unencrypted data;
[E] universal backup of the encrypted OSes;
[F] attack <on item [C6]>, target - the GRUB2 bootloader;
[G] useful documentation.

╭───Scheme #room 40# :
├──╼ Windows 7 installed - full system encryption, not hidden;
├──╼ GNU/Linux installed (Debian and derivative distributions) - full system encryption, not hidden (/, including /boot; swap);
├──╼ independent bootloaders: the VeraCrypt bootloader is installed in the MBR, the GRUB2 bootloader is installed in the extended partition;
├──╼ no OS installation/reinstallation required;
└──╼ cryptographic software used: VeraCrypt; Cryptsetup; GnuPG; Seahorse; Hashdeep; GRUB2 - free/libre.

The scheme above partially solves the problem of "remote boot from a flash drive", and lets you enjoy encrypted Windows/Linux OSes and exchange data through an "encrypted channel" from one OS to the other.

PC boot order (one of the options):

  • powering on the machine;
  • loading the VeraCrypt bootloader (entering the correct password continues booting Windows 7);
  • pressing the "Esc" key loads the GRUB2 bootloader;
  • the GRUB2 bootloader (select distribution/GNU/Linux/CLI) will require authentication of the GRUB2 superuser <login/password>;
  • after successful authentication and selection of the distribution, you will need to enter a passphrase to unlock "/boot/initrd.img";
  • after entering the passwords without errors, GRUB2 will "require" a password entry (the third one; the BIOS password or the GNU/Linux user account password is not counted) to unlock and boot the GNU/Linux OS, or automatic substitution of the secret key (two passwords + key, or password + key);
  • external tampering with the GRUB2 configuration will freeze the GNU/Linux boot process.

Troublesome? Fine, let's go and automate the processes.

When partitioning a hard drive (MBR table), a PC can have no more than 4 primary partitions, or 3 primary and one extended, plus an unallocated area. An extended partition, unlike a primary one, can contain subpartitions (logical drives = extended partition). In other words, the "extended partition" on the HDD replaces LVM for the task at hand: full system encryption. If your disk is split into 4 primary partitions, you need to use LVM, or convert (with formatting) a partition from primary to extended, or use all four partitions wisely and leave everything as it is, obtaining the desired result. Even if you have a single partition on your disk, Gparted will help you partition your HDD (into additional partitions) without data loss, but still with a small penalty for such operations.

The hard drive layout scheme, with reference to which the whole article is narrated, is shown in the table below.

Table (No. 1) of the 1 TB partitions.

You should have something similar.
sda1 - primary partition No. 1, NTFS (encrypted);
sda2 - extended partition marker;
sda6 - logical disk (has the GRUB2 bootloader installed);
sda8 - swap (encrypted swap file / not always);
sda9 - test logical disk;
sda5 - logical disk for the curious;
sda7 - GNU/Linux OS (the OS transferred to the encrypted logical disk);
sda3 - primary partition No. 2 with Windows 7 OS (encrypted);
sda4 - primary partition No. 3 (it contained the unencrypted GNU/Linux, used for backup / not always).

[A] Windows 7 System Block Encryption

A1. VeraCrypt

Download the installation version of the VeraCrypt cryptographic software from the official site or from a mirror (at the time of publication of the article, v1.24-Update3; the portable version of VeraCrypt is not suitable for system encryption). Check the checksum of the downloaded software

$ Certutil -hashfile "C:\VeraCrypt Setup 1.24.exe" SHA256

and compare the result with the checksum posted on the VeraCrypt developer's website.

If the HashTab software is installed, it is even easier: RMB (VeraCrypt Setup 1.24.exe) - Properties - file hash sums.

To verify the program's signature, the software and the developer's public PGP key must be installed in the system: gnuPG; gpg4win.

A2. Installing/running the VeraCrypt software with administrator rights

A3. Selecting the system encryption parameters for the active partition

VeraCrypt – System – Encrypt System Partition/Drive – Normal – Encrypt the Windows system partition – Multi-boot – (warning: "Inexperienced users are not recommended to use this method", and this is true; we agree, "Yes") – Boot drive ("yes", even if it is not so, still "yes") – Number of system drives "2 or more" – Multiple systems on a single drive "Yes" – Non-Windows boot loader "No" (in fact "Yes", but the VeraCrypt/GRUB2 bootloaders will not share the MBR between themselves; more precisely, only the smallest part of the bootloader code is stored in the MBR/boot track, and its main part is located within the file system) – Multi-boot – Encryption settings…

If you deviate from the steps above (the system block encryption scheme), VeraCrypt will issue a warning and will not allow you to encrypt the partition.

At the next step towards targeted data protection, run the "Test" and choose an encryption algorithm. If you have an old CPU, then most likely the fastest encryption algorithm will be Twofish. If the CPU is powerful, you will notice the difference: AES encryption, according to the test results, will be several times faster than its crypto competitors. AES is a popular encryption algorithm; the hardware of modern CPUs is specially optimized both for "secrecy" and for "hacking".

VeraCrypt supports encrypting disks in an AES(Twofish) cascade and other combinations. On an old Intel CPU core from ten years ago (without hardware AES support, A/T cascade encryption) the drop in performance is essentially imperceptible (for AMD CPUs of the same era/~parameters, performance is slightly reduced). The OS works dynamically and the resource consumption of transparent encryption is not noticeable. In contrast, for example, there is a noticeable drop in performance because of the installed unstable desktop environment Mate v1.20.1 (or v1.20.2, I don't remember exactly) in GNU/Linux, or because of the telemetry routine running in Windows7↑. Usually, experienced users run hardware performance tests before encryption, for example in Aida64/Sysbench/systemd-analyze blame, and compare them with the results of the same tests after encrypting the system, thereby refuting for themselves the myth that "system encryption is harmful". Machine slowdown and inconvenience are noticeable when backing up/restoring encrypted data, because the "system data backup" operation itself is not measured in ms, and those same <decrypt/encrypt on the fly> operations are added on top. Ultimately, each user who is allowed to tinker with cryptography balances the encryption algorithm against the satisfaction of the tasks at hand, their level of paranoia, and ease of use.

It is better to leave the PIM parameter at its default, so that when booting the OS you do not have to enter exact iteration values each time. VeraCrypt uses a huge number of iterations to create a truly "slow hash". An attack on such a "crypto snail" using the brute force/rainbow tables method makes sense only with a short "simple" passphrase and the victim's personal charset list. The price to pay for password strength is a delay when entering the correct password while booting the OS (mounting VeraCrypt volumes in GNU/Linux is significantly faster).
Free software for implementing brute-force attacks (extracting the passphrase from the VeraCrypt/LUKS disk header): Hashcat. John the Ripper does not know how to "break VeraCrypt", and when working with LUKS it does not understand Twofish cryptography.

Because of the cryptographic strength of the encryption algorithms, unstoppable cypherpunks develop software with a different attack vector, for example extracting metadata/keys from RAM (cold boot / direct memory access attack). There is specialized free and non-free software for these purposes.

After finishing the setup/generation of the "unique metadata" of the encrypted active partition, VeraCrypt will offer to reboot the PC and test the operation of its bootloader. After rebooting/starting Windows, VeraCrypt will load in standby mode; all that remains is to confirm the encryption process: Y.

At the final step of system encryption, VeraCrypt will offer to create a backup copy of the header of the active encrypted partition in the form of "veracrypt rescue disk.iso". This must be done: in this software such an operation is a requirement (in LUKS, as a requirement, this is unfortunately omitted, but it is emphasized in the documentation). The rescue disk will come in handy for everyone, and for some more than once. Loss (header/MBR overwrite) of the header backup copy will permanently deny access to the decrypted partition with Windows OS.

A4. Creating a VeraCrypt rescue USB/disk

By default, VeraCrypt offers to burn "~2-3 MB of metadata" to a CD, but not everyone has discs or DVD-ROM drives, and creating a bootable flash drive "VeraCrypt Rescue disk" will be a technical surprise for some: Rufus/GUIdd-ROSA ImageWriter and other similar software will not be able to cope with the task, because in addition to copying the offset metadata to a bootable flash drive, you need to copy/paste the image outside the file system of the USB drive; in short, correctly copy the MBR/road to the keychain. You can create a bootable flash drive from GNU/Linux OS using the "dd" utility, looking at this table.

Creating a rescue disk in a Windows environment is different. The VeraCrypt developer did not include a solution to this problem in the official documentation on the "rescue disk", but offered a solution in a different way: he posted additional software for creating a "usb rescue disk" for free access on his VeraCrypt forum. The archive of this software for Windows is "create usb veracrypt rescue disk". After saving the rescue disk.iso, the process of block system encryption of the active partition will begin. During encryption, the OS does not stop working; a PC restart is not required. On completion of the encryption operation, the active partition becomes fully encrypted and can be used. If the VeraCrypt bootloader does not appear when you start the PC, and the header recovery operation does not help, then check the "boot" flag; it must be set on the partition where Windows resides (regardless of encryption and other OSes, see table No. 1).
This completes the description of block system encryption with Windows OS.

[B] LUKS. GNU/Linux encryption (~Debian) of the installed OS. Algorithm and Steps

To encrypt an installed Debian/derivative distribution, you need to map the prepared partition to a virtual block device, transfer GNU/Linux to the mapped disk, and install/configure GRUB2. If you do not have a bare-metal server and you value your time, then you should use the GUI; most of the terminal commands described below are meant to be run in "Chuck Norris mode".

B1. Booting the PC from a live USB GNU/Linux

"Run a crypto test of hardware performance"

lscpu && cryptsetup benchmark

If you are the happy owner of a powerful machine with hardware AES support, then the numbers will look like the right side of the terminal;

B2. Disk partitioning. Mounting/formatting the fs of the HDD logical disk to Ext4 (Gparted)

B2.1. Creating the encrypted sda7 partition header

I will describe the partition names, here and below, according to my partition table posted above. According to your disk layout, you must substitute your own partition names.

Logical drive encryption mapping (/dev/sda7 > /dev/mapper/sda7_crypt).
#Simple creation of a "LUKS-AES-XTS" partition

cryptsetup -v -y luksFormat /dev/sda7

Options:

* luksFormat - initialization of the LUKS header;
* -y - passphrase (not a key/file);
* -v - verbose (display information in the terminal);
* /dev/sda7 - your logical disk from the extended partition (where it is planned to transfer/encrypt GNU/Linux).

Default encryption algorithm <LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom> (depends on the cryptsetup version).

#Check the default encryption algorithm
cryptsetup --help #the very last line of the terminal output.

If there is no hardware AES support in the CPU, the best choice is to create an extended "LUKS-Twofish-XTS partition".

B2.2. Advanced creation of a "LUKS-Twofish-XTS partition"

cryptsetup luksFormat /dev/sda7 -v -y -c twofish-xts-plain64 -s 512 -h sha512 -i 1500 --use-urandom

Options:
* luksFormat - initialization of the LUKS header;
* /dev/sda7 - your future encrypted logical disk;
* -v - verbose;
* -y - passphrase;
* -c - select the data encryption algorithm;
* -s - encryption key size;
* -h - hashing algorithm/crypto function; the RNG is used (--use-urandom) to generate a unique encryption/decryption key for the logical disk header and a secondary header key (XTS); a unique master key stored in the encrypted disk header, a secondary XTS key, all this metadata and an encryption routine that, using the master key and the secondary XTS key, encrypts/decrypts any data on the partition (except the partition header) are stored in ~3 MB on the selected hard disk partition.
* -i - iterations in milliseconds, instead of "amount" (the time delay when processing the passphrase affects OS loading and the cryptographic strength of the keys). To keep a balance of cryptographic strength, with a simple password like "Russian" you need to increase the -(i) value; with a complex password like "?8dƱob/øfh" the value can be reduced.
* --use-urandom - random number generator, generates keys and salt.

After mapping the partition sda7 > sda7_crypt (the operation is fast, since the encrypted header is created with ~3 MB of metadata and that is all), you need to format and mount the sda7_crypt file system.

B2.3. Mapping

cryptsetup open /dev/sda7 sda7_crypt
#running this command prompts for the secret passphrase.

Options:
* open - map the partition "with a name";
* /dev/sda7 - logical disk;
* sda7_crypt - the name mapping that is used to mount the encrypted partition or to initialize it when the OS boots.

B2.4. Formatting the sda7_crypt file system to ext4. Mounting the disk in the OS

(Note: you will no longer be able to work with an encrypted partition in Gparted)

#formatting the encrypted block device
mkfs.ext4 -v -L DebSHIFR /dev/mapper/sda7_crypt

Options:
* -v - verbose;
* -L - drive label (shown in Explorer among other drives).

Next, you need to mount the encrypted block device /dev/mapper/sda7_crypt into the system

mount /dev/mapper/sda7_crypt /mnt

Working with files in the /mnt folder will automatically encrypt/decrypt data on sda7.

It is more convenient to map and mount the partition in Explorer (nautilus/caja GUI): the partition will already be in the disk selection list, and all that remains is to enter the passphrase to open/decrypt the disk. The mapped name will be chosen automatically, and it will not be "sda7_crypt" but something like /dev/mapper/Luks-xx-xx...

B2.5. Disk header backup (~3 MB of metadata)

One of the most important operations, which must be done without delay, is a backup copy of the "sda7_crypt" header. If you overwrite/damage the header (for example, by installing GRUB2 on the sda7 partition, etc.), the encrypted data will be lost irrevocably without any possibility of restoring it, because it will be impossible to regenerate the same keys.

#Partition header backup
cryptsetup luksHeaderBackup --header-backup-file ~/Бэкап_DebSHIFR /dev/sda7

#Partition header restore
cryptsetup luksHeaderRestore --header-backup-file <file> <device>

Options:
* luksHeaderBackup --header-backup-file - backup command;
* luksHeaderRestore --header-backup-file - restore command;
* ~/Бэкап_DebSHIFR - the backup file;
* /dev/sda7 - the partition whose encrypted disk header backup copy is to be saved.
At this step <creating and editing the encrypted partition> is complete.

B3. Transferring the GNU/Linux OS (sda4) to the encrypted partition (sda7)

Create the folder /mnt2 (Note: we are still working from the live USB, sda7_crypt is mounted at /mnt), and mount at /mnt2 our GNU/Linux, which needs to be encrypted.

mkdir /mnt2
mount /dev/sda4 /mnt2

We perform a correct OS transfer using the Rsync software

rsync -avlxhHX --progress /mnt2/ /mnt

The Rsync options are described in paragraph E1.

Next, it is necessary to defragment the logical disk partition

e4defrag -c /mnt/ #after the check, e4defrag will report that the partition's fragmentation degree is ~"0"; this is a delusion that can cost you a significant loss of performance!
e4defrag /mnt/ #defragment the encrypted GNU/Linux

Make it a rule: run e4defrag on the encrypted GNU/Linux from time to time if you have an HDD.
The transfer and synchronization [GNU/Linux > GNU/Linux-encrypted] is complete at this step.

B4. Setting up GNU/Linux on the encrypted sda7 partition

After successfully transferring the OS /dev/sda4 > /dev/sda7, you need to log into GNU/Linux on the encrypted partition and carry out further configuration (without rebooting the PC) relative to the encrypted system. That is, stay in the live USB, but run commands "relative to the root of the encrypted OS". "chroot" will simulate such a situation. To quickly get information about which OS you are currently working with (encrypted or not, since the data in sda4 and sda7 are synchronized), desynchronize the OSes. Create empty marker files in the root directories (sda4/sda7_crypt), for example /mnt/encryptedOS and /mnt2/decryptedOS. Quickly check which OS you are in (including for the future):

ls /<Tab-Tab>

B4.1. "Simulating login to the encrypted OS"

mount --bind /dev /mnt/dev
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
chroot /mnt

B4.2. Verifying that the work is being done against the encrypted system

ls /mnt<Tab-Tab>
#and we see the file "/encryptedOS"

history
#the su command history of the working OS should appear in the terminal output.

B4.3. Creating/configuring encrypted swap, editing crypttab/fstab

Since the swap file is formatted every time the OS boots, there is no point in creating and mapping swap to a logical disk now and typing commands as in paragraph B2.2. For swap, its temporary encryption keys are generated automatically at each start. Life cycle of the swap keys: unmounting/disconnecting the swap partition (+clearing RAM), or restarting the OS. To set up swap, open the file responsible for the configuration of encrypted block devices (analogous to the fstab file, but responsible for crypto).

nano /etc/crypttab

we edit

#"target name" "source device" "key file" "options"
swap /dev/sda8 /dev/urandom swap,cipher=twofish-xts-plain64,size=512,hash=sha512

Options
* swap - the mapped name when encrypting, /dev/mapper/swap.
* /dev/sda8 - use your logical partition for swap.
* /dev/urandom - generator of random encryption keys for swap (with each new OS boot, new keys are created). The /dev/urandom generator is less random than /dev/random; after all, /dev/random is used when working in dangerous paranoid circumstances. When booting the OS, /dev/random slows down loading by several ± minutes (see systemd-analyze).
* swap,cipher=twofish-xts-plain64,size=512,hash=sha512: the partition knows that it is swap and is formatted "accordingly"; encryption algorithm.

#Open and edit fstab
nano /etc/fstab

we edit

# swap was on /dev/sda8 during installation
/dev/mapper/swap none swap sw 0 0

/dev/mapper/swap is the name that was set in crypttab.

Encrypted swap
If for some reason you do not want to give up a whole partition for the swap file, you can take an alternative and better way: creating a swap file in a file on the encrypted partition with the OS.

fallocate -l 3G /swap #create a 3 GB file (an almost instantaneous operation)
chmod 600 /swap #set permissions
mkswap /swap #make a swap file out of the file
swapon /swap #enable our swap
free -m #check that the swap file is activated and working
printf "/swap none swap sw 0 0\n" >> /etc/fstab #if needed, swap will be permanent after a reboot

Configuration of the swap partition is complete.

B4.4. Setting up the encrypted GNU/Linux (editing the crypttab/fstab files)

The /etc/crypttab file, as written above, describes the encrypted block devices that are configured during system boot.

#edit /etc/crypttab
nano /etc/crypttab

if you mapped the partition sda7>sda7_crypt as in paragraph B2.1

# "target name" "source device" "key file" "options"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 none luks

if you mapped the partition sda7>sda7_crypt as in paragraph B2.2

# "target name" "source device" "key file" "options"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 none cipher=twofish-xts-plain64,size=512,hash=sha512

if you mapped the sda7>sda7_crypt partition as in paragraph B2.1 or B2.2, but do not want to re-enter the password to unlock and boot the OS, then instead of the password you can substitute a secret key/random file

# "target name" "source device" "key file" "options"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 /etc/skey luks

Description
* none - indicates that when booting the OS, entering the secret passphrase is required to unlock the root.
* UUID - partition identifier. To find out your identifier, type in the terminal (a reminder that from this point on you are working in the terminal in the chroot environment, and not in another terminal of the live USB).

fdisk -l #check all partitions
blkid #there should be something like this

/dev/sda7: UUID="81048598-5bb9-4a53-af92-f3f9e709e2f2" TYPE="crypto_LUKS" PARTUUID="0332d73c-07"
/dev/mapper/sda7_crypt: LABEL="DebSHIFR" UUID="382111a2-f993-403c-aa2e-292b5eac4780" TYPE="ext4"

(this line is visible when requesting blkid from the live USB terminal with sda7_crypt mounted).
You take the UUID from your sdaX (not sdaX_crypt!; the UUID of sdaX_crypt will be taken care of automatically when generating the grub.cfg config).
* cipher=twofish-xts-plain64,size=512,hash=sha512 - LUKS encryption in advanced mode.
* /etc/skey - the secret key file, which is substituted automatically to unlock the OS boot (instead of entering the 3rd password). You can specify any file up to 8 MB, but the data read will be <1 MB.

#Creating ("generating") a random <secret key> file of 691 bytes.
head -c 691 /dev/urandom > /etc/skey

#Adding the secret key (691 bytes) to slot 7 of the LUKS header
cryptsetup luksAddKey --key-slot 7 /dev/sda7 /etc/skey

#Checking the slots ("passwords/keys of the LUKS partition")
cryptsetup luksDump /dev/sda7

It will look like this:

(do it yourself and see for yourself).

cryptsetup luksKillSlot /dev/sda7 7 #removing the key/password from slot 7

/etc/fstab contains descriptive information about the various file systems.

#Edit /etc/fstab
nano /etc/fstab

# "file system" "mount point" "type" "options" "dump" "pass"
# / was on /dev/sda7 during installation
/dev/mapper/sda7_crypt / ext4 errors=remount-ro 0 1

Option
* /dev/mapper/sda7_crypt - the name of the sda7>sda7_crypt mapping, which is specified in the /etc/crypttab file.
The crypttab/fstab configuration is complete.

B4.5. Editing the configuration files. The key moment

B4.5.1. Editing the config /etc/initramfs-tools/conf.d/resume

#If you previously had a swap partition activated, disable it.
nano /etc/initramfs-tools/conf.d/resume

and comment out with "#" the "resume" line (if present). The file must be completely empty.

B4.5.2. Editing the config /etc/initramfs-tools/conf.d/cryptsetup

nano /etc/initramfs-tools/conf.d/cryptsetup

it must match

# /etc/initramfs-tools/conf.d/cryptsetup
CRYPTSETUP=yes
export CRYPTSETUP

B4.5.3. Editing the /etc/default/grub config (this config is responsible for the ability to generate grub.cfg when working with an encrypted /boot)

nano /etc/default/grub

add the line "GRUB_ENABLE_CRYPTODISK=y"
with the value 'y', grub-mkconfig and grub-install will check for encrypted drives and generate the additional commands needed to access them at boot time (insmods).
it should look something like this

GRUB_DEFAULT=0
GRUB_TIMEOUT=1
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="acpi_backlight=vendor"
GRUB_CMDLINE_LINUX="quiet splash noautomount"
GRUB_ENABLE_CRYPTODISK=y

B4.5.4. Editing the config /etc/cryptsetup-initramfs/conf-hook

nano /etc/cryptsetup-initramfs/conf-hook

check that the line is commented out <#>.
In the future (and even now, this parameter will not have any meaning, but sometimes it interferes with updating the initrd.img image).

B4.5.5. Editing the config /etc/cryptsetup-initramfs/conf-hook

nano /etc/cryptsetup-initramfs/conf-hook

add

KEYFILE_PATTERN="/etc/skey"
UMASK=0077

This will pack the secret key "skey" into initrd.img; the key is needed to unlock the root when the OS boots (if you do not want to enter the password again, the "skey" key is substituted automatically).

B4.6. Update /boot/initrd.img [version]

To pack the secret key into initrd.img and apply the cryptsetup fixes, update the image

update-initramfs -u -k all

when updating initrd.img (as they say, "It's possible, but not certain") warnings related to cryptsetup will appear, or, for example, a notification about the loss of Nvidia modules; this is normal. After updating the file, check that it has really been updated by looking at the time (relative to the chroot environment, ./boot/initrd.img). Attention! Before [update-initramfs -u -k all] be sure to check that the name in cryptsetup open /dev/sda7 sda7_crypt is the name that appears in /etc/crypttab, otherwise after the reboot there will be a busybox error.
At this step, setting up the configuration files is complete.

[C] Installing and configuring GRUB2 / Protection

C1. If necessary, format the dedicated partition for the bootloader (the partition needs at least 20 MB)

mkfs.ext4 -v -L GRUB2 /dev/sda6

C2. Mounting /dev/sda6 to /mnt

So we are working in chroot, hence there will be no /mnt2 directory in the root, and the /mnt folder will be empty.
mount the GRUB2 partition

mount /dev/sda6 /mnt

If you have an old version of GRUB2 installed, and the /mnt/boot/grub/i386-pc directory (another platform is possible, for example, not "i386-pc") has no crypto modules (in short, the directory should contain modules, including these .mod: cryptodisk; luks; gcry_twofish; gcry_sha512; signature_test.mod), then GRUB2 needs to be shaken up.

apt-get update
apt-get install grub2 

Important! When updating the GRUB2 package from the repository, when asked "about choosing" where to install the bootloader, you must refuse the installation (reason: an attempt to install GRUB2 in the "MBR" or on the live USB). Otherwise you will damage the VeraCrypt header/loader. After updating the GRUB2 packages and cancelling the installation, the bootloader must be installed manually on the logical disk, and not in the MBR. If your repository has an outdated version of GRUB2, try updating it from the official website; not checked (worked with the latest GRUB 2.02 ~BetaX bootloaders).

C3. Installing GRUB2 into the extended partition [sda6]

You must have the partition mounted [item C.2]

grub-install --force --root-directory=/mnt /dev/sda6

Options
* --force - install the bootloader, bypassing all the warnings that almost always exist and block the installation (required flag).
* --root-directory - install the directory into the root of sda6.
* /dev/sda6 - your sdaX partition (do not miss the <space> between /mnt /dev/sda6).

C4. Creating the configuration file [grub.cfg]

Forget about the "update-grub2" command, and use the full config file generation command

grub-mkconfig -o /mnt/boot/grub/grub.cfg

after the generation/update of the grub.cfg file is complete, the terminal output should contain line(s) with the OSes found on the disk ("grub-mkconfig" will probably find and pick up the OS from the live USB; if you have a multiboot flash drive with Windows 10 and a bunch of live distributions, this is normal). If the terminal is "empty" and the "grub.cfg" file is not generated, then this is the same case as when there are GRUB bugs in the system (and most likely a loader from the test branch of the repository); reinstall GRUB2 from trusted sources.
The "simple configuration" installation and GRUB2 setup is complete.
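A pre-reboot check for the files edited in B4.3 to B4.5 and the module list from C2, as an added example (not part of the original guide). The function names check_crypt_boot and make_sample_root are hypothetical, the sample tree is constructed, and KEYFILE_PATTERN is compared as an exact path rather than as a glob.

```sh
#!/bin/sh
# Added example: consistency check to run before the reboot in C5.
# Usage: check_crypt_boot ROOT GRUB_MODULE_DIR
#   ROOT            root of the encrypted OS ("/" inside the chroot)
#   GRUB_MODULE_DIR module directory on the mounted sda6, e.g. /mnt/boot/grub/i386-pc
# Prints one "FAIL: ..." line per problem; returns 0 only when there are none.
check_crypt_boot() {
    root=${1%/}; grubmods=$2; fails=0
    crypttab="$root/etc/crypttab"; fstab="$root/etc/fstab"
    hook="$root/etc/cryptsetup-initramfs/conf-hook"
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

    [ -f "$crypttab" ] || { fail "missing $crypttab"; return 1; }
    [ -f "$fstab" ] || { fail "missing $fstab"; return 1; }

    # 1. Every /dev/mapper/NAME mounted from fstab needs a crypttab target NAME
    #    (the name mismatch that B4.6 warns ends in a busybox error).
    for name in $(awk '$1 ~ /^\/dev\/mapper\// { sub("^/dev/mapper/", "", $1); print $1 }' "$fstab"); do
        awk -v n="$name" '$1 == n { ok = 1 } END { exit !ok }' "$crypttab" ||
            fail "fstab mounts /dev/mapper/$name but crypttab has no target '$name'"
    done

    # 2. A key file named in crypttab (B4.4) must exist, be private, and be
    #    named in conf-hook (B4.5.5) together with UMASK=0077.
    pattern=$(sed -n 's/^KEYFILE_PATTERN=//p' "$hook" 2>/dev/null | tr -d "\"'")
    for key in $(awk '$1 !~ /^#/ && NF >= 3 && $3 != "none" && $3 !~ /^\/dev\// { print $3 }' "$crypttab"); do
        if [ ! -f "$root$key" ]; then fail "key file $key does not exist"; continue; fi
        [ "$(ls -ld "$root$key" | cut -c5-10)" = "------" ] ||
            fail "key file $key is accessible to group/others (chmod 600)"
        [ "$pattern" = "$key" ] || fail "conf-hook KEYFILE_PATTERN does not name $key"
        grep -q '^UMASK=0077$' "$hook" 2>/dev/null || fail "conf-hook lacks UMASK=0077"
    done

    # 3. GRUB must be told to open encrypted disks (B4.5.3) and must have the
    #    crypto modules listed in C2.
    grep -q '^GRUB_ENABLE_CRYPTODISK=y$' "$root/etc/default/grub" 2>/dev/null ||
        fail "GRUB_ENABLE_CRYPTODISK=y is not set in /etc/default/grub"
    for m in cryptodisk luks gcry_twofish gcry_sha512 signature_test; do
        [ -f "$grubmods/$m.mod" ] || fail "GRUB module $m.mod not found in $grubmods"
    done
    [ "$fails" -eq 0 ]
}

# Constructed sample tree mirroring the guide's settings (not real system files).
make_sample_root() {
    r=$1
    mkdir -p "$r/etc/cryptsetup-initramfs" "$r/etc/default" "$r/grub"
    printf '%s\n' 'sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 /etc/skey luks' \
        'swap /dev/sda8 /dev/urandom swap,cipher=twofish-xts-plain64,size=512,hash=sha512' \
        > "$r/etc/crypttab"
    printf '%s\n' '# / was on /dev/sda7 during installation' \
        '/dev/mapper/sda7_crypt / ext4 errors=remount-ro 0 1' \
        '/dev/mapper/swap none swap sw 0 0' > "$r/etc/fstab"
    printf '%s\n' 'KEYFILE_PATTERN="/etc/skey"' 'UMASK=0077' \
        > "$r/etc/cryptsetup-initramfs/conf-hook"
    printf '%s\n' 'GRUB_ENABLE_CRYPTODISK=y' > "$r/etc/default/grub"
    printf 'constructed key material\n' > "$r/etc/skey"; chmod 600 "$r/etc/skey"
    for m in cryptodisk luks gcry_twofish gcry_sha512 signature_test; do
        : > "$r/grub/$m.mod"
    done
}

# Demo on the constructed tree: first consistent, then with a mistyped target name.
demo=$(mktemp -d)
make_sample_root "$demo"
check_crypt_boot "$demo" "$demo/grub" && echo "sample tree: OK"
sed 's/^sda7_crypt /sda7_cript /' "$demo/etc/crypttab" > "$demo/ct" && mv "$demo/ct" "$demo/etc/crypttab"
check_crypt_boot "$demo" "$demo/grub" || echo "fix the FAIL lines before rebooting"
rm -rf "$demo"
```

Inside the chroot, with sda6 mounted as in C2, the call would be check_crypt_boot / /mnt/boot/grub/i386-pc.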

C5. Proof-test of the encrypted GNU/Linux OS

We finish the crypto mission properly. Carefully leave the encrypted GNU/Linux (exit the chroot environment).

umount -a #unmount all mounted partitions of the encrypted GNU/Linux
Ctrl+d #exit the chroot environment
umount /mnt/dev
umount /mnt/proc
umount /mnt/sys
umount -a #unmount all partitions mounted on the live usb
reboot

After the PC reboots, the VeraCrypt bootloader should load.

* Entering the password for the active partition will start loading Windows.
* Pressing the "Esc" key will pass control to GRUB2; if you select the encrypted GNU/Linux, a password (sda7_crypt) will be required to unlock /boot/initrd.img (if grub2 reports uuid "not found", this is a problem with the grub2 bootloader and it should be reinstalled, for example from the test branch/stable, etc.).

* Depending on how you configured the system (see section B4.4/4.5), after entering the correct password to unlock the /boot/initrd.img image, you will either need a password to load the OS kernel/root, or the secret key "skey" will be substituted automatically, removing the need to re-enter the passphrase.
(screenshot: "automatic substitution of the secret key").

* Next comes the familiar GNU/Linux boot process with user account authentication.

* After user authorization and logging into the OS, you need to update /boot/initrd.img again (see B4.6).

update-initramfs -u -k all

And if there are extra lines in the GRUB2 menu (from the OSes picked up from the live usb), get rid of them

mount /dev/sda6 /mnt
grub-mkconfig -o /mnt/boot/grub/grub.cfg

A quick summary of GNU/Linux system encryption:

  • GNU/Linux is fully encrypted, including /boot/kernel and initrd;
  • the secret key is packed into initrd.img;
  • the current authorization scheme (entering a password to unlock initrd; a password/key to boot the OS; a password to authorize the Linux account).

The "simple GRUB2 configuration" system encryption of the block partition is complete.

C6. Advanced GRUB2 configuration. Bootloader protection with a digital signature + authentication protection

GNU/Linux is completely encrypted, but the bootloader cannot be encrypted; this condition is dictated by the BIOS. For this reason, a chained encrypted boot of GRUB2 is not possible, while a simple chained boot is possible/available but, from a security point of view, not necessary [see section F].
For the "vulnerable" GRUB2, the developers implemented a "signature/authentication" algorithm to protect the bootloader.

  • When the bootloader is protected by "its own digital signature", external modification of files, or an attempt to load additional modules into this bootloader, will cause the boot process to be blocked.
  • When the bootloader is protected by authentication, in order to choose a distribution to boot, or to enter additional commands in the CLI, you will have to enter the login and password of the GRUB2 superuser.

C6.1. Bootloader authentication protection

Check that you are working in a terminal in the encrypted OS

ls /<Tab-Tab> #find the marker file

create a superuser password for authorization in GRUB2

grub-mkpasswd-pbkdf2 #enter/repeat the superuser password.

Get the password hash. Something like this

grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8

mount the GRUB partition

mount /dev/sda6 /mnt 

edit the config

nano -$ /mnt/boot/grub/grub.cfg 

search the file to check that there are no "--unrestricted" or "--user" flags anywhere in "grub.cfg",
then add at the very end (before the line ### END /etc/grub.d/41_custom ###)
"set superusers="root"
password_pbkdf2 root hash."

It should look something like this

# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f  ${config_directory}/custom.cfg ]; then
  source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
  source $prefix/custom.cfg;
fi
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
### END /etc/grub.d/41_custom ###
#

If you often use the command "grub-mkconfig -o /mnt/boot/grub/grub.cfg" and do not want to edit grub.cfg every time, put the lines above (Login:Password) into the GRUB user script, at the very bottom

nano /etc/grub.d/41_custom 

cat << EOF
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
EOF

When the config is generated with "grub-mkconfig -o /mnt/boot/grub/grub.cfg", the lines responsible for authentication will be added to grub.cfg automatically.
This step completes the GRUB2 authentication setup.
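
The checks from C6.1 can be run against a generated grub.cfg before rebooting. This is an added example, not code from the original guide; the names audit_grub_auth, constructed_sample_cfg and AUDIT_FINDINGS are illustrative, the sample config is constructed, and the per-entry flag is matched in GRUB's own spelling, --users.

```shell
#!/bin/sh
# Added example: static audit of a grub.cfg for the C6.1 authentication setup.
# Usage: sh audit.sh /mnt/boot/grub/grub.cfg     (or: sh audit.sh demo)

# audit_grub_auth FILE
# Prints one line per problem, stores the count in AUDIT_FINDINGS and
# returns 0 only when the file is clean.
audit_grub_auth() {
    cfg=$1
    AUDIT_FINDINGS=0

    # A later "set superusers=" overrides an earlier one, so audit the last.
    supers=$(sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}superusers="\{0,1\}\([^"]*\).*/\1/p' "$cfg" | tail -n 1)
    if [ -z "$supers" ]; then
        echo "FINDING: no 'set superusers=' line, menu and CLI are not locked"
        AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
    fi

    # Every superuser needs a hash in the grub-mkpasswd-pbkdf2 output format.
    for u in $(printf '%s' "$supers" | tr ',;&|' '    '); do
        if ! grep -Eq "^[[:space:]]*password_pbkdf2[[:space:]]+$u[[:space:]]+grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+[[:space:]]*\$" "$cfg"; then
            echo "FINDING: superuser '$u' has no password_pbkdf2 line"
            AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
        fi
    done

    # A plain "password user secret" line stores the secret in clear text
    # on the unencrypted GRUB partition.
    n=$(grep -Ec '^[[:space:]]*password[[:space:]]' "$cfg" || true)
    if [ "$n" -gt 0 ]; then
        echo "FINDING: $n clear-text password line(s):"
        grep -En '^[[:space:]]*password[[:space:]]' "$cfg"
        AUDIT_FINDINGS=$((AUDIT_FINDINGS + n))
    fi

    # Menu entries carrying these flags are exempt from the superuser prompt
    # or delegated to other users.
    flagged='^[[:space:]]*(menuentry|submenu)[[:space:]].*--(unrestricted|users?)([[:space:]]|$)'
    n=$(grep -Ec "$flagged" "$cfg" || true)
    if [ "$n" -gt 0 ]; then
        echo "FINDING: $n menu entr(y/ies) bypass or delegate authentication:"
        grep -En "$flagged" "$cfg"
        AUDIT_FINDINGS=$((AUDIT_FINDINGS + n))
    fi

    [ "$AUDIT_FINDINGS" -eq 0 ]
}

# Constructed sample: a superuser without a hash and two exempted entries.
constructed_sample_cfg() {
    cat << 'EOF'
set superusers="root"
menuentry 'Debian' --class gnu-linux --unrestricted {
}
menuentry 'Rescue' --users "" {
}
EOF
}

case "${1:-}" in
    "")   ;;
    demo) t=$(mktemp); constructed_sample_cfg > "$t"
          audit_grub_auth "$t" || echo "findings: $AUDIT_FINDINGS"
          rm -f "$t" ;;
    *)    audit_grub_auth "$1" || echo "findings: $AUDIT_FINDINGS" ;;
esac
```
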

C6.2. Bootloader protection with a digital signature

It is assumed that you already have your personal pgp encryption key (or will create one). The system must have cryptographic software installed: gnuPG; kleopatra/GPA; Seahorse. Crypto software will make your life much easier in all such matters. Seahorse: the stable version of the package is 3.14.0 (higher versions, for example V3.20, are defective and have significant bugs).

The PGP key must be generated/launched/added only in the su environment!

Generate a personal encryption key

gpg --gen-key

Export your key

gpg --export -o ~/perskey

Mount the logical disk in the OS if it is not already mounted

mount /dev/sda6 /mnt #sda6 is the GRUB2 partition

clean the GRUB2 partition

rm -rf /mnt/

Install GRUB2 to sda6, placing your personal key into the main GRUB image "core.img"

grub-install --force --modules="gcry_sha256 gcry_sha512 signature_test gcry_dsa gcry_rsa" -k ~/perskey --root-directory=/mnt /dev/sda6

options
* --force - install the bootloader, bypassing all the warnings that are always present (required flag).
* --modules="gcry_sha256 gcry_sha512 signature_test gcry_dsa gcry_rsa" - instructs GRUB2 to preload the necessary modules when the PC starts.
* -k ~/perskey - path to the "PGP key" (after the key has been packed into the image, it can be deleted).
* --root-directory - sets the boot directory to the root of sda6
* /dev/sda6 - your sdaX partition.

Generate/update grub.cfg

grub-mkconfig  -o /mnt/boot/grub/grub.cfg

Add the line "trust /boot/grub/perskey" to the end of the "grub.cfg" file (forced use of the pgp key). Since we installed GRUB2 with a set of modules, including the signature module "signature_test.mod", this removes the need to add commands such as "set check_signatures=enforce" to the config.

It should look something like this (the final lines of the grub.cfg file)

### BEGIN /etc/grub.d/41_custom ###
if [ -f  ${config_directory}/custom.cfg ]; then
  source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
  source $prefix/custom.cfg;
fi
trust /boot/grub/perskey
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
### END /etc/grub.d/41_custom ###
#

The path "/boot/grub/perskey" does not need to point to a specific disk partition, for example hd0,6; for the bootloader itself, "root" is the default path of the partition on which GRUB2 is installed (see set root=..).

Signing GRUB2 (all files in all /GRUB directories) with your "perskey" key.
A simple way to sign (for the nautilus/caja file manager): install the "seahorse" extension for the file manager from the repository. Your key must be added to the su environment.
Open the file manager with sudo, go to "/mnt/boot", right-click, sign. On screen it looks like this


The key itself, "/mnt/boot/grub/perskey" (copy it into the grub directory), must also be signed with your own signature. Check that the [*.sig] file signatures have appeared in the directory/subdirectories.
Using the method described above, sign "/boot" (our kernel, initrd). If your time is worth anything, this method removes the need to write a bash script for signing "a lot of files."

To remove all bootloader signatures (if something went wrong)

rm -f $(find /mnt/boot/grub -type f -name '*.sig')

To avoid having to re-sign the bootloader after a system update, we put all update packages related to GRUB2 on hold.

apt-mark hold grub-common grub-pc grub-pc-bin grub2 grub2-common

At this step, the advanced GRUB2 configuration <protect the bootloader with a digital signature> is complete.
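
The "check that the [*.sig] signatures have appeared" step can be made mechanical before rebooting. This is an added example, not part of the original guide; the function names are illustrative, the sample tree is constructed with empty placeholder signatures, and sign_tree and verify_tree assume gpg is installed with your key in the current (su) keyring.

```shell
#!/bin/sh
# Added example: signature coverage check for a GRUB2 tree signed as in C6.2.
# Usage: sh sigcheck.sh check /mnt/boot      sh sigcheck.sh sign /mnt/boot KEYID

# sign_tree DIR KEYID: create a detached FILE.sig for every file lacking one.
sign_tree() {
    find "$1" -type f ! -name '*.sig' | sort | while IFS= read -r f; do
        [ -f "$f.sig" ] || gpg --yes -u "$2" --detach-sign "$f" < /dev/null
    done
}

# unsigned_files DIR: files with no FILE.sig beside them. With signature
# checking active, GRUB2 refuses to load any of these.
unsigned_files() {
    find "$1" -type f ! -name '*.sig' | sort | while IFS= read -r f; do
        [ -f "$f.sig" ] || printf '%s\n' "$f"
    done
}

# orphan_sigs DIR: signatures whose file is gone (renamed or deleted).
orphan_sigs() {
    find "$1" -type f -name '*.sig' | sort | while IFS= read -r s; do
        [ -f "${s%.sig}" ] || printf '%s\n' "$s"
    done
}

# verify_tree DIR: files whose signature does not verify, for example
# because the file was edited after signing.
verify_tree() {
    find "$1" -type f -name '*.sig' | sort | while IFS= read -r s; do
        [ -f "${s%.sig}" ] || continue
        gpg --verify "$s" "${s%.sig}" > /dev/null 2>&1 < /dev/null ||
            printf '%s\n' "${s%.sig}"
    done
}

# Constructed sample tree: one unsigned module and one orphaned signature.
# The .sig files are empty placeholders, not real signatures.
build_constructed_boot() {
    mkdir -p "$1/boot/grub/i386-pc"
    echo 'constructed config' > "$1/boot/grub/grub.cfg"
    : > "$1/boot/grub/grub.cfg.sig"
    echo 'constructed module' > "$1/boot/grub/i386-pc/luks.mod"
    : > "$1/boot/grub/i386-pc/luks.mod.sig"
    echo 'constructed module' > "$1/boot/grub/i386-pc/virus.mod"
    : > "$1/boot/grub/i386-pc/old.mod.sig"
}

case "${1:-}" in
    sign)  sign_tree "$2" "$3" ;;
    check) echo "== unsigned ==";      unsigned_files "$2"
           echo "== orphaned .sig =="; orphan_sigs "$2"
           echo "== bad signature =="; verify_tree "$2" ;;
esac
```

All three lists should be empty before the reboot; an entry in the first or third means GRUB2 will halt when it reaches that file.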

C6.3. Proof-test of the GRUB2 bootloader protected by a digital signature and authentication

GRUB2. When you select any GNU/Linux distribution or enter the CLI (command line), superuser authorization will be required. After entering the correct username/password, you will need the initrd password

Screenshot of successful GRUB2 superuser authentication.

If you tamper with any of the GRUB2 files, make changes to grub.cfg, delete a file/signature, or load a malicious module, GRUB2 will halt loading.

Screenshot: an attempt to interfere with GRUB2 "from outside".

During a "normal" boot "without intrusion", the system exit code status is "0". Therefore it is not known whether the protection is working or not (that is, "with or without bootloader signature protection" the status during a normal boot is the same "0"; this is bad).

How do you check the digital signature protection?

An inconvenient way to check: fake/remove a module used by GRUB2, for example remove the signature luks.mod.sig, and get an error.

The right way: go to the bootloader CLI and type the command

trust_list

In response you should get the "perskey" fingerprint; if the status is "0", then signature protection is not working, double-check section C6.2.
At this step, the advanced configuration "Protecting GRUB2 with a digital signature and authentication" is complete.

C7 An alternative method of protecting the GRUB2 bootloader using hashing

The "bootloader protection with a digital signature / authentication" method described above is the classic one. Because of the imperfections of GRUB2, under paranoid conditions it is susceptible to a real attack, which I give below in section [F]. In addition, after updating the OS/kernel, the bootloader must be re-signed.

Protecting the GRUB2 bootloader using hashing

Advantages over the classic:

  • A higher level of reliability (hashing/verification takes place only from the encrypted local resource. The entire partition allocated to GRUB2 is monitored for any changes, and everything else is encrypted; in the classic scheme with digital-signature bootloader protection/authentication, only the files are monitored, but not the free space, where "something sinister" can be added).
  • Encrypted logging (a human-readable personal encrypted log is added to the scheme).
  • Speed (protection/verification of the entire partition allocated to GRUB2 happens almost instantly).
  • Automation of all cryptographic processes.

Disadvantages compared with the classic.

  • Signature forgery (theoretically, it is possible to find a collision for the given hash function).
  • Increased level of difficulty (compared with the classic, slightly more skill with the GNU/Linux OS is required).

How the GRUB2/partition hashing idea works

The GRUB2 partition is "signed"; when the OS boots, the bootloader partition is checked for immutability, followed by logging in a secure (encrypted) environment. If the bootloader or its partition is compromised, in addition to the intrusion log entry, the following is launched:

Something like this (image).

The same check runs four times a day, which does not load system resources.
Using the command "-$ проверка_GRUB", an instant check takes place at any time without logging, but with information output to the CLI.
Using the command "-$ sudo подпись_GRUB", the GRUB2 bootloader/partition is instantly re-signed along with its updated logging (necessary after an OS/boot update), and life goes on.

Implementing the hashing method for the bootloader and its partition

0) Let's sign the GRUB bootloader/partition, first mounting it at /media/username

-$ hashdeep -c md5 -r /media/username/GRUB > /podpis.txt

1) We create a script without an extension in the root of the encrypted OS, ~/podpis, and apply the necessary 744 security permissions and foolproof protection to it.

Fill in its contents

#!/bin/bash

#Check the entire partition allocated to the GRUB2 bootloader for immutability.
#A log "of intrusion/successful directory check" is kept; in short, a full log with triple verbosity. Attention! Mind the paths: store the GRUB2 digital signature only on the encrypted GNU/Linux OS partition.
echo -e "******************************************************************\n" >> '/var/log/podpis.txt' && date >> '/var/log/podpis.txt' && hashdeep -vvv -a -k '/podpis.txt' -r '/media/username/GRUB' >> '/var/log/podpis.txt'

a=`tail '/var/log/podpis.txt' | grep failed` #do not use "cat"!!
b="hashdeep: Audit failed"

#Condition: on any change in the partition allocated to GRUB2, a second, separate short log "intrusion only" is written in addition to the full log, and a blinking "warning" gif is shown on the monitor.
if [[ "$a" = "$b" ]]
then
echo -e "****\n" >> '/var/log/vtorjenie.txt' && echo "vtorjenie" >> '/var/log/vtorjenie.txt' && date >> '/var/log/vtorjenie.txt' & sudo -u username DISPLAY=:0 eom '/warning.gif'
fi

Run the script from su; the hashing of the GRUB partition and its bootloader will be checked, and the log saved.

Let's create or copy, for example, a "malicious file" [virus.mod] into the GRUB2 partition and run a temporary scan/test:

-$ hashdeep -vvv -a -k '/podpis.txt' -r '/media/username/GRUB'

In the CLI we should see the intrusion into our citadel. #Trimmed log in the CLI

Ср янв  2 11::41 MSK 2020
/media/username/GRUB/boot/grub/virus.mod: Moved from /media/username/GRUB/1nononoshifr
/media/username/GRUB/boot/grub/i386-pc/mda_text.mod: Ok
/media/username/GRUB/boot/grub/grub.cfg: Ok
hashdeep: Audit failed
   Input files examined: 0
  Known files expecting: 0
          Files matched: 325
Files partially matched: 0
            Files moved: 1
        New files found: 0
  Known files not found: 0

#As you can see, "Files moved: 1" and "Audit failed" appear, which means the check failed.
Because of the nature of the partition being tested, "Files moved" is reported instead of "New files found".

2) Put the gif here > ~/warning.gif, set the permissions to 744.

3) Configuring fstab to automount the GRUB partition at boot

-$ sudo nano /etc/fstab

LABEL=GRUB /media/username/GRUB ext4 defaults 0 0

4) Rotating the log

-$ sudo nano /etc/logrotate.d/podpis 

/var/log/podpis.txt {
daily
rotate 50
size 5M
dateext
compress
delaycompress
olddir /var/log/old
}

/var/log/vtorjenie.txt {
monthly
rotate 5
size 5M
dateext
olddir /var/log/old
}

5) Add the job to cron

-$ sudo crontab -e

@reboot '/podpis'
0 */6 * * * '/podpis'

6) Creating permanent aliases

-$ sudo su
-$ echo "alias подпись_GRUB='hashdeep -c md5 -r /media/username/GRUB > /podpis.txt'" >> /root/.bashrc && bash
-$ echo "alias проверка_GRUB='hashdeep -vvv -a -k '/podpis.txt' -r /media/username/GRUB'" >> .bashrc && bash

After an OS update -$ apt-get upgrade, re-sign our GRUB partition
-$ подпись_GRUB
At this point, the hashing protection of the GRUB partition is complete.
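
The same whole-partition audit can name exactly which paths are new, changed or missing. This is an added example, not the guide's script: it swaps hashdeep/md5 for sha256sum from coreutils (the hash-collision drawback listed above is a practical concern for MD5), and the function names, the demo tree and the manifest path are illustrative and constructed.

```shell
#!/bin/sh
# Added example: SHA-256 manifest of the GRUB partition plus an audit.
# Usage: sh grubhash.sh sign /media/username/GRUB > /podpis.sha256
#        sh grubhash.sh check /podpis.sha256 /media/username/GRUB
# Keep the manifest on the encrypted partition, as the guide does.

# make_manifest DIR: "hash  ./relative/path" lines, sorted by path.
make_manifest() {
    (cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2)
}

# audit_manifest MANIFEST DIR
# Fills AUDIT_REPORT with NEW/CHANGED/MISSING lines and returns 0 only
# when the partition matches the manifest.
audit_manifest() {
    AUDIT_REPORT=
    # An absent or truncated manifest must fail, not report "no changes".
    if [ ! -s "$1" ]; then
        AUDIT_REPORT="MANIFEST missing or empty: $1"
        echo "$AUDIT_REPORT"
        return 2
    fi
    cur=$(mktemp)
    make_manifest "$2" > "$cur"
    # sha256sum prints 64 hex digits and two separator characters, so the
    # path starts at column 67; substr keeps paths with spaces intact.
    AUDIT_REPORT=$(awk '
        NR == FNR { known[substr($0, 67)] = $1; next }
        {
            p = substr($0, 67)
            if (!(p in known))       print "NEW      " p
            else if (known[p] != $1) print "CHANGED  " p
            seen[p] = 1
        }
        END { for (p in known) if (!(p in seen)) print "MISSING  " p }
    ' "$1" "$cur" | sort)
    rm -f "$cur"
    if [ -n "$AUDIT_REPORT" ]; then
        echo "$AUDIT_REPORT"
        echo "Audit failed"
        return 1
    fi
    echo "Audit passed"
}

# Constructed stand-in for the mounted GRUB partition.
build_constructed_tree() {
    mkdir -p "$1/boot/grub/i386-pc"
    echo 'set superusers="root"' > "$1/boot/grub/grub.cfg"
    echo 'constructed module bytes' > "$1/boot/grub/i386-pc/luks.mod"
}

case "${1:-}" in
    sign)  make_manifest "$2" ;;
    check) audit_manifest "$2" "$3" ;;
    demo)  d=$(mktemp -d); build_constructed_tree "$d/GRUB"
           make_manifest "$d/GRUB" > "$d/manifest"
           echo 'x' > "$d/GRUB/boot/grub/i386-pc/virus.mod"
           audit_manifest "$d/manifest" "$d/GRUB" || true
           rm -rf "$d" ;;
esac
```

In the guide's cron script, the exit status of the check replaces the grep for "hashdeep: Audit failed".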

[D] Wiping: destruction of unencrypted data

Delete your files so completely that "even God cannot read them," in the words of South Carolina spokesman Trey Gowdy.

As usual, there are various "myths and legends" about recovering data after it has been deleted from a hard drive. If you believe in cyber-witchcraft, or are a member of the Dr web community and have never tried to recover data after it was deleted/overwritten (for example, recovery using R-studio), then the proposed method is unlikely to suit you; use whatever is closest to you.

After GNU/Linux has been successfully transferred to the encrypted partition, the old copy must be deleted with no possibility of data recovery. A universal cleaning method: the free Windows/Linux GUI software BleachBit.
Quickly format the partition whose data needs to be destroyed (with Gparted), launch BleachBit, select "Wipe free space", choose the partition (your sdaX with the previous copy of GNU/Linux), and the wiping process will start. BleachBit wipes the disk in one pass; this is what "we need". But! This only works in theory if you formatted the disk and cleaned it in BB v2.0.

Attention! BB wipes the disk, leaving metadata; (Ccleaner does not leave metadata).

And the myth about the possibility of data recovery is not entirely a myth. Bleachbit V2.0-2, the former unstable Debian package (and any other similar software: sfill; wipe-Nautilus, which were also noticed in this dirty business), actually had a critical bug: the "wipe free space" function works incorrectly on HDD/flash drives (ntfs/ext4). Software of this kind, when wiping free space, does not overwrite the entire disk, as many users think. Some (a lot) of the deleted data is treated by the OS/software as non-deleted/user data, and when wiping free space it skips these files. The problem is that after such a long disk cleaning, "deleted files" can be recovered even after 3+ passes of wiping the disk.
On GNU/Linux in Bleachbit 2.0-2, the functions for permanently deleting files and directories work reliably, but wiping free space does not. For comparison: on Windows in CCleaner the "wipe free space for ntfs" function works properly, and God really will not be able to read the deleted data.

And so, to thoroughly remove the "compromising" old unencrypted data, Bleachbit needs direct access to this data; then use the "permanently delete files/directories" function.
To remove "files deleted using standard OS tools" on Windows, use CCleaner/BB with the "wipe free space" function. On GNU/Linux, for this problem (erasing deleted files) you need to practice on your own (deleting data + an independent attempt to recover it, and you should not rely on the software version (if it is not a bookmark, then it is a bug)); only then will you be able to understand the mechanism of this problem and get rid of the deleted data completely.

I have not tested Bleachbit v3.0; the problem may already have been fixed.
Bleachbit v2.0 works honestly.

At this step, disk wiping is complete.

[E] Universal backup of the encrypted OS

Each user has their own way of backing up data, but the encrypted data of a system OS requires a slightly different approach to the task. Unified software, such as Clonezilla and similar software, cannot work directly with encrypted data.

Statement of the problem of backing up encrypted block devices:

  1. universality - the same backup algorithm/software for Windows/Linux;
  2. the ability to work in the console from any live usb GNU/Linux without the need for additional software downloads (but a GUI is still recommended);
  3. security of the backup copies - the stored "images" must be encrypted/password-protected;
  4. the size of the encrypted data must correspond to the size of the actual data being copied;
  5. convenient extraction of the needed files from a backup copy (no requirement to decrypt the entire partition first).

For example, backup/restore using the "dd" utility

dd if=/dev/sda7 of=/путь/sda7.img bs=7M conv=sync,noerror
dd if=/путь/sda7.img of=/dev/sda7 bs=7M conv=sync,noerror

It meets almost all points of the task, but fails on point 4, since it copies the entire disk partition, including free space; not interesting.

For example, a GNU/Linux backup via the archiver [tar | gpg] is convenient, but for a Windows backup you have to look for another solution; not interesting.

E1. Universal Windows/Linux backup. The rsync (Grsync) + VeraCrypt volume bundle

Algorithm for creating a backup copy:

  1. creating an encrypted container (volume/file) in VeraCrypt for the OS;
  2. transferring/synchronizing the OS using the Rsync software into the VeraCrypt crypto container;
  3. if necessary, uploading the VeraCrypt volume to www.

Creating an encrypted VeraCrypt container has its own peculiarities:
creating a dynamic volume (creating a DT is available only on Windows; it can also be used on GNU/Linux);
creating a regular volume, but there is a requirement of a "paranoid character" (according to the developer): formatting the container.

A dynamic volume is created almost instantly on Windows, but when copying data from GNU/Linux > VeraCrypt DT, the overall performance of the backup operation drops significantly.

A regular 70 GB Twofish volume is created (let's say, on average PC power) on an HDD in ~ half an hour (overwriting the previous container data in one pass is due to security requirements). The function of quickly formatting a volume when creating it has been removed from VeraCrypt Windows/Linux, so creating a container is only possible through a "one-pass overwrite" or by creating a low-performance dynamic volume.

Create a regular VeraCrypt volume (not dynamic/ntfs); there should be no problems.

Configure/create/open the container in the VeraCrypt GUI > GNU/Linux live usb (the volume will be automounted at /media/veracrypt2, the Windows OS volume will be mounted at /media/veracrypt1). Create an encrypted backup of the Windows OS using the rsync GUI (grsync) by ticking the checkboxes.


Wait for the process to complete. Once the backup is finished, we will have a single encrypted file.

Similarly, create a backup copy of the GNU/Linux OS by unticking the "Windows compatibility" checkbox in the rsync GUI.

Attention! Create the Veracrypt container for the "GNU/Linux backup" on an ext4 file system. If you make the backup into an ntfs container, then when restoring such a copy you will lose all permissions/groups on all your data.

All operations can be carried out in the terminal. Basic rsync options:
* -g - preserve groups;
* -P --progress - status of the time spent working on a file;
* -H - copy hardlinks as they are;
* -a - archive mode (multiple flags rlptgoD);
* -v - verbosity.

If you want to mount the "Windows VeraCrypt volume" via the console with the cryptsetup software, you can create an alias (su)

echo "alias veramount='cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sdaX Windows_crypt && mount /dev/mapper/Windows_crypt /media/veracrypt1'" >> .bashrc && bash

Now the "veramount" command will prompt you to enter a passphrase, and the encrypted Windows system volume will be mounted in the OS.

Map/mount a VeraCrypt system volume with the cryptsetup command

cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sdaX Windows_crypt
mount /dev/mapper/Windows_crypt /mnt

Map/mount a VeraCrypt partition/container with the cryptsetup command

cryptsetup open --veracrypt --type tcrypt /dev/sdaY test_crypt
mount /dev/mapper/test_crypt /mnt

Instead of an alias, we will add (as a startup script) the system volume with the Windows OS and the logical encrypted ntfs disk to GNU/Linux startup.

Create a script and save it in ~/VeraOpen.sh

printf 'Ym9i' | base64 -d | cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sda3 Windows_crypt && mount /dev/mapper/Windows_crypt /media/Winda7 #decode the password from base64 (bob) and feed it to the password prompt when mounting the Windows OS system disk.
printf 'Ym9i' | base64 -d | cryptsetup open --veracrypt --type tcrypt /dev/sda1 ntfscrypt && mount /dev/mapper/ntfscrypt /media/КонтейнерНтфс #likewise, but mount the ntfs logical disk.

Assign the "correct" permissions:

sudo chmod 100 /VeraOpen.sh

Create two identical files (same name!) in /etc/rc.local and ~/etc/init.d/rc.local
Fill in the files

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will «exit 0» on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

sh -c "sleep 1 && '/VeraOpen.sh'" #after the OS has booted, wait ~1 s and only then mount the disks.
exit 0

Assign the "correct" permissions:

sudo chmod 100 /etc/rc.local && sudo chmod 100 /etc/init.d/rc.local 

That's it; now when booting GNU/Linux we do not need to enter passwords to mount the encrypted ntfs disks, the disks are mounted automatically.

A brief step-by-step note on what is described above in section E1 (but now for the GNU/Linux OS)
1) Create a volume on fs ext4 > 4gb (for a file) Linux in Veracrypt [Cryptbox].
2) Reboot into the live usb.
3) ~$ cryptsetup open /dev/sda7 Linux #map the encrypted partition.
4) ~$ mount /dev/mapper/Linux /mnt #mount the encrypted partition at /mnt.
5) ~$ mkdir mnt2 #create a directory for the future backup.
6) ~$ cryptsetup open --veracrypt --type tcrypt ~/CryptoBox CryptoBox && mount /dev/mapper/CryptoBox /mnt2 #map the Veracrypt volume named "CryptoBox" and mount CryptoBox at /mnt2.
7) ~$ rsync -avlxhHX --progress /mnt /mnt2/ #backup operation of the encrypted partition into the encrypted Veracrypt volume.

(p/s/ Attention! If you are transferring the encrypted GNU/Linux from one architecture/machine to another, for example Intel > AMD (that is, deploying a backup from one encrypted partition to another encrypted Intel > AMD partition), do not forget: after transferring the encrypted OS, edit the secret substitute key used instead of the password, because the previous key ~/etc/skey will no longer fit the other encrypted partition, and creating a new key with "cryptsetup luksAddKey" from under chroot is not advisable (a glitch is possible); just specify "none" instead of "/etc/skey" in ~/etc/crypttab temporarily, and after rebooting and logging into the OS, recreate your secret substitute key again).

As IT veterans, remember to separately back up the headers of the encrypted Windows/Linux OS partitions, or the encryption will turn against you.
At this step, the backup of the encrypted OS is complete.

[F] Attack on the GRUB2 bootloader

If you have protected your bootloader with a digital signature and/or authentication (see section C6.), this will not protect against physical access. The encrypted data will remain inaccessible, but the protection is bypassed (the digital-signature protection is reset): GRUB2 allows a cyber-villain to inject their code into the bootloader without arousing suspicion (unless the user manually monitors the state of the bootloader, or comes up with their own robust script code for grub.cfg).

Attack algorithm. The attacker

* Boots the PC from a live usb. Any change (by the intruder) to the files will notify the real owner of the PC about the intrusion into the bootloader. But a simple reinstallation of GRUB2 that preserves grub.cfg (and the subsequent ability to edit it) will allow the attacker to edit any files (in this situation, when GRUB2 loads, the real user will not be notified. The status is the same <0>)
* Mounts the unencrypted partition, saves "/mnt/boot/grub/grub.cfg".
* Reinstalls the bootloader (removing "perskey" from the core.img image)

grub-install --force --root-directory=/mnt /dev/sda6

* Returns "grub.cfg" > "/mnt/boot/grub/grub.cfg", edits it if necessary, for example adding their module "keylogger.mod" to the folder with the loader modules, and in "grub.cfg" > the line "insmod keylogger". Or, for example, if the adversary is cunning, after reinstalling GRUB2 (all signatures remain in place) they build the main GRUB2 image using "grub-mkimage with the option (-c)." The "-c" option allows loading your own config before the main "grub.cfg" is loaded. The config can consist of just one line: a redirect to any "modern.cfg", mixed in, for example, with ~400 files (modules+signatures) in the folder "/boot/grub/i386-pc". In this case, the attacker can insert arbitrary code and load modules without affecting "/boot/grub/grub.cfg", even if the user applied "hashsum" to the file and temporarily displayed it on the screen.
The attacker will not need to crack the GRUB2 superuser login/password; they will just need to copy the lines (responsible for authentication) from "/boot/grub/grub.cfg" into their "modern.cfg"

set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8

And the owner of the PC will still be authenticated as the GRUB2 superuser.

Chainloading (a bootloader loads another bootloader), as I wrote above, makes no sense (it is intended for a different purpose). An encrypted bootloader cannot be loaded because of the BIOS (chainloading restarts GRUB2 > encrypted GRUB2, error!). However, if you still use the chainloading idea, you can be sure that it is the encrypted (unmodified) "grub.cfg" from the encrypted partition that gets loaded. And this is a false sense of security, because everything specified in the encrypted "grub.cfg" (module loading) is added on top of the modules already loaded from the unencrypted GRUB2.

If you want to check this, allocate/encrypt another partition sdaY, copy GRUB2 onto it (running grub-install on an encrypted partition is not possible) and in "grub.cfg" (the unencrypted config) change lines like these

menuentry 'GRUBx2' --class parrot --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-382111a2-f993-403c-aa2e-292b5eac4780' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_msdos
insmod cryptodisk
insmod luks
insmod gcry_twofish
insmod gcry_twofish
insmod gcry_sha512
insmod ext2
cryptomount -u 15c47d1c4bd34e5289df77bcf60ee838
set root='cryptouuid/15c47d1c4bd34e5289df77bcf60ee838'
normal /boot/grub/grub.cfg
}

Lines
* insmod - loads the modules needed to work with the encrypted disk;
* GRUBx2 - the name of the line shown in the GRUB2 boot menu;
* cryptomount -u 15c47d1c4bd34e5289df77bcf60ee838 - see fdisk -l (sda9);
* set root - sets the root;
* normal /boot/grub/grub.cfg - the configuration file executed from the encrypted partition.

The assurance that it is the encrypted "grub.cfg" that gets loaded is the positive response to entering the password/unlocking "sdaY" when you select the "GRUBx2" line in the GRUB menu.

When working in the CLI, so as not to get confused (and to check that the "set root" environment variable took effect), create empty marker files, for example "/shifr_grub" on the encrypted partition and "/noshifr_grub" on the unencrypted one. Check in the CLI

cat /Tab-Tab

As noted above, this will not help against the loading of malicious modules if such modules end up on your PC. For example, a keylogger that can save keystrokes to a file and mix it in with the other files in "~/i386" until an attacker with physical access to the PC retrieves it.
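A defender-side check for the tampering described in this section, as an added example that is not part of the original article: it audits a mounted GRUB directory from a trusted live medium for new or changed files, authentication lines copied outside "grub.cfg", and files without a detached signature. The function names, the baseline manifest (assumed to be stored off the machine) and the mount path are assumptions.

```bash
#!/usr/bin/env bash
# Added example: offline audit of a GRUB2 directory (for instance /mnt/boot/grub).
# All function names and the baseline file are hypothetical.

# Print "sha256  ./relative/path" for every file under $1, sorted by path.
grub_manifest() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum )
}

# Compare a trusted baseline manifest ($1) with the directory ($2).
# One finding per line: NEW, CHANGED or MISSING followed by the path.
grub_diff() {
    grub_manifest "$2" | awk -v base="$1" '
        BEGIN { while ((getline line < base) > 0)
                    want[substr(line, 67)] = substr(line, 1, 64) }
        { h = substr($0, 1, 64); p = substr($0, 67); seen[p] = 1
          if (!(p in want))      print "NEW " p
          else if (want[p] != h) print "CHANGED " p }
        END { for (p in want) if (!(p in seen)) print "MISSING " p }'
}

# List files other than the main grub.cfg that contain GRUB authentication
# directives, i.e. copied "set superusers" / "password_pbkdf2" lines.
grub_auth_copies() {
    dir=${1%/}
    grep -rlE '^[[:space:]]*(set[[:space:]]+superusers|password(_pbkdf2)?[[:space:]])' "$dir" 2>/dev/null \
        | grep -vxF "$dir/grub.cfg" || true
}

# Report every file that has no detached "<file>.sig" next to it.
grub_unsigned() {
    find "${1%/}" -type f ! -name '*.sig' | while IFS= read -r f; do
        [ -f "$f.sig" ] || printf 'UNSIGNED %s\n' "$f"
    done
}

# Usage: audit.sh BASELINE GRUB_DIR   (no output means no deviation found)
if [ "$#" -eq 2 ]; then
    grub_diff "$1" "$2"
    grub_auth_copies "$2"
    grub_unsigned "$2"
fi
```

Create the baseline with `grub_manifest` right after signing the files; the audit is only as trustworthy as the medium it runs from and the place the baseline is kept.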

The simplest way to verify that the digital signature protection is actively working (has not been reset) and that nobody has attacked the bootloader is to enter this command in the CLI

list_trusted

in response we get a copy of our "perskey", or we get nothing if we have been attacked (you also need to check "set check_signatures=enforce").
A significant drawback of this step is that the commands have to be entered by hand. If you add this command to "grub.cfg" and protect the config with a digital signature, the preliminary output of the key snapshot stays on the screen for a very short time, and you may not manage to see it after GRUB2 loads.
There is no one in particular to complain to: in clause 18.2 of its own documentation the developer officially declares

“Note that even with GRUB password protection, GRUB itself cannot prevent someone with physical access to the machine from altering that machine's firmware (e.g., Coreboot or BIOS) configuration to cause the machine to boot from a different (attacker-controlled) device. GRUB is at best only one link in a secure boot chain.”

GRUB2 is overloaded with functions that can give a false sense of security, and its development has already surpassed MS-DOS in functionality, yet it is only a bootloader. It is funny that GRUB2 "tomorrow" could become an OS, with bootable GNU/Linux virtual machines for it.

A short video about how I reset the GRUB2 digital signature protection and announced my intrusion to a real user. (I gave them a scare, but instead of what is shown in the video, one could write arbitrary code/.mod that is not harmless).

Conclusions:

1) Block system encryption of Windows is simpler to implement, and protection with a single password is more convenient than protection with several passwords under GNU/Linux block system encryption; to be fair, the latter is automated.

2) I wrote the article as a relevant and detailed, simple guide to full disk encryption with VeraCrypt/LUKS on one home machine, by far the best on the RuNet (IMHO). The guide is > 50k characters long, so it did not cover some interesting chapters: about cryptographers who disappear/stay in the shadows; about the fact that various GNU/Linux books write little/nothing about cryptography; about Article 51 of the Constitution of the Russian Federation; about licensing/the ban on encryption in the Russian Federation; about why you need to encrypt "root/boot". The guide turned out quite extensive, but detailed (it describes even simple steps); in turn, this will save you a lot of time when you get to "real encryption".

3) Full disk encryption was performed on Windows 7 64; GNU/Linux Parrot 4x; GNU/Debian 9.0/9.5.

4) Carried out a successful attack on my own GRUB2 bootloader.

5) The tutorial was created to help all the paranoid people of the CIS, where working with encryption is permitted at the legislative level. And primarily for those who want to roll out full disk encryption without tearing down their configured systems.

6) I reworked and updated my manual, which is relevant in 2020.

[G] Useful documentation

  1. TrueCrypt User Guide (February 2012 RU)
  2. VeraCrypt documentation
  3. /usr/share/doc/cryptsetup(-run) [local resource] (official detailed documentation on setting up GNU/Linux encryption with cryptsetup)
  4. Official cryptsetup FAQ (brief documentation on setting up GNU/Linux encryption with cryptsetup)
  5. LUKS device encryption (archlinux documentation)
  6. Detailed description of the cryptsetup syntax (arch man page)
  7. Detailed description of crypttab (arch man page)
  8. Official GRUB2 documentation.


Source: www.habr.com
