kdpv-Reuters
Ukuba urenta iseva, ngoko awunalo ulawulo olupheleleyo kuyo. Oku kuthetha ukuba nangaliphi na ixesha abantu abaqeqeshwe ngokukodwa banokuza kwihostele kwaye bakucele ukuba unikeze nayiphi na idatha yakho. Kwaye umnini-hostela uya kuzibuyisela ukuba ibango lenziwe ngokusemthethweni ngokomthetho.
Awufuni ngokwenene ukuba iilog zeseva yakho yewebhu okanye idatha yomsebenzisi ivuze nakubani na. Akunakwenzeka ukwakha ukhuselo olufanelekileyo. Kuphantse ukuba akunakwenzeka ukuzikhusela kwihostele engumnini we-hypervisor kwaye ikubonelela ngomatshini obonakalayo. Kodwa mhlawumbi kuya kwenzeka ukunciphisa ingozi kancinane. Ukufihla iimoto ezirentwayo akuloncedo njengoko kubonakala xa uqala nje. Kwangaxeshanye, makhe sijonge izoyikiso zokutsalwa kwedatha kwiiseva ezibonakalayo.
Imodeli yosongelo
Njengomthetho, umninimzi uya kuzama ukukhusela umdla womxhasi kangangoko kunokwenzeka ngokomthetho. Ukuba ileta evela kwabasemagunyeni icele kuphela iilogi zofikelelo, umamkeli akasayi kubonelela ngeendawo zokulahla zonke oomatshini bakho abaneedatha. Ubuncinane akufanelekanga. Ukuba bacela yonke idatha, umgcini-mgcini uya kukopisha iidiski ezibonakalayo kunye nazo zonke iifayile kwaye awuyi kuyazi malunga nayo.
Nokuba yeyiphi na imeko, eyona njongo yakho kukwenza uhlaselo lube nzima kakhulu kwaye lubiza kakhulu. Ngokuqhelekileyo kukho iindlela ezintathu zokhetho eziphambili.
Esemthethweni
Amaxesha amaninzi, ileta yephepha ithunyelwa kwiofisi esemthethweni yehostele kunye nemfuno yokubonelela ngedatha eyimfuneko ngokuhambelana nommiselo ofanelekileyo. Ukuba yonke into yenziwe ngokuchanekileyo, umgcini-mgcini unika iilogi zokufikelela eziyimfuneko kunye nezinye iinkcukacha kumagunya asemthethweni. Ngokuqhelekileyo bacela nje ukuba uthumele idatha efunekayo.
Ngamanye amaxesha, ukuba kuyimfuneko, abameli bee-arhente zokunyanzeliswa komthetho beza kwiziko ledatha ngokwabo. Umzekelo, xa uneseva yakho ezinikeleyo kunye nedatha evela apho inokuthatyathwa ngokwasemzimbeni kuphela.
Kuwo onke amazwe, ukufumana ukufikelela kwipropati yangasese, ukwenza uphando kunye neminye imisebenzi kufuna ubungqina bokuba idatha ingaba nolwazi olubalulekileyo lophando lolwaphulo-mthetho. Ukongezelela, iwaranti yokukhangela eyenziwa ngokuhambelana nayo yonke imimiselo iyafuneka. Kusenokubakho ama-nuances anxulumene nezinto ezikhethekileyo zomthetho wengingqi. Into ephambili okufuneka uyiqonde kukuba ukuba indlela esemthethweni ichanekile, abameli beziko ledatha abayi kuvumela nabani na ukuba adlule ekungeneni.
Ngaphezu koko, kumazwe amaninzi awukwazi ukukhupha izixhobo zokusebenza. Ngokomzekelo, eRashiya, de kube sekupheleni kwe-2018, ngokweSiqendu 183 seKhowudi yeNkqubo yoLwaphulo-mthetho ye-Russian Federation, inxalenye ye-3.1, kwaqinisekiswa ukuba ngexesha lokubanjwa, ukubanjwa kwemithombo yogcino lwe-elektroniki kwenziwa ngokuthatha inxaxheba. yengcaphephe. Ngesicelo somnini wezomthetho wemithombo yogcino lwe-elektroniki oluthinjiweyo okanye umnini wolwazi oluqulethwe kubo, ingcali ethatha inxaxheba ekuthinjweni, phambi kwamangqina, ikopi ingcaciso evela kumajelo ogcino ombane athathiweyo ukuya kwamanye amajelo ogcino ombane.
Emva koko, ngelishwa, le ngongoma yasuswa kwinqaku.
Imfihlo kunye nengekho semthethweni
Le sele iyindawo yomsebenzi wamaqabane aqeqeshwe ngokukodwa avela kwi-NSA, FBI, MI5 kunye neminye imibutho eneleta ezintathu. Amaxesha amaninzi, umthetho wamazwe unika amagunya abanzi kakhulu kumacandelo anjalo. Ngaphezu koko, kukho phantse kusoloko kukho ukuvalwa kwezomthetho kuko nakuphi na ukubhengezwa ngokuthe ngqo okanye ngokungathanga ngqo kwenyani yentsebenziswano kunye neearhente zonyanzeliso lomthetho. Kukho iintlobo ezifanayo eRashiya .
Kwimeko yosongelo olunjalo kwidatha yakho, ngokuqinisekileyo baya kukhutshwa. Ngaphaya koko, ukongeza ekubambeni okulula, yonke i-arsenal engekho semthethweni ye-backdoors, ubuthathaka beentsuku zero, ukutsalwa kwedatha kwi-RAM yomatshini wakho wenyani, kunye nolunye ulonwabo lunokusetyenziswa. Kule meko, umnini-hostela uya kunyanzeleka ukuba ancedise iingcali zokuthotyelwa komthetho kangangoko kunokwenzeka.
Umsebenzi ongathembekanga
Asingabo bonke abantu abalungileyo ngokulinganayo. Omnye wabalawuli beziko ledatha unokugqiba ukwenza imali eyongezelelweyo kwaye athengise idatha yakho. Olunye uphuhliso luxhomekeke kumandla akhe nasekufikeleleni kwakhe. Eyona nto icaphukisayo kukuba umlawuli onokufikelela kwi-console ye-virtualization unolawulo olupheleleyo koomatshini bakho. Ungasoloko uthatha umfanekiso okhawulezayo kunye nayo yonke imixholo ye-RAM kwaye emva koko uyifunde kancinci.
I-VDS
Ke unomatshini wenyani owunikwe ngumgcini. Ungayenza njani i-encryption ukuze uzikhusele? Enyanisweni, akukho nto. Ngapha koko, kwanomncedisi ozinikeleyo womnye umntu unokugqiba ukuba ngumatshini obonakalayo apho izixhobo eziyimfuneko zifakwa khona.
Ukuba umsebenzi wenkqubo ekude ayikokugcina idatha nje, kodwa ukwenza izibalo, ngoko ke inketho eyodwa yokusebenza ngomatshini ongathembekanga iyakuba kukuphumeza. . Kule meko, inkqubo iya kwenza izibalo ngaphandle kokukwazi ukuqonda ukuba yintoni kanye eyenzayo. Ngelishwa, iindleko ezingaphezulu zokuphumeza uguqulelo oluntsonkothileyo ziphezulu kangangokuba ukusetyenziswa kwazo okubonakalayo kulinganiselwe ngoku kwimisebenzi emxinwa kakhulu.
Kwaye, okwangoku xa umatshini obonakalayo usebenza kwaye wenza ezinye izenzo, zonke iivolumu ezifihliweyo zikwimeko efikelelekayo, ngaphandle koko i-OS ayinakukwazi ukusebenza nabo. Oku kuthetha ukuba ukufikelela kwi-console ye-virtualization, unokuhlala uthatha i-snapshot yomatshini oqhubayo kwaye ukhuphe zonke izitshixo kwi-RAM.
Abathengisi abaninzi baye bazama ukucwangcisa i-hardware encryption ye-RAM ukwenzela ukuba nomnini-hostela akakwazi ukufikelela kule datha. Ngokomzekelo, iteknoloji ye-Intel Software Guard Extensions, eququzelela iindawo kwindawo yedilesi ebonakalayo ekhuselweyo ekufundeni nasekubhaleni ngaphandle kwale ndawo ngezinye iinkqubo, kubandakanywa ne-kernel yenkqubo yokusebenza. Ngelishwa, awuyi kukwazi ukuthembela ngokupheleleyo kwezi teknoloji, kuba uya kulinganiselwa kumatshini wakho wenyani. Ukongeza, imizekelo esele yenziwe kakade yale teknoloji. Nangona kunjalo, ukubethelwa koomatshini benyani akukho njongo njengoko kunokubonakala.
Sifihla idatha kwi-VDS
Mandenze ugcino ngoko nangoko ukuba yonke into esiyenzayo ngezantsi ayithethi kukhuseleko olupheleleyo. I-hypervisor iya kukuvumela ukuba wenze iikopi eziyimfuneko ngaphandle kokuyeka inkonzo kwaye ngaphandle kokuqaphela kwakho.
- Ukuba, ngesicelo, umgcini-mgcini udlulisela umfanekiso "obandayo" womatshini wakho wenyani, ngoko ukhuselekile. Le yeyona meko ixhaphakileyo.
- Ukuba umgcini-mgcini ukunika umfanekiso opheleleyo womatshini obalekayo, ke yonke into imbi kakhulu. Yonke idatha iya kufakwa kwisistim ngendlela ecacileyo. Ukongeza, kuya kwenzeka ukukrazula kwi-RAM ukukhangela izitshixo zabucala kunye nedatha efanayo.
Ngokungagqibekanga, ukuba usebenzise i-OS kumfanekiso we-vanilla, umgcini-mgcini akanalo ukufikelela kweengcambu. Ungasoloko unyusa imidiya ngomfanekiso wokuhlangula kwaye utshintshe igama eligqithisiweyo lengcambu ngokukrola imekobume yomatshini wenyani. Kodwa oku kuya kufuna ukuqalisa kwakhona, okuya kuqatshelwa. Kwaye, zonke izahlulo ezinyusiweyo ezifihliweyo ziya kuvalwa.
Nangona kunjalo, ukuba ukuthunyelwa komatshini obonakalayo akuveli kumfanekiso we-vanilla, kodwa kulungiselelwe kwangaphambili, ngoko umninimzi unokongeza i-akhawunti enelungelo lokuncedisa kwimeko engxamisekileyo kumxhasi. Umzekelo, ukutshintsha igama eligqithisiweyo eliyingcambu.
Nokuba kwimeko ye-snapshot epheleleyo, ayizizo zonke izinto ezibuhlungu. Umhlaseli akazukufumana iifayile ezifihliweyo ukuba uzinyusile ukusuka kwindlela yefayile ekude yomnye umatshini. Ewe, ngokwethiyori, ungakhetha ukulahla i-RAM kwaye ukhuphe izitshixo zokufihla apho. Kodwa ekusebenzeni oku akuyinto encinci kwaye akunakwenzeka ukuba inkqubo iya kuhamba ngaphaya kokudluliselwa kwefayile elula.
Odola imoto
Ngeenjongo zethu zovavanyo, sithatha umatshini olula . Asidingi izixhobo ezininzi, ngoko siya kuthatha ukhetho lokuhlawula i-megahertz kunye ne-traffic echithwe ngokwenene. Kwanele nje ukudlala ngeenxa zonke.
I-dm-crypt yakudala yayo yonke isahlulelo ayizange isuke. Ngokungagqibekanga, idiski inikwe kwisiqwenga esinye, enengcambu yesahlulelo sonke. Ucutha isahlulelo se-ext4 kwingcambu-nye inyuswe sisitena esiqinisekisiweyo endaweni yendlela yefayile. Ndazama) Intambula ayizange incede.
Ukwenza i-container ye-crypto
Ke ngoko, asiyi kubethelela isahlulelo sonke, kodwa siya kusebenzisa izikhongozeli zefayile ze-crypto, ezizezi ziphicothiweyo kunye nezithembekileyo zeVeraCrypt. Ngeenjongo zethu oku kwanele. Okokuqala, sikhupha kwaye sifake iphakheji kunye nenguqulo ye-CLI kwiwebhusayithi esemthethweni. Ungajonga utyikityo ngaxeshanye.
wget https://launchpad.net/veracrypt/trunk/1.24-update4/+download/veracrypt-console-1.24-Update4-Ubuntu-18.04-amd64.deb
dpkg -i veracrypt-console-1.24-Update4-Ubuntu-18.04-amd64.deb
Ngoku siza kwenza isikhongozeli ngokwaso kwenye indawo kwikhaya lethu ukuze sikwazi ukuyibeka ngesandla xa siqala ngokutsha. Kukhetho lokusebenzisana, seta ubungakanani besikhongozeli, igama lokugqitha kunye ne-encryption algorithms. Unokukhetha i-patriotic cipher Grasshopper kunye nomsebenzi we-Stribog hash.
veracrypt -t -c ~/my_super_secretNgoku masifake i-nginx, sinyuse isikhongozeli kwaye sigcwalise ngolwazi oluyimfihlo.
mkdir /var/www/html/images
veracrypt ~/my_super_secret /var/www/html/images/
wget https://upload.wikimedia.org/wikipedia/ru/2/24/Lenna.pngMasilungise kancinci /var/www/html/index.nginx-debian.html ukufumana iphepha elifunekayo kwaye ungalijonga.
Qhagamshela kwaye ujonge
I-container ifakwe, idatha iyafikeleleka kwaye ithunyelwe.
Kwaye nanku umatshini emva kokuqalisa kwakhona. Idatha igcinwe ngokukhuselekileyo kwi ~/my_super_secret.
Ukuba uyayifuna ngenene kwaye uyayifuna i-hardcore, ngoko unokubethelela i-OS yonke ukuze xa uyiqalisa kwakhona ifuna ukudibanisa nge-ssh kunye nokufaka igama eligqithisiweyo. Oku kuya kwanela kwimeko yokurhoxisa nje "idatha ebandayo". Apha kunye ne-remote disk encryption. Nangona kwimeko ye-VDS kunzima kwaye kuninzi.
Intsimbi engenanto
Akulula kangako ukufaka eyakho iseva kwiziko ledatha. Ukuzinikela komnye umntu kunokujika kube ngumatshini wenyani apho zonke izixhobo zithunyelwa khona. Kodwa into enomdla malunga nokukhusela iqala xa unethuba lokubeka iseva yakho yomzimba ethembekileyo kwiziko ledatha. Apha ungasebenzisa ngokupheleleyo idm-crypt, VeraCrypt okanye naluphi na olunye uguqulelo oluntsonkothileyo olukhethayo.
Kufuneka uqonde ukuba ukuba uguqulelo oluntsonkothileyo luphunyeziwe, umncedisi akazukwazi ukuphinda aphinde abuyele emva kokuba eqale ngokutsha. Kuya kufuneka ukuphakamisa uxhumano kwi-IP-KVM yendawo, i-IPMI okanye enye i-interface efanayo. Emva koko sifaka ngesandla isitshixo esiyinkosi. Iskimu sibukeka sinjalo-ngoko ngokuqhubekayo kunye nokunyamezela impazamo, kodwa akukho zikhetho ezikhethekileyo ukuba idatha ixabiseke kakhulu.
Imodyuli yoKhuseleko lweNcipher nShield F3
Inketho ethambileyo ithatha ukuba idatha ifihliwe kwaye isitshixo sibekwe ngokuthe ngqo kwiseva ngokwayo kwi-HSM ekhethekileyo (iModyuli yoKhuseleko lweHardware). Njengomthetho, ezi zixhobo ezisebenzayo kakhulu ezingaboneleli kuphela i-cryptography ye-hardware, kodwa zineendlela zokubona iinzame zokugqekeza. Ukuba umntu uqala ukugqogqa iseva yakho ngegrinder ye-engile, i-HSM enombane ozimeleyo iya kusetha kwakhona izitshixo ezigcina kwimemori yayo. Umhlaseli uya kufumana i-mincemeat efihliweyo. Kule meko, ukuqalisa kwakhona kunokwenzeka ngokuzenzekelayo.
Ukususa izitshixo lukhetho olukhawulezayo nolunobuntu ngakumbi kunokusebenzisa ibhombu ye-thermite okanye i-electromagnetic arrester. Kwizixhobo ezinjalo, uya kubethwa ixesha elide kakhulu ngabamelwane bakho kwi-rack kwiziko ledatha. Ngaphezu koko, kwimeko yokusetyenziswa uguqulelo oluntsonkothileyo kumajelo eendaba ngokwawo, awunamava angaphezulu. Konke oku kwenzeka ngokungafihlisiyo kwi-OS. Enyanisweni, kule meko kufuneka uthembele kwi-Samsung enemiqathango kwaye unethemba lokuba ine-AES256 ethembekileyo, kwaye kungekhona i-banal XOR.
Kwangaxeshanye, akufuneki silibale ukuba onke amazibuko angeyomfuneko kufuneka akhubazeke ngokwasemzimbeni okanye agcwaliswe nje ngecompound. Ngaphandle koko, unika abahlaseli ithuba lokuphumeza . Ukuba unePCI Express okanye iThunderbolt ephuma ngaphandle, kubandakanya i-USB ngenkxaso yayo, usengozini. Umhlaseli uya kukwazi ukwenza uhlaselo ngala mazibuko kwaye afumane ukufikelela ngokuthe ngqo kwimemori ngezitshixo.
Kwinguqulelo entsonkothileyo kakhulu, umhlaseli uya kukwazi ukwenza uhlaselo lwe-boot ebandayo. Kwangaxeshanye, igalela nje inxenye elungileyo yenitrogen engamanzi kwiseva yakho, ngokurhabaxa isusa inkumbulo enomkhenkce kwaye ikhuphe inkunkuma kuzo zonke izitshixo. Ngokuqhelekileyo, i-spray yokupholisa rhoqo kunye neqondo lokushisa elijikelezayo -50 degrees kwanele ukwenza uhlaselo. Kukwakho nokhetho oluchaneke ngakumbi. Ukuba awukhange ukhubaze ukulayisha kwizixhobo zangaphandle, ke i-algorithm yomhlaseli iya kuba lula ngakumbi:
- Friza izinti zememori ngaphandle kokuvula ityala
- Qhagamshela i-USB flash drive yakho
- Sebenzisa izinto eziluncedo ezikhethekileyo ukususa idatha kwi-RAM eye yasinda ekuqaliseni kwakhona ngenxa yomkhenkce.
Yahlulahlula kwaye woyise
Kulungile, sinoomatshini kuphela, kodwa ndingathanda ngandlela ithile ukunciphisa umngcipheko wokuvuza kwedatha.
Unako, ngokomgaqo, ukuzama ukuhlaziya i-architecture kwaye usasaze ukugcinwa kwedatha kunye nokucubungula kwiindawo ezahlukeneyo. Ngokomzekelo, i-frontend enezitshixo zokubethela ivela kwi-host kwiRiphabhliki yaseCzech, kunye ne-backend enedatha efihliweyo kwenye indawo eRashiya. Kwimeko yovavanyo oluqhelekileyo lokuhlutha, akunakwenzeka ukuba ii-arhente zogcino-mthetho zikwazi ukwenza oku ngaxeshanye kwiindawo ezahlukeneyo zolawulo. Kwaye, oku kuyasiqinisekisa ngokuyinxenye ngokuchasene nemeko yokuthatha umfanekiso omfutshane.
Ewe, okanye unokuqwalasela ukhetho olusulungekileyo ngokupheleleyo-Ukuphela kokuya kwisiphelo sokufihlakala. Ngokuqinisekileyo, oku kudlula umda wenkcazo kwaye ayithethi ukwenza izibalo kwicala lomatshini okude. Nangona kunjalo, olu lukhetho olwamkelekileyo ngokugqibeleleyo xa kuziwa ekugcineni kunye nokuvumelanisa idatha. Umzekelo, oku kuphunyezwa ngokulula kwi-Nextcloud. Kwangaxeshanye, ungqamaniso, uguqulelo kunye nezinye izinto ezikwicala leseva aziyi kuhamba.
Iyonke
Akukho zinkqubo zikhuseleke ngokugqibeleleyo. Usukelo kukwenza uhlaselo lube nexabiso elingakumbi kunenzuzo enokwenzeka.
Ukunciphisa okunye kwimingcipheko yokufikelela kwidatha kwisayithi ebonakalayo kunokufezekiswa ngokudibanisa i-encryption kunye nokugcinwa okwahlukileyo kunye ne-hosters ezahlukeneyo.
Ukhetho oluthembekileyo ngakumbi okanye olungaphantsi kukusebenzisa iseva yakho yehardware.
Kodwa umnini-hostela kusafuneka athenjwe ngenye indlela okanye enye. Ishishini lonke lixhomekeke koku.
umthombo: www.habr.com