Decrypting a LUKS container at system boot

Good day (and good night) to all! This post will be useful to those who use LUKS data encryption and want to decrypt their disks under Linux (Debian, Ubuntu) at the same stage at which the root partition is decrypted. I could not find such information on the Internet.

Recently, as the number of disks in the shelves grew, I ran into the problem of decrypting disks with the more widely known method, /etc/crypttab. Personally, I see a few problems with this method: the file is read only after the root partition is loaded (mounted), which has a bad effect on importing ZFS pools, especially when they are assembled from partitions of a *_crypt device, or on mdadm arrays that are also assembled from partitions. We all know that you can use partitions on top of LUKS containers, right? And there is also the problem of other services starting early, when the arrays do not exist yet but I already need something from them (I work with a Proxmox VE 5.x cluster with ZFS over iSCSI).

A little about ZFS over iSCSI: my iSCSI runs via LIO, and in practice, when the iSCSI target starts and does not see the ZVOL devices, it simply removes them from its configuration, which prevents the guest systems from starting. After that it is either restoring the json file from a backup, or manually adding the devices with their identifiers to each VM, which is terribly tedious when there are many such machines and each configuration has more than 1 disk.

The second question I will look at is how to decrypt the disks (this is the main point of the article). We will talk about it below; welcome under the cut!

Most often on the Internet a key file is used (added to a key slot with the command cryptsetup luksAddKey), or, in rare cases (there is very little information about it on the Russian-language Internet), the decrypt_derived script from /lib/cryptsetup/scripts/ (of course, there are other ways, but I used these two, and they form the basis of this article). I also tried to make it work fully autonomously after a reboot, without additional commands at the console, so that everything "takes off" at once. So, why wait?

Let's begin!

Take a system, for example Debian, installed on the encrypted partition sda3_crypt, plus a dozen disks ready to be encrypted and used for whatever your heart desires. We have a passphrase that unlocks sda3_crypt, and it is from this partition that, on the running (decrypted) system, we take the "hash" of the password and add it to the other disks. Everything is elementary; at the console we run:

/lib/cryptsetup/scripts/decrypt_derived sda3_crypt | cryptsetup luksFormat /dev/sdX

where X is our disk, partition, etc.

After encrypting the disks with the "hash" of our passphrase, we need to find out their UUIDs or IDs, depending on which you are used to. We take the values from /dev/disk/by-uuid or /dev/disk/by-id, respectively.

The next step is preparing the files and mini-scripts for the functions we need; let's continue:

cp -p /usr/share/initramfs-tools/hooks/cryptroot /etc/initramfs-tools/hooks/
cp -p /usr/share/initramfs-tools/scripts/local-top/cryptroot /etc/initramfs-tools/scripts/local-top/

then

touch /etc/initramfs-tools/hooks/decrypt && chmod +x /etc/initramfs-tools/hooks/decrypt

Contents of ../decrypt

#!/bin/sh
# initramfs hook: copy decrypt_derived into the image so that local-top/cryptroot can call it as /bin/decrypt_derived
cp -p /lib/cryptsetup/scripts/decrypt_derived "$DESTDIR/bin/decrypt_derived"

then

touch /etc/initramfs-tools/hooks/partcopy && chmod +x /etc/initramfs-tools/hooks/partcopy

Contents of ../partcopy

#!/bin/sh
# initramfs hook: copy partprobe and the libraries it links against into the image
# (the library names below are the ones on the author's system; check yours with: ldd /sbin/partprobe)
cp -p /sbin/partprobe "$DESTDIR/bin/partprobe"
cp -p /lib/x86_64-linux-gnu/libparted.so.2 "$DESTDIR/lib/x86_64-linux-gnu/libparted.so.2"
cp -p /lib/x86_64-linux-gnu/libreadline.so.7 "$DESTDIR/lib/x86_64-linux-gnu/libreadline.so.7"

and a little more

touch /etc/initramfs-tools/scripts/local-bottom/partprobe && chmod +x /etc/initramfs-tools/scripts/local-bottom/partprobe

Contents of ../partprobe

#!/bin/sh
# initramfs local-bottom script: runs after the root filesystem is mounted, before init takes over.
# $DESTDIR is only set while the image is being built, so at boot time the path is simply /bin/partprobe.
/bin/partprobe

and finally, before update-initramfs, you need to edit the file /etc/initramfs-tools/scripts/local-top/cryptroot, starting at about line ~360, the piece of code shown below.

Original:

                # decrease $count by 1, apparently last try was successful.
                count=$(( $count - 1 ))
                
                message "cryptsetup ($crypttarget): set up successfully"
                break

and bring it to this form:

Edited:

                # decrease $count by 1, apparently last try was successful.
                count=$(( $count - 1 ))

                # one line per additional LUKS disk, addressed by UUID or by ID, whichever you prefer
                /bin/decrypt_derived $crypttarget | cryptsetup luksOpen /dev/disk/by-uuid/<UUID> <mapping-name>
                /bin/decrypt_derived $crypttarget | cryptsetup luksOpen /dev/disk/by-id/<ID> <mapping-name>

                message "cryptsetup ($crypttarget): set up successfully"
                break

Note that either the UUID or the ID can be used here. The main thing is that the drivers needed for the HDD/SSD devices are added to /etc/initramfs-tools/modules. You can find out which driver is in use with the command udevadm info -a -n /dev/sdX | egrep 'looking|DRIVER'.
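With a dozen disks, typing one luksOpen line per disk into cryptroot by hand is error-prone. The helper below is an added example, not from the original article: it reads a constructed list of "UUID mapping-name" pairs (placeholder values), validates each entry and prints the lines to paste into the edited block; the names gen_luksopen_lines, valid_uuid and valid_mapname are my own.

```shell
# Generator for the extra luksOpen lines in local-top/cryptroot (names are mine).
# Input on stdin: "<UUID> <mapping-name>" per encrypted disk; blank and '#' lines are skipped.
# Output: the lines to insert before the "set up successfully" message.

valid_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Mapping names end up under /dev/mapper, so allow only a safe character set.
valid_mapname() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Prints one luksOpen line per valid entry; returns 1 if any entry was rejected.
gen_luksopen_lines() {
    rc=0
    while read -r uuid name _; do
        case "$uuid" in ''|'#'*) continue ;; esac
        if ! valid_uuid "$uuid" || ! valid_mapname "$name"; then
            echo "rejected entry: '$uuid' '$name'" >&2
            rc=1
            continue
        fi
        printf '                /bin/decrypt_derived "$crypttarget" | cryptsetup luksOpen /dev/disk/by-uuid/%s %s\n' "$uuid" "$name"
    done
    return $rc
}

# Constructed sample list with placeholder UUIDs (not from any real system).
SAMPLE_LIST='# UUID                                 mapping
2f0c9a5e-3b1d-4c6e-8f7a-1d2e3c4b5a69 data1_crypt
7a6b5c4d-3e2f-4a1b-9c8d-7e6f5a4b3c2d data2_crypt
not-a-uuid                           bad_crypt'

# Stand-alone run: prints two lines and reports the malformed entry on stderr.
printf '%s\n' "$SAMPLE_LIST" | gen_luksopen_lines || echo "some entries were rejected" >&2
```

On a real system, build the list from ls -l /dev/disk/by-uuid and redirect the output into the cryptroot edit.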

Now that we are done and all the files are in place, we run update-initramfs -u -k all -v; there should be no errors in the log related to our scripts. We reboot, enter the passphrase and wait a little, depending on the number of disks. Then the system starts, and at the last stage of the boot, that is, after the root partition is "mounted", the partprobe command is executed: it finds and picks up all the partitions created on the LUKS devices, and any arrays, whether ZFS or mdadm, are assembled without problems! And all of this happens before the main services that need these disks/arrays are loaded.

upd1: As AEP noted, this method only works with LUKS1.
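To confirm before rebooting that every container really is LUKS1, the check below (an added example, not from the original article) parses the output of cryptsetup luksDump; the sample dumps are constructed and abbreviated, and the function names luks_version, is_luks1, enabled_slots and report are my own.

```shell
# LUKS version check for decrypt_derived compatibility (function names are mine).
# Each function takes the text of "cryptsetup luksDump <device>" as its argument.

# Prints the number on the "Version:" line (1 or 2).
luks_version() {
    printf '%s\n' "$1" | awk -F: '/^Version:/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Succeeds only for LUKS1 headers, the only kind this boot method handles.
is_luks1() {
    [ "$(luks_version "$1")" = "1" ]
}

# Counts enabled key slots in a LUKS1 dump; the derived key occupies one of them.
enabled_slots() {
    printf '%s\n' "$1" | grep -c '^Key Slot [0-7]: ENABLED'
}

# Prints a one-line verdict for a device, given its name and dump text.
report() {
    if is_luks1 "$2"; then
        echo "$1: LUKS1, $(enabled_slots "$2") key slot(s) enabled, decrypt_derived usable"
    else
        echo "$1: LUKS$(luks_version "$2"), not supported by this method"
    fi
}

# Constructed, abbreviated sample dumps (placeholder values, not from a real system).
DUMP_LUKS1='LUKS header information for /dev/sdb

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED'

DUMP_LUKS2='LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]'

report sdb "$DUMP_LUKS1"   # sdb: LUKS1, 1 key slot(s) enabled, decrypt_derived usable
report sdc "$DUMP_LUKS2"   # sdc: LUKS2, not supported by this method
```

On a real system call report sdX "$(cryptsetup luksDump /dev/sdX)"; note that cryptsetup 2.1 and later creates LUKS2 by default, so luksFormat needs --type luks1 for this method to keep working.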

Source: www.habr.com
