Decrypting a LUKS array at system boot

Good day and good night, everyone! This post will be useful to those who use LUKS data encryption and want to unlock their disks under Linux (Debian, Ubuntu) at the stage where the root partition is decrypted. I could not find such information on the Internet.

Recently, as the number of disks in the shelves grew, I ran into the problem of unlocking disks with the all-too-familiar method via /etc/crypttab. Personally I found a few problems with that method, namely that the file is read only after the root partition has been loaded (mounted), which badly affects ZFS imports, especially when the pools are assembled from partitions on a *_crypt device, and likewise mdadm arrays assembled from partitions. We all know you can put partitions on LUKS containers, right? There is also the problem of other services starting early, when the arrays do not exist yet but I already need something on them (I work with a Proxmox VE 5.x cluster and ZFS over iSCSI).

A little about ZFS over iSCSI. For me iSCSI runs through LIO, and the thing is, when the iSCSI target starts and does not find the ZVOL devices, it drops them from its configuration, which stops the guest systems from booting. After that it is either restore the json backup file, or add the devices by hand with the identifiers of every VM, which is plain awful when there are dozens of such devices and every config has more than one disk.

The second question I will look at is how to actually do the decryption (this is the main point of the article). We will talk about it below, under the cut!

Most of the time on the Internet a key file is used (added to a key slot with the command cryptsetup luksAddKey), or, in rare cases (there is very little about it on the Russian-language Internet), the decrypt_derived script that lives in /lib/cryptsetup/scripts/ (of course there are other methods, but I used these two, and they form the basis of the article). I also aimed for complete automation across reboots, with no extra commands in the console, so that everything "takes off" for me right away. So, why wait?

Let's begin!

Assume a system, say Debian, is installed on the encrypted partition sda3_crypt, and a dozen more disks are ready to be encrypted and turned into whatever your heart desires. We have a passphrase for sda3_crypt. On the running (unlocked) system we take not the passphrase itself, and not a hash of it, but the key that decrypt_derived derives from the volume (master) key of the open sda3_crypt mapping, and we use that key to encrypt the other disks. Two consequences follow: changing the sda3_crypt passphrase later does not change its volume key, so the other disks stay openable, but re-creating sda3_crypt with luksFormat (a new volume key) leaves them permanently locked, so give each of them a second, independent passphrase with cryptsetup luksAddKey as a rescue path. It is all elementary; in the console we run:

/lib/cryptsetup/scripts/decrypt_derived sda3_crypt | cryptsetup luksFormat /dev/sdX

where X is each of our disks, partitions and so on (cryptsetup reads the key from the pipe as the passphrase, so the same pipe is used later to open the device).

After encrypting the disks with the derived key you need to find out their UUID or ID, depending on what you are used to. We take them from /dev/disk/by-uuid and /dev/disk/by-id respectively (the UUID is the one in the LUKS header, which blkid reports for the raw partition).

The next stage is preparing the files and the small scripts for the services we need to run. A copy under /etc/initramfs-tools takes precedence over the package version when the initramfs is built and is not touched by package upgrades, so the edit made below has to be re-applied after a cryptsetup upgrade. Let's continue:

cp -p /usr/share/initramfs-tools/hooks/cryptroot /etc/initramfs-tools/hooks/
cp -p /usr/share/initramfs-tools/scripts/local-top/cryptroot /etc/initramfs-tools/scripts/local-top/

Next:

touch /etc/initramfs-tools/hooks/decrypt && chmod +x /etc/initramfs-tools/hooks/decrypt

Contents of /etc/initramfs-tools/hooks/decrypt:

#!/bin/sh

# decrypt_derived is a shell script; dmsetup and cryptsetup, which it needs,
# are already copied into the initramfs by the cryptroot hook.
cp -p /lib/cryptsetup/scripts/decrypt_derived "$DESTDIR/bin/decrypt_derived"

Next:

touch /etc/initramfs-tools/hooks/partcopy && chmod +x /etc/initramfs-tools/hooks/partcopy

Contents of /etc/initramfs-tools/hooks/partcopy (copy_exec from hook-functions copies the binary together with the shared libraries it links against, so libparted and libreadline do not have to be listed with their version-specific sonames):

#!/bin/sh

# copy_exec resolves partprobe's shared-library dependencies (libparted,
# libreadline) itself and places the binary at /bin/partprobe in the initramfs.
. /usr/share/initramfs-tools/hook-functions
copy_exec /sbin/partprobe /bin

A little more:

touch /etc/initramfs-tools/scripts/local-bottom/partprobe && chmod +x /etc/initramfs-tools/scripts/local-bottom/partprobe

Contents of /etc/initramfs-tools/scripts/local-bottom/partprobe:

#!/bin/sh

# This runs inside the booting initramfs, where $DESTDIR (a build-time
# variable of the hooks) is unset, so the binary is addressed by its
# final path.
/bin/partprobe

And finally, before update-initramfs, you need to edit the file /etc/initramfs-tools/scripts/local-top/cryptroot, starting at about line 360 (the exact number depends on the cryptsetup version; the spot is the branch that reports "set up successfully" after a mapping has been opened). The code is below.

Original:


                # decrease $count by 1, apparently last try was successful.
                count=$(( $count - 1 ))
                
                message "cryptsetup ($crypttarget): set up successfully"
                break

and bring it to this form:

Edited:


                # decrease $count by 1, apparently last try was successful.
                count=$(( $count - 1 ))

                # $crypttarget (the root mapping) is open now: derive its key and
                # unlock the other containers, one line per disk, by UUID or by ID
                /bin/decrypt_derived $crypttarget | cryptsetup luksOpen /dev/disk/by-uuid/<UUID> <CRYPT_MAP>
                /bin/decrypt_derived $crypttarget | cryptsetup luksOpen /dev/disk/by-id/<ID> <CRYPT_MAP>

                message "cryptsetup ($crypttarget): set up successfully"
                break

Note that either the UUID or the ID can be used here, with <CRYPT_MAP> being the mapping name you want under /dev/mapper. The lines sit inside the loop that sets up every crypttab entry handled in the initramfs, so they run once per entry that cryptroot opens; with root as the only entry, that is once. The main thing is that the drivers needed for the HDD/SSD controllers are listed in /etc/initramfs-tools/modules. Which driver a disk uses can be found with the command udevadm info -a -n /dev/sdX | egrep 'looking|DRIVER'.

Now that everything is done and all the files are in place, we run update-initramfs -u -k all -v; the log must show no errors from the execution of our scripts. Reboot, enter the passphrase and wait a little, depending on the number of disks. The system then continues to boot, and at the last stage of the initramfs, namely after the root partition has been "mounted", the partprobe command runs. The kernel does not scan partition tables on device-mapper devices by itself, so this is what creates the partition nodes inside the LUKS mappings, and any arrays on them, ZFS or mdadm, assemble without problems, all before the main services that need those disks/arrays are started.
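As an added example, not code from the original post, here is the same unlock step written as a stand-alone local-top script instead of a patch inside cryptroot. initramfs-tools orders local-top scripts by their PREREQ line, so PREREQ="cryptroot" runs this one right after the root mapping has been opened. It adds what the patched loop lacks: a bounded wait for disks that udev has not created nodes for yet, a skip for mappings that are already active, per-disk failure reporting that does not abort the boot when one shelf is missing, and the partprobe/udevadm settle immediately after unlocking. The script name, the config file /etc/derived-unlock.conf (one "<UUID-or-ID> <mapping-name>" pair per line) and the variable names are assumptions; a hook like partcopy above must copy decrypt_derived, partprobe and that config file into the initramfs, and the LUKS1-only limitation of decrypt_derived still applies.

```shell
#!/bin/sh
# /etc/initramfs-tools/scripts/local-top/derived-unlock  (hypothetical name)
#
# Added example, not the article's code. Runs after the stock cryptroot
# script (PREREQ="cryptroot") and opens every LUKS1 container listed in
# DERIVED_CONF with a key derived from the volume key of the root mapping,
# then re-reads partition tables so ZFS/mdadm members inside the new
# mappings exist before local-bottom and the root mount.
# Assumed to be in the initramfs already (copied by hooks): decrypt_derived,
# cryptsetup, partprobe, and the config file named below.

PREREQ="cryptroot"
prereqs() { echo "$PREREQ"; }
case "$1" in
    prereqs) prereqs; exit 0 ;;
esac

ROOT_MAP="${ROOT_MAP:-sda3_crypt}"                    # mapping opened by cryptroot
DERIVED_CONF="${DERIVED_CONF:-/etc/derived-unlock.conf}"
DEV_DIR="${DEV_DIR:-/dev/disk/by-uuid}"               # or /dev/disk/by-id
WAIT_SECS="${WAIT_SECS:-30}"                          # udev may still be creating nodes

# Poll for a device node; returns 1 if it has not appeared after WAIT_SECS seconds.
wait_for_dev() {
    _i=0
    while [ ! -e "$1" ]; do
        _i=$((_i + 1))
        [ "$_i" -le "$WAIT_SECS" ] || return 1
        sleep 1
    done
    return 0
}

# Open one container. 0 = mapping is active (already was, or is now),
# 1 = device node never appeared (disk missing or slow),
# 2 = luksOpen rejected the derived key (e.g. root re-formatted since).
derived_unlock_one() {
    _id="$1"; _name="$2"; _dev="$DEV_DIR/$_id"
    if cryptsetup status "$_name" >/dev/null 2>&1; then
        return 0          # idempotent: never re-open an active mapping
    fi
    wait_for_dev "$_dev" || return 1
    # The derived key only travels through this pipe; nothing is written to disk.
    if decrypt_derived "$ROOT_MAP" | cryptsetup luksOpen "$_dev" "$_name"; then
        return 0
    fi
    return 2
}

# Open every entry in DERIVED_CONF ('#' comments and blank lines are ignored).
# Prints one "<name> <open|missing|failed>" line per entry and returns 1 if any
# entry failed, so one missing disk aborts neither the others nor the boot.
derived_unlock_all() {
    _failed=0
    while read -r _id _name _rest || [ -n "$_id" ]; do
        case "$_id" in ''|'#'*) continue ;; esac
        if [ -z "$_name" ]; then
            echo "$_id: missing mapping name in $DERIVED_CONF" >&2
            _failed=$((_failed + 1)); continue
        fi
        derived_unlock_one "$_id" "$_name" && _rc=0 || _rc=$?
        case "$_rc" in
            0) echo "$_name open" ;;
            1) echo "$_name missing"; _failed=$((_failed + 1)) ;;
            *) echo "$_name failed";  _failed=$((_failed + 1)) ;;
        esac
    done < "$DERIVED_CONF"
    [ "$_failed" -eq 0 ]
}

# The kernel does not partition-scan device-mapper devices on its own:
# partprobe adds the partitions inside the fresh mappings, udevadm settle
# waits until udev has created their nodes (and mdadm rules have fired).
rescan_partitions() {
    partprobe >/dev/null 2>&1 || true
    if command -v udevadm >/dev/null 2>&1; then
        udevadm settle || true
    fi
}

# Only the initramfs provides /scripts/functions; elsewhere just define the functions.
if [ -r /scripts/functions ]; then
    . /scripts/functions
    log_begin_msg "Opening LUKS containers derived from $ROOT_MAP"
    if derived_unlock_all >/dev/null; then
        log_end_msg
    else
        log_failure_msg "some derived LUKS containers were not opened"
    fi
    rescan_partitions
fi
```

Install it with chmod +x, list the disks in the config file, have a hook copy the file into the initramfs, then run update-initramfs -u -k all -v as above; the local-bottom partprobe script becomes redundant because the rescan happens here, before mdadm and the root mount.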

Update 1: as a commenter pointed out, this method works only for LUKS1, because LUKS2 keeps the volume key in the kernel keyring by default, so the device-mapper table no longer exposes it and decrypt_derived has nothing to derive from.

Source: www.habr.com
