Updated personal guide to full-disk encryption on the RuNet, V0.2.
Cowboy strategy:
[A] Windows 7 system block encryption of the installed system;
[B] GNU/Linux system block encryption (Debian) of the installed system (including /boot);
[C] GRUB2 configuration, bootloader protection with a digital signature/authentication/hashing;
[D] wiping: destruction of unencrypted data;
[E] universal backup of the encrypted OSes;
[F] attack, target: the GRUB2 bootloader;
[G] useful documentation.
╭───Scheme #room 40# :
├──╼ Windows 7 installed - full system encryption, not hidden;
├──╼ GNU/Linux installed (Debian and derivative distributions) - full system encryption, not hidden (/, including /boot; swap);
├──╼ independent bootloaders: the VeraCrypt bootloader is installed in the MBR, the GRUB2 bootloader is installed in the extended partition;
├──╼ no OS installation/reinstallation required;
└──╼ cryptographic software used: VeraCrypt; Cryptsetup; GnuPG; Seahorse; Hashdeep; GRUB2 - free/gratis.
The scheme above partially solves the problem of "remote boot to a flash drive", lets you enjoy encrypted Windows/Linux OSes and exchange data over an "encrypted channel" from one OS to the other.
PC boot order (one of the options):
- power on the machine;
- the VeraCrypt bootloader loads (entering the correct password continues booting Windows 7);
- pressing the "Esc" key loads the GRUB2 bootloader;
- the GRUB2 bootloader (choose distribution/GNU/Linux/CLI) requires GRUB2 superuser authentication;
- after successful authentication and choosing the distribution, you need to enter a passphrase to unlock "/boot/initrd.img";
- after entering the passwords without errors, GRUB2 "requires" a password entry (the third one; the BIOS password and the GNU/Linux user account password are not considered) to unlock and boot the GNU/Linux OS, or automatic substitution of a secret key in its place (two passwords + key, or password + key);
- external tampering with the GRUB2 configuration will halt the GNU/Linux boot process.
Troublesome? OK, let's go and automate the processes.
When partitioning a hard drive (MBR table), a PC cannot have more than 4 primary partitions, or 3 primary and one extended, plus unallocated space. An extended partition, unlike a primary one, can contain sub-partitions (logical drives = extended partition). In other words, the "extended partition" on the HDD replaces LVM for the task at hand: full system encryption. If your disk is split into 4 primary partitions, you need to use LVM, or convert (with formatting) a partition from primary to extended, or make smart use of all four partitions and leave everything as it is, getting the desired result. Even if you have a single partition on your disk, Gparted will help you partition your HDD (for additional partitions) without data loss, but there is still a small price to pay for such operations.
The hard drive layout scheme, with reference to which the whole article is worded, is shown in the table below.
Table (No. 1) of the 1TB partitions.
You should have something similar too.
sda1 - primary partition No. 1, NTFS (encrypted);
sda2 - extended partition marker;
sda6 - logical disk (has the GRUB2 bootloader installed);
sda8 - swap (encrypted swap file/not always);
sda9 - test logical disk;
sda5 - logical disk for the curious;
sda7 - GNU/Linux OS (OS transferred to an encrypted logical disk);
sda3 - primary partition No. 2 with Windows 7 OS (encrypted);
sda4 - primary partition No. 3 (contains unencrypted GNU/Linux, used for backup/not always).
[A] Windows 7 system block encryption
A1. VeraCrypt
Download from
$ Certutil -hashfile "C:\VeraCrypt Setup 1.24.exe" SHA256
and compare the result with the checksum published on the VeraCrypt developer's website.
If the HashTab software is installed, it is even easier: right-click (VeraCrypt Setup 1.24.exe) - Properties - file hash sums.
To verify the program's signature, the software and the developer's public PGP key must be installed on the system.
A2. Installing/running the VeraCrypt software with administrator rights
A3. Selecting system encryption parameters for the active partition
VeraCrypt - System - Encrypt system partition/drive - Normal - Encrypt the Windows system partition - Multi-boot - (warning: "Inexperienced users are not recommended to use this method", and this is true, we agree with "Yes") - Boot drive ("yes", and even if it is not so, still "yes") - Number of system drives "2 or more" - Multiple systems on a single drive "Yes" - Non-Windows boot loader "No" (in fact "Yes", but the VeraCrypt/GRUB2 loaders will not share the MBR between themselves; more precisely, only the smallest part of the boot loader code is stored in the MBR/boot track, the main part of it is located within the file system) - Multi-boot - Encryption settings…
If you deviate from the steps above (block system encryption schemes), VeraCrypt will issue a warning and will not allow you to encrypt the partition.
In the next step towards targeted data protection, run a "Test" and choose an encryption algorithm. If you have an outdated CPU, the fastest encryption algorithm will most likely be Twofish. If the CPU is powerful, you will notice the difference: AES encryption, according to the test results, will be several times faster than its crypto competitors. AES is a popular encryption algorithm; the hardware of modern CPUs is specially optimized both for "secrecy" and for "hacking".
VeraCrypt supports encrypting disks in an AES(Twofish) cascade / and other combinations. On an old Intel CPU from ten years ago (without hardware AES support, A/T cascade encryption) the drop in performance is not noticeable (on AMD CPUs of the same era/~parameters, performance is slightly reduced). The OS works dynamically and the resource consumption of transparent encryption is not noticeable. In contrast, for example, there is a noticeable drop in performance due to an installed unstable desktop environment, Mate v1.20.1 (or v1.20.2, I don't remember exactly), in GNU/Linux, or due to the operation of the telemetry routine in Windows7↑. Usually, experienced users run hardware performance tests before encryption, for example in Aida64/Sysbench/systemd-analyze blame, and compare them with the results of the same tests after encrypting the system, thereby refuting for themselves the myth that "system encryption is harmful". A slowdown of the machine and inconvenience are noticeable when backing up/restoring encrypted data, because the "system data backup" operation itself is not measured in ms, and those are added. Ultimately, each user who is allowed to tinker with cryptography balances the encryption algorithm against the satisfaction of the tasks at hand, their level of paranoia, and ease of use.
It is better to leave the PIM parameter at its default, so that when loading the OS you do not have to enter exact iteration values each time. VeraCrypt uses a huge number of iterations to create a really "slow hash". An attack on such a "crypto snail" using brute force/rainbow tables only makes sense with a short "simple" passphrase and the victim's personal charset list. The price to pay for password strength is a delay when entering the correct password while loading the OS (mounting VeraCrypt volumes in GNU/Linux is significantly faster).
Free software for implementing brute-force attacks (extracting a passphrase from a VeraCrypt/LUKS disk header): Hashcat. John the Ripper does not know how to "break Veracrypt", and when working with LUKS it does not understand Twofish cryptography.
Because of the cryptographic strength of the encryption algorithms, unstoppable cypherpunks are developing software with a different attack vector, for example extracting metadata/keys from RAM (cold boot/direct memory access attack). There is specialized free and non-free software for these purposes.
After finishing setting up/generating the "unique metadata" of the encrypted active partition, VeraCrypt will offer to restart the PC and test the functionality of its bootloader. After rebooting/starting Windows, VeraCrypt will load in standby mode; all that remains is to confirm the encryption process - Y.
At the final step of system encryption, VeraCrypt will offer to create a backup copy of the header of the active encrypted partition in the form of "veracrypt rescue disk.iso" - this must be done - in this software such an operation is a requirement (in LUKS, as a requirement, this is unfortunately omitted, but it is emphasized in the documentation). The rescue disk will come in handy for everyone, and for some more than once. Losing (header/MBR rewrite) the backup copy of the header will permanently deny access to the decrypted partition with OS Windows.
A4. Creating a VeraCrypt rescue USB/disk
By default, VeraCrypt offers to burn "~2-3MB of metadata" to a CD, but not everyone has discs or DVD-ROM drives, and creating a bootable flash drive "VeraCrypt Rescue disk" will be a technical surprise for some: Rufus/GUIdd-ROSA ImageWriter and other similar software will not be able to cope with the task, because in addition to copying the offset metadata to a bootable flash drive, you need to copy/paste the image outside the file system of the USB drive; in short, correctly copy the MBR/track to the flash drive. You can create a bootable flash drive from GNU/Linux OS using the "dd" utility, referring to this table.
Creating a rescue disk in a Windows environment is different. The VeraCrypt developer did not include a solution to this problem in the official
This concludes the description of block system encryption with Windows OS.
[B] LUKS. Encrypting GNU/Linux (~Debian), an installed OS. Algorithm and steps
To encrypt an installed Debian/derivative distribution, you need to map the prepared partition to a virtual block device, transfer the OS to the mapped GNU/Linux disk, and install/configure GRUB2. If you do not have a bare-metal server and you value your time, then you need to use the GUI, and most of the terminal commands described below are meant to be run in "Chuck-Norris mode".
B1. Booting the PC from a live USB GNU/Linux
"Run a crypto test of hardware performance"
lscpu && cryptsetup benchmark
If you are the happy owner of a powerful machine with AES hardware support, the numbers will look like the right side of the terminal; if you are a happy owner, but with antique hardware, the numbers will look like the left side.
B2. Disk partitioning. Mounting/formatting the fs of the HDD logical disk to Ext4 (Gparted)
B2.1. Creating an encrypted sda7 partition header
I will describe partition names, here and further on, in accordance with my partition table posted above. According to your disk layout, you must substitute your own partition names.
Logical drive encryption mapping (/dev/sda7 > /dev/mapper/sda7_crypt).
#Simple creation of a "LUKS-AES-XTS partition"
cryptsetup -v -y luksFormat /dev/sda7
Options:
* luksFormat - initialization of the LUKS header;
* -y - passphrase (not a key/file);
* -v - verbosity (displaying information in the terminal);
* /dev/sda7 - your logical disk from the extended partition (where you plan to transfer/encrypt GNU/Linux).
Default encryption algorithm <LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom> (depends on the cryptsetup version).
#Check the default encryption algorithm
cryptsetup --help #the very last line in the terminal output.
If there is no hardware support for AES on the CPU, the best choice would be to create an advanced "LUKS-Twofish-XTS-partition".
B2.2. Advanced creation of a "LUKS-Twofish-XTS-partition"
cryptsetup luksFormat /dev/sda7 -v -y -c twofish-xts-plain64 -s 512 -h sha512 -i 1500 --use-urandom
Options:
* luksFormat - initialization of the LUKS header;
* /dev/sda7 - your future encrypted logical disk;
* -v - verbosity;
* -y - passphrase;
* -c - choose the data encryption algorithm;
* -s - encryption key size;
* -h - hashing algorithm/crypto function, the RNG used (--use-urandom) to generate a unique key for encrypting/decrypting the logical disk header, a secondary header key (XTS); a unique master key stored in the encrypted disk header, a secondary XTS key, all this metadata and an encryption routine that, using the master key and the secondary XTS key, encrypts/decrypts any data on the partition (except for the partition header) are stored in ~3MB on the selected hard disk partition.
* -i - iterations in milliseconds, instead of an "amount" (the time delay when processing the passphrase affects OS loading and the cryptographic strength of the keys). To maintain a balance of cryptographic strength, with a simple password like "Russian" you need to increase the -(i) value; with a complex password like "?8dƱob/øfh" the value can be reduced.
* --use-urandom - random number generator, generates keys and salt.
After mapping the partition sda7 > sda7_crypt (the operation is fast, since the encrypted header is created with ~3 MB of metadata and that is all), you need to format and mount the sda7_crypt file system.
B2.3. Mapping
cryptsetup open /dev/sda7 sda7_crypt
#executing this command prompts for the secret passphrase.
options:
* open - map the partition "to a name";
* /dev/sda7 - logical disk;
* sda7_crypt - the mapping name used to mount the encrypted partition or to initialize it when the OS boots.
B2.4. Formatting the sda7_crypt file system to ext4. Mounting the disk in the OS
(Note: you will not be able to work with an encrypted partition in Gparted)
#formatting the encrypted block device
mkfs.ext4 -v -L DebSHIFR /dev/mapper/sda7_crypt
options:
* -v - verbosity;
* -L - drive label (displayed in Explorer among the other drives).
Next, you should mount the virtual encrypted block device /dev/sda7_crypt into the system
mount /dev/mapper/sda7_crypt /mnt
Working with files in the /mnt folder will automatically encrypt/decrypt data on sda7.
It is more convenient to map and mount the partition in Explorer (nautilus/caja GUI); the partition will already be in the disk selection list, and all that remains is to enter the passphrase to unlock/decrypt the disk. The mapped name will be chosen automatically and will not be "sda7_crypt", but something like /dev/mapper/Luks-xx-xx...
B2.5. Disk header backup (~3MB of metadata)
One of the most important operations, which must be done without delay, is a backup copy of the "sda7_crypt" header. If you overwrite/damage the header (for example, by installing GRUB2 to the sda7 partition, etc.), the encrypted data will be completely lost without any possibility of recovering it, because it will be impossible to regenerate the same keys; the keys are created unique.
#Partition header backup
cryptsetup luksHeaderBackup --header-backup-file ~/Бэкап_DebSHIFR /dev/sda7
#Partition header restore
cryptsetup luksHeaderRestore --header-backup-file <file> <device>
options:
* luksHeaderBackup --header-backup-file - backup command;
* luksHeaderRestore --header-backup-file - restore command;
* ~/Бэкап_DebSHIFR - backup file;
* /dev/sda7 - the partition whose encrypted disk header is to be backed up.
This step is complete.
B3. Transferring the GNU/Linux OS (sda4) to the encrypted partition (sda7)
Create the folder /mnt2 (Note: we are still working from the live USB, sda7_crypt is mounted at /mnt), and mount our GNU/Linux, which needs to be encrypted, at /mnt2.
mkdir /mnt2
mount /dev/sda4 /mnt2
We perform a correct OS transfer using the Rsync software
rsync -avlxhHX --progress /mnt2/ /mnt
Rsync options are described in section E1.
Next, it is necessary to defragment the logical disk partition
e4defrag -c /mnt/ #after checking, e4defrag will report that the partition's degree of fragmentation is ~"0"; this is a misconception that may cost you a significant loss of performance!
e4defrag /mnt/ #defragment the encrypted GNU/Linux
Make it a rule: run e4defrag on the encrypted GNU/Linux from time to time if you have an HDD.
The transfer and synchronization [GNU/Linux > GNU/Linux-encrypted] is complete at this step.
B4. Configuring GNU/Linux on the encrypted sda7 partition
After successfully transferring the OS /dev/sda4 > /dev/sda7, you need to log into GNU/Linux on the encrypted partition and perform further configuration (without rebooting the PC) relative to the encrypted system. That is, stay in the live USB, but run commands "relative to the root of the encrypted OS". "chroot" will simulate such a situation. To quickly get information about which OS you are currently working with (encrypted or not, since the data in sda4 and sda7 is synchronized), desynchronize the OSes. Create empty marker files in the root directories (sda4/sda7_crypt), for example /mnt/encryptedOS and /mnt2/decryptedOS. Quickly check which OS you are in (including in the future):
ls /<Tab-Tab>
B4.1. "Simulating a login into the encrypted OS"
mount --bind /dev /mnt/dev
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
chroot /mnt
B4.2. Verifying that work is being done against the encrypted system
ls /mnt<Tab-Tab>
#and we see the file "/encryptedOS"
history
#the terminal output should show the su command history of the working OS.
B4.3. Creating/configuring encrypted swap, editing crypttab/fstab
Since the swap file is formatted every time the OS boots, it makes no sense to create and map swap to a logical disk now and type commands as in section B2.2. For swap, its temporary encryption keys will be generated automatically at each start. Life cycle of the swap keys: unmounting/disconnecting the swap partition (+clearing RAM); or restarting the OS. To set up swap, open the file responsible for the configuration of encrypted block devices (analogous to the fstab file, but responsible for crypto).
nano /etc/crypttab
edit it
#"target name" "source device" "key file" "options"
swap /dev/sda8 /dev/urandom swap,cipher=twofish-xts-plain64,size=512,hash=sha512
Options
* swap - the mapped name when encrypting, /dev/mapper/swap.
* /dev/sda8 - use your own logical partition for swap.
* /dev/urandom - generator of random encryption keys for swap (with each new OS boot, new keys are created). The /dev/urandom generator is less random than /dev/random; after all, /dev/random is used when working in dangerous paranoid circumstances. When loading the OS, /dev/random slows down loading by several ± minutes (see systemd-analyze).
* swap,cipher=twofish-xts-plain64,size=512,hash=sha512: - the partition knows that it is swap and is formatted "accordingly"; the encryption algorithm.
#Open and edit fstab
nano /etc/fstab
edit it
# swap was on /dev/sda8 during installation
/dev/mapper/swap none swap sw 0 0
/dev/mapper/swap - the name set in crypttab.
Alternative encrypted swap
If for some reason you do not want to give up an entire partition for a swap file, you can go an alternative and better way: create the swap file as a file on the encrypted partition with the OS.
fallocate -l 3G /swap #create a 3GB file (almost instantaneous operation)
chmod 600 /swap #set permissions
mkswap /swap #make a swap file out of the file
swapon /swap #enable our swap
free -m #check that the swap file is activated and working
printf '/swap none swap sw 0 0\n' >> /etc/fstab #if needed, swap will be persistent after reboot
Swap partition setup is complete.
B4.4. Configuring the encrypted GNU/Linux (editing the crypttab/fstab files)
The /etc/crypttab file, as written above, describes encrypted block devices that are configured during system boot.
#edit /etc/crypttab
nano /etc/crypttab
if you mapped the partition sda7>sda7_crypt as in section B2.1
# "target name" "source device" "key file" "options"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 none luks
if you mapped the partition sda7>sda7_crypt as in section B2.2
# "target name" "source device" "key file" "options"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 none cipher=twofish-xts-plain64,size=512,hash=sha512
if you mapped the partition sda7>sda7_crypt as in section B2.1 or B2.2, but do not want to re-enter the password to unlock and boot the OS, then instead of the password you can substitute a secret key/random file.
# "target name" "source device" "key file" "options"
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 /etc/skey luks
Description
* none - indicates that when loading the OS, entering a secret passphrase is required to unlock the root.
* UUID - partition identifier. To find out your ID, type in the terminal (remember that from this point on, you are working in the terminal in the chroot environment, not in another live USB terminal).
fdisk -l #check all partitions
blkid #there should be something like this
/dev/sda7: UUID="81048598-5bb9-4a53-af92-f3f9e709e2f2" TYPE="crypto_LUKS" PARTUUID="0332d73c-07"
/dev/mapper/sda7_crypt: LABEL="DebSHIFR" UUID="382111a2-f993-403c-aa2e-292b5eac4780" TYPE="ext4"
(this line is visible if you request blkid from the live USB terminal with sda7_crypt mounted).
You take the UUID from your sdaX (not sdaX_crypt!; the UUID of sdaX_crypt is handled automatically when the grub.cfg config is generated).
* cipher=twofish-xts-plain64,size=512,hash=sha512 - LUKS encryption in advanced mode.
* /etc/skey - secret key file, which is substituted automatically to unlock the OS boot (instead of entering the 3rd password). You can specify any file of up to 8MB, but the data read will be <1MB.
#Creating ("generating") a random <secret key> file of 691 bytes.
head -c 691 /dev/urandom > /etc/skey
#Adding the secret key (691 bytes) to slot 7 of the LUKS header
cryptsetup luksAddKey --key-slot 7 /dev/sda7 /etc/skey
#Checking the slots "passwords/keys of the LUKS partition"
cryptsetup luksDump /dev/sda7
It will look like this:
(try it yourself and see).
cryptsetup luksKillSlot /dev/sda7 7 #removing the key/password from slot 7
/etc/fstab contains descriptive information about the various file systems.
#Edit /etc/fstab
nano /etc/fstab
# "file system" "mount point" "type" "options" "dump" "pass"
# / was on /dev/sda7 during installation
/dev/mapper/sda7_crypt / ext4 errors=remount-ro 0 1
option
* /dev/mapper/sda7_crypt - the name of the sda7>sda7_crypt mapping, specified in the /etc/crypttab file.
The crypttab/fstab setup is complete.
B4.5. Editing configuration files. A key moment
B4.5.1. Editing the config /etc/initramfs-tools/conf.d/resume
#If you previously had a swap partition activated, disable it.
nano /etc/initramfs-tools/conf.d/resume
and comment out (if present) with "#" the line "resume". The file must be completely empty.
B4.5.2. Editing /etc/initramfs-tools/conf.d/cryptsetup
nano /etc/initramfs-tools/conf.d/cryptsetup
it should match
# /etc/initramfs-tools/conf.d/cryptsetup
CRYPTSETUP=yes
export CRYPTSETUP
B4.5.3. Editing the /etc/default/grub config (this config is responsible for the ability to generate grub.cfg when working with an encrypted /boot)
nano /etc/default/grub
add the line "GRUB_ENABLE_CRYPTODISK=y"
with the value 'y', grub-mkconfig and grub-install will check for encrypted drives and generate the additional commands needed to access them during boot (insmods).
it should look similar to
GRUB_DEFAULT=0
GRUB_TIMEOUT=1
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="acpi_backlight=vendor"
GRUB_CMDLINE_LINUX="quiet splash noautomount"
GRUB_ENABLE_CRYPTODISK=y
B4.5.4. Editing the config /etc/cryptsetup-initramfs/conf-hook
nano /etc/cryptsetup-initramfs/conf-hook
check that the line is commented out.
In the future (and even now) this parameter will have no meaning, but sometimes it interferes with updating the initrd.img image.
B4.5.5. Editing the config /etc/cryptsetup-initramfs/conf-hook
nano /etc/cryptsetup-initramfs/conf-hook
add
KEYFILE_PATTERN="/etc/skey"
UMASK=0077
This will pack the secret key "skey" into initrd.img; the key is needed to unlock the root when the OS boots (if you do not want to enter the password again, the "skey" key is substituted automatically).
B4.6. Update /boot/initrd.img [version]
To pack the secret key into initrd.img and apply the cryptsetup fixes, update the image
update-initramfs -u -k all
when updating initrd.img (as they say, "it's possible, but not certain") warnings related to cryptsetup will appear, or, for example, a notification about the loss of Nvidia modules - this is normal. After updating the file, check that it was actually updated by looking at the time (relative to the chroot environment, ./boot/initrd.img). Caution: before [update-initramfs -u -k all], be sure to check that cryptsetup has /dev/sda7 open as sda7_crypt (this is the name that appears in /etc/crypttab); otherwise there will be a busybox error after reboot.
At this step, setting up the configuration files is complete.
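A pre-reboot audit of the files edited in B4.3-B4.5, as an added example that is not part of the original article: it cross-checks crypttab against fstab, flags a key file that is readable by others (which is what a plain `head -c 691 /dev/urandom > /etc/skey` leaves behind under the default umask), and checks the conf-hook settings that decide whether the key packed into initrd.img is protected. The function names `audit_crypt_boot` and `make_sample_tree` are hypothetical, and the sample tree is constructed to mirror the article's layout.

```shell
#!/bin/sh
# Usage: audit_crypt_boot ROOT   (ROOT=/ inside the chroot, /mnt from the live USB)
# Prints one finding per line; prints nothing when every check passes.
audit_crypt_boot() (
    root=${1%/}
    crypttab=$root/etc/crypttab
    fstab=$root/etc/fstab
    hook=$root/etc/cryptsetup-initramfs/conf-hook
    [ -r "$crypttab" ] || { echo "cannot read $crypttab"; exit 0; }

    # crypttab fields: mapped name, source device, key file, options
    while read -r name src key opts; do
        case $name in ''|'#'*) continue ;; esac

        # A name mismatch between crypttab and fstab leaves the initramfs
        # without a root device (the busybox error mentioned in B4.6).
        grep -Eq "^/dev/mapper/$name[[:space:]]" "$fstab" 2>/dev/null ||
            echo "$name: /dev/mapper/$name is not referenced in fstab"

        # The source must be the LUKS container (sdaX), not the mapped device.
        case $src in /dev/mapper/*) echo "$name: source $src is a mapped device" ;; esac

        case $key in
            none) ;;    # passphrase is typed at boot
            /dev/urandom|/dev/random)
                # throw-away key: only acceptable for swap
                case ",$opts," in
                    *,swap,*) ;;
                    *) echo "$name: random key without the 'swap' option" ;;
                esac ;;
            *)
                if [ ! -f "$root$key" ]; then
                    echo "$name: key file $key not found"
                else
                    mode=$(stat -c %a "$root$key")
                    case $mode in
                        [0-7]00|0) ;;
                        *) echo "$name: key file $key has mode $mode, expected 600" ;;
                    esac
                fi
                # The key is copied into initrd.img, so the image must not be
                # world-readable and the hook pattern must match the key path.
                grep -Eq '^UMASK=0077$' "$hook" 2>/dev/null ||
                    echo "$name: UMASK=0077 missing in conf-hook"
                pat=$(sed -n 's/^KEYFILE_PATTERN="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$hook" 2>/dev/null) || pat=
                case $key in
                    $pat) ;;
                    *) echo "$name: KEYFILE_PATTERN '$pat' does not match $key" ;;
                esac ;;
        esac
    done < "$crypttab"
)

# Constructed sample tree mirroring the article's layout (not a real system).
make_sample_tree() {
    mkdir -p "$1/etc/cryptsetup-initramfs"
    cat > "$1/etc/crypttab" <<'EOF'
# "target name" "source device" "key file" "options"
swap /dev/sda8 /dev/urandom swap,cipher=twofish-xts-plain64,size=512,hash=sha512
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 /etc/skey luks
EOF
    cat > "$1/etc/fstab" <<'EOF'
/dev/mapper/sda7_crypt / ext4 errors=remount-ro 0 1
/dev/mapper/swap none swap sw 0 0
EOF
    printf 'KEYFILE_PATTERN="/etc/skey"\nUMASK=0077\n' > "$1/etc/cryptsetup-initramfs/conf-hook"
    head -c 691 /dev/urandom > "$1/etc/skey"
    chmod 600 "$1/etc/skey"
}

# Demo: a key file left at mode 644 is reported.
demo=$(mktemp -d)
make_sample_tree "$demo"
chmod 644 "$demo/etc/skey"
audit_crypt_boot "$demo"
rm -rf "$demo"
```

On a real system, run it inside the chroot as `audit_crypt_boot /` before `update-initramfs -u -k all`; it relies on GNU `stat`, which Debian provides.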
[C] Installing and configuring GRUB2/Protection
C1. If necessary, format the dedicated partition for the bootloader (the partition needs at least 20MB)
mkfs.ext4 -v -L GRUB2 /dev/sda6
C2. Mount /dev/sda6 to /mnt
Since we are working in chroot, there will be no /mnt2 directory in the root, and the /mnt folder will be empty.
mount the GRUB2 partition
mount /dev/sda6 /mnt
If you have an old version of GRUB2 installed, and in the directory /mnt/boot/grub/i386-pc (another platform is possible, for example, not "i386-pc") there are no crypto modules (in short, the folder should contain modules, including these .mod: cryptodisk; luks; gcry_twofish; gcry_sha512; signature_test.mod), then in this case GRUB2 needs to be shaken up.
apt-get update
apt-get install grub2
Important! When updating the GRUB2 package from the repository, when asked "about choosing" where to install the bootloader, you must refuse the installation (the reason: an attempt to install GRUB2 to the "MBR" or to the live USB). Otherwise you will damage the VeraCrypt header/loader. After updating the GRUB2 packages and cancelling the installation, the bootloader must be installed manually on the logical disk, not in the MBR. If your repository has an outdated version of GRUB2, try
C3. Installing GRUB2 into the extended partition [sda6]
You must have the partition mounted [item C.2]
grub-install --force --root-directory=/mnt /dev/sda6
options
* --force - install the bootloader, bypassing all the warnings that are almost always present and block installation (required flag).
* --root-directory - sets the directory to the root of sda6.
* /dev/sda6 - your sdaX partition (do not miss the space between /mnt and /dev/sda6).
C4. Creating the configuration file [grub.cfg]
Forget about the "update-grub2" command, and use the full command for generating the configuration file
grub-mkconfig -o /mnt/boot/grub/grub.cfg
after generation/updating of the grub.cfg file is finished, the terminal output should contain line(s) with the OSes found on the disk ("grub-mkconfig" will probably also find and pick up the OS from the live USB, if you have a multiboot flash drive with Windows 10 and a bunch of live distributions - this is normal). If the terminal is "empty" and the "grub.cfg" file is not generated, this is the same case where there are GRUB bugs in the system (and most likely a loader from the test branch of the repository); reinstall GRUB2 from trusted sources.
The "simple" installation and configuration of GRUB2 is complete.
C5. Proof-test of the encrypted GNU/Linux OS
We complete the crypto mission correctly. Carefully leave the encrypted GNU/Linux (exit the chroot environment).
umount -a #unmount all mounted partitions of the encrypted GNU/Linux
Ctrl+d #exit the chroot environment
umount /mnt/dev
umount /mnt/proc
umount /mnt/sys
umount -a #unmount all mounted partitions on the live usb
reboot
After rebooting the PC, the VeraCrypt bootloader should load.
*Entering the password for the active partition will start loading Windows.
*Pressing the "Esc" key will transfer control to GRUB2; if you select the encrypted GNU/Linux, a password (sda7_crypt) will be required to unlock /boot/initrd.img (if grub2 writes that the uuid is "not found", this is a problem with the grub2 bootloader, and it should be reinstalled, e.g., from the test branch/stable etc.).
*Depending on how you configured the system (see section B4.4/4.5), after entering the correct password to unlock the /boot/initrd.img image, you will need a password to load the OS kernel/root, or the secret key "skey" will be substituted automatically, eliminating the need to re-enter the passphrase.
(screen "automatic substitution of the secret key").
*Next comes the familiar process of loading GNU/Linux with user account authentication.
*After user authorization and login to the OS, you need to update /boot/initrd.img again (see B4.6).
update-initramfs -u -k all
And in case there are extra lines in the GRUB2 menu (from the OS pickup with the live USB), get rid of them
mount /dev/sda6 /mnt
grub-mkconfig -o /mnt/boot/grub/grub.cfg
Quick summary of GNU/Linux system encryption:
- GNU/Linux is fully encrypted, including /boot/kernel and initrd;
- the secret key is packed into initrd.img;
- current authorization scheme (entering a password to unlock initrd; password/key to boot the OS; password for Linux account authorization).
Block-partition system encryption, "GRUB2 configuration", is complete.
C6. Advanced GRUB2 configuration. Bootloader protection with a digital signature + authentication protection
GNU/Linux is fully encrypted, but the bootloader cannot be encrypted - this condition is dictated by the BIOS. For this reason, a chained encrypted boot of GRUB2 is not possible, but a simple chained boot is possible/available, although from a security point of view it is not necessary [see P. F].
For the "vulnerable" GRUB2, the developers implemented a "signature/authentication" bootloader protection algorithm.
- If the bootloader is protected by "its own digital signature", external modification of files, or an attempt to load additional modules into this bootloader, will lead to the boot process being blocked.
- When protecting the bootloader with authentication, in order to choose a distribution to load, or to enter additional commands in the CLI, you will need to log in with the GRUB2 superuser login and password.
C6.1. Bootloader authentication protection
Check that you are working in a terminal in the encrypted OS
ls /<Tab-Tab> #find the marker file
create a superuser password for authorization in GRUB2
grub-mkpasswd-pbkdf2 #enter/repeat the superuser password.
Get the password hash. Something like this
grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
mount the GRUB partition
mount /dev/sda6 /mnt
edit the config
nano -$ /mnt/boot/grub/grub.cfg
check by searching the file that there are no flags ("--unrestricted", "--user") anywhere in "grub.cfg",
add at the very end (before the line ### END /etc/grub.d/41_custom ###)
"set superusers="root"
password_pbkdf2 root hash."
It should look something like this
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###
### BEGIN /etc/grub.d/41_custom ###
if [ -f ${config_directory}/custom.cfg ]; then
source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
source $prefix/custom.cfg;
fi
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
### END /etc/grub.d/41_custom ###
#
If you often run the command "grub-mkconfig -o /mnt/boot/grub/grub.cfg" and do not want to edit grub.cfg every time, put the lines above (Login:Password) into the GRUB user script, at the very bottom
nano /etc/grub.d/41_custom
cat <<EOF
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
EOF
When the config is generated with "grub-mkconfig -o /mnt/boot/grub/grub.cfg", the lines responsible for authentication are added to grub.cfg automatically.
This step completes the GRUB2 authentication setup.
C6.2. Bootloader protection with a digital signature
It is assumed that you already have your personal PGP encryption key (or will create one). The system must have cryptographic software installed: gnuPG; kleopatra/GPA; Seahorse. The crypto software will make your life much easier in all of this. Seahorse: the stable package version is 3.14.0 (higher versions, for example V3.20, are faulty and have significant bugs).
The PGP key must be generated/launched/added only in the su environment!
Generate a personal encryption key
gpg --gen-key
Export your key
gpg --export -o ~/perskey
Mount the logical disk in the OS if it is not already mounted
mount /dev/sda6 /mnt # sda6 is the GRUB2 partition
clean the GRUB2 partition
rm -rf /mnt/
Install GRUB2 on sda6, placing your personal key into the main GRUB image "core.img"
grub-install --force --modules="gcry_sha256 gcry_sha512 signature_test gcry_dsa gcry_rsa" -k ~/perskey --root-directory=/mnt /dev/sda6
options
* --force - install the bootloader, bypassing all the warnings that are always present (required flag).
* --modules="gcry_sha256 gcry_sha512 signature_test gcry_dsa gcry_rsa" - tells GRUB2 to preload the required modules when the PC starts.
* -k ~/perskey - path to the "PGP key" (after the key has been packed into the image, it can be deleted).
* --root-directory - sets the boot directory to the root of sda6
/dev/sda6 - your sdaX partition.
Generate/update grub.cfg
grub-mkconfig -o /mnt/boot/grub/grub.cfg
Add the line "trust /boot/grub/perskey" to the end of the "grub.cfg" file (this forces use of the PGP key). Since we installed GRUB2 with a set of modules that includes the signature module "signature_test.mod", there is no need to add commands such as "set check_signatures=enforce" to the config.
It should look something like this (the final lines of the grub.cfg file)
### BEGIN /etc/grub.d/41_custom ###
if [ -f ${config_directory}/custom.cfg ]; then
source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
source $prefix/custom.cfg;
fi
trust /boot/grub/perskey
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
### END /etc/grub.d/41_custom ###
#
The path "/boot/grub/perskey" does not need to point to a specific disk partition, for example hd0,6; for the bootloader itself, "root" is by default the path of the partition on which GRUB2 is installed (see set root=..).
Sign GRUB2 (all files in all /GRUB directories) with your "perskey" key.
A simple way to sign (for the nautilus/caja file manager): install the "seahorse" extension for the file manager from the repository. Your key must be added in the su environment.
Open the file manager with sudo at "/mnt/boot" - right-click - sign. On screen it looks like this
The key itself, "/mnt/boot/grub/perskey" (copy it into the grub directory), must also be signed with your own signature. Check that the [*.sig] file signatures have appeared in the directory/subdirectories.
Using the method described above, sign "/boot" (our kernel, initrd). If your time is worth anything, this method removes the need to write a bash script to sign "lots of files".
To remove all bootloader signatures (if something went wrong)
rm -f $(find /mnt/boot/grub -type f -name '*.sig')
To avoid re-signing the bootloader after a system update, we freeze all update packages related to GRUB2.
apt-mark hold grub-common grub-pc grub-pc-bin grub2 grub2-common
At this step the advanced GRUB2 configuration is complete.
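A pre-reboot check for sections C6.1 and C6.2, as an added example that is not part of the original guide: it confirms that grub.cfg declares a superuser, a PBKDF2 password and a trusted key, flags menu entries carrying --unrestricted or --users, and lists every file under /boot that has no .sig next to it. The function names grub_findings and audit_grub_tree are assumptions of this example, and the check covers only the presence of signatures, not their validity (gpg --verify does that).

```shell
#!/bin/sh
# Added example (not from the guide): static audit of a mounted GRUB2 partition.
# Usage: audit_grub_tree /mnt
# Prints one line per finding; returns 0 when the tree is clean, 1 otherwise.

# Emit the findings for the partition mounted at $1, one per line.
grub_findings() (
    root=$1
    cfg="$root/boot/grub/grub.cfg"

    if [ ! -f "$cfg" ]; then
        echo "missing: $cfg"
    else
        # C6.1: a superuser and its PBKDF2 hash must be declared.
        grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$cfg" ||
            echo "grub.cfg: no 'set superusers=' line"
        grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]+[^[:space:]]+[[:space:]]+grub\.pbkdf2\.' "$cfg" ||
            echo "grub.cfg: no password_pbkdf2 line"

        # C6.2: the exported key must be trusted explicitly.
        grep -Eq '^[[:space:]]*trust[[:space:]]+[^[:space:]]' "$cfg" ||
            echo "grub.cfg: no 'trust <key>' line"

        # C6.1: menu entries must not carry flags that change who may boot them.
        grep -En '^[[:space:]]*(menuentry|submenu)[[:space:]].*--(unrestricted|users)' "$cfg" |
            sed 's/^/grub.cfg: auth flag on line /'
    fi

    # C6.2: every file GRUB may read needs a detached signature beside it,
    # including grub.cfg and the key file itself.
    if [ -d "$root/boot" ]; then
        find "$root/boot" -type f ! -name '*.sig' \
            -exec sh -c '[ -f "$1.sig" ] || echo "unsigned: $1"' _ {} \;
    fi
)

# Print the findings and turn them into an exit status.
audit_grub_tree() (
    findings=$(grub_findings "$1")
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
)
```

Run it against the mount point after signing and before rebooting; a file without a signature is reported here instead of stopping the boot.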
C6.3. Proof test of the GRUB2 bootloader protected by a digital signature and authentication
GRUB2. When you select any GNU/Linux distribution or enter the CLI (command line), superuser authorization is required. After entering the correct username/password, you will need the initrd password
Screenshot of successful GRUB2 superuser authentication.
If you tamper with any of the GRUB2 files/make changes to grub.cfg, or delete a file/signature, or load a malicious module.mod, a corresponding warning appears. GRUB2 pauses the boot.
Screenshot: an attempt to interfere with GRUB2 "from outside".
During a "normal" boot "without intrusion", the system exit code status is "0". So it is unknown whether the protection works or not (that is, "with or without bootloader signature protection", during a normal boot the status is the same "0" - this is bad).
How do you check digital signature protection?
An inconvenient way to check: fake/remove a module used by GRUB2, for example delete the signature luks.mod.sig, and get an error.
The correct way: go to the bootloader CLI and type the command
list_trusted
In response you should get the "perskey fingerprint"; if the status is "0", then signature protection is not working, recheck section C6.2.
At this step, the advanced configuration "Protecting GRUB2 with a digital signature and authentication" is complete.
C7. An alternative method of protecting the GRUB2 bootloader using hashing
The "bootloader protection by digital signature/authentication" method described above is the classic one. Because of GRUB2's imperfections, in paranoid conditions it is vulnerable to a real attack, which I give below in section [F]. In addition, after an OS/kernel update the bootloader must be re-signed.
Protecting the GRUB2 bootloader using hashing
Advantages over the classic:
- A higher level of reliability (hashing/verification is performed only from the encrypted local resource. The entire partition allocated to GRUB2 is monitored for any changes, and everything else is encrypted; in the classic scheme with digital signature protection/authentication, only files are monitored, but not the free space, into which "something sinister" can be added).
- Encrypted logging (a human-readable personal encrypted log is added to the scheme).
- Speed (protection/verification of the entire partition allocated to GRUB2 happens almost instantly).
- Automation of all cryptographic processes.
Disadvantages compared with the classic:
- Signature forgery (theoretically, it is possible to find a collision for the given hash function).
- Increased level of difficulty (compared with the classic, somewhat more GNU/Linux skills are required).
How the GRUB2/partition hashing idea works
The GRUB2 partition is "signed"; when the OS boots, the bootloader partition is checked for immutability, followed by logging in a secure (encrypted) environment. If the bootloader or its partition is compromised, then in addition to the intrusion log, the following is launched:
The thing.
The same check runs four times a day, which does not load system resources.
With the command "-$ проверка_GRUB" (check_GRUB), an instant check is performed at any time without logging, but with the information output to the CLI.
With the command "-$ sudo подпись_GRUB" (signature_GRUB), the GRUB2 bootloader/partition is instantly re-signed and its logging updated (needed after an OS/boot update), and life goes on.
Implementing the hashing method for the bootloader and its partition
0) Sign the GRUB bootloader/partition, first mounting it at /media/username
-$ hashdeep -c md5 -r /media/username/GRUB > /podpis.txt
1) Create a script without an extension in the root of the encrypted OS, ~/podpis, and give it the required 744 permissions and foolproofing.
Fill in its contents
#!/bin/bash
# Check the entire partition allocated to the GRUB2 bootloader for changes.
# A log of "intrusion/successful check of the directory" is kept; in short, a full log with triple verbosity.
# Attention! Mind the paths: keep the GRUB2 digital signature only on the encrypted OS GNU/Linux partition.
echo -e "******************************************************************\n" >> '/var/log/podpis.txt' && date >> '/var/log/podpis.txt' && hashdeep -vvv -a -k '/podpis.txt' -r '/media/username/GRUB' >> '/var/log/podpis.txt'
a=`tail '/var/log/podpis.txt' | grep failed` # do not use "cat"!!
b="hashdeep: Audit failed"
# Condition: on any change in the partition allocated to GRUB2, a second, separate short "intrusion only" log is written in addition to the full log, and a blinking "warning" gif is shown on the monitor.
if [[ "$a" = "$b" ]]
then
echo -e "****\n" >> '/var/log/vtorjenie.txt' && echo "vtorjenie" >> '/var/log/vtorjenie.txt' && date >> '/var/log/vtorjenie.txt' & sudo -u username DISPLAY=:0 eom '/warning.gif'
fi
Run the script as su: the hashes of the GRUB partition and its bootloader will be checked and the log saved.
Let's create or copy, for example, a "malicious file" [virus.mod] into the GRUB2 partition and run a one-off scan/check:
-$ hashdeep -vvv -a -k '/podpis.txt' -r '/media/username/GRUB'
The CLI should show the intrusion into our citadel
#Trimmed log in the CLI
Ср янв 2 11::41 MSK 2020
/media/username/GRUB/boot/grub/virus.mod: Moved from /media/username/GRUB/1nononoshifr
/media/username/GRUB/boot/grub/i386-pc/mda_text.mod: Ok
/media/username/GRUB/boot/grub/grub.cfg: Ok
hashdeep: Audit failed
Input files examined: 0
Known files expecting: 0
Files matched: 325
Files partially matched: 0
Files moved: 1
New files found: 0
Known files not found: 0
#As you can see, "Files moved: 1" and "Audit failed" appear, which means the check failed.
Because of the nature of the partition being checked, "Files moved" is reported instead of "New files found".
2) Put the gif here > ~/warning.gif and set its permissions to 744.
3) Configure fstab to automount the GRUB partition at boot
-$ sudo nano /etc/fstab
LABEL=GRUB /media/username/GRUB ext4 defaults 0 0
4) Rotate the log
-$ sudo nano /etc/logrotate.d/podpis
/var/log/podpis.txt {
daily
rotate 50
size 5M
dateext
compress
delaycompress
olddir /var/log/old
}
/var/log/vtorjenie.txt {
monthly
rotate 5
size 5M
dateext
olddir /var/log/old
}
5) Add a job to cron
-$ sudo crontab -e
@reboot '/podpis'
0 */6 * * * '/podpis'
6) Create persistent aliases
-$ sudo su
-$ echo "alias подпись_GRUB='hashdeep -c md5 -r /media/username/GRUB > /podpis.txt'" >> /root/.bashrc && bash
-$ echo "alias проверка_GRUB='hashdeep -vvv -a -k '/podpis.txt' -r /media/username/GRUB'" >> .bashrc && bash
After an OS update -$ apt-get upgrade
re-sign our GRUB partition
-$ подпись_GRUB
At this point, the hashing protection of the GRUB partition is complete.
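The partition audit from this section with SHA-256 in place of MD5, for which practical collision attacks exist; this is an added example, not the author's script. The function names make_manifest, sign_partition and check_partition and the use of sha256sum and awk are assumptions of this example; as in the guide, the manifest belongs on the encrypted partition only.

```shell
#!/bin/sh
# Added example (not from the guide): SHA-256 manifest of the GRUB partition.
#   sign_partition  /media/username/GRUB /podpis.sha256   # after every update
#   check_partition /media/username/GRUB /podpis.sha256   # from cron or by hand
# Assumes file names without newlines or backslashes (sha256sum escapes those).

# Print "hash  ./relative/path" for every file under $1, sorted by path.
make_manifest() (
    cd "$1" || exit 2
    find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2
)

# Record the current state of the partition as the trusted manifest.
sign_partition() {
    make_manifest "$1" > "$2"
}

# Compare the partition with the manifest.
# Prints NEW / MODIFIED / MISSING lines; returns 0 only if nothing changed.
check_partition() (
    dir=$1
    manifest=$2
    current=$(mktemp) || exit 2
    make_manifest "$dir" > "$current"

    # A sha256sum line is 64 hex digits, two separator characters, then the
    # path, so the path starts at column 67 (this keeps spaces in names intact).
    report=$(awk '
        FILENAME == ARGV[1] { known[substr($0, 67)] = $1 ""; next }
                            { path = substr($0, 67); seen[path] = 1 }
        !(path in known)    { print "NEW      " path; next }
        known[path] != ($1 "") { print "MODIFIED " path }
        END { for (p in known) if (!(p in seen)) print "MISSING  " p }
    ' "$manifest" "$current" | LC_ALL=C sort)

    rm -f "$current"
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]
)
```

A non-zero return from check_partition can drive the same intrusion log and warning that the guide's script triggers on "hashdeep: Audit failed".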
[D] Wiping - destruction of unencrypted data
Delete your personal files so completely that "even God cannot read them," in the words of South Carolina spokesman Trey Gowdy.
As usual, there are various "myths and
After successfully transferring GNU/Linux to the encrypted partition, the old copy must be deleted with no possibility of data recovery. A universal cleaning method: free GUI software for Windows/Linux
Quick-format the partition whose data is to be destroyed (with Gparted), launch BleachBit, select "Wipe free space", choose the partition (your sdaX with the previous copy of GNU/Linux), and the wiping process will start. BleachBit wipes the disk in one pass, which is "what we need". But! This works only in theory, if you formatted the disk and cleaned it in BB v2.0 software.
Attention! BB wipes the disk but leaves metadata; file names are preserved when the data is destroyed (Ccleaner does not leave metadata).
And the myth about the possibility of data recovery is not entirely a myth.
Bleachbit V2.0-2, the package from the former unstable Debian OS (and any other similar software: sfill; wipe-Nautilus were also caught in this dirty business), actually had a critical bug: the "wipe free space" function works incorrectly on HDD/flash drives (ntfs/ext4). Software of this kind, when wiping free space, does not overwrite the entire disk, as many users think. And some (much) of the deleted data is regarded by the OS/software as not deleted/user data, and when performing the free-space wipe it skips these files. The problem is that after such a lengthy disk cleaning, "deleted files" can be recovered even after 3+ wiping passes.
In GNU/Linux, in Bleachbit 2.0-2 the functions for permanently deleting files and directories work reliably, but wiping free space does not. For comparison: on Windows, in CCleaner the "free-space wipe for ntfs" function works properly, and God really will not be able to read the deleted data.
And so, to thoroughly remove the old unencrypted "compromising" data, Bleachbit needs direct access to that data; then use the "permanently delete files/directories" function.
To remove "files deleted with standard OS tools" on Windows, use CCleaner/BB with the "free-space wipe" function. In GNU/Linux, for this problem (removing deleted files) you need to practise on your own (deleting data + an independent attempt to recover it) and you should not rely on the software version (if it is not a backdoor, then it is a bug); only then will you be able to understand the mechanism of this problem and get rid of deleted data completely.
I have not tested Bleachbit v3.0; the problem may already have been fixed.
Bleachbit v2.0 works reliably.
At this step, disk wiping is complete.
[E] Universal backup of an encrypted OS
Each user has their own method of backing up data, but encrypted system OS data requires a slightly different approach to the task. Unified software, such as Clonezilla and similar software, cannot work directly with encrypted data.
Problem statement for backing up block devices:
- universality: the same backup algorithm/software for Windows/Linux;
- the ability to work in the console from any live usb GNU/Linux without needing additional software downloads (but a GUI is still recommended);
- security of backup copies: the stored "images" must be encrypted/password-protected;
- the size of the encrypted data must correspond to the size of the actual data being copied;
- easy extraction of needed files from the backup copy (no requirement to decrypt the whole partition first).
For example, backup/restore using the "dd" utility
dd if=/dev/sda7 of=/путь/sda7.img bs=7M conv=sync,noerror
dd if=/путь/sda7.img of=/dev/sda7 bs=7M conv=sync,noerror
It meets almost all points of the task, but on point 4 it does not stand up to criticism, because it copies the entire disk partition, including free space - not interesting.
For example, a GNU/Linux backup via the archiver [tar" | gpg] is convenient, but for a Windows backup you have to look for another solution - not interesting.
E1. Universal Windows/Linux backup. The rsync (Grsync) + VeraCrypt volume combination
Algorithm for creating a backup copy:
- create an encrypted VeraCrypt container (volume/file) for the OS;
- transfer/synchronize the OS into the VeraCrypt crypto container using Rsync software;
- if necessary, upload the VeraCrypt volume to the www.
Creating an encrypted VeraCrypt container has its own peculiarities:
creating a dynamic volume (creation of a DV is available only on Windows; it can also be used in GNU/Linux);
creating a regular volume, but there is a requirement of a "paranoid nature" (according to the developer): container formatting.
A dynamic volume is created almost instantly on Windows, but when copying data from GNU/Linux > VeraCrypt DV, the overall performance of the backup operation drops significantly.
A regular 70 GB Twofish volume is created (let's say, on average PC power) on an HDD in ~ half an hour (overwriting the previous container data in one pass is due to security requirements). The function of quick-formatting a volume when creating it has been removed from VeraCrypt Windows/Linux, so creating a container is possible only through "one-pass overwriting" or by creating a low-performance dynamic volume.
Create a regular VeraCrypt volume (not dynamic/ntfs); there should be no problems.
Configure/create/open the container in the VeraCrypt GUI > GNU/Linux live usb (the volume will be automounted at /media/veracrypt2, the Windows OS volume will be mounted at /media/veracrypt1). Create an encrypted backup of the Windows OS using the rsync GUI (grsync) by ticking the checkboxes.
Wait for the process to finish. When the backup is complete, we will have one encrypted file.
Similarly, create a backup copy of the GNU/Linux OS by unticking the "Windows compatibility" checkbox in the rsync GUI.
Attention! Create the Veracrypt container for the "GNU/Linux backup" in the ext4 file system. If you make a backup into an ntfs container, then when restoring such a copy you will lose all permissions/groups on all your data.
All operations can be performed in the terminal. Basic rsync options:
* -g - preserve groups;
* -P - --progress - status of time spent on the file;
* -H - copy hardlinks as they are;
* -a - archive mode (multiple rlptgoD flags);
* -v - verbose.
If you want to mount the "Windows VeraCrypt volume" via the console with cryptsetup, you can create an alias (su)
echo "alias veramount='cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sdaX Windows_crypt && mount /dev/mapper/Windows_crypt /media/veracrypt1'" >> .bashrc && bash
Now the "veramount" command will prompt you for a passphrase, and the encrypted Windows system volume will be mounted in the OS.
Map/mount a VeraCrypt system volume with the cryptsetup command
cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sdaX Windows_crypt
mount /dev/mapper/Windows_crypt /mnt
Map/mount a VeraCrypt partition/container with the cryptsetup command
cryptsetup open --veracrypt --type tcrypt /dev/sdaY test_crypt
mount /dev/mapper/test_crypt /mnt
Instead of an alias, we will add (with a startup script) the system volume with Windows OS and the encrypted logical ntfs disk to GNU/Linux startup.
Create a script and save it as ~/VeraOpen.sh
printf 'Ym9i' | base64 -d | cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sda3 Windows_crypt && mount /dev/mapper/Windows_crypt /media/Winda7 # decode the password from base64 (bob) and send it to the password prompt when mounting the Windows OS system disk.
printf 'Ym9i' | base64 -d | cryptsetup open --veracrypt --type tcrypt /dev/sda1 ntfscrypt && mount /dev/mapper/ntfscrypt /media/КонтейнерНтфс # likewise, but mounting the logical ntfs disk.
Set the "correct" permissions:
sudo chmod 100 /VeraOpen.sh
Create two identical files (same name!) in /etc/rc.local and ~/etc/init.d/rc.local
Fill in the files
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
sh -c "sleep 1 && '/VeraOpen.sh'" # after the OS boots, wait ~1 s and only then mount the disks.
exit 0
Set the "correct" permissions:
sudo chmod 100 /etc/rc.local && sudo chmod 100 /etc/init.d/rc.local
That's it; now when booting GNU/Linux we do not need to enter passwords to mount the encrypted ntfs disks, the disks are mounted automatically.
A brief note on what is described above in section E1, step by step (but now for OS GNU/Linux)
1) Create a volume in fs ext4 > 4gb (for a file) Linux in Veracrypt [Cryptbox].
2) Reboot into the live usb.
3) ~$ cryptsetup open /dev/sda7 Linux # map the encrypted partition.
4) ~$ mount /dev/mapper/Linux /mnt # mount the encrypted partition at /mnt.
5) ~$ mkdir mnt2 # create a directory for the future backup.
6) ~$ cryptsetup open --veracrypt --type tcrypt ~/CryptoBox CryptoBox && mount /dev/mapper/CryptoBox /mnt2 # map the Veracrypt volume named "CryptoBox" and mount CryptoBox at /mnt2.
7) ~$ rsync -avlxhHX --progress /mnt /mnt2/ # back up the encrypted partition into the encrypted Veracrypt volume.
(p/s/ Attention! If you transfer encrypted GNU/Linux from one architecture/machine to another, for example Intel > AMD (that is, deploying a backup from one encrypted partition to another encrypted partition, Intel > AMD), do not forget, after transferring the encrypted OS, to edit the secret substitute key used instead of a password, since the previous key ~/etc/skey will no longer fit the other encrypted partition, and creating a new key with "cryptsetup luksAddKey" under chroot is not advisable - a glitch is possible; in ~/etc/crypttab, temporarily specify "none" instead of "/etc/skey"; after rebooting and logging in to the OS, create your secret substitute key again).
As IT veterans, remember to make separate backups of the headers of the encrypted Windows/Linux OS partitions, or the encryption will turn against you.
At this step, the backup of the encrypted OS is complete.
[F] Attack on the GRUB2 bootloader
Details
If you have protected your bootloader with a digital signature and/or authentication (see section C6.), this will not protect against physical access. The encrypted data will still be inaccessible, but the protection will be bypassed (digital signature protection reset). GRUB2 allows a cyber-villain to inject their code into the bootloader without arousing suspicion (unless the user personally monitors the bootloader state, or comes up with their own robust script code for grub.cfg).
Attack algorithm. The attacker
* Boots the PC from a live usb. Any change (by the intruder) to files will notify the real PC owner of the intrusion into the bootloader. But a simple reinstall of GRUB2 that preserves grub.cfg (and the subsequent ability to edit it) will let the attacker edit any files (in this situation, when GRUB2 loads, the real user will not be notified. The status is the same)
* Mounts the unencrypted partition, saves "/mnt/boot/grub/grub.cfg".
* Reinstalls the bootloader (removing "perskey" from the core.img image)
grub-install --force --root-directory=/mnt /dev/sda6
* Returns "grub.cfg" > "/mnt/boot/grub/grub.cfg", edits it if necessary, for example adds their own module "keylogger.mod" to the folder with bootloader modules, and in "grub.cfg" > the line "insmod keylogger". Or, for example, if the adversary is cunning, after reinstalling GRUB2 (all signatures remain in place) they build the main GRUB2 image using "grub-mkimage with the (-c) option". The "-c" option lets you load your own config before the main "grub.cfg" is loaded. The config can consist of just one line: a redirect to any "modern.cfg", mixed in, for example, with ~400 files (modules+signatures) in the folder "/boot/grub/i386-pc". In this case, the attacker can insert arbitrary code and load modules without touching "/boot/grub/grub.cfg", even if the user applied a "hashsum" to the file and temporarily displayed it on screen.
The attacker will not need to crack the GRUB2 superuser login/password; they will only need to copy the lines (responsible for authentication) from "/boot/grub/grub.cfg" into their "modern.cfg"
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
And the PC owner will still be authenticated as the GRUB2 superuser.
Chain loading (a bootloader loads another bootloader), as I wrote above, makes no sense (it is intended for a different purpose). An encrypted bootloader cannot be loaded because of the BIOS (chain boot restarts GRUB2 > encrypted GRUB2, error!). However, if you still use the chain-loading idea, you can be sure that it is the encrypted (not modified) "grub.cfg" from the encrypted partition that is loaded. And this is a false sense of security, because everything specified in the encrypted "grub.cfg" (module loading) is added to the modules already loaded from the unencrypted GRUB2.
If you want to test this, allocate/encrypt another partition, sdaY, copy GRUB2 onto it (the grub-install operation onto an encrypted partition is not possible) and in "grub.cfg" (the unencrypted config) change lines like these
menuentry 'GRUBx2' --class parrot --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-382111a2-f993-403-2-aa292e-5b4780eacXNUMX' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_msdos
insmod cryptodisk
insmod luks
insmod gcry_twofish
insmod gcry_twofish
insmod gcry_sha512
insmod ext2
cryptomount -u 15c47d1c4bd34e5289df77bcf60ee838
set root='cryptouuid/15c47d1c4bd34e5289df77bcf60ee838'
normal /boot/grub/grub.cfg
}
lines
* insmod - loads the modules needed to work with the encrypted disk;
* GRUBx2 - the name of the line shown in the GRUB2 boot menu;
* cryptomount -u 15c47d1c4bd34e5289df77bcf60ee838 - see fdisk -l (sda9);
* set root - sets the root;
* normal /boot/grub/grub.cfg - the executable configuration file on the encrypted partition.
Confirmation that it is the encrypted "grub.cfg" being loaded is the positive response to entering the password/unlocking "sdaY" when you select the "GRUBx2" line in the GRUB menu.
When working in the CLI, so as not to get confused (and to check whether the "set root" environment variable has taken effect), create empty marker files, for example "/shifr_grub" in the encrypted partition and "/noshifr_grub" in the unencrypted partition. Checking in the CLI
cat /Tab-Tab
As noted above, this will not help against the loading of malicious modules if such modules end up on your PC. For example, a keylogger that can save keystrokes to a file and mix it in with other files in "~/i386" until it is retrieved by an attacker with physical access to the PC.
The simplest way to verify that digital signature protection is actively working (has not been reset) and that nobody has intruded into the bootloader is to enter this command in the CLI
list_trusted
in response we get a cast of our "perskey", or we get nothing if we have been attacked (you also need to check "set check_signatures=enforce").
A significant drawback of this step is entering commands manually. If you add this command to "grub.cfg" and protect the config with a digital signature, then the preliminary output of the key fingerprint on screen is too brief, and you may not have time to see the output after GRUB2 loads.
There is no one in particular to complain to: the developer, in their own
"Note that even with GRUB password protection, GRUB itself cannot prevent someone with physical access to the machine from altering that machine's firmware (e.g., Coreboot or BIOS) configuration to cause the machine to boot from a different (attacker-controlled) device. GRUB is at best only one link in a secure boot chain."
GRUB2 is too overloaded with functions that can give a false sense of security, and its development has already overtaken MS-DOS in functionality, yet it is just a bootloader. It's funny that GRUB2 could "tomorrow" become an OS, with bootable GNU/Linux virtual machines for it.
A short video about how I reset GRUB2 digital signature protection and announced my intrusion to the real user (I scared them, but instead of what is shown in the video, you could write arbitrary code/.mod that is not harmless).
Conclusions:
1) Windows system encryption is easier to implement, and protection with a single password is more convenient than protection with several passwords under GNU/Linux block system encryption; to be fair, the latter is automated.
2) I wrote this article as a relevant and detailed simple guide to full disk encryption with VeraCrypt/LUKS on a single home machine, which is by far the best in RuNet (IMHO). The guide is > 50k characters long, so it did not cover some interesting chapters: cryptographers who disappear/stay in the shadows; the fact that in various GNU/Linux books they write little/do not write about cryptography; Article 51 of the Constitution of the Russian Federation; about
3) Full disk encryption was performed on Windows 7 64; GNU/Linux Parrot 4x; GNU/Debian 9.0/9.5.
4) A successful attack was carried out on my own GRUB2 bootloader.
5) The tutorial was created to help all the paranoid people in the CIS, where working with encryption is permitted at the legislative level. And primarily for those who want to roll out full disk encryption without tearing down their configured systems.
6) I reworked and updated my manual, which is relevant in 2020.
[G] Useful documentation
- TrueCrypt User Guide (February 2012 RU)
- VeraCrypt Documentation
- /usr/share/doc/cryptsetup(-run) [local resource] (official detailed documentation on setting up GNU/Linux encryption using cryptsetup)
- Official cryptsetup FAQ (brief documentation on setting up GNU/Linux encryption using cryptsetup)
- LUKS device encryption (archlinux documentation)
- Detailed description of cryptsetup syntax (arch man page)
- Detailed description of crypttab (arch man page)
- Official GRUB2 documentation.
Tags: full disk encryption, partition encryption, Linux full disk encryption, LUKS1 full system encryption.
Source: www.habr.com