Full disk encryption of installed Windows Linux systems. Encrypted multi-boot

An updated version of my own guide to full-disk encryption in RuNet, V0.2.

Cowboy strategy:

[A] block system encryption of an installed Windows 7;
[B] block system encryption of an installed GNU/Linux (Debian) (including /boot);
[C] GRUB2 configuration, bootloader protection with a digital signature/authentication/hashing;
[D] cleanup: destruction of unencrypted data;
[E] universal backup of the encrypted OSes;
[F] attack, target: the GRUB2 bootloader;
[G] useful documentation.

╭───Scheme #room 40# :
├──╼ Windows 7 installed: full system encryption, not hidden;
├──╼ GNU/Linux installed (Debian and derivative distributions): full system encryption, not hidden (/, including /boot; swap);
├──╼ independent bootloaders: the VeraCrypt bootloader is installed in the MBR, the GRUB2 bootloader is installed in the extended partition;
├──╼ no OS installation/reinstallation required;
└──╼ cryptographic software used: VeraCrypt; Cryptsetup; GnuPG; Seahorse; Hashdeep; GRUB2, all free (libre)/free of charge.

The scheme above partially solves the problem of "remote boot to a flash drive", lets you enjoy encrypted Windows/Linux OSes, and lets you exchange data over an "encrypted channel" from one OS to the other.

PC boot order (one of the options):

  • power on the machine;
  • the VeraCrypt bootloader loads (entering the correct password continues booting Windows 7);
  • pressing the "Esc" key loads the GRUB2 bootloader;
  • the GRUB2 bootloader (choice of distribution/GNU/Linux/CLI) requires authentication of the GRUB2 superuser;
  • after successful authentication and choosing a distribution, you need to enter a passphrase to unlock "/boot/initrd.img";
  • after entering the passwords without errors, GRUB2 "will require" a password (the third one; the BIOS password or the GNU/Linux user account password is not counted) to unlock and boot the GNU/Linux OS, or the secret key is substituted automatically in its place (two passwords + key, or password + key);
  • external intrusion into the GRUB2 configuration will freeze the GNU/Linux boot process.

Troublesome? Fine, let's go and automate the processes.

When partitioning a hard drive (MBR table), a PC can have no more than 4 primary partitions, or 3 primary and one extended, plus an unallocated area. An extended partition, unlike a primary one, can contain subpartitions (logical drives = extended partition). In other words, the "extended partition" on the HDD replaces LVM for the task at hand: full system encryption. If your disk is split into 4 primary partitions, you need to use LVM, or convert (with formatting) a partition from primary to extended, or use all four partitions wisely and leave everything as it is, getting the desired result. Even if you have a single partition on your disk, Gparted will help you partition your HDD (for additional partitions) without data loss, but still with a small price for such operations.

The hard drive layout scheme that the whole article refers to is shown in the table below.

Table (No. 1) of 1TB partitions.

You should have something similar too.
sda1 - primary partition No. 1, NTFS (encrypted);
sda2 - extended partition marker;
sda6 - logical disk (the GRUB2 bootloader is installed on it);
sda8 - swap (encrypted swap file/not always);
sda9 - test logical disk;
sda5 - logical disk for the curious;
sda7 - GNU/Linux OS (OS transferred to an encrypted logical disk);
sda3 - primary partition No. 2 with Windows 7 OS (encrypted);
sda4 - primary partition No. 3 (contains the unencrypted GNU/Linux, used for backup/not always).

[A] Windows 7 system block encryption

A1. VeraCrypt

Download the installation version of the VeraCrypt cryptographic software from the official site or from the sourceforge mirror (at the time of publication of the article, v1.24-Update3; the portable version of VeraCrypt is not suitable for system encryption). Check the checksum of the downloaded software

$ Certutil -hashfile "C:\VeraCrypt Setup 1.24.exe" SHA256

and compare the result with the checksum posted on the VeraCrypt developer's website.

If the HashTab software is installed, it is even easier: RMB (VeraCrypt Setup 1.24.exe) - Properties - File hash sums.

To verify the program's signature, the software and the developer's public PGP key must be installed on the system: gnuPG; gpg4win.

A2. Installing/running the VeraCrypt software with administrator rights

A3. Choosing the system encryption parameters for the active partition

VeraCrypt - System - Encrypt system partition/drive - Normal - Encrypt the Windows system partition - Multi-boot - (warning: "Inexperienced users are not recommended to use this method", and this is true; we agree, "Yes") - Boot drive ("yes", and even if it is not, still "yes") - Number of system drives "2 or more" - Multiple systems on a single drive "Yes" - Non-Windows boot loader "No" (in fact "Yes", but the VeraCrypt/GRUB2 boot loaders will not share the MBR between them; more precisely, only the smallest part of the bootloader code is stored in the MBR/boot track, the main part of it is located within the file system) - Multi-boot - Encryption settings…

If you deviate from the steps above (block system encryption schemes), VeraCrypt will issue a warning and will not allow you to encrypt the partition.

At the next step towards targeted data protection, run the "Test" and choose the encryption algorithm. If you have an outdated CPU, the fastest encryption algorithm will most likely be Twofish. If the CPU is powerful, you will notice the difference: AES encryption, according to the test results, will be several times faster than its crypto competitors. AES is a popular encryption algorithm; the hardware of modern CPUs is specially optimized both for "secrecy" and for "cracking".

VeraCrypt supports encrypting disks in an AES(Twofish) cascade and other combinations. On an old Intel CPU from ten years ago (without hardware AES support, A/T cascade encryption) the drop in performance is essentially imperceptible (on AMD CPUs of the same era/~parameters, performance is slightly reduced). The OS runs dynamically, and the resource consumption of transparent encryption is unnoticeable. In contrast, for example, there is a noticeable drop in performance due to the installed unstable test desktop environment Mate v1.20.1 (or v1.20.2, I don't remember exactly) in GNU/Linux, or due to the telemetry routine running in Windows 7↑. Usually, experienced users run hardware performance tests before encryption, for example in Aida64/Sysbench/systemd-analyze blame, and compare them with the results of the same tests after encrypting the system, thereby refuting for themselves the myth that "system encryption is harmful". Slowdown of the machine and inconvenience are noticeable when backing up/restoring encrypted data, because the "system data backup" operation itself is not measured in ms, and those are added on top. Ultimately, each user who is allowed to tinker with cryptography balances the encryption algorithm against the tasks at hand, their level of paranoia, and ease of use.

It is better to leave the PIM parameter at its default, so that when loading the OS you do not have to enter exact iteration values each time. VeraCrypt uses a huge number of iterations to create a truly "slow hash". An attack on such a "crypto snail" using the brute force/rainbow table method makes sense only with a short "simple" passphrase and the victim's personal charset list. The price paid for password strength is a delay after entering the correct password when loading the OS (mounting VeraCrypt volumes in GNU/Linux is significantly faster).
Free software for implementing brute-force attacks (extracting a passphrase from a VeraCrypt/LUKS disk header): Hashcat. John the Ripper does not know how to "break Veracrypt", and when working with LUKS it does not understand Twofish cryptography.

Because of the cryptographic strength of the encryption algorithms, unstoppable cypherpunks develop software with a different attack vector, for example extracting metadata/keys from RAM (cold boot attack/direct memory access attack). There is specialized free and non-free software for these purposes.

After finishing the setup/generation of the "unique metadata" of the encrypted active partition, VeraCrypt will offer to restart the PC and test the operation of its bootloader. After rebooting/starting Windows, VeraCrypt will load in standby mode; all that remains is to confirm the encryption process: Y.

At the final step of system encryption, VeraCrypt will offer to create a backup copy of the header of the active encrypted partition in the form of "veracrypt rescue disk.iso". This must be done: in this software such an operation is a requirement (in LUKS, as a requirement, it is unfortunately omitted, but it is emphasized in the documentation). The rescue disk will come in handy for everyone, and for some more than once. Loss (header/MBR overwrite) of the backup copy of the header will permanently deny access to the decrypted partition with Windows OS.

A4. Creating a VeraCrypt rescue USB/disk

By default, VeraCrypt offers to burn "~2-3MB of metadata" to a CD, but not everyone has discs or DVD-ROM drives, and creating a bootable flash drive "VeraCrypt Rescue disk" will be a technical surprise for some: Rufus/GUIdd-ROSA ImageWriter and other similar software will not cope with the task, because in addition to copying the offset metadata to a bootable flash drive, you need to copy/paste the image outside the file system of the USB drive; in short, correctly copy the MBR/track to the keychain. You can create a bootable flash drive from GNU/Linux using the "dd" utility, referring to this image.

Creating a rescue disk in a Windows environment is different. The VeraCrypt developer did not include a solution to this problem in the official documentation on the "rescue disk", but offered a solution in a different way: he posted additional software for creating a "usb rescue disk" for free access on his VeraCrypt forum. The archive of this software for Windows is "create usb veracrypt rescue disk". After saving rescue disk.iso, the process of block system encryption of the active partition will begin. During encryption, the OS does not stop working; a PC restart is not required. When the encryption operation completes, the active partition is fully encrypted and can be used. If the VeraCrypt bootloader does not appear when you start the PC, and the header restore operation does not help, then check the "boot" flag: it must be set on the partition where Windows is located (regardless of encryption and other OSes, see table No. 1).
This concludes the description of block system encryption with Windows OS.

[B] LUKS. Encrypting an installed GNU/Linux (~Debian) OS. Algorithm and steps

To encrypt an installed Debian/derivative distribution, you need to map the prepared partition to a virtual block device, transfer GNU/Linux to the mapped disk, and install/configure GRUB2. If you do not have a bare-metal server and you value your time, then you need to use the GUI, and most of the terminal commands described below are meant to be run in "Chuck-Norris mode".

B1. Booting the PC from a live usb GNU/Linux

"Run a crypto test of hardware performance"

lscpu && cryptsetup benchmark

If you are the happy owner of a powerful machine with hardware AES support, the numbers will look like the right side of the terminal; if you are a happy owner but with antique hardware, the numbers will look like the left side.

B2. Disk partitioning. Mounting/formatting the file system of the HDD logical disk to Ext4 (Gparted)

B2.1. Creating an encrypted sda7 partition header

I will describe the partition names, here and below, in accordance with my partition table posted above. According to your disk layout, you must substitute your own partition names.

Mapping the logical drive encryption (/dev/sda7 > /dev/mapper/sda7_crypt).
# Simple creation of a "LUKS-AES-XTS partition"

cryptsetup -v -y luksFormat /dev/sda7

Options:

* luksFormat - initialization of the LUKS header;
* -y - passphrase, entered twice for verification (not a key/file);
* -v - verbose (displaying information in the terminal);
* /dev/sda7 - your logical disk from the extended partition (where GNU/Linux is planned to be transferred/encrypted).

The default encryption algorithm is <LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom> (depends on the cryptsetup version).

# Check the default encryption algorithm
cryptsetup --help # the very last line of the terminal output.

If there is no hardware AES support on the CPU, the best choice would be to create an extended "LUKS-Twofish-XTS partition".

B2.2. Advanced creation of a "LUKS-Twofish-XTS partition"

cryptsetup luksFormat /dev/sda7 -v -y -c twofish-xts-plain64 -s 512 -h sha512 -i 1500 --use-urandom

Options:
* luksFormat - initialization of the LUKS header;
* /dev/sda7 - your future encrypted logical disk;
* -v - verbose;
* -y - passphrase;
* -c - choice of the data encryption algorithm;
* -s - encryption key size;
* -h - hashing algorithm/crypto function; the RNG used (--use-urandom) to generate the unique encryption/decryption key of the logical disk header and the secondary header key (XTS); the unique master key stored in the encrypted disk header, the secondary XTS key, all this metadata and the encryption routine which, using the master key and the secondary XTS key, encrypts/decrypts any data on the partition (except the partition header) are stored in ~3MB on the selected hard disk partition.
* -i - iterations in milliseconds, instead of "amount" (the time delay when processing the passphrase affects OS loading and the cryptographic strength of the keys). To keep the balance of cryptographic strength, with a simple password like "Russian" you need to increase the -(i) value; with a complex password like "?8dƱob/øfh" the value can be reduced.
* --use-urandom - random number generator, generates keys and salt.

After mapping the partition sda7 > sda7_crypt (the operation is fast, since the encrypted header is created with ~3 MB of metadata and that's all), you need to format and mount the sda7_crypt file system.

B2.3. Mapping

cryptsetup open /dev/sda7 sda7_crypt
# running this command prompts for the secret passphrase.

options:
* open - map the partition "with a name";
* /dev/sda7 - logical disk;
* sda7_crypt - the mapping name used to mount the encrypted partition or to initialize it when the OS boots.

B2.4. Formatting the sda7_crypt file system to ext4. Mounting the disk in the OS

(Note: you will not be able to work with an encrypted partition in Gparted)

# format the encrypted block device
mkfs.ext4 -v -L DebSHIFR /dev/mapper/sda7_crypt 

options:
* -v - verbose;
* -L - drive label (shown in the file manager among other drives).

Next, you should mount the virtual encrypted block device /dev/mapper/sda7_crypt into the system

mount /dev/mapper/sda7_crypt /mnt

Working with files in the /mnt folder will automatically encrypt/decrypt data on sda7.

It is more convenient to map and mount the partition in the file manager (nautilus/caja GUI): the partition will already be in the disk selection list, and all that remains is to enter the passphrase to open/decrypt the disk. The mapped name will be chosen automatically and will be not "sda7_crypt" but something like /dev/mapper/Luks-xx-xx...

B2.5. Backing up the disk header (~3MB of metadata)

One of the most important operations, which needs to be done without delay, is a backup copy of the "sda7_crypt" header. If you overwrite/damage the header (for example, by installing GRUB2 on the sda7 partition, etc.), the encrypted data will be lost completely with no possibility of recovering it, because it will be impossible to regenerate the same keys; keys are created unique.

# Back up the partition header
cryptsetup luksHeaderBackup --header-backup-file ~/Бэкап_DebSHIFR /dev/sda7 

# Restore the partition header
cryptsetup luksHeaderRestore --header-backup-file <file> <device>

options:
* luksHeaderBackup --header-backup-file - backup command;
* luksHeaderRestore --header-backup-file - restore command;
* ~/Бэкап_DebSHIFR - the backup file;
* /dev/sda7 - the partition whose encrypted disk header is to be backed up.
This step is complete.

B3. Transferring the GNU/Linux OS (sda4) to the encrypted partition (sda7)

Create the /mnt2 folder (note: we are still working from the live usb, sda7_crypt is mounted at /mnt), and mount our GNU/Linux, which needs to be encrypted, at /mnt2.

mkdir /mnt2
mount /dev/sda4 /mnt2

We perform a correct OS transfer using the Rsync software

rsync -avlxhHX --progress /mnt2/ /mnt

The Rsync options are described in section E1.

Next, you need to defragment the logical disk partition

e4defrag -c /mnt/ # after the check, e4defrag will report that the partition's fragmentation level is ~"0"; this is misleading and can cost you a significant loss of performance!
e4defrag /mnt/ # defragment the encrypted GNU/Linux

Make it a rule: run e4defrag on the encrypted GNU/Linux from time to time if you have an HDD.
The transfer and synchronization [GNU/Linux > GNU/Linux-encrypted] is complete at this step.

B4. Setting up GNU/Linux on the encrypted sda7 partition

After successfully transferring the OS /dev/sda4 > /dev/sda7, you need to log into GNU/Linux on the encrypted partition and perform further configuration (without rebooting the PC) relative to the encrypted system. That is, stay in the live usb, but execute commands "relative to the root of the encrypted OS". "chroot" simulates such a situation. To quickly find out which OS you are currently working with (encrypted or not, since the data in sda4 and sda7 are synchronized), desynchronize the OSes. Create empty marker files in the root directories (sda4/sda7_crypt), for example /mnt/encryptedOS and /mnt2/decryptedOS. Quickly check which OS you are in (including in the future):

ls /<Tab-Tab>

B4.1. "Simulating logging into the encrypted OS"

mount --bind /dev /mnt/dev
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
chroot /mnt

B4.2. Verifying that work is being done against the encrypted system

ls /mnt<Tab-Tab>
# and we see the file "/encryptedOS"

history
# the terminal output should show the su command history of the working OS.

B4.3. Creating/configuring encrypted swap, editing crypttab/fstab

Since the swap file is formatted every time the OS boots, there is no point in creating and mapping swap to a logical disk now and typing commands as in section B2.2. For swap, its temporary encryption keys will be generated automatically at each start. Life cycle of the swap keys: unmounting/disabling the swap partition (+clearing RAM); or restarting the OS. To set up swap, open the file responsible for the configuration of block encrypted devices (analogous to the fstab file, but responsible for crypto).

nano /etc/crypttab 

edit

# <target name> <source device> <key file> <options>
swap /dev/sda8 /dev/urandom swap,cipher=twofish-xts-plain64,size=512,hash=sha512

Options
* swap - the mapped name when encrypting: /dev/mapper/swap.
* /dev/sda8 - use your own logical partition for swap.
* /dev/urandom - generator of random encryption keys for swap (with each new OS boot, new keys are created). The /dev/urandom generator is less random than /dev/random; after all, /dev/random is used when working in dangerous paranoid circumstances. When loading the OS, /dev/random slows down loading by a few ± minutes (see systemd-analyze).
* swap,cipher=twofish-xts-plain64,size=512,hash=sha512: the partition knows that it is swap and is formatted "accordingly"; the encryption algorithm.

# Open and edit fstab
nano /etc/fstab

edit

# swap was on /dev/sda8 during installation
/dev/mapper/swap none swap sw 0 0

/dev/mapper/swap is the name set in crypttab.

Alternative encrypted swap
If for some reason you do not want to give up a whole partition for the swap file, you can go an alternative and better way: create the swap file in a file on the encrypted partition with the OS.

fallocate -l 3G /swap # create a 3 GB file (almost instantaneous operation)
chmod 600 /swap # set permissions
mkswap /swap # make a swap file from the file
swapon /swap # enable our swap
free -m # check that the swap file is activated and working
printf "/swap none swap sw 0 0\n" >> /etc/fstab # if needed, the swap will be permanent after reboot

The swap partition setup is complete.

B4.4. Configuring the encrypted GNU/Linux (editing the crypttab/fstab files)

The /etc/crypttab file, as written above, describes the encrypted block devices that are configured during system boot.

# edit /etc/crypttab
nano /etc/crypttab

if you mapped the partition sda7>sda7_crypt as in section B2.1

# <target name> <source device> <key file> <options>
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 none luks

if you mapped the partition sda7>sda7_crypt as in section B2.2

# <target name> <source device> <key file> <options>
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 none cipher=twofish-xts-plain64,size=512,hash=sha512

if you mapped the partition sda7>sda7_crypt as in section B2.1 or B2.2, but do not want to re-enter the password to unlock and boot the OS, then instead of the password you can substitute a secret key/random file.

# <target name> <source device> <key file> <options>
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 /etc/skey luks

Description
* none - indicates that when loading the OS, entering the secret passphrase is required to unlock the root.
* UUID - partition identifier. To find out your ID, type in the terminal (remember that from this point on you are working in the terminal in the chroot environment, and not in another live usb terminal).

fdisk -l # check all partitions
blkid # should be something like this

/dev/sda7: UUID="81048598-5bb9-4a53-af92-f3f9e709e2f2" TYPE="crypto_LUKS" PARTUUID="0332d73c-07"
/dev/mapper/sda7_crypt: LABEL="DebSHIFR" UUID="382111a2-f993-403c-aa2e-292b5eac4780" TYPE="ext4"

(this line is visible when running blkid from the live usb terminal with sda7_crypt mounted).
You take the UUID from your sdaX (not sdaX_crypt!; the UUID of sdaX_crypt will be picked up automatically when the grub.cfg config is generated).
* cipher=twofish-xts-plain64,size=512,hash=sha512 - luks encryption in advanced mode.
* /etc/skey - the secret key file, which is substituted automatically to unlock the OS boot (instead of entering the 3rd password). You can specify any file up to 8MB, but the data will be read <1MB.

# Create ("generate") a random <secret key> file of 691 bytes.
head -c 691 /dev/urandom > /etc/skey

# Add the secret key (691 bytes) to slot 7 of the luks header
cryptsetup luksAddKey --key-slot 7 /dev/sda7 /etc/skey

# Check the slots ("passwords/keys" of the luks partition)
cryptsetup luksDump /dev/sda7

It will look like this:

(do it and see for yourself).

cryptsetup luksKillSlot /dev/sda7 7 # remove the key/password from slot 7
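
The slot check that `cryptsetup luksDump` performs, as an added example that is not part of the original article: a POSIX shell reader for the key-slot states in a LUKS1 header or in a header backup made with luksHeaderBackup. It assumes the LUKS1 on-disk format (LUKS2 stores its slots differently); the function names and the sample header are constructed for illustration.

```shell
#!/bin/sh
# Added example: list enabled key slots of a LUKS1 header / header backup.
# LUKS1 layout: 6-byte magic "LUKS\xba\xbe", 2-byte version, further fixed
# fields up to byte 208, then eight 48-byte key-slot records. The first four
# bytes of a record are 0x00AC71F3 (enabled) or 0x0000DEAD (disabled).

LUKS_MAGIC_HEX=4c554b53babe

# hex_at FILE OFFSET COUNT -> lower-case hex of COUNT bytes starting at OFFSET
hex_at() {
    od -An -v -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n'
}

# luks1_active_slots FILE -> space-separated numbers of the enabled slots
luks1_active_slots() {
    file=$1
    if [ "$(hex_at "$file" 0 6)" != "$LUKS_MAGIC_HEX" ]; then
        echo "not a LUKS header: $file" >&2
        return 1
    fi
    if [ "$(hex_at "$file" 6 2)" != "0001" ]; then
        echo "not LUKS version 1: $file" >&2
        return 2
    fi
    slots=""
    i=0
    while [ "$i" -lt 8 ]; do
        state=$(hex_at "$file" $((208 + 48 * i)) 4)
        if [ "$state" = "00ac71f3" ]; then
            slots="$slots $i"
        fi
        i=$((i + 1))
    done
    echo "${slots# }"
}

# make_sample_header FILE -> constructed 592-byte LUKS1 header with slot 0
# (passphrase) and slot 7 (key file, as in the article) enabled
make_sample_header() {
    {
        printf '\114\125\113\123\272\276\000\001'   # magic + version 1
        head -c 200 /dev/zero                         # remaining fixed fields, zeroed
        i=0
        while [ "$i" -lt 8 ]; do
            case $i in
                0|7) printf '\000\254\161\363' ;;     # 0x00AC71F3 = enabled
                *)   printf '\000\000\336\255' ;;     # 0x0000DEAD = disabled
            esac
            head -c 44 /dev/zero                      # rest of the slot record
            i=$((i + 1))
        done
    } > "$1"
}

sample=$(mktemp)
make_sample_header "$sample"
echo "enabled slots: $(luks1_active_slots "$sample")"
rm -f "$sample"
```

Run against the header backup file, this shows which slots a restore would bring back, including a key-file slot that was later removed from the live header with luksKillSlot.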

/etc/fstab contains descriptive information about the various file systems.

# Edit /etc/fstab
nano /etc/fstab

# <file system> <mount point> <type> <options> <dump> <pass>
# / was on /dev/sda7 during installation
/dev/mapper/sda7_crypt / ext4 errors=remount-ro 0 1

option
* /dev/mapper/sda7_crypt - the name of the sda7>sda7_crypt mapping, which is specified in the /etc/crypttab file.
The crypttab/fstab setup is complete.

B4.5. Editing configuration files. Key moment

B4.5.1. Editing the config /etc/initramfs-tools/conf.d/resume

# If you previously had a swap partition activated, disable it.
nano /etc/initramfs-tools/conf.d/resume

and comment out with "#" the line "resume" (if present). The file must be completely empty.

B4.5.2. Editing /etc/initramfs-tools/conf.d/cryptsetup

nano /etc/initramfs-tools/conf.d/cryptsetup

it should match

# /etc/initramfs-tools/conf.d/cryptsetup
CRYPTSETUP=yes
export CRYPTSETUP

B4.5.3. Editing the /etc/default/grub config (this config is responsible for the ability to generate grub.cfg when working with an encrypted /boot)

nano /etc/default/grub

add the line "GRUB_ENABLE_CRYPTODISK=y"
with the value 'y', grub-mkconfig and grub-install will check for encrypted drives and generate the additional commands needed to access them during boot (insmods).
it should look similar to

GRUB_DEFAULT=0
GRUB_TIMEOUT=1
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="acpi_backlight=vendor"
GRUB_CMDLINE_LINUX="quiet splash noautomount"
GRUB_ENABLE_CRYPTODISK=y

B4.5.4. Editing the config /etc/cryptsetup-initramfs/conf-hook

nano /etc/cryptsetup-initramfs/conf-hook

check that the line is commented out.
In the future (and even now, this parameter will have no meaning, but sometimes it interferes with updating the initrd.img image).

B4.5.5. Editing the config /etc/cryptsetup-initramfs/conf-hook

nano /etc/cryptsetup-initramfs/conf-hook

add

KEYFILE_PATTERN="/etc/skey"
UMASK=0077

This will pack the secret key "skey" into initrd.img; the key is needed to unlock the root when the OS boots (if you do not want to enter the password again, the "skey" key is substituted automatically).

B4.6. Updating /boot/initrd.img [version]

To pack the secret key into initrd.img and apply the cryptsetup fixes, update the image

update-initramfs -u -k all

when updating initrd.img (as they say, "It's possible, but not certain") warnings related to cryptsetup will appear, or, for example, a notice about the loss of Nvidia modules: this is normal. After updating the file, check that it was actually updated by looking at its time (relative to the chroot environment: ./boot/initrd.img). Caution! Before [update-initramfs -u -k all] be sure to check that cryptsetup open /dev/sda7 sda7_crypt was used: this is the name that appears in /etc/crypttab, otherwise after the reboot there will be a busybox error.
At this step, the setup of the configuration files is complete.
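
An added example, not part of the original article: a POSIX shell audit of the files edited in B4.3-B4.6, run here against constructed copies of the article's crypttab entries. It flags a random-key swap entry that names a kernel device such as /dev/sda8 (the swap option re-creates swap on whatever partition carries that name at boot), a key file readable by group/others, and an initrd image that may hold the key but is not private; the function names and finding labels are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): audit crypttab, key file and initrd.

# group_other_bits PATH -> the six group/other permission characters of PATH
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# audit_crypttab CRYPTTAB [ROOT] -> one finding per line, nothing if clean.
# ROOT is prepended to key-file paths, so a target mounted at /mnt can be
# checked from the live usb without chroot.
audit_crypttab() {
    tab=$1
    root=${2:-}
    while read -r name src key opts rest || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac
        case ",$opts," in
            *,swap,*)
                # the swap option re-creates swap on the source device at
                # every boot, so the device must be named unambiguously
                case $src in
                    /dev/sd*|/dev/hd*|/dev/vd*|/dev/nvme*)
                        echo "UNSTABLE_SWAP_DEVICE $name $src" ;;
                esac ;;
        esac
        case $key in
            none|-|/dev/urandom|/dev/random) ;;
            *)
                if [ ! -f "$root$key" ]; then
                    echo "KEYFILE_MISSING $name $key"
                elif [ "$(group_other_bits "$root$key")" != "------" ]; then
                    echo "KEYFILE_NOT_PRIVATE $name $key"
                fi ;;
        esac
    done < "$tab"
}

# audit_initrd CONF_HOOK IMAGE... -> a finding for every initrd image that
# may carry key material (KEYFILE_PATTERN is set) yet is readable by others
audit_initrd() {
    hook=$1
    shift
    grep -Eq '^[[:space:]]*KEYFILE_PATTERN=.' "$hook" || return 0
    for img in "$@"; do
        if [ -f "$img" ] && [ "$(group_other_bits "$img")" != "------" ]; then
            echo "INITRD_NOT_PRIVATE $img"
        fi
    done
}

# make_sample_root DIR -> constructed test tree using the article's entries
make_sample_root() {
    mkdir -p "$1/etc/cryptsetup-initramfs" "$1/boot"
    cat > "$1/etc/crypttab" <<'EOF'
# <target name> <source device> <key file> <options>
swap /dev/sda8 /dev/urandom swap,cipher=twofish-xts-plain64,size=512,hash=sha512
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 /etc/skey luks
EOF
    printf 'KEYFILE_PATTERN="/etc/skey"\nUMASK=0077\n' \
        > "$1/etc/cryptsetup-initramfs/conf-hook"
    head -c 691 /dev/urandom > "$1/etc/skey"     # stand-in key file
    : > "$1/boot/initrd.img-sample"              # empty stand-in image
    chmod 644 "$1/etc/skey" "$1/boot/initrd.img-sample"
}

# audit_root ROOT -> all findings for a mounted target system
audit_root() {
    audit_crypttab "$1/etc/crypttab" "$1"
    audit_initrd "$1/etc/cryptsetup-initramfs/conf-hook" "$1"/boot/initrd.img*
}

demo=$(mktemp -d)
make_sample_root "$demo"
audit_root "$demo"
rm -rf "$demo"
```

On the live usb, `audit_root /mnt` checks the mounted target before the reboot; `chmod 600 /etc/skey` clears the key-file finding.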

[C] Installing and configuring GRUB2/Protection

C1. If necessary, format the dedicated partition for the bootloader (the partition needs at least 20MB)

mkfs.ext4 -v -L GRUB2 /dev/sda6

C2. Mounting /dev/sda6 to /mnt

Since we are working in chroot, there will be no /mnt2 directory in the root, and the /mnt folder will be empty.
mount the GRUB2 partition

mount /dev/sda6 /mnt

If you have an old version of GRUB2 installed, and the directory /mnt/boot/grub/i386-pc (another platform is possible, for example, not "i386-pc") has no crypto modules (in short, the folder should contain modules, including these .mod: cryptodisk; luks; gcry_twofish; gcry_sha512; signature_test.mod), then GRUB2 needs to be shaken up.

apt-get update
apt-get install grub2 

Important! When updating the GRUB2 package from the repository, when asked "about choosing" where to install the bootloader, you must refuse the installation (reason: an attempt to install GRUB2 into the "MBR" or onto the live usb). Otherwise you will damage the VeraCrypt header/loader. After updating the GRUB2 packages and cancelling the installation, the bootloader must be installed manually on the logical disk, not in the MBR. If your repository has an outdated version of GRUB2, try updating it from the official website; I have not checked this (I worked with the latest GRUB 2.02 ~BetaX bootloaders).

C3. Installing GRUB2 into the extended partition [sda6]

You must have the partition mounted [item C.2]

grub-install --force --root-directory=/mnt /dev/sda6

options
* --force - install the bootloader, bypassing all the warnings that almost always exist and block the installation (required flag).
* --root-directory - sets the directory to the root of sda6.
* /dev/sda6 - your sdaX partition (do not miss the space between /mnt and /dev/sda6).

C4. Creating the configuration file [grub.cfg]

Forget about the "update-grub2" command, and use the full command for generating the configuration file

grub-mkconfig -o /mnt/boot/grub/grub.cfg

after the generation/update of the grub.cfg file is complete, the terminal output should contain line(s) with the OSes found on the disk ("grub-mkconfig" will probably find and pick up the OS from the live usb as well, if you have a multiboot flash drive with Windows 10 and a bunch of live distributions: this is normal). If the terminal is "empty" and the "grub.cfg" file is not generated, then this is the same case as when there are GRUB bugs in the system (and most likely the loader is from the test branch of the repository); reinstall GRUB2 from trusted sources.
The "simple" installation and setup of GRUB2 is complete.

C5. Proof-test of the encrypted GNU/Linux OS

We finish the crypto mission properly. Carefully leave the encrypted GNU/Linux (exit the chroot environment).

umount -a # unmount all mounted partitions of the encrypted GNU/Linux
Ctrl+d # exit the chroot environment
umount /mnt/dev
umount /mnt/proc
umount /mnt/sys
umount -a # unmount all mounted partitions on the live usb
reboot

After rebooting the PC, the VeraCrypt bootloader should load.

*Entering the password for the active partition will start loading Windows.
*Pressing the "Esc" key will transfer control to GRUB2; if you choose the encrypted GNU/Linux, the password (sda7_crypt) will be required to unlock /boot/initrd.img (if grub2 writes uuid "not found", this is a problem with the grub2 bootloader, and it should be reinstalled, e.g., from the test branch/stable, etc.).

*Depending on how you configured the system (see section B4.4/4.5), after entering the correct password to unlock the /boot/initrd.img image, you will need a password to load the OS kernel/root, or the secret key "skey" will be substituted automatically, eliminating the need to re-enter the passphrase.
(screenshot "automatic substitution of the secret key").

*Next comes the familiar process of loading GNU/Linux with user account authentication.

*After user authorization and logging into the OS, you need to update /boot/initrd.img again (see B4.6).

update-initramfs -u -k all

And if extra lines appear in the GRUB2 menu (OSes picked up from the live USB), get rid of them

mount /dev/sda6 /mnt
grub-mkconfig -o /mnt/boot/grub/grub.cfg

A quick summary of GNU/Linux system encryption:

  • GNU/Linux is fully encrypted, including /boot (kernel and initrd);
  • the secret key is packed into initrd.img;
  • the current authorization scheme (entering a password to unlock the initrd; a password/key to boot the OS; the password for authorizing the Linux account).

System encryption of the block partition, "GRUB2 configuration", is complete.

C6. Advanced GRUB2 configuration. Bootloader protection with a digital signature + authentication protection
GNU/Linux is fully encrypted, but the bootloader cannot be encrypted; this condition is dictated by the BIOS. For this reason, a chained encrypted boot of GRUB2 is not possible, while a simple chained boot is possible/available but, from a security point of view, is not needed [see section F].
For the "vulnerable" GRUB2, the developers implemented a "signature/authentication" bootloader protection algorithm.

  • When the bootloader is protected by "its digital signature", external modification of files, or an attempt to load additional modules into this bootloader, causes the boot process to be blocked.
  • When the bootloader is protected by authentication, you need to enter the GRUB2 superuser login and password in order to choose a distribution to boot or to enter additional commands in the CLI.

C6.1. Bootloader authentication protection
Check that you are working in a terminal in the encrypted OS

ls /<Tab-Tab> #find the marker file

create a superuser password for authorization in GRUB2

grub-mkpasswd-pbkdf2 #enter/repeat the superuser password.

You get the password hash. Something like this

grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8

mount the GRUB partition

mount /dev/sda6 /mnt

edit the config

nano -$ /mnt/boot/grub/grub.cfg 

use the file search to check that there are no flags anywhere in "grub.cfg" ("--unrestricted", "--user"),
add at the end (before the line ### END /etc/grub.d/41_custom ###)
"set superusers="root"
password_pbkdf2 root hash."

It should look something like this

# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f ${config_directory}/custom.cfg ]; then
source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
source $prefix/custom.cfg;
fi
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
### END /etc/grub.d/41_custom ###
#

If you often use the "grub-mkconfig -o /mnt/boot/grub/grub.cfg" command and do not want to edit grub.cfg every time, add the lines above (Login:Password) to the GRUB user script, at the very bottom

nano /etc/grub.d/41_custom 

cat <<EOF
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
EOF

When the configuration is generated with "grub-mkconfig -o /mnt/boot/grub/grub.cfg", the lines responsible for authentication are added to grub.cfg automatically.
This step completes the GRUB2 authentication setup.
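
The checks from this step (no "--unrestricted" entries, a superuser defined, a PBKDF2 hash for that superuser) can be scripted. The following is an added example, not part of the original guide: the function names, the finding labels and both sample configs are constructed for illustration, and the hash in the sample is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original guide): audit a grub.cfg for the
# C6.1 authentication settings. Finding labels are specific to this example.

# Print one finding per line; print nothing when the config is clean.
audit_grub_auth() {
    awk '
    # set superusers="root" -> remember the (last) superuser list
    /^[ \t]*set[ \t]+superusers=/ {
        v = $0
        sub(/^[ \t]*set[ \t]+superusers=/, "", v)
        gsub(/"/, "", v)
        superusers = v
    }
    # password_pbkdf2 USER HASH -> hashed password for USER
    /^[ \t]*password_pbkdf2[ \t]/ { hashed[$2] = $3 }
    # password USER CLEARTEXT -> readable on the unencrypted GRUB partition
    /^[ \t]*password[ \t]/ { print "PLAINTEXT_PASSWORD line " NR " user " $2 }
    # --unrestricted lets an entry boot without any GRUB login
    /^[ \t]*(menuentry|submenu)[ \t]/ && /--unrestricted/ {
        print "UNRESTRICTED_ENTRY line " NR
    }
    END {
        if (superusers == "") { print "NO_SUPERUSERS"; exit }
        n = split(superusers, su, /[ \t,;]+/)
        for (i = 1; i <= n; i++) {
            if (su[i] == "") continue
            if (!(su[i] in hashed)) {
                print "NO_PBKDF2_HASH user " su[i]
            } else if (hashed[su[i]] !~ /^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-F]+\.[0-9A-F]+$/) {
                print "MALFORMED_HASH user " su[i]
            }
        }
    }' "$1"
}

# Exit status 0 only when the audit reports nothing.
grub_auth_ok() {
    [ -z "$(audit_grub_auth "$1")" ]
}

# Constructed sample configs (the hash is a placeholder, not a real one).
write_samples() {
    cat > "$1/weak.cfg" <<'EOF'
set superusers="root"
password root hunter2
menuentry 'Debian' --class gnu-linux --unrestricted {
    linux /vmlinuz root=/dev/mapper/sda7_crypt
}
EOF
    cat > "$1/hardened.cfg" <<'EOF'
menuentry 'Debian' --class gnu-linux {
    linux /vmlinuz root=/dev/mapper/sda7_crypt
}
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.0A1B2C3D.4E5F6071
EOF
}

# Demo run on the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for name in weak hardened; do
    echo "== $name.cfg"
    audit_grub_auth "$demo_dir/$name.cfg"
done
rm -rf "$demo_dir"
```

Point `audit_grub_auth` at the real file (here /mnt/boot/grub/grub.cfg) after every grub-mkconfig run, since regenerating the config can reintroduce entries.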

C6.2. Bootloader protection with a digital signature
It is assumed that you already have your personal pgp encryption key (or will create one). The system should have cryptographic software installed: gnuPG; kleopatra/GPA; Seahorse. Crypto software makes life much easier in all these matters. Seahorse - the stable package version is 3.14.0 (higher versions, for example V3.20, are flawed and have significant bugs).

The PGP key needs to be generated/launched/added only in the su environment!

Generate a personal encryption key

gpg --gen-key

Export your key

gpg --export -o ~/perskey

Mount the logical disk in the OS if it is not yet mounted

mount /dev/sda6 /mnt #sda6 - the GRUB2 partition

clean the GRUB2 partition

rm -rf /mnt/

Install GRUB2 on sda6, placing your personal key into the main GRUB image "core.img"

grub-install --force --modules="gcry_sha256 gcry_sha512 signature_test gcry_dsa gcry_rsa" -k ~/perskey --root-directory=/mnt /dev/sda6

options
* --force - install the bootloader, bypassing all the warnings that always appear (required flag).
* --modules="gcry_sha256 gcry_sha512 signature_test gcry_dsa gcry_rsa" - instructs GRUB2 to preload the required modules when the PC starts.
* -k ~/perskey - path to the "PGP key" (after the key has been packed into the image, it can be deleted).
* --root-directory - sets the boot directory to the root of sda6.
* /dev/sda6 - your sdaX partition.

Generate/update grub.cfg

grub-mkconfig -o /mnt/boot/grub/grub.cfg

Add the line "trust /boot/grub/perskey" to the end of the "grub.cfg" file (to force use of the pgp key). Since we installed GRUB2 with a set of modules that includes the signature module "signature_test.mod", this removes the need to add commands such as "set check_signatures=enforce" to the config.

It should look something like this (the closing lines of the grub.cfg file)

### BEGIN /etc/grub.d/41_custom ###
if [ -f ${config_directory}/custom.cfg ]; then
source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
source $prefix/custom.cfg;
fi
trust /boot/grub/perskey
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
### END /etc/grub.d/41_custom ###
#

The path to "/boot/grub/perskey" does not need to be pointed at a specific disk partition, for example hd0,6; for the bootloader itself, "root" is the default path to the partition where GRUB2 is installed (see set root=..).

Sign GRUB2 (all files in all /GRUB directories) with your "perskey" key.
A simple way to sign (for the nautilus/caja file manager): install the "seahorse" extension for the file manager from the repository. Your key must be added in the su environment.
Open the file manager with sudo, "/mnt/boot" - right-click - sign. On screen it looks like this

(screenshot)

The key itself, "/mnt/boot/grub/perskey" (copy it into the grub directory), must also be signed with your own signature. Check that the [*.sig] file signatures have appeared in the directory/subdirectories.
Using the method described above, sign "/boot" (our kernel, initrd). If your time is worth anything, this method removes the need to write a bash script to sign "lots of files".

To remove all bootloader signatures (if something went wrong)

rm -f $(find /mnt/boot/grub -type f -name '*.sig')

So that we do not have to re-sign the bootloader after a system update, we hold back all update packages related to GRUB2.

apt-mark hold grub-common grub-pc grub-pc-bin grub2 grub2-common

At this step the advanced GRUB2 configuration is complete.
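
The manual check that [*.sig] files appeared in every directory is easy to get wrong with several hundred modules. The following is an added example, not part of the original guide, that lists files whose detached signature is missing, orphaned or older than the file; the function names, finding labels and the sample tree of empty files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): report gaps in the detached
# signatures of a GRUB tree. Usage: sig_coverage DIR [verify]
# File names containing newlines are not supported.

sig_coverage() {
    dir=$1
    mode=${2:-}
    # Every regular file that is not itself a signature needs FILE.sig.
    find "$dir" -type f ! -name '*.sig' | while IFS= read -r f; do
        if [ ! -f "$f.sig" ]; then
            echo "UNSIGNED $f"
        elif [ -n "$(find "$f" -newer "$f.sig")" ]; then
            # Modified after signing (mtime heuristic; mtime can be forged).
            echo "STALE_SIG $f"
        elif [ "$mode" = verify ] && ! gpg --verify "$f.sig" "$f" >/dev/null 2>&1; then
            # Cryptographic check; needs the signing key in the keyring.
            echo "BAD_SIG $f"
        fi
    done
    # A signature whose file is gone points at a deleted or renamed file.
    find "$dir" -type f -name '*.sig' | while IFS= read -r s; do
        [ -f "${s%.sig}" ] || echo "ORPHAN_SIG $s"
    done
}

# Constructed sample tree: empty files stand in for modules and signatures.
write_sample_tree() {
    g=$1/boot/grub
    mkdir -p "$g/i386-pc"
    for f in grub.cfg perskey i386-pc/normal.mod i386-pc/luks.mod; do
        : > "$g/$f"
        touch -t 202001010000 "$g/$f"
    done
    for f in grub.cfg perskey i386-pc/normal.mod i386-pc/gone.mod; do
        : > "$g/$f.sig"
        touch -t 202001010001 "$g/$f.sig"
    done
    # normal.mod is changed a day after it was signed
    touch -t 202001020000 "$g/i386-pc/normal.mod"
}

# Demo run on the constructed tree.
demo_dir=$(mktemp -d)
write_sample_tree "$demo_dir"
sig_coverage "$demo_dir/boot/grub"
rm -rf "$demo_dir"
```

Run it as `sig_coverage /mnt/boot verify` to also check each signature with gpg; an empty result means every file has a current signature.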

C6.3. Proof test of the GRUB2 bootloader protected by digital signature and authentication
GRUB2. When you choose any GNU/Linux distribution or enter the CLI (command line), superuser authorization is required. After entering the correct username/password, you will need the initrd password

Screenshot: successful GRUB2 superuser authentication.

If you tamper with any of the GRUB2 files/make changes to grub.cfg, or delete a file/signature, or load a malicious module.mod, a corresponding warning appears. GRUB2 pauses loading.

Screenshot: an attempt to tamper with GRUB2 "from outside".

During a "normal" boot "without intrusion", the system exit code status is "0". Therefore it is not known whether the protection is working or not (that is, "with or without bootloader signature protection", during a normal boot the status is the same "0"; this is bad).

How do you check the digital signature protection?

The wrong way to check: fake/remove a module used by GRUB2, for example delete the signature luks.mod.sig and get an error.

The right way: go to the bootloader CLI and type the command

list_trusted

In response you should get the "perskey fingerprint"; if the status is "0", then signature protection is not working; double-check section C6.2.
At this step, the advanced configuration "Protecting GRUB2 with a digital signature and authentication" is complete.

C7. An alternative method of protecting the GRUB2 bootloader using hashing
The method of "bootloader protection with a digital signature/authentication" described above is the classic one. Because of GRUB2's imperfections, in paranoid conditions it is susceptible to a real attack, which I give below in section [F]. In addition, after an OS/kernel update the bootloader must be re-signed.

Protecting the GRUB2 bootloader using hashing

Advantages over the classic approach:

  • A higher level of reliability (hashing/verification takes place only from the encrypted local resource. The entire partition allocated to GRUB2 is monitored for any changes, and everything else is encrypted; in the classic scheme with digital signature protection/authentication, only the files are monitored, but not the free space, where "something malicious" could be added).
  • Encrypted logging (a human-readable personal encrypted log is added to the scheme).
  • Speed (protection/verification of the entire partition allocated to GRUB2 happens almost instantly).
  • Automation of all cryptographic processes.

Disadvantages compared with the classic approach.

  • Signature forgery (theoretically, it is possible to find a collision of the given hash function).
  • An increased level of difficulty (compared with the classic approach, slightly more GNU/Linux skills are required).

How the GRUB2/partition hashing idea works

The GRUB2 partition is "signed"; when the OS boots, the bootloader partition is checked for immutability, followed by logging in a secure (encrypted) environment. If the bootloader or its partition is compromised, then in addition to the intrusion log, the following is launched:

(image: the "warning" GIF)

The same check takes place four times a day, which does not load system resources.
With the command "-$ проверка_GRUB" (check_GRUB), an instant check takes place at any time without logging, but with information output to the CLI.
With the command "-$ sudo подпись_GRUB" (signature_GRUB), the GRUB2 bootloader/partition is instantly re-signed and its log updated (needed after an OS/boot update), and life goes on.

Implementing the hashing method for the bootloader and its partition

0) Let's sign the GRUB bootloader/partition, having first mounted it at /media/username

-$ hashdeep -c md5 -r /media/username/GRUB > /podpis.txt

1) Create a script with no extension in the root of the encrypted OS, ~/podpis, and apply the necessary 744 permissions and foolproofing to it.

Fill in its contents

#!/bin/bash

#Check the entire partition allocated to the GRUB2 bootloader for immutability.
#A log of "intrusion/successful directory check" is kept; in short, a full log with triple verbosity. Attention! Mind the paths: keep the GRUB2 digital signature only on the encrypted GNU/Linux OS partition.
echo -e "******************************************************************\n" >> '/var/log/podpis.txt' && date >> '/var/log/podpis.txt' && hashdeep -vvv -a -k '/podpis.txt' -r '/media/username/GRUB' >> '/var/log/podpis.txt'

a=`tail '/var/log/podpis.txt' | grep failed` #do not use "cat"!!
b="hashdeep: Audit failed"

#Condition: on any change whatsoever in the partition allocated to GRUB2, a second, separate short log "intrusion only" is written in addition to the full log, and a flashing "warning" gif is shown on the monitor.
if [[ "$a" = "$b" ]]
then
echo -e "****\n" >> '/var/log/vtorjenie.txt' && echo "vtorjenie" >> '/var/log/vtorjenie.txt' && date >> '/var/log/vtorjenie.txt' & sudo -u username DISPLAY=:0 eom '/warning.gif'
fi

Run the script from su; the hashing of the GRUB partition and its bootloader is checked; save the log.

Let's create or copy, for example, a "malicious file" [virus.mod] into the GRUB2 partition and run a one-off scan/check:

-$ hashdeep -vvv -a -k '/podpis.txt' -r '/media/username/GRUB'

The CLI should show the intrusion into our citadel
#Trimmed log in the CLI

Ср янв  2 11::41 MSK 2020
/media/username/GRUB/boot/grub/virus.mod: Moved from /media/username/GRUB/1nononoshifr
/media/username/GRUB/boot/grub/i386-pc/mda_text.mod: Ok
/media/username/GRUB/boot/grub/grub.cfg: Ok
hashdeep: Audit failed
   Input files examined: 0
  Known files expecting: 0
          Files matched: 325
Files partially matched: 0
            Files moved: 1
        New files found: 0
  Known files not found: 0

#As you can see, "Files moved: 1" and "Audit failed" appear, which means the check failed.
Because of the nature of the partition being checked, "Files moved" appears instead of "New files found".

2) Put the gif here > ~/warning.gif and set its permissions to 744.

3) Configure fstab to auto-mount the GRUB partition at boot

-$ sudo nano /etc/fstab

LABEL=GRUB /media/username/GRUB ext4 defaults 0 0

4) Rotate the log

-$ sudo nano /etc/logrotate.d/podpis 

/var/log/podpis.txt {
daily
rotate 50
size 5M
dateext
compress
delaycompress
olddir /var/log/old
}

/var/log/vtorjenie.txt {
monthly
rotate 5
size 5M
dateext
olddir /var/log/old
}

5) Add a job to cron

-$ sudo crontab -e

@reboot '/podpis'
0 */6 * * * '/podpis'

6) Create permanent aliases

-$ sudo su
-$ echo "alias подпись_GRUB='hashdeep -c md5 -r /media/username/GRUB > /podpis.txt'" >> /root/.bashrc && bash
-$ echo "alias проверка_GRUB='hashdeep -vvv -a -k '/podpis.txt' -r /media/username/GRUB'" >> .bashrc && bash

After an OS update (-$ apt-get upgrade), re-sign our GRUB partition
-$ подпись_GRUB
At this point, hashing protection of the GRUB partition is complete.

[D] Wiping - destruction of unencrypted data

Delete your personal files so thoroughly that "even God can't read them," in the words of South Carolina representative Trey Gowdy.

As usual, there are various "myths and legends" about recovering data after it has been deleted from a hard drive. If you believe in cyber-witchcraft, or are a member of the Dr.Web community and have never tried recovering data after it was deleted/overwritten (for example, recovery using R-studio), then the proposed method is unlikely to suit you; use whatever is closest to you.

After successfully migrating GNU/Linux to the encrypted partition, the old copy must be deleted with no possibility of data recovery. A universal cleaning method: the free GUI software BleachBit for Windows/Linux.
Quick-format the partition whose data is to be destroyed (with Gparted), launch BleachBit, select "Wipe free space" and choose the partition (your sdaX with the previous copy of GNU/Linux); the wiping process starts. BleachBit wipes the disk in one pass, which is "what we need". But! This works only in theory if you formatted the disk and cleaned it in BB v2.0.

Attention! BB wipes the disk but leaves metadata; file names are preserved when the data is erased (Ccleaner does not leave metadata).

And the myth about the possibility of data recovery is not entirely a myth. Bleachbit V2.0-2, the package from the former unstable Debian (and any other similar software: sfill; wipe-Nautilus, which were also caught in this dirty business), actually had a critical bug: the "wipe free space" function works incorrectly on HDD/flash drives (ntfs/ext4). Software of this kind, when wiping free space, does not overwrite the entire disk, as many users think. And some (much) of the deleted data the OS/software treats as not deleted/user data, and skips these files when performing the free-space wipe ("OSP"). The problem is that after such a long disk cleaning, "deleted files" can be recovered even after 3+ wiping passes.
In GNU/Linux, in Bleachbit 2.0-2 the functions for permanently deleting files and directories work reliably, but the free-space wipe does not. For comparison: in Windows, in CCleaner the "OSP for ntfs" function works properly, and God really will not be able to read the deleted data.

And so, to thoroughly remove the "compromising" old unencrypted data, Bleachbit needs direct access to this data; then use the "permanently delete files/directories" function.
To remove "files deleted using standard OS tools" in Windows, use CCleaner/BB with the "OSP" function. In GNU/Linux, for this problem (removing deleted files) you need to practise on your own (deleting data + an independent attempt to recover it; you should not rely on the software version (if it is not a backdoor, then it is a bug)); only in this case will you be able to understand the mechanism of this problem and get rid of deleted data completely.

I have not tested Bleachbit v3.0; it is possible that the problem has been fixed.
Bleachbit v2.0 works reliably.

At this step, disk wiping is complete.

[E] Universal backup of the encrypted OS

Every user has their own way of backing up data, but the data of an encrypted system OS requires a slightly different approach to the task. Unified software such as Clonezilla and similar tools cannot work directly with encrypted data.

Problem statement for backing up encrypted block devices:

  1. universality - the same backup algorithm/software for Windows/Linux;
  2. the ability to work in the console from any live USB GNU/Linux without the need to download additional software (but a GUI is still recommended);
  3. security of backup copies - stored "images" must be encrypted/password-protected;
  4. the size of the encrypted data must correspond to the size of the actual data being copied;
  5. convenient extraction of the needed files from the backup copy (no requirement to decrypt the whole partition first).

For example, backup/restore using the "dd" utility

dd if=/dev/sda7 of=/путь/sda7.img bs=7M conv=sync,noerror
dd if=/путь/sda7.img of=/dev/sda7 bs=7M conv=sync,noerror

It meets almost all points of the task, but on point 4 it does not stand up to criticism, because it copies the entire disk partition, including free space - not interesting.

For example, a GNU/Linux backup via the archiver [tar | gpg] is convenient, but for a Windows backup you need to look for another solution - not interesting.

E1. Universal Windows/Linux backup. The rsync (Grsync) + VeraCrypt volume combination
Algorithm for creating a backup:

  1. create an encrypted VeraCrypt container (volume/file) for the OS;
  2. transfer/synchronize the OS into the VeraCrypt crypto-container using Rsync;
  3. if necessary, upload the VeraCrypt volume to the www.

Creating an encrypted VeraCrypt container has its own peculiarities:
creating a dynamic volume (creating a DT is available only in Windows; it can also be used in GNU/Linux);
creating a regular volume, but there is a requirement of a "paranoid nature" (according to the developer): container formatting.

A dynamic volume is created almost instantly in Windows, but when copying data from GNU/Linux > VeraCrypt DT, the overall performance of the backup operation drops significantly.

A regular 70 GB Twofish volume is created (let's say, on average PC power) on an HDD in about half an hour (overwriting the previous container data in one pass is due to security requirements). The function of quick-formatting a volume at creation has been removed from VeraCrypt Windows/Linux, so creating a container is possible only through "one-pass overwriting" or by creating a low-performance dynamic volume.

Create a regular VeraCrypt volume (not dynamic/ntfs); there should be no problems.

Configure/create/open the container in the VeraCrypt GUI > GNU/Linux live USB (the volume is auto-mounted at /media/veracrypt2; the Windows OS volume is mounted at /media/veracrypt1). Create an encrypted backup of the Windows OS using the GUI rsync (grsync) by ticking the boxes.

(screenshot)

Wait for the process to finish. When the backup is complete, we will have one encrypted file.

Similarly, create a backup copy of the GNU/Linux OS by unticking the "Windows compatibility" checkbox in the rsync GUI.

Attention! Create the Veracrypt container for the "GNU/Linux backup" in the ext4 file system. If you make the backup to an ntfs container, then when restoring such a copy you will lose all permissions/groups on all your data.

All operations can be performed in the terminal. Basic options for rsync:
* -g - preserve groups;
* -P --progress - status of the time spent working on a file;
* -H - copy hardlinks as they are;
* -a - archive mode (a set of the flags rlptgoD);
* -v - verbosity.

If you want to mount the "Windows VeraCrypt volume" via the console with cryptsetup, you can create an alias (su)

echo "alias veramount='cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sdaX Windows_crypt && mount /dev/mapper/Windows_crypt /media/veracrypt1'" >> .bashrc && bash

Now the "veramount" command will prompt you for the passphrase, and the encrypted Windows system volume will be mounted in the OS.

Map/mount a VeraCrypt system volume with the cryptsetup command

cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sdaX Windows_crypt
mount /dev/mapper/Windows_crypt /mnt

Map/mount a VeraCrypt partition/container with the cryptsetup command

cryptsetup open --veracrypt --type tcrypt /dev/sdaY test_crypt
mount /dev/mapper/test_crypt /mnt

Instead of the alias, we add (via a startup script) the system volume with Windows OS and the logical encrypted ntfs disk to GNU/Linux autostart.

Create a script and save it to ~/VeraOpen.sh

printf 'Ym9i' | base64 -d | cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sda3 Windows_crypt && mount /dev/mapper/Windows_crypt /media/Winda7 #decode the password from base64 (bob) and send it to the password prompt when mounting the Windows OS system disk.
printf 'Ym9i' | base64 -d | cryptsetup open --veracrypt --type tcrypt /dev/sda1 ntfscrypt && mount /dev/mapper/ntfscrypt /media/КонтейнерНтфс #same, but mounting the logical ntfs disk.

Set the "correct" permissions (base64 is an encoding, not encryption, so the file mode is the only thing protecting the passphrase in this script):

sudo chmod 100 /VeraOpen.sh

Create two identical files (same name!) in /etc/rc.local and ~/etc/init.d/rc.local
Fill in the files

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

sh -c "sleep 1 && '/VeraOpen.sh'" #after the OS boots, wait ~1 s and only then mount the disks.
exit 0

Set the "correct" permissions:

sudo chmod 100 /etc/rc.local && sudo chmod 100 /etc/init.d/rc.local

That's it; now when booting GNU/Linux we do not need to enter passwords to mount the encrypted ntfs disks; the disks are mounted automatically.

A brief note on what is described above in section E1, step by step (but now for OS GNU/Linux)
1) Create a volume in fs ext4 > 4gb (for a file) Linux in Veracrypt [Cryptbox].
2) Reboot into the live usb.
3) ~$ cryptsetup open /dev/sda7 Linux #map the encrypted partition.
4) ~$ mount /dev/mapper/Linux /mnt #mount the encrypted partition at /mnt.
5) ~$ mkdir /mnt2 #create a directory for the future backup.
6) ~$ cryptsetup open --veracrypt --type tcrypt ~/CryptoBox CryptoBox && mount /dev/mapper/CryptoBox /mnt2 #map the Veracrypt volume named "CryptoBox" and mount CryptoBox at /mnt2.
7) ~$ rsync -avlxhHX --progress /mnt /mnt2/ #backup operation of the encrypted partition to the encrypted Veracrypt volume.

(P.S. Attention! When transferring an encrypted GNU/Linux from one architecture/machine to another, for example Intel > AMD (that is, deploying a backup from one encrypted partition to another encrypted partition, Intel > AMD), do not forget, after transferring the encrypted OS, to edit the secret substitute key used instead of the password, since the previous key ~/etc/skey will no longer fit the other encrypted partition, and it is not advisable to create a new key with "cryptsetup luksAddKey" from under chroot - a glitch is possible; just temporarily specify "none" in ~/etc/crypttab instead of "/etc/skey", and after rebooting and logging in to the OS, recreate your secret substitute key.)

As IT veterans, remember to make separate backups of the headers of the encrypted Windows/Linux OS partitions, or the encryption will turn against you.
At this step, backing up the encrypted OS is complete.

[F] Attack on the GRUB2 bootloader

Details
If you have protected your bootloader with a digital signature and/or authentication (see section C6.), this will not protect against physical access. The encrypted data will still be inaccessible, but bypassing the protection (resetting the digital signature protection) of GRUB2 allows a cyber-villain to inject their code into the bootloader without arousing suspicion (unless the user personally monitors the bootloader state, or comes up with their own robust script code for grub.cfg).

Attack algorithm. The attacker

* Boots the PC from a live USB. Any change (by the intruder) to the files would notify the real owner of the PC of an intrusion into the bootloader. But a simple reinstallation of GRUB2 that keeps grub.cfg (and the subsequent ability to edit it) allows the attacker to edit any files (in this situation, when GRUB2 loads, the real user is not notified. The status is the same )
* Mounts the unencrypted partition, saves "/mnt/boot/grub/grub.cfg".
* Reinstalls the bootloader (removing "perskey" from the core.img image)

grub-install --force --root-directory=/mnt /dev/sda6

* Returns "grub.cfg" > "/mnt/boot/grub/grub.cfg", edits it if necessary, for example adding their own module "keylogger.mod" to the folder with the bootloader modules, and in "grub.cfg" > the line "insmod keylogger". Or, for example, if the adversary is cunning, after reinstalling GRUB2 (all signatures remain in place) they build the main GRUB2 image using "grub-mkimage with the option (-c)". The "-c" option allows loading their own config before the main "grub.cfg" is loaded. The config can consist of just one line: a redirect to any "modern.cfg", mixed in, for example, with ~400 files (modules+signatures) in the folder "/boot/grub/i386-pc". In this case the attacker can insert arbitrary code and load modules without touching "/boot/grub/grub.cfg", even if the user has applied a "hashsum" to the file and temporarily displayed it on screen.
The attacker will not need to crack the GRUB2 superuser login/password; they just need to copy the lines (responsible for authentication) from "/boot/grub/grub.cfg" into their "modern.cfg"

set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8

Futhi umnikazi we-PC usazogunyazwa njengomsebenzisi omkhulu we-GRUB2.

I-chain loading (i-bootloader ilayisha enye i-bootloader), njengoba ngibhale ngenhla, akuwenzi umqondo (yenzelwe inhloso ehlukile). I-bootloader ebethelwe ayikwazi ukulayishwa ngenxa ye-BIOS (i-chain boot iqala kabusha i-GRUB2> i-GRUB2 ebethelwe, iphutha!). Kodwa-ke, uma usasebenzisa umqondo wokulayisha iketango, ungaqiniseka ukuthi yiyona ebethelwe elayishwayo. (akuthuthukisiwe) "grub.cfg" kusukela kuhlukanisa okubethelwe. Futhi lokhu kuwumqondo ongamanga wokuphepha, ngoba yonke into ekhonjiswa ku-"grub.cfg" ebethelwe (ukulayisha imojula) kwengeza kumamojula alayishwe ku-GRUB2 engabetheliwe.

Uma ufuna ukuhlola lokhu, bese wabela/ubethela olunye usuku lokuhlukanisa, kopisha i-GRUB2 kuyo (umsebenzi wokufaka i-grub ekuhlukaniseni okubethelwe akwenzeki) naku-"grub.cfg" (ukulungiselelwa okungabetheliwe) shintsha imigqa efana nale

menuentry 'GRUBx2' --class parrot --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-382111a2-f993-403-2-aa292e-5b4780eacXNUMX' {
    load_video
    insmod gzio
    if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
    insmod part_msdos
    insmod cryptodisk
    insmod luks
    insmod gcry_twofish
    insmod gcry_twofish
    insmod gcry_sha512
    insmod ext2
    cryptomount -u 15c47d1c4bd34e5289df77bcf60ee838
    set root='cryptouuid/15c47d1c4bd34e5289df77bcf60ee838'
    normal /boot/grub/grub.cfg
}

The lines:
* insmod - loads the modules needed to work with the encrypted disk;
* GRUBx2 - the name of the entry shown in the GRUB2 boot menu;
* cryptomount -u 15c47d1c4bd34e5289df77bcf60ee838 - see fdisk -l (sda9);
* set root - sets the root;
* normal /boot/grub/grub.cfg - the executable configuration file on the encrypted partition.

Confirmation that it is the encrypted "grub.cfg" that gets loaded is a positive response to entering the password/unlocking "sdaY" when you select the "GRUBx2" line in the GRUB menu.

When working in the CLI, so as not to get confused (and to check that the "set root" environment variable has taken effect), create empty marker files, for example "/shifr_grub" on the encrypted partition and "/noshifr_grub" on the unencrypted partition. Check in the CLI:

cat /Tab-Tab

As noted above, this will not help against the loading of malicious modules if such modules end up on your PC. For example, a keylogger that can save keystrokes to a file and mix it in with the other files in "~/i386" until it is retrieved by an attacker with physical access to the PC.
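
One way to spot files planted among the loader modules, as an added example that is not part of the original article: it compares /boot/grub with a trusted SHA-512 baseline and flags files that have no detached .sig next to them. The functions snapshot, audit and demo and the sample tree are constructed for illustration; the file names keylogger.mod and modern.cfg are taken from the scenario described above.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(grub_dir):
    """Map relative path -> SHA-512 hex digest for every file under grub_dir."""
    root = Path(grub_dir)
    return {p.relative_to(root).as_posix(): hashlib.sha512(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def audit(baseline, current):
    """Return (kind, path) findings: baseline drift plus files lacking a .sig."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            findings.append(("ADDED", path))
        elif path not in current:
            findings.append(("REMOVED", path))
        elif baseline[path] != current[path]:
            findings.append(("MODIFIED", path))
    # With check_signatures=enforce GRUB wants a detached "<file>.sig" next to
    # every file it reads. Presence only; validity still needs gpg --verify.
    for path in sorted(current):
        if not path.endswith(".sig") and path + ".sig" not in current:
            findings.append(("UNSIGNED", path))
    return findings

def demo():
    """Constructed /boot/grub tree: take a baseline, then plant extra files."""
    with tempfile.TemporaryDirectory() as tmp:
        grub = Path(tmp) / "boot" / "grub"
        (grub / "i386-pc").mkdir(parents=True)
        for name in ("grub.cfg", "i386-pc/normal.mod", "i386-pc/luks.mod"):
            (grub / name).write_bytes(b"constructed " + name.encode())
            (grub / (name + ".sig")).write_bytes(b"constructed signature")
        baseline = snapshot(grub)  # in practice, store this off the machine
        # File names from the article's scenario; contents are dummies.
        (grub / "i386-pc/keylogger.mod").write_bytes(b"dummy")
        (grub / "i386-pc/modern.cfg").write_bytes(b"dummy")
        (grub / "i386-pc/modern.cfg.sig").write_bytes(b"dummy")
        return audit(baseline, snapshot(grub))

if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:9} {path}")
```

Take the baseline from trusted media and keep it off the machine, since a manifest stored on the same disk can be replaced together with the files it describes.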

The simplest way to verify that the digital signature protection is still active (has not been reset) and that nobody has tampered with the bootloader is to enter this command in the CLI:

list_trusted

In response we get a copy of our "perskey", or we get nothing if we have been attacked (you also need to check "set check_signatures=enforce").
The significant drawback of this step is that the commands are entered by hand. If you add this command to "grub.cfg" and protect the config with a digital signature, the initial output of the key digest on the screen is very brief, and you may not have time to see it once GRUB2 has loaded.
There is no one in particular to make claims against: the developer, in his documentation, section 18.2, officially states:

"Note that even with GRUB password protection, GRUB itself cannot prevent someone with physical access to the machine from altering that machine's firmware (e.g., Coreboot or BIOS) configuration to cause the machine to boot from a different (attacker-controlled) device. GRUB is at best only one link in a secure boot chain."

GRUB2 is overloaded with functions that can give a false sense of security, and its development has already surpassed MS-DOS in functionality, yet it is just a bootloader. It is funny that "tomorrow" GRUB2 may become an OS, with GNU/Linux virtual machines booting under it.

A short video about how I reset the GRUB2 digital signature protection and announced my intrusion to a real user (I gave you a scare, but instead of what is shown in the video, one can write arbitrary code/.mod).

Conclusions:

1) Windows system encryption is easier to implement, and protecting with one password is more convenient than protecting with several passwords under GNU/Linux block system encryption; to be fair, the latter is automated.

2) I wrote this article as a relevant and detailed single guide to full disk encryption with VeraCrypt/LUKS on one home machine, which is by far the best in RuNet (IMHO). The guide is > 50k characters long, so it did not cover some interesting chapters: about cryptographers who disappear/stay in the shadows; about the fact that various GNU/Linux books write little or nothing about cryptography; about Article 51 of the Constitution of the Russian Federation; about licensing/banning encryption in the Russian Federation; about why you need to encrypt "root/boot". The guide turned out to be quite extensive, but detailed (it describes even the simple steps), and this in turn will save you a lot of time when you get to the "real encryption".

3) Full disk encryption was performed on Windows 7 64; GNU/Linux Parrot 4x; GNU/Debian 9.0/9.5.

4) A successful attack was carried out on my own GRUB2 bootloader.

5) The tutorial was created to help all paranoid people in the CIS, where working with encryption is permitted at the legislative level. And above all for those who want to roll out full disk encryption without tearing down their configured systems.

6) I reworked and updated my manual, which is relevant in 2020.

[G] Useful documentation

  1. TrueCrypt User Guide (February 2012, RU)
  2. VeraCrypt Documentation
  3. /usr/share/doc/cryptsetup(-run) [local resource] (official detailed documentation on setting up GNU/Linux encryption with cryptsetup)
  4. Official cryptsetup FAQ (brief documentation on setting up GNU/Linux encryption with cryptsetup)
  5. LUKS device encryption (archlinux documentation)
  6. Detailed description of the cryptsetup syntax (arch man page)
  7. Detailed description of crypttab (arch man page)
  8. Official GRUB2 documentation.


Source: www.habr.com