Decrypting a LUKS container at system boot

Good day and good night, everyone! This post will be useful to those who use LUKS data encryption and want to decrypt additional disks under Linux (Debian, Ubuntu) at the stage where the root partition is decrypted. I could not find this information anywhere on the Internet.

Recently, as the number of disks in the disk shelves grew, I ran into the problem of decrypting disks with the more than well-known method via /etc/crypttab. Personally, I see a few problems with this method, namely that the file is only read after the root partition has been loaded (mounted), which is bad for ZFS import, especially when the pool is assembled from partitions on a *_crypt device, or for an mdadm array that is likewise assembled from partitions. We all know that partitions can be used on LUKS containers, right? And there is also the problem of some services starting early, when the arrays do not exist yet but something already needs them (I work with a clustered Proxmox VE 5.x and ZFS over iSCSI).

A little about ZFS over iSCSI. iSCSI works for me through LIO, and in practice, when the iSCSI target starts and does not see the ZVOL devices, it simply removes them from its configuration, which prevents the guest systems from starting. So it is either restore the backup json file, or add the devices with the identifiers of each VM by hand, which is simply awful when there are many such machines and each configuration has more than 1 disk.

The second question I will consider is how to do the decryption (this is the main point of the article). We will talk about it below, so let's go under the cut!

Usually on the Internet people use a key file (added to a slot with the command cryptsetup luksAddKey by default), or in rare exceptions (there is very little information about it on the Russian-language Internet) the decrypt_derived script, which lives in /lib/cryptsetup/scripts/ (yes, there are other methods, but I used these two, and they form the basis of the article). I also aimed to make it work fully autonomously after a reboot, without additional commands in the console, so that everything “takes off” for me right away. So, why wait?

Let's begin!

Take a system, Debian for example, installed on the crypto partition sda3_crypt, and a dozen disks ready to be encrypted and used to build whatever your heart desires. We have a key phrase (passphrase) that unlocks sda3_crypt, and it is from this partition that, on the running (decrypted) system, we will take the password "hash" and add it to the other disks. Everything is elementary; in the console we do:

/lib/cryptsetup/scripts/decrypt_derived sda3_crypt | cryptsetup luksFormat /dev/sdX

where X is our disk, partition, etc.

After encrypting the disks with the hash of our master phrase, you need to find out the UUID or ID, depending on which one you are used to. We take the data from /dev/disk/by-uuid and /dev/disk/by-id, respectively.

The next stage is preparing the files and small scripts for the functions we need to have working; let's continue:

cp -p /usr/share/initramfs-tools/hooks/cryptroot /etc/initramfs-tools/hooks/
cp -p /usr/share/initramfs-tools/scripts/local-top/cryptroot /etc/initramfs-tools/scripts/local-top/

next

touch /etc/initramfs-tools/hooks/decrypt && chmod +x /etc/initramfs-tools/hooks/decrypt

Contents of ../decrypt

#!/bin/sh
# initramfs-tools hook: mkinitramfs runs it at image build time with $DESTDIR set
# to the staging directory, so the script lands in the image as /bin/decrypt_derived.
[ "$1" = prereqs ] && exit 0
cp -p /lib/cryptsetup/scripts/decrypt_derived "$DESTDIR/bin/decrypt_derived"

next

touch /etc/initramfs-tools/hooks/partcopy && chmod +x /etc/initramfs-tools/hooks/partcopy

Contents of ../partcopy

#!/bin/sh
# initramfs-tools hook: copy partprobe and its shared libraries into the image.
# The library file names (libparted.so.2, libreadline.so.7) are those of the
# author's Debian release; check them with ldd /sbin/partprobe on your system.
[ "$1" = prereqs ] && exit 0
cp -p /sbin/partprobe "$DESTDIR/bin/partprobe"
cp -p /lib/x86_64-linux-gnu/libparted.so.2 "$DESTDIR/lib/x86_64-linux-gnu/libparted.so.2"
cp -p /lib/x86_64-linux-gnu/libreadline.so.7 "$DESTDIR/lib/x86_64-linux-gnu/libreadline.so.7"

a little more

touch /etc/initramfs-tools/scripts/local-bottom/partprobe && chmod +x /etc/initramfs-tools/scripts/local-bottom/partprobe

Contents of ../partprobe

#!/bin/sh
# initramfs-tools boot script (local-bottom): runs inside the initramfs after the
# root filesystem is mounted. $DESTDIR is not set at boot time, so the binary is
# called by its path inside the image.
[ "$1" = prereqs ] && exit 0
/bin/partprobe

and finally, before update-initramfs, you need to edit the file /etc/initramfs-tools/scripts/local-top/cryptroot, starting at about line 360, the code fragment below.

Original


                # decrease $count by 1, apparently last try was successful.
                count=$(( $count - 1 ))
                
                message "cryptsetup ($crypttarget): set up successfully"
                break

and bring it to this form

Edited


                # decrease $count by 1, apparently last try was successful.
                count=$(( $count - 1 ))

                # Open the additional disks with the key derived from the root mapping.
                # One line per disk; address it either by UUID or by ID, replacing
                # <UUID>/<ID> and <CRYPT_MAP> (the mapping name) accordingly.
                /bin/decrypt_derived $crypttarget | cryptsetup luksOpen /dev/disk/by-uuid/<UUID> <CRYPT_MAP>
                /bin/decrypt_derived $crypttarget | cryptsetup luksOpen /dev/disk/by-id/<ID> <CRYPT_MAP>

                message "cryptsetup ($crypttarget): set up successfully"
                break

Note that either the UUID or the ID can be used here. What matters is that the drivers required for the HDD/SSD devices are added to /etc/initramfs-tools/modules. You can find out which driver is in use with the command udevadm info -a -n /dev/sdX | egrep 'looking|DRIVER'.

Now that we are done and all the files are in place, we run update-initramfs -u -k all -v; there should be no errors in the log where our scripts are used. Reboot, enter the passphrase and wait a little, depending on the number of disks. The system then starts, and at the final stage of boot, that is, after “raising” the root partition, the partprobe command is executed: it finds and picks up all the partitions created on the LUKS devices, and any array, whether ZFS or mdadm, is assembled without problems! And all of this happens before the main services that need these same disks/partitions are loaded.

update1: As AEP noted, this method only works with LUKS1.
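A helper script for the steps above, added here as an example (it is not the post's own code). It assumes the root mapping is named as in the article (sda3_crypt), that the lines printed by luksopen_lines are pasted in place of the edited cryptroot lines, and it makes the LUKS1 restriction from update1 something you can check before formatting a disk.

```shell
#!/bin/sh
# Added helpers for the decrypt_derived procedure (example code, not from the post).
# Assumptions: MASTER is the already-open root mapping (sda3_crypt in the article),
# and every disk enrolled this way is LUKS1, because decrypt_derived reads the volume
# key from the dm-crypt table, which LUKS2 keeps in the kernel keyring instead.

# luks_version PATH: print 1 or 2 for a LUKS1/LUKS2 header, fail otherwise.
# A LUKS header starts with the magic bytes "LUKS\xba\xbe" followed by a
# two-byte big-endian version field.
luks_version() {
    hdr=$(dd if="$1" bs=8 count=1 2>/dev/null | od -A n -t x1 | tr -d ' \n')
    case "$hdr" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) echo "no LUKS header found on $1" >&2; return 1 ;;
    esac
}

# luksopen_lines MASTER UUID NAME [UUID NAME ...]: print the lines to paste into
# /etc/initramfs-tools/scripts/local-top/cryptroot, one per additional disk.
luksopen_lines() {
    master=$1; shift
    while [ $# -ge 2 ]; do
        printf '/bin/decrypt_derived %s | cryptsetup luksOpen /dev/disk/by-uuid/%s %s\n' \
            "$master" "$1" "$2"
        shift 2
    done
}

# enroll_disk MASTER DEVICE: the article's luksFormat step with two guards.
# It refuses to continue unless the device behind MASTER is LUKS1, and it forces
# the new container to LUKS1 because cryptsetup 2.1+ formats LUKS2 by default.
# Destructive: this wipes DEVICE. -q suppresses the interactive confirmation.
enroll_disk() {
    master=$1; dev=$2
    backing=$(cryptsetup status "$master" | awk '/device:/ { print $2 }')
    [ "$(luks_version "$backing")" = 1 ] || { echo "$master is not LUKS1" >&2; return 1; }
    /lib/cryptsetup/scripts/decrypt_derived "$master" | cryptsetup -q luksFormat --type luks1 "$dev" &&
    printf 'enrolled %s, UUID %s\n' "$dev" "$(blkid -s UUID -o value "$dev")"
}
```

Run luks_version against the backing device of sda3_crypt first; if it prints 2, the scheme in this article will not work on that system.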

Source: www.habr.com
