How to Set Up Encrypted Filesystems and Swap Space Using the Cryptsetup Tool in Linux - Part 3


An LFCE (short for Linux Foundation Certified Engineer) is trained and has the expertise to install, manage, and troubleshoot network services in Linux systems, and is in charge of the design, implementation and ongoing maintenance of the system architecture.

Introducing the Linux Foundation Certification Program (LFCE).

The idea behind encryption is to allow only trusted persons to access your sensitive data, and to protect it from falling into the wrong hands if your machine or hard disk is lost or stolen.

In simple terms, a key is used to lock access to your information, so that it becomes available only when the system is running and has been unlocked by an authorized user. This implies that if a person tries to examine the disk contents (by plugging it into his own system or by booting the machine with a LiveCD/DVD/USB), he will find only unreadable data instead of the actual files.

In this article we will discuss how to set up encrypted file systems with dm-crypt (short for device mapper and cryptographic), the standard kernel-level encryption tool. Note that since dm-crypt is a block-level tool, it can only be used to encrypt full devices, partitions, or loop devices (it will not work on regular files or directories).

Preparing a Drive/Partition/Loop Device for Encryption

Since we will wipe all data present on our chosen drive (/dev/sdb), we first need to back up any important files contained in that partition BEFORE proceeding further.

Wipe all data from /dev/sdb. We are going to use the dd command here, but you could also do it with other tools such as shred. Next, we will create a partition on this device, /dev/sdb1, following the explanation in Part 4 - Create Partitions and Filesystems in Linux of the LFCS series.

# dd if=/dev/urandom of=/dev/sdb bs=4096 

Before we proceed further, we need to make sure that our kernel has been compiled with encryption support:

# grep -i config_dm_crypt /boot/config-$(uname -r)

As outlined in the image above, the dm-crypt kernel module needs to be loaded in order to set up encryption.

Cryptsetup is a frontend interface for creating, configuring, accessing, and managing encrypted file systems using dm-crypt.

# aptitude update && aptitude install cryptsetup 		[On Ubuntu]
# yum update && yum install cryptsetup 				[On CentOS] 
# zypper refresh && zypper install cryptsetup 			[On openSUSE]

The default operating mode for cryptsetup is LUKS (Linux Unified Key Setup), so we will stick with it. We will begin by setting up the LUKS partition and the passphrase:

# cryptsetup -y luksFormat /dev/sdb1

The command above runs cryptsetup with default parameters, which can be listed with:

# cryptsetup --help

Should you want to change the cipher, hash, or key parameters, you can use the --cipher, --hash, and --key-size flags, respectively, with the values taken from /proc/crypto.

Next, we need to open the LUKS partition (we will be prompted for the passphrase that we entered earlier). If the authentication succeeds, our encrypted partition will be available inside /dev/mapper with the specified name:

# cryptsetup luksOpen /dev/sdb1 my_encrypted_partition

Now, we will format the partition as ext4.

# mkfs.ext4 /dev/mapper/my_encrypted_partition

Then we create a mount point and mount the encrypted partition. Finally, we may want to confirm that the mount operation succeeded.

# mkdir /mnt/enc
# mount /dev/mapper/my_encrypted_partition /mnt/enc
# mount | grep partition

When you are done writing to or reading from your encrypted file system, simply unmount it

# umount /mnt/enc

and close the LUKS partition using:

# cryptsetup luksClose my_encrypted_partition

Finally, we will check whether our encrypted partition is safe:

1. Open the LUKS partition.

# cryptsetup luksOpen /dev/sdb1 my_encrypted_partition

2. Enter your passphrase.

3. Mount the partition.

# mount /dev/mapper/my_encrypted_partition /mnt/enc

4. Create a dummy file inside the mount point.

# echo "This is Part 3 of a 12-article series about the LFCE certification" > /mnt/enc/testfile.txt

5. Verify that you can access the file that you just created.

# cat /mnt/enc/testfile.txt

6. Unmount the file system.

# umount /mnt/enc

7. Close the LUKS partition.

# cryptsetup luksClose my_encrypted_partition

8. Try to mount the partition as a regular file system. It should indicate an error.

# mount /dev/sdb1 /mnt/enc
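
Why step 8 fails, as an added example that is not part of the original article: the raw partition begins with a LUKS header rather than an ext4 superblock. The script classifies a device or image file by those magic bytes; the sample images are constructed here and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): classify what the first bytes of a device or image expose.
# LUKS: 6-byte magic "LUKS" 0xBA 0xBE, then a 2-byte big-endian version at offset 6.
# ext2/3/4: superblock magic 0xEF53, stored little-endian (53 ef) at byte offset 1080.

# hex_at FILE OFFSET COUNT -> COUNT bytes at OFFSET as lowercase hex, no separators
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# classify_device FILE -> luks1 | luks2 | ext-plaintext | unknown
classify_device() {
    case $(hex_at "$1" 0 8) in
        4c554b53babe0001) echo luks1 ;;
        4c554b53babe0002) echo luks2 ;;
        *)  if [ "$(hex_at "$1" 1080 2)" = 53ef ]; then
                echo ext-plaintext    # a file system readable without any key
            else
                echo unknown          # e.g. wiped with random data, or plain dm-crypt
            fi ;;
    esac
}

# Constructed sample images (headers only, no real key material or file system).
build_samples() {
    printf 'LUKS\272\276\000\001' > "$1/luks1.img"
    printf 'LUKS\272\276\000\002' > "$1/luks2.img"
    { dd if=/dev/zero bs=1080 count=1 2>/dev/null; printf '\123\357'; } > "$1/ext4.img"
    dd if=/dev/zero bs=2048 count=1 2>/dev/null > "$1/blank.img"
}

tmp=$(mktemp -d)
build_samples "$tmp"
for img in "$tmp"/*.img; do
    printf '%s: %s\n' "${img##*/}" "$(classify_device "$img")"
done
rm -rf "$tmp"
```

On a real system, run `classify_device /dev/sdb1` as root; `cryptsetup isLuks /dev/sdb1` and `blkid /dev/sdb1` check for the same LUKS signature.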

Encrypt the Swap Space for Further Security

The passphrase you entered earlier to use the encrypted partition is stored in RAM while the partition is open. If someone can get his hands on this key, he will be able to decrypt the data. This is especially easy to do in the case of a laptop, since while hibernating the contents of RAM are kept on the swap partition.

To avoid leaving a copy of your key accessible to a thief, encrypt the swap partition by following these steps:

1. Create a partition to be used as swap with the appropriate size (/dev/sdd1 in our case) and encrypt it as explained earlier. Name it just "swap" for convenience.

2. Set it up as swap and activate it.

# mkswap /dev/mapper/swap
# swapon /dev/mapper/swap

3. Next, change the corresponding entry in /etc/fstab.

/dev/mapper/swap none        	swap	sw          	0   	0

4. Finally, edit /etc/crypttab and reboot.

swap               /dev/sdd1         /dev/urandom swap

Once the system has finished booting, you can verify the status of the swap space:

# cryptsetup status swap
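
A check for the configuration built in steps 1 to 4, as an added example that is not part of the original article: every swap entry in /etc/fstab should point at a /dev/mapper device that /etc/crypttab defines. The sample files are constructed (the /dev/sda entries are hypothetical), and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): cross-check fstab swap entries against crypttab.

# crypttab_lookup NAME CRYPTTAB -> "source keyfile options" of mapping NAME, empty if absent
crypttab_lookup() {
    awk -v n="$1" '!/^[[:space:]]*#/ && $1 == n { print $2, $3, $4; exit }' "$2"
}

# audit_swap [FSTAB] [CRYPTTAB]: one line per swap entry; returns 1 if any is not mapped via crypttab
audit_swap() {
    fstab=${1:-/etc/fstab}; crypttab=${2:-/etc/crypttab}; bad=0
    while read -r dev _mnt type _rest; do
        case $dev in ''|'#'*) continue ;; esac      # skip blank lines and comments
        [ "$type" = swap ] || continue
        entry=''
        case $dev in
            /dev/mapper/*) entry=$(crypttab_lookup "${dev#/dev/mapper/}" "$crypttab") ;;
        esac
        if [ -z "$entry" ]; then
            echo "NOT-IN-CRYPTTAB $dev"; bad=1
        else
            set -- $entry            # $1=source device, $2=key file, $3=options
            echo "ENCRYPTED $dev source=$1 key=$2 options=${3:-none}"
        fi
    done < "$fstab"
    return "$bad"
}

# Constructed sample files: the article's two entries plus a hypothetical plaintext swap (/dev/sda2).
write_samples() {
    printf '%s\n' '/dev/mapper/swap none swap sw 0 0' \
                  '/dev/sda2 none swap sw 0 0' \
                  '/dev/sda1 / ext4 defaults 0 1' > "$1/fstab"
    printf '%s\n' '# <name> <device> <key file> <options>' \
                  'swap /dev/sdd1 /dev/urandom swap' > "$1/crypttab"
}

tmp=$(mktemp -d)
write_samples "$tmp"
audit_swap "$tmp/fstab" "$tmp/crypttab" || echo "at least one swap area is not encrypted"
rm -rf "$tmp"
```

Because the key is read from /dev/urandom at every boot, the previous contents of this swap area cannot be recovered after a reboot, which also means the system cannot resume from hibernation with this configuration.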

Summary

In this article we have explored how to encrypt a partition and swap space. With this setup, your data should be safe. Feel free to experiment, and do not hesitate to get back to us if you have questions or comments. Just use the form below; we will be glad to hear from you!