How to Encrypt Drives Using LUKS in Fedora Linux


In this article, we briefly explain block device encryption and Linux Unified Key Setup (LUKS), and walk through the commands for creating an encrypted block device in Fedora Linux.

Block device encryption secures the data on a block device by encrypting it; to decrypt the data, a user must supply a passphrase or key. This gives an additional layer of security, because the contents of the device stay protected even if it has been physically removed from the system.

LUKS (Linux Unified Key Setup) is the standard for block device encryption in Linux. It works by establishing an on-disk format for the data and a passphrase/key management policy. It stores all the necessary setup information in the partition header (known as the LUKS header), which lets you transport or migrate data seamlessly.

LUKS uses the kernel device mapper subsystem with the dm-crypt module to provide a low-level mapping that handles encryption and decryption of the device data. You can use the cryptsetup program to carry out user-level tasks such as creating and accessing encrypted devices.

Preparing a Block Device

The following instructions show the steps to create and configure encrypted block devices after installation.

Install the cryptsetup package.

# dnf install cryptsetup-luks

Next, fill the device with random data before encrypting it, as this will significantly increase the strength of the encryption, using one of the following commands.

# dd if=/dev/urandom of=/dev/sdb1	           [slow with high quality random data ]
OR
# badblocks -c 10240 -s -w -t random -v /dev/sdb1  [fast with high quality random data]

Warning: The commands above will wipe out any existing data on the device.

Formatting an Encrypted Device

Next, use the cryptsetup command-line tool to format the device as a dm-crypt/LUKS encrypted device.

# cryptsetup luksFormat /dev/sdb1

After running the command, you will be prompted to type YES (in uppercase) to confirm and then to supply a passphrase twice, after which the device is formatted for use.

To verify that the operation was successful, run the following command.

# cryptsetup isLuks /dev/sdb1 && echo Success

You can view a summary of the encryption information for the device.

# cryptsetup luksDump /dev/sdb1

Creating a Mapping to Allow Access to the Decrypted Content

In this section, we configure how to access the decrypted contents of the encrypted device. We will create a mapping using the kernel device mapper. It is recommended to give this mapping a meaningful name, something like luk-<uuid> (where <uuid> is replaced with the device's LUKS UUID).

To get the UUID of your encrypted device, run the following command.

# cryptsetup luksUUID /dev/sdb1

After getting the UUID, you can create the mapping name as shown (you will be prompted to enter the passphrase created earlier).

# cryptsetup luksOpen /dev/sdb1 luk-59f2b688-526d-45c7-8f0a-1ac4555d1d7c

If the command succeeds, a device node called /dev/mapper/luk-59f2b688-526d-45c7-8f0a-1ac4555d1d7c is created, which represents the decrypted device.

The block device that has just been created can be read from and written to like any other unencrypted block device. You can see some information about the mapped device by running the following command.

# dmsetup info /dev/mapper/luk-59f2b688-526d-45c7-8f0a-1ac4555d1d7c

Creating a Filesystem on the Mapped Device

Now we will look at how to create a filesystem on the mapped device, which allows you to use the mapped device node just like any other block device.

To create an ext4 filesystem on the mapped device, run the following command.

# mkfs.ext4 /dev/mapper/luk-59f2b688-526d-45c7-8f0a-1ac4555d1d7c

To mount the filesystem above, create a mount point for it, for example /mnt/encrypted-device, and then mount it as follows.

# mkdir -p /mnt/encrypted-device
# mount /dev/mapper/luk-59f2b688-526d-45c7-8f0a-1ac4555d1d7c /mnt/encrypted-device/

Adding Mapping Information to /etc/crypttab and /etc/fstab

Next, we need to configure the system to set up the mapping for the device automatically and to mount it at boot time.

Add the mapping information to the /etc/crypttab file, in the following format.

luk-59f2b688-526d-45c7-8f0a-1ac4555d1d7c  UUID=59f2b688-526d-45c7-8f0a-1ac4555d1d7c   none

In the format above:

  • luk-59f2b688-526d-45c7-8f0a-1ac4555d1d7c - is the mapping name
  • UUID=59f2b688-526d-45c7-8f0a-1ac4555d1d7c - is the device name

Save the file and close it.

Next, add the following entry to /etc/fstab to mount the mapped device automatically at system boot.

/dev/mapper/luk-59f2b688-526d-45c7-8f0a-1ac4555d1d7c  /mnt/encrypted-device  ext4  defaults  0 0

Save the file and close it.

Then run the following command to update the systemd units generated from these files.

# systemctl daemon-reload
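
The two files must agree with each other: the mapping name in /etc/fstab has to exist in /etc/crypttab, and an fstab line needs all six fields. The following check is an added example, not part of the original article; the function names and the sample files are constructed for illustration, and it assumes every /dev/mapper entry in fstab is a LUKS mapping.

```shell
#!/bin/sh
# Added example: cross-check crypttab and fstab text for a LUKS mapping.
# Assumption: every /dev/mapper/* line in fstab is a LUKS mapping (LVM volumes
# also appear under /dev/mapper and would be reported as unmatched).

# check_mapping CRYPTTAB FSTAB: print findings, return the number of problems.
check_mapping() {
    problems=0
    # crypttab fields: <name> <device> <keyfile|none> [options]
    names=$(awk 'NF >= 2 && $1 !~ /^#/ { print $1 }' "$1")
    for n in $(awk 'NF >= 2 && $1 !~ /^#/ && $2 !~ /^UUID=/ { print $1 }' "$1"); do
        echo "crypttab: $n is not referenced by UUID="
        problems=$((problems + 1))
    done
    # fstab fields: <device> <mountpoint> <type> <options> <dump> <pass>
    while read -r dev mnt fstype opts dump pass; do
        case $dev in /dev/mapper/*) ;; *) continue ;; esac
        if [ -z "$pass" ]; then
            echo "fstab: $dev has fewer than six fields"
            problems=$((problems + 1))
        fi
        if ! printf '%s\n' "$names" | grep -qxF -- "${dev#/dev/mapper/}"; then
            echo "fstab: $dev has no crypttab entry"
            problems=$((problems + 1))
        fi
    done < "$2"
    return "$problems"
}

# Constructed sample files (nothing is read from the live system).
write_samples() {
    u=59f2b688-526d-45c7-8f0a-1ac4555d1d7c
    printf '%s\n' "# constructed" "luk-$u UUID=$u none" > "$1/crypttab.ok"
    printf '%s\n' "/dev/mapper/luk-$u /mnt/encrypted-device ext4 defaults 0 0" > "$1/fstab.ok"
    printf '%s\n' "luk-$u /dev/sdb1 none" > "$1/crypttab.bad"
    printf '%s\n' "/dev/mapper/luk-$u /mnt/encrypted-device ext4 0 0" \
                  "/dev/mapper/other /mnt/x ext4 defaults 0 0" > "$1/fstab.bad"
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_mapping "$tmp/crypttab.ok" "$tmp/fstab.ok" && echo "ok sample: clean"
check_mapping "$tmp/crypttab.bad" "$tmp/fstab.bad" || echo "bad sample: $? problem(s)"
rm -rf "$tmp"
```

Point it at copies of the real files with `check_mapping /etc/crypttab /etc/fstab` before rebooting.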

Backing Up LUKS Headers

Lastly, we cover how to back up the LUKS headers. This is a critical step to avoid losing all the data in the encrypted block device if the sectors containing the LUKS headers are damaged by user error or hardware failure. The backup makes data recovery possible.

To back up the LUKS headers:

# mkdir /root/backups
# cryptsetup luksHeaderBackup --header-backup-file /root/backups/luks-headers /dev/sdb1

And to restore the LUKS headers:

# cryptsetup luksHeaderRestore --header-backup-file /root/backups/luks-headers /dev/sdb1
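
A header backup contains the key slots, so it should be readable by its owner only, and it should be confirmed to belong to the right device before it is restored. The following check is an added example, not part of the original article; the function names are hypothetical and the sample header is constructed, with only the fields the check reads filled in.

```shell
#!/bin/sh
# Added example. Offsets follow the LUKS1/LUKS2 on-disk formats: magic
# "LUKS" 0xBA 0xBE at 0, big-endian version at 6, 40-byte NUL-padded UUID at 168.

# luks_header_info FILE: print "<version> <uuid>", or return 1 if not LUKS.
luks_header_info() {
    magic=$(od -An -tx1 -N6 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ] || return 1
    case $(od -An -tx1 -j6 -N2 "$1" | tr -d ' \n') in
        0001) version=1 ;; 0002) version=2 ;; *) return 1 ;;
    esac
    uuid=$(dd if="$1" bs=1 skip=168 count=40 2>/dev/null | tr -d '\000')
    printf '%s %s\n' "$version" "$uuid"
}

# verify_backup FILE UUID: return 0 if FILE is a LUKS header for UUID and is
# accessible by its owner only; otherwise print the reason and return 1.
verify_backup() {
    info=$(luks_header_info "$1") || { echo "$1: no LUKS header"; return 1; }
    [ "${info#* }" = "$2" ] || { echo "$1: header is for UUID ${info#* }"; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
        { echo "$1: group/other can access the key slots"; return 1; }
    echo "$1: LUKS${info%% *} header for $2"
}

# Constructed sample: a 208-byte file with magic, version 2 and UUID only.
# It is not a usable header.
make_sample_header() {
    {
        printf 'LUKS\272\276\000\002'
        dd if=/dev/zero bs=1 count=160 2>/dev/null
        printf '%s\000\000\000\000' "$2"
    } > "$1"
    chmod 600 "$1"
}

tmp=$(mktemp -d)
make_sample_header "$tmp/luks-headers" 59f2b688-526d-45c7-8f0a-1ac4555d1d7c
verify_backup "$tmp/luks-headers" 59f2b688-526d-45c7-8f0a-1ac4555d1d7c
rm -rf "$tmp"
```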

That's all! In this article, we have explained how to encrypt block devices using LUKS in the Fedora Linux distribution. If you have any questions or comments about this topic or guide, use the feedback form below to reach us.