How to Encrypt the Full Disk While Installing Ubuntu 22.04


Linux distributions have done a great job of adding protection by offering full disk encryption and being the market leader.

Ubuntu also comes bundled with many features, and disk encryption is one of them. Enabling full disk encryption is important for those who want to secure their private data at any cost, even if the device is stolen, because it requires the passphrase to be entered at every boot.

Full disk encryption can only be enabled while installing the operating system, because it is applied to every partition of your drive, including the boot and swap partitions. This is why we have to enable it from the very start of the installation.

This step-by-step tutorial will guide you through enabling full disk encryption on Ubuntu 22.04. For this purpose, we will use LVM (Logical Volume Management) and LUKS (for encryption).

  • A bootable USB drive.
  • An Internet connection with enough bandwidth to download large files.
  • A UEFI-enabled motherboard.

But before we jump into the process, let's take a brief look at the pros and cons of disk encryption.

Every feature comes with pros and cons, and this also applies to disk encryption. So it is always a good idea to know what to expect, and what not to expect, from the steps you are about to take.

  • Protects your sensitive data from theft - Yes, this is the most appealing feature of encryption, because your private data stays protected even if your system is stolen. This point matters most for mobile devices such as laptops, which are more likely to be stolen.
  • Saves your data from surveillance - The chances of your system being hacked are low on Linux, but it can happen if the user is not careful enough to protect themselves from phishing scams. Even if your computer is attacked, the attacker will not be able to access your data, which is another reason to enable it.

  • Impact on performance - This applies only to systems with few resources, as a modern computer can handle encryption without any trouble, but you will still see slightly slower read and write speeds during use.

In our opinion, full disk encryption is always a wise choice, as it offers plenty of pros while the cons are easy to overcome with a few more resources. So if you are fine with a small drop in performance in exchange for better security, let's start the encryption process.

Encrypting the Entire Disk in Ubuntu 22.04

This is a beginner-friendly guide and should walk you through every step, while advanced users can still benefit from it.

Visit the official Ubuntu download page and select the Ubuntu 22.04 LTS version, which will start downloading automatically.

To flash the Ubuntu ISO image to the USB drive, we will use Balena Etcher, which automatically detects the OS you are using. Once you have finished downloading Balena Etcher, install it on your system.

To burn the ISO file, open balenaEtcher, choose the Flash from file option, and select the recently downloaded Ubuntu 22.04 file.

Next, select the drive onto which we want to flash the ISO file. Choose the Select target option and it will list all the drives mounted on your system. From the available options, choose the USB or DVD drive.

Once we have successfully flashed our USB drive, it is time to boot from it. To boot from USB, reboot your system and press F10, F2, F12, F1, or DEL while it starts up. From there, you have to select your USB drive as the boot drive.

Once we have booted from USB, we can move on to the encryption part. This may overwhelm some new users because it can look complicated, but you only have to follow each step and you will have your system encrypted in no time.

NOTE: Some commands are different for NVMe SSD users, so please read the instructions before running the commands, as we have separated them where needed.

Once you boot into Ubuntu, you will get two options: Try Ubuntu and Install Ubuntu. As we are going to encrypt partitions, we need to use the live environment. So select the first option, labeled "Try Ubuntu".

Click Activities at the top left and search for Terminal. Press Enter on the first result and it will open the Terminal for us. Next, switch to the root user, as all the commands we are going to use require administrative privileges.

$ sudo -i

As the following commands rely heavily on BASH, let's switch from the default shell to BASH with the following command:

# bash

Next, to identify the installation target, we need to list all the mounted storage devices with the following command:

# lsblk

You can easily identify the target partition by its size, and in most cases it will be named sda or vda. In my case, it is sda with a size of 20GB.

This section applies to you only if you are using an HDD or a SATA SSD. If your machine is equipped with an NVMe SSD, the variable names to set are explained in the step below.

As my target device is named sda, I need to use the following command:

# export DEV="/dev/sda"

If you are using NVMe, the naming scheme for your target device will be /dev/nvme${CONTROLLER}n${NAMESPACE}p${PARTITION}, so if there is only one partition, it will most likely have a name similar to the one in the given command:

# export DEV="/dev/nvme0n1"

Now, let's set the variable for the encrypted device-mapper name with the following command:

# export DM="${DEV##*/}"

Every NVMe device needs a 'p' in the suffix, so use the given commands to add the suffix:

# export DEVP="${DEV}$( if [[ "$DEV" =~ "nvme" ]]; then echo "p"; fi )"
# export DM="${DM}$( if [[ "$DM" =~ "nvme" ]]; then echo "p"; fi )"
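The suffix logic above, as an added example that is not part of the original guide: it goes slightly beyond the `nvme` match by applying the kernel's general rule (a "p" is inserted whenever the disk name ends in a digit) and previews the partition and mapper names the later steps will use. The function names `part_path`, `crypt_name` and `layout_plan` are hypothetical helpers introduced here.

```shell
#!/bin/sh
# Added example: dry-run preview of the device names used in this guide.
# Nothing here touches a disk; it only builds and prints names.

# part_path DISK N -> path of partition N on DISK.
# The kernel inserts "p" when the disk name ends in a digit
# (nvme0n1 -> nvme0n1p5) and nothing otherwise (sda -> sda5).
part_path() {
    case "$1" in
        *[0-9]) printf '%sp%s\n' "$1" "$2" ;;
        *)      printf '%s%s\n'  "$1" "$2" ;;
    esac
}

# crypt_name DISK N -> mapper name in the guide's "${DM}5_crypt" style.
crypt_name() {
    p=$(part_path "$1" "$2")
    printf '%s_crypt\n' "${p##*/}"
}

# layout_plan DISK -> one line per partition of this guide's layout:
# device path, GPT name, and mapper name ("-" means not encrypted).
layout_plan() {
    for spec in 1:/boot:LUKS_BOOT 2:GRUB:- 3:EFI-SP:- 5:rootfs:crypt; do
        n=${spec%%:*}; rest=${spec#*:}
        name=${rest%%:*}; map=${rest#*:}
        if [ "$map" = crypt ]; then
            map=$(crypt_name "$1" "$n")
        fi
        printf '%s %s %s\n' "$(part_path "$1" "$n")" "$name" "$map"
    done
}

# Constructed sample disks: one SATA-style name, one NVMe-style name.
for disk in /dev/sda /dev/nvme0n1; do
    layout_plan "$disk"
done
```

Comparing this output with `lsblk` before running `sgdisk --zap-all` or `cryptsetup luksFormat` confirms that the variables point at the intended disk.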

To create a new GPT partition table, we will use the sgdisk utility. First, print the current table with the following command:

# sgdisk --print $DEV

Now we can safely remove all the existing data, but if you are installing this system alongside existing partitions, please skip this step.

To wipe the data, use the following command:

# sgdisk --zap-all $DEV

We will allocate a 2MB partition for the BIOS-mode GRUB core image, a 768MB boot partition, and 128MB for the EFI file system. The remaining space will be allocated to the user, where you can store the data you want.

Use the given commands one by one to partition the drive:

# sgdisk --new=1:0:+768M $DEV
# sgdisk --new=2:0:+2M $DEV
# sgdisk --new=3:0:+128M $DEV
# sgdisk --new=5:0:0 $DEV
# sgdisk --typecode=1:8301 --typecode=2:ef02 --typecode=3:ef00 --typecode=5:8301 $DEV

To change the partition names, use the given commands:

# sgdisk --change-name=1:/boot --change-name=2:GRUB --change-name=3:EFI-SP --change-name=5:rootfs $DEV
# sgdisk --hybrid 1:2:3 $DEV

To list the recently created partitions, use the following command:

# sgdisk --print $DEV

Let's start our encryption process by encrypting the boot partition. You have to type YES in all caps when it asks for your confirmation.

# cryptsetup luksFormat --type=luks1 ${DEV}1

Now, let's encrypt the OS partition with the following command:

# cryptsetup luksFormat --type=luks1 ${DEV}5

To continue the installation, we must unlock the encrypted partitions. Use the following commands to open the boot and OS partitions.

# cryptsetup open ${DEV}1 LUKS_BOOT
# cryptsetup open ${DEV}5 ${DM}5_crypt

This step applies only if your system is equipped with an NVMe SSD. Use the following commands to encrypt the boot and OS partitions:

# cryptsetup luksFormat --type=luks1 ${DEVP}1
# cryptsetup luksFormat --type=luks1 ${DEVP}5

Now, let's unlock the encrypted partitions, as this is required for the rest of the installation.

# cryptsetup open ${DEVP}1 LUKS_BOOT
# cryptsetup open ${DEVP}5 ${DM}5_crypt

This is one of the most important steps, because if it is skipped, the installer will disable the ability to write the file system. Use the following command to start formatting:

# mkfs.ext4 -L boot /dev/mapper/LUKS_BOOT

If your system is equipped with an HDD or a SATA SSD, use the following command to format the EFI partition as FAT16:

# mkfs.vfat -F 16 -n EFI-SP ${DEV}3

If your system uses an NVMe SSD, you can format the third partition with the following command:

# mkfs.vfat -F 16 -n EFI-SP ${DEVP}3

LVM is one of the features I admire the most. Even if you do not use LVM features, enabling it will not harm your system, and in the future, if you need any feature that LVM provides, you can use it without any trouble.

Here, we will allocate 4GB to the swap partition, which uses disk space when the system runs out of memory. We are also allocating 80% of the free space to root so that the user can use the disk space to its maximum potential.

Of course, you can change this according to your use case and even modify it later. Use the given commands one by one and your system will be LVM-ready shortly:

# pvcreate /dev/mapper/${DM}5_crypt
# vgcreate ubuntu--vg /dev/mapper/${DM}5_crypt
# lvcreate -L 4G -n swap_1 ubuntu--vg
# lvcreate -l 80%FREE -n root ubuntu--vg

It is time to start the Ubuntu installer. Just minimize the current window and you will find the installer on the desktop.

Whether you go with the normal or the minimal installation is up to you, but a few options should be selected for a better experience: installing updates, and installing third-party drivers and codecs, which will certainly improve your user experience and save you time after installation.

In the installation type section, select the option labeled "Something else", which lets us manage the partitions we created manually.

Here, you will find several partitions with similar names. You can easily identify the right ones because the installer shows their sizes. Now, let's start with LUKS_BOOT.

Select LUKS_BOOT and click the Change button.

Now, select the Ext4 journaling file system in the first option. Enable the Format the partition option and, for the mount point, select /boot.

Similarly, select ubuntu-vg-root and click the Change button. Here, select the Ext4 journaling file system in the first option. Enable the Format the partition option and, in the last one, select the "/" option.

Now, select ubuntu-vg-swap_1 and click the options button. Select the swap area option and that's it.

Finish the changes and select your current location.

After creating the user, do not click the Install Now button, as we are going to run a command after creating the new user. Create a user with a strong password.

After you have created the user, open your terminal and use the given command, as we are going to enable encryption in GRUB before the installation starts:

# while [ ! -d /target/etc/default/grub.d ]; do sleep 1; done; echo "GRUB_ENABLE_CRYPTODISK=y" > /target/etc/default/grub.d/local.cfg

Once the installation is finished, click Continue Testing, as we are going to make some changes that still require the bootable drive.

In this section, we will mount the drives, install the required packages, and make some necessary changes to get encryption working. So open your terminal and follow the given steps:

Chroot is used to access the partitions on which we installed Ubuntu. Use the given commands, which mount the drive and create the chroot environment.

# mount /dev/mapper/ubuntu----vg-root /target
# for n in proc sys dev etc/resolv.conf; do mount --rbind /$n /target/$n; done 
# chroot /target
# mount -a

The cryptsetup package is responsible for unlocking the encrypted volumes at boot time, and we can easily install it with the given command:

# apt install -y cryptsetup-initramfs

A key file will be used to unlock the volumes during boot, and it is stored in /boot/, which is also an encrypted partition. Use the given commands to proceed:

# echo "KEYFILE_PATTERN=/etc/luks/*.keyfile" >> /etc/cryptsetup-initramfs/conf-hook 
# echo "UMASK=0077" >> /etc/initramfs-tools/initramfs.conf 

We will create a key file of 512 bytes, secure it, and add it to the encrypted volumes. You can achieve this with the given commands:

# mkdir /etc/luks
# dd if=/dev/urandom of=/etc/luks/boot_os.keyfile bs=512 count=1
# chmod u=rx,go-rwx /etc/luks
# chmod u=r,go-rwx /etc/luks/boot_os.keyfile

This should be one of the last steps, as we are quite close to having our system encrypted successfully. Use the following commands to add boot_os.keyfile as a key to the boot and OS partitions.

# cryptsetup luksAddKey ${DEV}1 /etc/luks/boot_os.keyfile
# cryptsetup luksAddKey ${DEV}5 /etc/luks/boot_os.keyfile 

To add the keys to crypttab, use the following commands:

# echo "LUKS_BOOT UUID=$(blkid -s UUID -o value ${DEV}1) /etc/luks/boot_os.keyfile luks,discard" >> /etc/crypttab
# echo "${DM}5_crypt UUID=$(blkid -s UUID -o value ${DEV}5) /etc/luks/boot_os.keyfile luks,discard" >> /etc/crypttab

If you are using an NVMe SSD, use the following commands to add boot_os.keyfile as a key:

# cryptsetup luksAddKey ${DEVP}1 /etc/luks/boot_os.keyfile
# cryptsetup luksAddKey ${DEVP}5 /etc/luks/boot_os.keyfile 

Similarly, to add the keys to crypttab, use the following commands:

# echo "LUKS_BOOT UUID=$(blkid -s UUID -o value ${DEVP}1) /etc/luks/boot_os.keyfile luks,discard" >> /etc/crypttab
# echo "${DM}5_crypt UUID=$(blkid -s UUID -o value ${DEVP}5) /etc/luks/boot_os.keyfile luks,discard" >> /etc/crypttab

Now let's update the initramfs files, which adds the unlocking scripts and the key file, with the following command:

# update-initramfs -u -k all
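A check for the key-file steps above, as an added example that is not part of the original guide: because the initramfs built here embeds the key file, the `UMASK=0077` line and the key file's owner-only mode are what keep other local users from reading the key, and a mismatched crypttab entry leaves a volume without its key at boot. The function names `audit_keyfile` and `make_sample_root` are hypothetical, and the sample tree with placeholder UUIDs is constructed for the demonstration; on a real install, pass `/target` from the live session.

```shell
#!/bin/sh
# Added example: audit the key-file setup written by the steps above.
# audit_keyfile ROOT prints each finding and returns the number of findings.
audit_keyfile() {
    root=$1; bad=0
    fail() { echo "FAIL: $*"; bad=$((bad + 1)); }
    # The initramfs embeds the key file, so its image must be owner-only.
    grep -qxF 'UMASK=0077' "$root/etc/initramfs-tools/initramfs.conf" ||
        fail "initramfs.conf lacks UMASK=0077"
    grep -qxF 'KEYFILE_PATTERN=/etc/luks/*.keyfile' \
        "$root/etc/cryptsetup-initramfs/conf-hook" ||
        fail "conf-hook lacks the KEYFILE_PATTERN line"
    # crypttab fields: mapper name, source device, key file, options.
    while read -r name src key opts; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$src" in UUID=?*) ;; *) fail "$name: source is not UUID=..." ;; esac
        case "$key" in
            /etc/luks/*.keyfile) ;;
            *) fail "$name: key file does not match KEYFILE_PATTERN"; continue ;;
        esac
        if [ ! -f "$root$key" ]; then
            fail "$name: $key is missing"
        elif [ "$(ls -ld "$root$key" | cut -c5-10)" != "------" ]; then
            fail "$name: $key is accessible to group or other"
        fi
    done < "$root/etc/crypttab"
    return "$bad"
}

# Constructed sample tree (placeholder UUIDs) mirroring the files written above.
make_sample_root() {
    mkdir -p "$1/etc/luks" "$1/etc/initramfs-tools" "$1/etc/cryptsetup-initramfs"
    echo 'UMASK=0077' > "$1/etc/initramfs-tools/initramfs.conf"
    echo 'KEYFILE_PATTERN=/etc/luks/*.keyfile' > "$1/etc/cryptsetup-initramfs/conf-hook"
    dd if=/dev/urandom of="$1/etc/luks/boot_os.keyfile" bs=512 count=1 2>/dev/null
    chmod u=r,go-rwx "$1/etc/luks/boot_os.keyfile"
    for n in 1 5; do
        echo "part${n}_crypt UUID=00000000-0000-0000-0000-00000000000$n /etc/luks/boot_os.keyfile luks,discard"
    done > "$1/etc/crypttab"
}

demo=$(mktemp -d)
make_sample_root "$demo"
audit_keyfile "$demo" && echo "OK: key-file setup is consistent"
rm -rf "$demo"
```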

Now, reboot your system and it will take you to the GRUB passphrase prompt to boot your system.

The main goal behind this guide was to provide an easy-to-follow procedure with which even a beginner can secure their system by enabling full disk encryption in Ubuntu.