Block system encryption of Windows Linux installed systems. Double encrypted download. Defense and attack on GRUB2

Plan (cowboy strategy):

[A] block system encryption of an installed Windows 7 system;
[B] block system encryption of an installed GNU/Linux (Debian) system, including /boot;
[C] GRUB2 setup: protecting the bootloader with a digital signature, authentication;
[D] sweep: destroying the unencrypted data;
[E] universal backup of the encrypted OS;
[F] attack on the GRUB2 bootloader;
[G] useful documentation.
Scheme:

* the encryption is not hidden (no hidden OS / deniable volumes);
* Windows 7, already installed: full system encryption;
* GNU/Linux, already installed (Debian and derived distributions): full system encryption (/, including /boot; swap);
* independent bootloaders: VeraCrypt's loader is installed in the MBR, GRUB2 is installed in a logical drive of the extended partition;
* no installation/reinstallation of either OS is required;
* cryptographic software used: VeraCrypt, cryptsetup, GnuPG, Seahorse, GRUB2; all of it free software.

This scheme partially addresses the problem of an outsider booting the machine from a flash drive, lets you enjoy encrypted Windows and Linux side by side, and lets the two systems exchange data through an "encrypted channel".
PC boot order:

1. the machine is powered on;
2. the VeraCrypt bootloader starts (a valid password continues into Windows 7);
3. pressing the "Esc" key hands control to the GRUB2 bootloader;
4. GRUB2 (choose the distribution / GNU/Linux / CLI) requires authentication as the GRUB2 superuser (login/password);
5. after successful authentication and choosing a distribution, the passphrase of the encrypted partition is required so that GRUB2 can read "/boot/initrd.img";
6. after those passwords have been entered correctly, the initrd "requires" a password to unlock the root file system and boot GNU/Linux (a third password; neither the BIOS password nor the GNU/Linux account password), or the secret key file is substituted automatically (two passwords + key);
7. outside tampering with the GRUB2 configuration will freeze the GNU/Linux boot process.
 
With an MBR partition table a disk can have at most 4 primary partitions, or 3 primary partitions plus one extended partition, plus unallocated space. Unlike a primary partition, the extended partition can contain sub-partitions (logical drives). In other words, for the task at hand (full system encryption) the extended partition plays the role LVM would otherwise play. If your disk already has 4 primary partitions, you must either use LVM, convert one partition (with formatting) from primary to extended, or use all four partitions sensibly as they are and still get the desired result. Even if the disk has only one partition, Gparted can split the HDD into additional partitions without losing data, though such operations carry some risk and take time.
The hard disk layout that the whole article refers to is shown in the table below.

[Table №1: layout of the 1 TB disk; image not reproduced.]

You should have something similar:

* sda1: primary partition №1, NTFS (encrypted);
* sda2: the extended partition marker;
* sda6: logical drive on which the GRUB2 bootloader is installed;
* sda8: swap (encrypted paging partition);
* sda9: test logical drive;
* sda5: logical drive for the curious;
* sda7: GNU/Linux OS (the OS moved onto an encrypted logical drive);
* sda3: primary partition №2 with Windows 7 (encrypted);
* sda4: primary partition №3 (it held the unencrypted GNU/Linux, kept as a backup).
[A] Windows 7 block system encryption

A1. VeraCrypt

Download the installer version of VeraCrypt from the official site or from the SourceForge mirror (the release current at the time of publication; the portable version of VeraCrypt is not suitable for system encryption). Check the checksum of the downloaded file:

    certutil -hashfile "C:\path\to\VeraCrypt Setup <version>.exe" SHA256

and compare the result with the checksum published on the VeraCrypt developer's site.
If HashTab is installed it is even simpler: right-click the installer, Properties, "File Hashes" tab.
To verify the program's signature, GnuPG must be installed on the system (on Windows, gpg4win).
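The same two checks as an added example, not from the original article, done from a GNU/Linux live USB in POSIX shell. The SHA-256 comparison is exercised on a constructed empty file (its hash is well known). The GnuPG function assumes a detached signature file next to the installer and an expected key fingerprint obtained out of band; it is the part most people get wrong, because `gpg --verify` returning success only says that some key in your keyring signed the file, so the signer's fingerprint is compared explicitly.

```shell
#!/bin/sh
# Added example (not from the original article): verify a downloaded installer
# against a published SHA-256 and a detached GnuPG signature from a Linux host.
# Paths and the fingerprint argument are assumptions for illustration.

# Print the lowercase SHA-256 of a file, using sha256sum or shasum (macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare the file's hash with the value copied from the vendor's download page.
# Returns 0 on match, 1 on mismatch; the comparison is case-insensitive.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "SHA-256 mismatch for $file: got $actual, expected $expected" >&2
    return 1
}

# Verify a detached signature AND pin the signing key.  gpg --verify alone
# returns 0 for any key in the local keyring, so the primary-key fingerprint
# reported in the VALIDSIG status line (its last field) is compared with the
# fingerprint obtained out of band.  Not exercised by the test: it needs gpg
# and a real key.
verify_gpg_signature() {
    file=$1; sig=$2; expected_fpr=$3
    status=$(gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || {
        echo "gpg rejected the signature on $file" >&2; return 1; }
    signer=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ {print $NF; exit}')
    [ "$signer" = "$expected_fpr" ] && return 0
    echo "signature is valid but made by unexpected key $signer" >&2
    return 1
}

# Stand-alone demo on a constructed input: the empty file has a well-known hash.
demo_file=$(mktemp)
: > "$demo_file"
verify_sha256 "$demo_file" e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 \
    && echo "checksum OK"
rm -f "$demo_file"
```

For a real download: `verify_sha256 "VeraCrypt Setup.exe" <hash from the site>` and `verify_gpg_signature "VeraCrypt Setup.exe" "VeraCrypt Setup.exe.sig" <fingerprint from the site>`, after importing the developer's public key into your keyring.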
A2. Install / launch VeraCrypt with administrator rights

A3. Select the system encryption options for the active partition

VeraCrypt: System - Encrypt system partition/drive - Normal - Encrypt the Windows system partition - Multi-boot (warning: "Inexperienced users are not recommended to use this method"; that is true, agree with "Yes") - Boot drive ("Yes", even if it is not, still "Yes") - Number of system drives: "2 or more" - Multiple systems on a single drive: "Yes" - Non-Windows boot loader: "No" (in reality "Yes", but the VeraCrypt and GRUB2 loaders will not share the MBR: only the first stage of the VeraCrypt loader sits in the MBR/boot track, the rest lives inside the file system, and GRUB2 is installed into the boot sector of its own logical drive) - Multi-boot - Encryption options.
If you deviate from the above steps (the block system encryption scheme), VeraCrypt shows a warning and will not let you encrypt the partition.

At the next step, for your concrete data protection, run the "Test" (benchmark) and choose an encryption algorithm. If you have an old CPU, Twofish will most likely be the fastest. If the CPU is modern, you will notice the difference: AES will be several times faster than its competitors in the benchmark. AES is a popular algorithm, and modern CPUs carry dedicated hardware instructions for it (AES-NI).
VeraCrypt can also encrypt disks with a cascade, AES(Twofish) and other combinations. On a 2-core Intel CPU from a decade ago, without hardware AES support and with an AES/Twofish cascade, the performance loss is essentially unnoticeable (on AMD CPUs of the same era and comparable specifications performance drops slightly). The OS is used interactively, and the resource cost of transparent encryption is imperceptible; by contrast, a noticeable slowdown came from an unstable test build of the Mate desktop environment on GNU/Linux, or from the telemetry routines in Windows 7. Experienced users usually run hardware benchmarks before encryption (for example Aida64 / sysbench / systemd-analyze) and compare them with the same tests after encrypting the system, dispelling for themselves the myth that "system encryption is harmful". The slowdown and the inconvenience are noticeable when backing up / restoring encrypted data, because a "system backup" operation is not measured in milliseconds and the encryption cost adds up there. In the end, each user chooses the algorithm according to their tasks and their degree of paranoia.
It is better to leave the PIM parameter at its default so that you do not have to type the exact iteration value every time the OS boots. VeraCrypt uses a very large iteration count to make the passphrase hash deliberately "slow". A brute-force / rainbow-table attack on such a container only makes sense against a short, "simple" passphrase and a charset list tailored to the victim. The price of that strength is the delay between entering the correct password and the OS starting to boot (mounting VeraCrypt volumes on GNU/Linux is much faster).
Free software for brute-force attacks (recovering the passphrase from a VeraCrypt/LUKS volume header): Hashcat and John the Ripper; the latter, for example, cannot handle Twofish.
Because of the strength of the ciphers, tireless crypto-punks develop software with a different attack vector, for example extracting metadata/keys from RAM (cold-boot and DMA attacks); there is specialised free and commercial software for this.
Once the "unique metadata" of the encrypted active partition has been configured/generated, VeraCrypt offers to reboot the PC and test its bootloader. After the reboot and Windows start, VeraCrypt loads in standby mode and only the start of the encryption process remains to be confirmed: Y.

At the final step of system encryption, VeraCrypt offers to create a backup copy of the header of the encrypted active partition as a "VeraCrypt Rescue Disk.iso". You must do this: in VeraCrypt this step is mandatory (in LUKS, unfortunately, it is not enforced, but it is stressed in the documentation). A rescue disk is useful to everyone, and to some more than once. Losing (overwriting) the header/MBR without a header backup permanently deprives you of access to the encrypted partition with Windows.
A4. Creating the VeraCrypt rescue disk

By default VeraCrypt offers to burn the "metadata, ~2-3 MB" to a CD, but not everyone has blank discs or a DVD-ROM drive, and creating a bootable "VeraCrypt Rescue Disk" flash drive will be a technical surprise for some: Rufus / GUIdd-ROSA ImageWriter and similar tools cannot do it, because besides copying the metadata to the bootable flash drive you also need to copy from the image into the area outside the file system of the USB drive, in short, to write the MBR/boot track to the stick correctly. Under GNU/Linux you can create the bootable flash drive with the dd utility, as shown in the table.

[Table: dd invocation for writing the rescue image to a USB drive; image not reproduced.]

Creating the rescue disk under Windows is done differently. The VeraCrypt developer did not include a solution to this in the official "rescue disk" documentation, but offered one elsewhere: additional software for creating a "USB rescue disk" is published on the VeraCrypt forum. The archive with this Windows tool is called "create usb veracrypt rescue disk". After the rescue disk .iso has been saved, block system encryption of the active partition begins. During encryption the OS keeps running; no reboot of the PC is required. When the encryption operation finishes, the active partition is fully encrypted and you can use it. If the VeraCrypt bootloader does not appear when the PC starts and restoring the header does not help, check the "boot" flag: it must be set on the partition where Windows lives (regardless of encryption and other operating systems; see table №1).
This completes the description of block system encryption for the Windows OS.
[B] LUKS. Encrypting an installed GNU/Linux (Debian) OS. Algorithm and steps

To encrypt an installed Debian / derived distribution, you need to map the prepared partition to a virtual block device, move the installed GNU/Linux onto that mapped device, and install/configure GRUB2. Unless you are on a bare server, and if you value your time, use the GUI where it helps; most of the terminal commands described below are meant to be typed into a root terminal ("Chuck Norris mode").

B1. Booting the PC from a GNU/Linux live USB

To benchmark the hardware's crypto performance:

    lscpu && cryptsetup benchmark

[Screenshot of cryptsetup benchmark output; image not reproduced.]

If you own a fast machine with hardware AES support, the aes-xts numbers will be far ahead of the other ciphers; on antique hardware without it, twofish-xts can come out ahead of aes-xts.
B2. Partitioning the disk. Mounting/formatting the logical drive's file system as ext4 (Gparted)

B2.1. Creating the encrypted partition header on sda7

Partition names below follow the partition table laid out above; substitute your own partition names according to your disk layout.

Mapping the partition for encryption (/dev/sda7 > /dev/mapper/sda7_crypt).
Simple creation of a "LUKS-AES-XTS partition":

    cryptsetup -v -y luksFormat /dev/sda7

Options:

* luksFormat: initialise the LUKS header;
* -y: ask for the passphrase twice and verify that both entries match;
* -v: verbose output in the terminal;
* /dev/sda7: your logical drive inside the extended partition (wherever the GNU/Linux move/encryption is planned).

The default encryption algorithm depends on the cryptsetup version.

    # Check the default encryption algorithm: the compiled-in defaults are printed
    # in the last lines of the output.
    cryptsetup --help

Without hardware AES support on the CPU, the better choice is the extended "LUKS-Twofish-XTS partition".

B2.2. Advanced creation of a "LUKS-Twofish-XTS partition"

    cryptsetup luksFormat /dev/sda7 -v -y -c twofish-xts-plain64 -s 512 -h sha512 -i 1500 --use-urandom

Options:

* luksFormat: initialise the LUKS header;
* /dev/sda7: your future encrypted logical drive;
* -v: verbose;
* -y: verify the passphrase;
* -c: data encryption algorithm (cipher-mode-IV generator);
* -s: encryption key size in bits (512 for XTS: two 256-bit keys, one for the data and one for the tweak);
* -h: hash function used when deriving the key-slot key from the passphrase (PBKDF2 in LUKS1) and for the master-key digest. The unique master key is generated once from the RNG (--use-urandom) and stored in the header encrypted under the passphrase-derived key; it is what actually encrypts/decrypts every sector of the partition except the header itself. Header and key slots occupy the first few MB of the chosen partition (about 2 MB for a LUKS1 header with a 512-bit key);
* -i: iteration time in milliseconds, rather than an iteration count (the delay in processing the passphrase affects OS boot time and resistance to brute force). To keep a balance of cryptographic strength with a simple passphrase of the "russian" kind, increase the value of -i; with a long random passphrase it can be reduced;
* --use-urandom: use /dev/urandom as the random number generator for the master key and the salts.

After mapping sda7 > sda7_crypt (the operation is fast, since only the encrypted header with ~2-3 MB of metadata is created), you need to create a file system on sda7_crypt and mount it.
B2.3. Mapping

    cryptsetup open /dev/sda7 sda7_crypt
    # this command asks for the secret passphrase

Options:

* open: map the partition "under a name" (the same as luksOpen);
* /dev/sda7: the logical drive;
* sda7_crypt: the mapping name, used to mount the encrypted partition or to initialise it at OS boot.
B2.4. Formatting the sda7_crypt file system as ext4. Mounting the drive in the OS

(Note: working with the encrypted partition in Gparted will not work.)

    # format the mapped encrypted block device
    mkfs.ext4 -v -L DebSHIFR /dev/mapper/sda7_crypt

Options:

* -v: verbose;
* -L: disk label (what is shown in the file manager among the other disks).

Next, mount the virtual encrypted block device /dev/mapper/sda7_crypt in the system:

    mount /dev/mapper/sda7_crypt /mnt

Working with files in the /mnt folder will transparently encrypt/decrypt the data on sda7.
It is more convenient to map and mount the partition in the GUI (Nautilus/Caja): the partition will already be in the list of disks, and you only need to enter the passphrase to open/decrypt it. The mapping name is then chosen automatically and is not "sda7_crypt" but something like /dev/mapper/luks-xx-xx.
 
B2.5. Backing up the disk header (metadata ~3 MB)

One of the most important operations, which must be done without delay, is a backup copy of the "sda7_crypt" header. If you overwrite/damage the header (for example by installing GRUB2 into sda7, etc.), the encrypted data is lost permanently with no possibility of recovery, because the same keys cannot be regenerated: the keys are created unique.

    # back up the partition header
    cryptsetup luksHeaderBackup --header-backup-file ~/Backup_DebSHIFR /dev/sda7

    # restore the partition header
    cryptsetup luksHeaderRestore --header-backup-file ~/Backup_DebSHIFR /dev/sda7

Options:

* luksHeaderBackup --header-backup-file: the backup command;
* luksHeaderRestore --header-backup-file: the restore command;
* ~/Backup_DebSHIFR: the backup file;
* /dev/sda7: the partition whose encrypted header is to be saved.

Treat the backup file like a key: it contains the key slots, so anyone holding it plus any passphrase that was valid at the time of the backup can unlock the volume, even if that passphrase has since been removed from the live header. Keep it on encrypted, offline media.
At this step, creating and editing the encrypted partition is finished.
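To make the "~3 MB of metadata" concrete, here is an added example, not from the original article, in POSIX shell: a small reader for the on-disk LUKS1 header (the structure that luksHeaderBackup saves and that cryptsetup and GRUB2 parse at boot). Point it at a header backup file or, as root, at /dev/sda7 itself; it only uses dd, od and tr, so it runs from the live USB. The demo header is constructed in the script (the cipher, key size and hash match B2.2, slot 0 and slot 7 are marked enabled as they would be after B4.4, and the UUID is the article's example value); it is not a dump of a real disk.

```shell
#!/bin/sh
# Added example, not part of the original article: a reader for the LUKS1
# header (phdr).  Offsets follow the LUKS1 on-disk format specification.
# The demo header built at the bottom is constructed, not from a real device.

# Read LEN bytes at OFFSET as a NUL-padded string.
luks1_str() { dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'; }

# Read a big-endian 16/32-bit unsigned integer at OFFSET.
luks1_u16() {
    set -- $(dd if="$1" bs=1 skip="$2" count=2 2>/dev/null | od -An -tu1)
    echo $(( ($1 << 8) | $2 ))
}
luks1_u32() {
    set -- $(dd if="$1" bs=1 skip="$2" count=4 2>/dev/null | od -An -tu1)
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Magic is "LUKS" 0xba 0xbe for both LUKS1 and LUKS2.
luks_magic_ok() {
    [ "$(dd if="$1" bs=1 count=6 2>/dev/null | od -An -tx1 | tr -d ' \n')" = 4c554b53babe ]
}

# Count key slots whose state word is LUKS_KEY_ENABLED (0x00AC71F3).
# The 8 slots start at offset 208, 48 bytes each; disabled slots hold 0x0000DEAD.
luks1_active_slots() {
    n=0; i=0
    while [ "$i" -lt 8 ]; do
        [ "$(luks1_u32 "$1" $((208 + i * 48)))" -eq $((0x00AC71F3)) ] && n=$((n + 1))
        i=$((i + 1))
    done
    echo "$n"
}

# Human-readable summary, in the spirit of `cryptsetup luksDump`.
luks1_dump() {
    luks_magic_ok "$1" || { echo "$1: not a LUKS header" >&2; return 1; }
    v=$(luks1_u16 "$1" 6)
    if [ "$v" -ne 1 ]; then
        echo "$1: LUKS version $v (LUKS2 keeps its metadata as JSON; use cryptsetup luksDump)" >&2
        return 1
    fi
    echo "cipher:         $(luks1_str "$1" 8 32)-$(luks1_str "$1" 40 32)"
    echo "hash:           $(luks1_str "$1" 72 32)"
    echo "key bits:       $(( $(luks1_u32 "$1" 108) * 8 ))"
    echo "payload offset: $(luks1_u32 "$1" 104) sectors"
    echo "uuid:           $(luks1_str "$1" 168 40)"
    echo "active slots:   $(luks1_active_slots "$1")/8"
}

# --- constructed demo header (592 bytes), not from a real device -----------
pad()   { printf '%s' "$1"; head -c $(( $2 - ${#1} )) /dev/zero; }
u32be() {
    fmt=$(printf '\\%03o\\%03o\\%03o\\%03o' $(( $1 >> 24 & 255 )) $(( $1 >> 16 & 255 )) $(( $1 >> 8 & 255 )) $(( $1 & 255 )))
    printf "$fmt"
}
slot()  { u32be "$1"; u32be "$2"; head -c 32 /dev/zero; u32be 8; u32be 4000; }

make_demo_luks1_header() {
    {
        printf 'LUKS\272\276'; printf '\000\001'                  # magic, version 1
        pad twofish 32; pad xts-plain64 32; pad sha512 32         # as chosen in B2.2
        u32be 4096; u32be 64                                      # payload offset, 512-bit key
        head -c 20 /dev/zero; head -c 32 /dev/zero; u32be 1000    # mk digest, salt, iterations
        pad 81048598-5bb9-4a53-af92-f3f9e709e2f2 40               # uuid (article's example value)
        slot $((0x00AC71F3)) 2000                                 # slot 0: passphrase
        i=1; while [ "$i" -lt 7 ]; do slot $((0x0000DEAD)) 0; i=$((i + 1)); done
        slot $((0x00AC71F3)) 2000                                 # slot 7: /etc/skey
    } > "$1"
}

if [ -n "${1:-}" ]; then luks1_dump "$1"; fi
```

Usage: `sh luks1dump.sh ~/Backup_DebSHIFR` (or `/dev/sda7` as root). Note what the script makes visible: the cipher name, mode and hash are stored in clear in the header, so an attacker who only has the header already knows what to brute-force, and each enabled slot is an independent way in, which is why the header backup must be guarded like a key.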
B3. Moving the GNU/Linux OS from sda4 onto the encrypted partition sda7

Create the folder /mnt2 (note: we are still working from the live USB, and sda7_crypt is mounted at /mnt) and mount in /mnt2 the GNU/Linux that needs to be encrypted.

    mkdir /mnt2
    mount /dev/sda4 /mnt2

Carry out the transfer of the OS with rsync (the trailing slash on the source matters: it copies the contents of /mnt2, not the directory itself):

    rsync -avH --progress /mnt2/ /mnt

The rsync options are described in E1. If the source system uses POSIX ACLs or extended attributes (for example file capabilities), add -A -X as well; -a alone does not preserve them.
Transfer and synchronisation [GNU/Linux > encrypted GNU/Linux] is finished at this step.
B4. Setting up GNU/Linux on the encrypted sda7 partition

After the OS has been transferred from /dev/sda4 to /dev/sda7, you need to "enter" the GNU/Linux on the encrypted partition and configure it further (without rebooting the PC) relative to the encrypted system. That is, stay on the live USB but run commands "relative to the root of the encrypted OS"; we simulate this situation with a chroot. To quickly tell which OS you are currently working in (encrypted or not, since the data on sda4 and sda7 are synchronised), de-synchronise them: create empty marker files in the root directories of sda4 and sda7_crypt, for example /mnt/encryptedOS and /mnt2/decryptedOS. A quick check of which OS you are in (including later, after booting):

    ls /

B4.1. "Simulating entry into the encrypted OS"

    mount --bind /dev /mnt/dev
    mount --bind /proc /mnt/proc
    mount --bind /sys /mnt/sys
    chroot /mnt

B4.2. Check that you are working relative to the encrypted system

    ls /
    # you should see the marker file /encryptedOS (inside the chroot the former /mnt is now /)

    history
    # the terminal should show the root command history of the encrypted operating system
B4.3. Creating/configuring encrypted swap (the swap partition), editing crypttab/fstab

Since the swap partition is re-created at every OS boot, there is no point in creating and mapping it now with commands like those in B2.2: for swap, every boot automatically generates its own temporary encryption key. The life cycle of the swap key: until the swap partition is deactivated/unmapped (and RAM cleared), or until the OS restarts. To set up swap, open the file that configures encrypted block devices (the analogue of fstab, but for crypto):

    nano /etc/crypttab

the line:

    # "target name" "source device" "key file" "options"
    swap /dev/sda8 /dev/urandom swap,cipher=twofish-xts-plain64,size=512,hash=sha512

Options:

* swap: the mapping name; the encrypted device appears as /dev/mapper/swap;
* /dev/sda8: use your own logical partition for swap. Because the contents of a random-key swap change at every boot, never reference it by UUID; a stable path such as /dev/disk/by-id/... or /dev/disk/by-partuuid/... is safer than /dev/sdaX, which can be renumbered;
* /dev/urandom: the generator of random encryption keys for swap (a new key at every OS boot). /dev/random can block waiting for entropy early in boot and stall startup for minutes (see systemd-analyze); for a key that lives only until the next reboot, /dev/urandom is adequate;
* swap,cipher=twofish-xts-plain64,size=512,hash=sha512: the partition is marked as swap and is formatted accordingly (mkswap) at every boot; the remaining options select the encryption algorithm and key size.

A consequence of the random key: hibernation (resume from swap) cannot work with it, which is why the resume configuration is disabled in B4.5.1.

    # open and edit fstab
    nano /etc/fstab

the line:

    # swap was on /dev/sda8 during installation
    /dev/mapper/swap none swap sw 0 0

/dev/mapper/swap is the name given in crypttab.
The swap partition configuration is complete.
B4.4. Configuring the encrypted GNU/Linux (editing crypttab/fstab)

The /etc/crypttab file, as written above, describes the encrypted block devices that are set up during system boot.

    # the /etc/crypttab line
    nano /etc/crypttab

if the partition sda7 > sda7_crypt was mapped as in B2.1:

    # "target name" "source device" "key file" "options"
    sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 none luks

if the partition sda7 > sda7_crypt was mapped as in B2.2:

    # "target name" "source device" "key file" "options"
    sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 none cipher=twofish-xts-plain64,size=512,hash=sha512

(for a LUKS volume the cipher, key size and hash are read from the LUKS header, so the first form with the plain "luks" option is sufficient in both cases; the explicit options do no harm, but they do not override the header).

if you mapped sda7 > sda7_crypt as in B2.1 or B2.2 but do not want to re-enter a password to unlock and boot the OS, you can substitute a secret key (a random file) for the password:

    # "target name" "source device" "key file" "options"
    sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 /etc/skey luks

Description:

* none: at OS boot, the secret passphrase must be entered to unlock the root file system.
* UUID: the partition ID. To find yours, type in the terminal (a reminder that from now on you are working in the chroot environment, not in another live USB terminal):

    fdisk -l    # list all partitions
    blkid       # the output should contain something like:

    /dev/sda7: UUID="81048598-5bb9-4a53-af92-f3f9e709e2f2" TYPE="crypto_LUKS" PARTUUID="0332d73c-07"
    /dev/mapper/sda7_crypt: LABEL="DebSHIFR" UUID="382111a2-f993-403c-aa2e-292b5eac4780" TYPE="ext4"

(the second line is also visible when blkid is run from the live USB terminal while sda7_crypt is mapped).
Take the UUID exactly from your sdaX (the crypto_LUKS device), not from sdaX_crypt! The UUID of sdaX_crypt (the ext4 file system) is picked up automatically when grub.cfg is generated.
* cipher=twofish-xts-plain64,size=512,hash=sha512: the LUKS encryption parameters in the advanced form.
* /etc/skey: the secret key file that is substituted automatically to unlock the root at OS boot (instead of entering the third password). Any file up to 8 MB can be used; cryptsetup reads its bytes verbatim as the key.

    # generate a random <secret key> file of 691 bytes, readable by root only
    head -c 691 /dev/urandom > /etc/skey
    chmod 0400 /etc/skey

    # add the secret key (691 bytes) to slot 7 of the LUKS header
    # (it asks for an existing passphrase first)
    cryptsetup luksAddKey --key-slot 7 /dev/sda7 /etc/skey

    # check the "password/key slots" of the LUKS partition
    cryptsetup luksDump /dev/sda7

The output lists the header parameters and which of the 8 key slots are ENABLED (do it yourself and see).
/etc/fstab contains descriptive information about the various file systems.

    # edit /etc/fstab
    nano /etc/fstab

    # "file system" "mount point" "type" "options" "dump" "pass"
    # / was on /dev/sda7 during installation
    /dev/mapper/sda7_crypt / ext4 errors=remount-ro 0 1

Option:

* /dev/mapper/sda7_crypt: the sda7 > sda7_crypt mapping name, as given in /etc/crypttab.
Setting up crypttab/fstab is complete.
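Before rebuilding the initrd it is worth checking the two files against the blkid output mechanically, because the mistakes above (the ext4 UUID instead of the crypto_LUKS one, a random-key swap without the swap option or referenced by UUID, an fstab device that crypttab never creates) all produce the same symptom: a boot that hangs in the initramfs. The following is an added example in POSIX shell, not from the original article. The crypttab, blkid and fstab samples are constructed for the demo and reuse the UUIDs the article shows; on a real system call it as `crypttab_check "$(cat /etc/crypttab)" "$(blkid)" "$(cat /etc/fstab)"` from inside the chroot.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check /etc/crypttab and
# /etc/fstab against `blkid` output before running update-initramfs.

crypttab_check() {
    # $1 crypttab text, $2 blkid text, $3 fstab text.
    # Problems go to stderr; the number of problems is printed on stdout.
    errors=0
    while read -r target source key opts; do
        case "$target" in ''|\#*) continue ;; esac
        case "$source" in
        UUID=*)
            uuid=${source#UUID=}
            line=$(printf '%s\n' "$2" | grep -F "UUID=\"$uuid\"" || true)
            if [ -z "$line" ]; then
                echo "$target: UUID $uuid not reported by blkid" >&2
                errors=$((errors + 1))
            elif ! printf '%s\n' "$line" | grep -q 'TYPE="crypto_LUKS"'; then
                echo "$target: UUID $uuid belongs to the inner file system, not the LUKS container: $line" >&2
                errors=$((errors + 1))
            fi
            if [ "$key" = /dev/urandom ]; then
                echo "$target: a random-key volume must not be referenced by UUID (its contents change every boot)" >&2
                errors=$((errors + 1))
            fi
            ;;
        esac
        if [ "$key" = /dev/urandom ]; then
            case ",$opts," in
            *,swap,*) ;;
            *) echo "$target: random-key volume without the swap option will not be mkswap'ed at boot" >&2
               errors=$((errors + 1)) ;;
            esac
        fi
    done <<EOF
$1
EOF
    # fstab must not mount a /dev/mapper device that crypttab never creates
    for dev in $(printf '%s\n' "$3" | awk '$1 ~ "^/dev/mapper/" {print $1}'); do
        name=${dev#/dev/mapper/}
        if ! printf '%s\n' "$1" | awk -v n="$name" '$1 == n {f = 1} END {exit !f}'; then
            echo "fstab mounts $dev but crypttab has no target \"$name\"" >&2
            errors=$((errors + 1))
        fi
    done
    echo "$errors"
}

# Constructed sample data; the UUIDs are the example values used in the article.
BLKID_SAMPLE='/dev/sda7: UUID="81048598-5bb9-4a53-af92-f3f9e709e2f2" TYPE="crypto_LUKS" PARTUUID="0332d73c-07"
/dev/mapper/sda7_crypt: LABEL="DebSHIFR" UUID="382111a2-f993-403c-aa2e-292b5eac4780" TYPE="ext4"
/dev/sda8: PARTUUID="0332d73c-08"'

CRYPTTAB_OK='# target  source  keyfile  options
sda7_crypt UUID=81048598-5bb9-4a53-af92-f3f9e709e2f2 none luks
swap /dev/sda8 /dev/urandom swap,cipher=twofish-xts-plain64,size=512,hash=sha512'

# Two classic mistakes: the ext4 UUID for the root, and swap without "swap".
CRYPTTAB_BAD='sda7_crypt UUID=382111a2-f993-403c-aa2e-292b5eac4780 none luks
swap /dev/sda8 /dev/urandom cipher=twofish-xts-plain64,size=512,hash=sha512'

FSTAB_SAMPLE='/dev/mapper/sda7_crypt / ext4 errors=remount-ro 0 1
/dev/mapper/swap none swap sw 0 0'
```

With the good sample the function prints 0; with the bad one it prints 2 and names both problems on stderr. It deliberately does not check that the key file exists, because inside the chroot the path is the same as at boot only once the file has been packed into the initrd (B4.5.4).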
B4.5. Editing configuration files

B4.5.1. Editing the /etc/initramfs-tools/conf.d/resume config

    # If a swap partition was previously activated for hibernation, disable it.
    nano /etc/initramfs-tools/conf.d/resume

and comment out (if present) the "RESUME=..." line with "#". The file should be completely empty (the equivalent explicit setting is RESUME=none). Otherwise the initramfs waits for a resume device that a random-key swap can never provide.

B4.5.2. Editing the /etc/initramfs-tools/conf.d/cryptsetup config

    nano /etc/initramfs-tools/conf.d/cryptsetup

it must contain:

    # /etc/initramfs-tools/conf.d/cryptsetup
    CRYPTSETUP=yes
    export CRYPTSETUP

B4.5.3. Editing the /etc/default/grub config (this config is responsible for the ability to generate grub.cfg when working with an encrypted /boot)

    nano /etc/default/grub

add the line GRUB_ENABLE_CRYPTODISK=y
With the value 'y', grub-mkconfig and grub-install check for encrypted disks and generate the additional commands required to access them at boot (the insmod cryptodisk/luks lines and cryptomount).
The result should look like:

    GRUB_DEFAULT=0
    GRUB_TIMEOUT=10
    GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
    GRUB_CMDLINE_LINUX_DEFAULT="acpi_backlight=vendor"
    GRUB_CMDLINE_LINUX="quiet splash noautomount"
    GRUB_ENABLE_CRYPTODISK=y

B4.5.4. Editing the /etc/cryptsetup-initramfs/conf-hook config

    nano /etc/cryptsetup-initramfs/conf-hook

Check that the other parameter present in this file stays commented out with "#": for this setup it has no effect, but when active it sometimes gets in the way of rebuilding initrd.img.
Add:

    KEYFILE_PATTERN="/etc/skey"
    UMASK=0077

This packs the "skey" secret key into initrd.img; the key is needed to unlock the root at OS boot (if you do not want to re-enter the password, "skey" is substituted automatically). UMASK=0077 makes the resulting initrd.img readable by root only, which is essential: anyone who can read the initrd can read the key, which is also why /boot itself must be encrypted in this scheme.

B4.6. Updating /boot/initrd.img to the current version

To pack the secret key into initrd.img and apply the cryptsetup changes, rebuild the image:

    update-initramfs -u

When initrd.img is rebuilt, warnings related to cryptsetup may appear (as they say, "possibly, but not for certain"), or for example a notice about missing Nvidia modules; this is normal. After the update, check that the file was act ually rebuilt (relative to the chroot) by looking at the timestamp of /boot/initrd.img, and confirm that the key is inside it:

    ls -l /boot/initrd.img*
    lsinitramfs /boot/initrd.img-<kernel version> | grep -w skey

At this step, editing the configuration files is complete.
[C] Installing and configuring GRUB2, the easy configuration

C1. If necessary, format the partition dedicated to the boot loader (a partition of at least 20 MB is enough)

    mkfs.ext4 -v -L GRUB2 /dev/sda6

C2. Mounting /dev/sda6 at /mnt

Since we are working in the chroot, the /mnt2 directory is not at the root, and the /mnt folder is empty.
Mount the GRUB2 partition:

    mount /dev/sda6 /mnt

If an old version of GRUB2 is installed and the /mnt/boot/grub/i386-pc directory (another platform is possible, e.g. not "i386-pc") contains no crypto modules (in short, the folder should contain, among others, these .mod files: cryptodisk, luks, gcry_twofish, gcry_sha512, signature_test), then GRUB2 needs to be upgraded.

    apt-get update
    apt-get install grub2

Important! When the GRUB2 package is upgraded from the repository and asks where to install the bootloader, decline the installation (the reason: it would try to install GRUB2 into the MBR or onto the live USB). Otherwise you will damage the VeraCrypt header/bootloader. After upgrading the GRUB2 packages and declining that installation, install the bootloader manually onto the logical drive, not into the MBR. If your repository has an outdated GRUB2, try updating it from the official site; I did not check this (I worked with recent GRUB2 beta loaders).

C3. Installing GRUB2 onto the logical drive "sda6"

You must have the partition from C2 mounted.

    grub-install --force --root-directory=/mnt /dev/sda6

Options:

* --force: install the bootloader bypassing the warnings that almost always appear and block installation onto a partition (a required flag here; GRUB warns that block-list embedding is unreliable);
* --root-directory: install the boot directory under the sda6 root (newer GRUB versions prefer the equivalent --boot-directory=/mnt/boot);
* /dev/sda6: your sdaX partition (do not miss the space between /mnt and /dev/sda6).

C4. Creating the configuration file grub.cfg

Forget about the update-grub2 command and use the full command to generate the configuration file:

    grub-mkconfig -o /mnt/boot/grub/grub.cfg

When the generation/update of grub.cfg finishes, the terminal output should contain lines with the operating systems found on the disk ("grub-mkconfig" will probably also find and pick up the OSes from the live USB; if you have a multiboot flash drive with Windows 10 and a bunch of live distributions, that is normal). If the terminal is "empty" and grub.cfg is not generated, this is the case where GRUB is buggy (most likely a bootloader from the repository's testing branch): reinstall GRUB2 from trusted sources.
The "easy configuration" installation and setup of GRUB2 is complete.
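An added check for C2 and C4, not from the original article, in POSIX shell: after grub-install and grub-mkconfig, confirm that the GRUB2 partition really carries what an encrypted /boot needs, the crypto modules listed in C2 and a grub.cfg that cryptomounts the sda7 LUKS container. grub-mkconfig writes the UUID without dashes (`cryptomount -u <hex>`), which is why the expected UUID is normalised first. The paths follow the article (GRUB partition mounted at /mnt, i386-pc platform); the directory tree the demo builds is a constructed stand-in, not a real installation.

```shell
#!/bin/sh
# Added example, not from the original article: verify the GRUB2 partition
# after grub-install / grub-mkconfig for an encrypted /boot.

GRUB_CRYPTO_MODS="cryptodisk luks gcry_twofish gcry_sha512"

grub_crypto_check() {
    # $1 = mount point of the GRUB2 partition (e.g. /mnt)
    # $2 = UUID of the LUKS container (blkid form, with dashes)
    # $3 = GRUB platform directory, default i386-pc
    # Problems go to stderr; their number is printed on stdout.
    root=$1
    uuid=$(printf '%s' "$2" | tr -d '-' | tr 'A-F' 'a-f')
    platform=${3:-i386-pc}
    problems=0
    for m in $GRUB_CRYPTO_MODS; do
        if [ ! -f "$root/boot/grub/$platform/$m.mod" ]; then
            echo "missing $platform/$m.mod: GRUB cannot unlock the volume at boot" >&2
            problems=$((problems + 1))
        fi
    done
    cfg=$root/boot/grub/grub.cfg
    if [ ! -f "$cfg" ]; then
        echo "no $cfg: run grub-mkconfig -o $cfg" >&2
        problems=$((problems + 1))
    else
        if ! grep -q 'insmod cryptodisk' "$cfg"; then
            echo "$cfg never loads cryptodisk: check GRUB_ENABLE_CRYPTODISK=y in /etc/default/grub" >&2
            problems=$((problems + 1))
        fi
        if ! grep -q "cryptomount -u $uuid" "$cfg"; then
            echo "$cfg does not cryptomount $uuid: was grub-mkconfig run against the encrypted /boot?" >&2
            problems=$((problems + 1))
        fi
    fi
    echo "$problems"
}

# Builds a constructed GRUB partition layout under $1 for the demo/test.
make_demo_grub_tree() {
    mkdir -p "$1/boot/grub/i386-pc"
    for m in $GRUB_CRYPTO_MODS; do : > "$1/boot/grub/i386-pc/$m.mod"; done
    cat > "$1/boot/grub/grub.cfg" <<'EOF'
# constructed fragment in the shape grub-mkconfig emits for an encrypted /boot
insmod cryptodisk
insmod luks
insmod gcry_twofish
insmod gcry_sha512
cryptomount -u 810485985bb94a53af92f3f9e709e2f2
EOF
}

if [ -n "${1:-}" ]; then
    grub_crypto_check "$1" "$2" "$3"
fi
```

On the real system: `sh grubcheck.sh /mnt 81048598-5bb9-4a53-af92-f3f9e709e2f2` inside the chroot with sda6 mounted at /mnt; a result of 0 means the loader has both the modules and the cryptomount line it needs, and anything else is worth fixing before the reboot in C5.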
3r32089.  
C5. Proof-test of the encrypted GNU/Linux OS

Finish the crypto-mission correctly. Carefully leave the encrypted GNU/Linux (exit the chroot environment):

    umount -a        # unmount all partitions mounted inside the encrypted GNU/Linux
    Ctrl + d         # exit chroot
    umount /mnt/dev
    umount /mnt/proc
    umount /mnt/sys
    umount -a        # unmount all partitions mounted on the live usb
    reboot

After the PC restarts, the VeraCrypt bootloader should load.

* Entering the password for the active partition starts loading Windows.
* Pressing the "Esc" key transfers control to GRUB2; when you select the encrypted GNU/Linux you will need the password (sda7_crypt) to unlock /boot/initrd.img.
* Depending on how you set up the system (see 4.4/4.5), after entering the password that unlocks /boot/initrd.img you will either need a password to boot the kernel/OS root, or the secret key "skey" will be substituted automatically, eliminating the need to re-enter the passphrase.

(screenshot: "automatic substitution of the secret key")

* Next comes the familiar GNU/Linux boot process with user account authentication.
* After the user logs into the OS, re-update /boot/initrd.img (see 4.6):

    update-initramfs -u

If there are extra lines in the GRUB2 menu (from OSes picked up from the live usb), get rid of them:

    mount /dev/sda6 /mnt
    grub-mkconfig -o /mnt/boot/grub/grub.cfg

Summary of GNU/Linux system encryption:

* GNU/Linux is fully encrypted, including /boot, the kernel and the initrd;
* the private key is packed into initrd.img;
* the current authorization scheme is: enter the password to unlock the initrd; password/key to boot the OS; password to log into the Linux account.

"Simple configuration GRUB2" block system encryption is complete.

C6. Advanced configuration of GRUB2. Bootloader protection with a digital signature + authentication protection

GNU/Linux is completely encrypted, but the bootloader cannot be encrypted: this condition is dictated by the BIOS. For this reason, chain-loading an encrypted GRUB2 is not possible; simple chain loading is possible/available, but from the point of view of protection [see section F] it is unnecessary.
For the "vulnerable" GRUB2 the developers implemented a signature/authentication protection of the bootloader:

* When the bootloader is protected with "its own digital signature", an external modification of the files, or an attempt to load additional modules into this bootloader, blocks the boot process.
* When the bootloader is protected with authentication, you have to enter the login and password of the GRUB2 superuser in order to select the boot of any distribution or to enter additional commands in the CLI.

C6.1. Bootloader protection with authentication

Check that you are working in a terminal of the encrypted OS:

    ls /   # look for the marker file

Create a superuser password for authorization in GRUB2:

    grub-mkpasswd-pbkdf2   # enter/re-enter the superuser password

You get a password hash, something like:

    grub.pbkdf2.sha???.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8

Mount the GRUB partition:

    mount /dev/sda6 /mnt

Edit the config:

    nano /mnt/boot/grub/grub.cfg

Search the file and check that the "--unrestricted" and "--user" flags do not appear anywhere in grub.cfg, then add at the very end (before the line ### END /etc/grub.d/41_custom ###):

    set superusers="root"
    password_pbkdf2 root <hash>

It should look something like this:

    # This file provides custom menu entries. Simply type the
    # menu entries you want to add after this comment. Be careful not to change
    # the 'exec tail' line above.
    ### END /etc/grub.d/40_custom ###

    ### BEGIN /etc/grub.d/41_custom ###
    if [ -f ${config_directory}/custom.cfg ]; then
      source ${config_directory}/custom.cfg
    elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
      source $prefix/custom.cfg;
    fi
    set superusers="root"
    password_pbkdf2 root grub.pbkdf2.sha???.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
    ### END /etc/grub.d/41_custom ###
    #

If you often run "grub-mkconfig -o /mnt/boot/grub/grub.cfg" and do not want to edit grub.cfg each time, put the lines above (login/password) at the very bottom of the GRUB user script:

    nano /etc/grub.d/41_custom

    cat <<EOF
    set superusers="root"
    password_pbkdf2 root grub.pbkdf2.sha???.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
    EOF

When the config is generated with "grub-mkconfig -o /mnt/boot/grub/grub.cfg", the lines responsible for authentication are then added to grub.cfg automatically.

In this step, the configuration of GRUB2 authentication is complete.

C6.2. Protecting the bootloader with a digital signature

It is assumed that you already have a personal PGP key (or you create one). Cryptographic software must be installed in the system: GnuPG; Kleopatra/GPA; Seahorse. This crypto software greatly simplifies life in all such cases. The stable version of the Seahorse package is ??? (the versions above it, for example V???, are inferior and have significant bugs).

The PGP key must be generated/launched/added only in the su environment!

Generate a personal key:

    gpg --gen-key

Export your key:

    gpg --export -o ~/perskey

Mount the logical partition in the OS if it is not mounted:

    mount /dev/sda6 /mnt   # sda6 - the GRUB2 partition

Clean the GRUB2 partition:

    rm -rf /mnt/*

Install GRUB2 on sda6, embedding your personal key into the main GRUB image "core.img":

    grub-install --force --modules="gcry_sha256 gcry_sha512 signature_test gcry_dsa gcry_rsa" -k ~/perskey --root-directory=/mnt /dev/sda6

Options:

* --force - install the bootloader bypassing the warnings that always appear (required flag).
* --modules="gcry_sha256 gcry_sha512 signature_test gcry_dsa gcry_rsa" - instructs GRUB2 to preload the required modules when the PC starts.
* -k ~/perskey - the path to the "PGP key" (after the key is packed into the image, the file can be deleted).
* --root-directory - install the boot directory into the root of sda6.
* /dev/sda6 is your sdaX partition.

Generate/update grub.cfg:

    grub-mkconfig -o /mnt/boot/grub/grub.cfg

Add the line "trust /boot/grub/perskey" to the end of grub.cfg (this forces the use of the PGP key). Since we installed GRUB2 with a set of modules that includes the signature module "signature_test.mod", there is no need to add commands like "set check_signatures=enforce" to the config.

It should look something like this (the last lines of grub.cfg):

    ### BEGIN /etc/grub.d/41_custom ###
    if [ -f ${config_directory}/custom.cfg ]; then
      source ${config_directory}/custom.cfg
    elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
      source $prefix/custom.cfg;
    fi
    trust /boot/grub/perskey
    set superusers="root"
    password_pbkdf2 root grub.pbkdf2.sha???.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8
    ### END /etc/grub.d/41_custom ###
    #

The path "/boot/grub/perskey" does not need to point to a specific disk partition (for example hd??): for the bootloader itself, "root" defaults to the partition on which GRUB2 is installed (see "set root=").

Sign GRUB2 (every file in every directory under /grub) with your key "perskey".
A simple way to sign (for the Nautilus/Caja file manager): install the "seahorse" extension for the file manager from the repository. The key must be added under su.
Open the file manager with sudo at "/mnt/boot", right-click a file and choose sign. On screen it looks like this:

(screenshot)

The key itself, "/mnt/boot/grub/perskey" (copy it into the grub directory), must also be signed with its own signature. Check that the [*.sig] signature files appear in the directory/subdirectories.
In the same way, sign "/boot" (our kernel, initrd). If your time is worth something, this method saves you from writing a bash script to sign "multiple files".

To remove all bootloader signatures (if something went wrong):

    rm -f $(find /mnt/boot/grub -type f -name '*.sig')

So that you do not have to re-sign the bootloader after every system update, hold all packages related to GRUB2:

    apt-mark hold grub-common grub-pc grub-pc-bin grub2 grub2-common

In this step, the "bootloader protection with a digital signature" advanced configuration of GRUB2 is complete.

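The signing step and the "every file has its .sig" check described above, written as a small POSIX shell script; this is an added example, not the article's own code nor a GRUB or Seahorse tool. It assumes gpg is in PATH, that KEYID identifies the "perskey" key in the su keyring, and that the tree argument is the mounted GRUB partition (for example /mnt/boot/grub); perskey itself is a regular file in that tree, so it gets signed like the rest.

```shell
#!/bin/sh
# Added example (not from the article): detached-sign a GRUB tree, list files
# that still lack a signature, and verify the signed ones from the running OS.
# Assumes: gpg in PATH, KEYID = id or e-mail of the "perskey" key.

# sign_tree DIR KEYID: write FILE.sig beside every regular file that has none.
# GRUB's signature check looks for exactly "FILE.sig" next to "FILE".
sign_tree() {
    dir=$1; keyid=$2
    find "$dir" -type f ! -name '*.sig' | while IFS= read -r f; do
        [ -e "$f.sig" ] && continue
        gpg --batch --yes --local-user "$keyid" --detach-sign --output "$f.sig" "$f"
    done
}

# find_unsigned DIR: print every regular file that has no FILE.sig beside it
# (one path per line, sorted). Empty output means the tree is fully signed.
find_unsigned() {
    find "$1" -type f ! -name '*.sig' | sort | while IFS= read -r f; do
        [ -e "$f.sig" ] || printf '%s\n' "$f"
    done
}

# unsigned_count DIR: number of unsigned files, as a plain integer.
unsigned_count() {
    find_unsigned "$1" | wc -l | tr -d ' '
}

# verify_tree DIR: gpg --verify every FILE.sig against FILE. A file rewritten
# after signing (or a signature that no longer matches) is reported and the
# function returns 1; a fully valid tree returns 0.
verify_tree() {
    bad=$(find "$1" -type f -name '*.sig' | while IFS= read -r sig; do
        gpg --batch --verify "$sig" "${sig%.sig}" >/dev/null 2>&1 \
            || printf '%s\n' "${sig%.sig}"
    done)
    [ -z "$bad" ] && return 0
    printf 'BAD SIGNATURE:\n%s\n' "$bad"
    return 1
}

# Typical use after C6.2, as root:
#   sign_tree /mnt/boot/grub you@example.org    # hypothetical key id
#   find_unsigned /mnt/boot/grub                 # must print nothing
#   verify_tree /mnt/boot/grub                   # 0 = all signatures valid
```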
C6.3. Proof-test of the GRUB2 bootloader protected with a digital signature and authentication

GRUB2: when choosing a GNU/Linux distro or entering the CLI (command line), superuser authorization is required. After entering the correct username/password you will need the password for the initrd.

(screenshot: successful authentication of the GRUB2 superuser)

If you forge any of the GRUB2 files, make changes to grub.cfg, delete a file or a signature, or load a foreign .mod module, a corresponding warning appears and the GRUB2 boot stops.

(screenshot: an attempt to intervene in GRUB2 "from the outside")

With a "normal" boot "without intrusion", the exit status of the system is "0". Therefore it is not possible to tell whether the protection is working (that is, with or without signature protection of the bootloader, during a normal boot the status is the same "0" - this is bad).

How to check the digital signature protection?

The inconvenient way: forge/delete a GRUB2 module that is in use, for example delete the signature luks.mod.sig, and get an error.

The correct way: go to the bootloader CLI and type the command

    list_trusted

In response you should get the fingerprint of "perskey"; if the response is empty ("0"), signature protection is not working, so recheck C6.2.

In this step, the advanced setup "Protection of GRUB2 with a digital signature and authentication" is complete.

[D] Wiping - the destruction of unencrypted data

Delete your personal files so completely that "even God cannot read them", as South Carolina's Trey Gowdy put it.

As usual, there are various "myths and legends" about restoring data after it has been deleted from a hard disk. If you believe the cyber-community, or you are a member of the Dr.Web community and have never tried to restore data after deleting/overwriting it (for example, restoring with R-Studio), then the proposed method is unlikely to suit you; use what is closer to you.
After GNU/Linux has been successfully transferred to the encrypted partition, the old copy must be deleted without the possibility of data recovery. A universal cleaning method: the free GUI software BleachBit for Windows/Linux.
Quickly format the partition whose data you want to destroy (using GParted), run BleachBit, select "Wipe Free Space", select the partition (your sdaX with the previous copy of GNU/Linux), and the wiping process starts. BleachBit wipes the disk in one pass, which is what "we need".

In this step, "disk cleaning" is complete.

[E] Universal backup of the encrypted OS

Each user has their own method of data backup, but the encrypted data of a "system OS" requires a slightly different approach to the task. Unified software such as Clonezilla and the like cannot work directly with encrypted data.

Requirements for backing up encrypted block devices:

1) universality - the same algorithm/backup software for Windows/Linux;
2) the ability to work in the console from any GNU/Linux live usb without downloading additional software (though a GUI is still recommended);
3) backup security - the stored "images" must be encrypted/password-protected;
4) the size of the encrypted data must match the size of the real data copied;
5) convenient extraction of the necessary files from the backup (no requirement to decrypt the entire partition first).

For example, backup/restore through the "dd" utility:

    dd if=/dev/sda7 of=/path/sda7.img bs=7M conv=sync,noerror
    dd if=/path/sda7.img of=/dev/sda7 bs=7M conv=sync,noerror

This meets almost all items of the task, but fails item 4, since it copies the entire disk partition as a whole, including free space. Not interesting.

For example, a backup copy of GNU/Linux through the tar archiver: convenient, but for a Windows backup you would have to look for another solution. Not interesting.

E1. Backup of Windows/Linux. The combination rsync + VeraCrypt volume

The backup algorithm:

1) create an encrypted VeraCrypt container (volume/file) for the OS;
2) transfer/synchronize the OS into the VeraCrypt container using rsync;
3) if necessary, upload the VeraCrypt volume to the web.

Creating an encrypted VeraCrypt container has its own peculiarities:

* creating a dynamic volume (creation of a dynamic volume is available only in Windows; it can then be used in GNU/Linux);
* creating a regular volume, but with a requirement of a "paranoid nature" (according to the developer): the container is formatted.

A dynamic volume is created almost instantly in Windows, but when data is copied from GNU/Linux into a VeraCrypt dynamic volume, the performance of the backup operation drops significantly.
A regular Twofish volume of 70 GB is created on an HDD (say, on an average PC) in about half an hour (the former container data is overwritten in a single pass, due to security requirements). VeraCrypt for Windows/Linux removed the quick-format option for volume creation, so a container can only be created through "overwriting in one pass" or by creating a low-performance dynamic volume.

Create a regular (not dynamic) VeraCrypt volume; no problems should arise.
Configure/create/open the container in the VeraCrypt GUI on the GNU/Linux live usb (the volume is automounted at /media/veracrypt<N>; the Windows OS volume is mounted at /media/veracrypt1). Create an encrypted backup of Windows with the rsync GUI (grsync) by ticking the options shown.

(screenshot)

Wait until the process ends. On completion of the backup we have one encrypted file.
Similarly, create a backup of GNU/Linux, unticking "Windows compatibility" in the rsync GUI.

All operations can be carried out in the terminal. rsync options:

* -g - preserve groups;
* -P, --progress - show progress per file;
* -H - copy hard links as is;
* -a - archive mode (equivalent to the rlptgoD flags);
* -v - verbose.

If you want to mount the "Windows VeraCrypt volume" through the console with cryptsetup, you can create an alias (as su):

    echo "alias veramount='cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sdaX Windows_crypt && mount /dev/mapper/Windows_crypt /media/veracrypt1'" >> ~/.bashrc && bash

Now, with the "veramount" command, you will be prompted for a passphrase and the encrypted Windows system volume will be mounted in the OS.

Map/mount the VeraCrypt system volume with cryptsetup:

    cryptsetup open --veracrypt --tcrypt-system --type tcrypt /dev/sdaX Windows_crypt
    mount /dev/mapper/Windows_crypt /mnt

Map/mount a VeraCrypt partition/container with cryptsetup:

    cryptsetup open --veracrypt --type tcrypt /dev/sdaY test_crypt
    mount /dev/mapper/test_crypt /mnt

Do not forget to back up the encrypted partitions of the Windows/Linux OS separately as well.

In this step, the backup of the encrypted OS is complete.

[F] Attack on the GRUB2 bootloader

If you have protected your bootloader with a digital signature and/or authentication (see C6), this will not protect against physical access. The encrypted data will still be inaccessible, but bypassing the protection (resetting the digital signature protection) of GRUB2 allows a cyber-villain to inject code into the bootloader without arousing suspicion (unless the user manually monitors the status of the bootloader or devises strong arbitrary script code of their own for grub.cfg).

Attack algorithm. The attacker:

* Boots the PC from a live usb. Any change to the files by the offender would cause the real PC owner to be notified of the intrusion into the bootloader. But a simple reinstallation of GRUB2 that preserves grub.cfg (with the subsequent possibility of editing it) lets the attacker edit any files. (In this situation, when GRUB2 loads, the real user will not be notified: the status is the same "0".)
* Mounts the unencrypted partition and saves "/mnt/boot/grub/grub.cfg".
* Reinstalls the bootloader (throwing "perskey" out of the core.img image):

    grub-install --force --root-directory=/mnt /dev/sda6

* Puts "grub.cfg" back to "/mnt/boot/grub/grub.cfg" and edits it if necessary, for example adding its own module "keylogger.mod" to the folder with the bootloader modules and the line "insmod keylogger" to "grub.cfg". Or, if the enemy is cunning, after reinstalling GRUB2 (all signatures remain in place) it assembles the main GRUB2 image with "grub-mkimage" and its -c option. The -c option lets you load your own config before the main "grub.cfg" is loaded. That config can consist of just one line: a redirect to some "modern.cfg" mixed in with, for example, the ~400 files (modules + signatures) in the folder "/boot/grub/i386-pc". In this case the intruder can enter arbitrary code and load modules without touching "/boot/grub/grub.cfg", even if the user has taken a "hashsum" of that file and temporarily displays it on the screen.
The attacker does not need to crack the GRUB2 superuser login/password; it is enough to copy the lines responsible for authentication from "/boot/grub/grub.cfg" into "modern.cfg":

    set superusers="root"
    password_pbkdf2 root grub.pbkdf2.sha???.DE10E42B01BB6FEEE46250FC5F9C3756894A8476A7F7661A9FFE9D6CC4D0A168898B98C34EBA210F46FC10985CE28277D0563F74E108FCE3ACBD52B26F8BA04D.27625A4D30E4F1044962D3DD1C2E493EF511C01366909767C3AF9A005E81F4BFC33372B9C041BE9BA904D7C6BB141DE48722ED17D2DF9C560170821F033BCFD8

And for the PC owner, the GRUB2 authentication of the root user will still appear valid.

Chain loading (one bootloader loads another), as stated above, does not make sense here (it is intended for another purpose). Because of the BIOS you cannot load an encrypted bootloader (with chain loading, GRUB2 restarts into an encrypted GRUB2: an error!). However, if you still make use of the chain-loading idea, you can be sure that it is the encrypted (not tampered) "grub.cfg" from the encrypted partition that is loaded. But this too is a false sense of security, because everything listed in the encrypted "grub.cfg" (module loading) is added on top of the modules already loaded by the unencrypted GRUB2.

If you want to check this, choose/encrypt another partition sdaY, copy GRUB2 to it (a grub-install operation onto an encrypted partition is impossible) and in "grub.cfg" (the unencrypted config) change the lines like this:

    menuentry 'GRUBX2' --class parrot --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-382111a2-f993-403c-aa2e-292b5eac4780' {
        load_video
        insmod gzio
        if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
        insmod part_msdos
        insmod cryptodisk
        insmod luks
        insmod gcry_twofish
        insmod gcry_sha512
        insmod ext2
        cryptomount -u 15c47d1c4bd34e5289df77bcf60ee838
        set root='cryptouuid/15c47d1c4bd34e5289df77bcf60ee838'
        normal /boot/grub/grub.cfg
    }

Lines:

* insmod - loads the modules needed to work with the encrypted disk;
* GRUBx2 - the name of the line shown in the menu;
* cryptomount -u 15c47d1c4bd34e5289df77bcf60ee838 - the UUID of the encrypted partition, see fdisk -l (sda9);
* set root - sets the root;
* normal - the grub.cfg configuration file on the encrypted partition.

The confidence that it is the encrypted "grub.cfg" being loaded comes from the password prompt that unlocks "sdaY" when the "GRUBx2" line is selected in the GRUB menu.

To avoid confusion when working in the CLI (and to check that the "set root" environment variable took effect), create empty marker files, for example "/shifr_grub" on the encrypted partition and "/noshifr_grub" on the unencrypted one. Check in the CLI:

    cat /<Tab><Tab>

As noted above, this does not help against the loading of malicious modules if such modules are already on your PC: for example a keylogger that saves keystrokes to a file, mixed in with the other files in "~/i386", until the attacker retrieves it with physical access to the PC.

The easiest way to verify that digital signature protection is actually active (not reset) and that nobody has invaded the bootloader is to type in the CLI:

    list_trusted

In response we get the fingerprint of our perskey, or nothing if we have been attacked (also check "set check_signatures=enforce").
The significant downside of this step is that the command has to be typed manually. If you add this command to "grub.cfg" and protect it with a digital signature, the key fingerprint is shown on screen only briefly before GRUB2 continues booting, and you may not have time to see it.
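The "manual monitoring of the bootloader status" mentioned above, done from the running encrypted OS instead of at the GRUB prompt, as an added example that is not part of the article: a baseline of the pieces that a plain grub-install rewrites (the partition boot sector, core.img) plus grub.cfg, compared on every boot. It assumes coreutils (dd, sha256sum), the GRUB partition device (/dev/sda6 in this article) and the mounted grub directory; keep the baseline file on the encrypted root, never on the GRUB partition.

```shell
#!/bin/sh
# Added example (not from the article). A reinstall of GRUB2 without "-k" keeps
# grub.cfg and every .sig file in place, so the signature check stays silent; it
# does, however, rewrite the partition boot sector (boot.img) and core.img.
# Recording their hashes once, and comparing from the encrypted OS at each
# boot, makes that change visible. Assumes: dd, sha256sum, mktemp, grep.

# grub_baseline DEVICE GRUBDIR OUTFILE
#   DEVICE  - the GRUB partition, e.g. /dev/sda6 (the article's layout)
#   GRUBDIR - its mounted grub directory, e.g. /mnt/boot/grub
#   OUTFILE - baseline to write, one "name sha256" line per item
grub_baseline() {
    dev=$1; gdir=$2; out=$3
    {
        # first 512 bytes of the partition: boot.img written by grub-install
        printf 'pbr %s\n' "$(dd if="$dev" bs=512 count=1 2>/dev/null | sha256sum | cut -d' ' -f1)"
        # core.img carries the embedded public key; grub.cfg carries trust/superusers
        for f in i386-pc/core.img grub.cfg; do
            printf '%s %s\n' "$f" "$(sha256sum < "$gdir/$f" | cut -d' ' -f1)"
        done
    } > "$out"
}

# grub_check DEVICE GRUBDIR BASELINE
#   Recomputes the baseline and prints "CHANGED: <name>" for every item whose
#   hash differs from BASELINE. Returns 0 when nothing changed, 1 otherwise.
grub_check() {
    dev=$1; gdir=$2; base=$3
    tmp=$(mktemp)
    grub_baseline "$dev" "$gdir" "$tmp"
    # lines of the fresh baseline that do not appear verbatim in the stored one
    changed=$(grep -vxF -f "$base" "$tmp" | cut -d' ' -f1)
    rm -f "$tmp"
    [ -z "$changed" ] && return 0
    printf 'CHANGED: %s\n' $changed   # unquoted on purpose: one line per item
    return 1
}

# Typical use, as root, with the GRUB partition mounted at /mnt:
#   grub_baseline /dev/sda6 /mnt/boot/grub /root/grub.baseline   # once, after C6.2
#   grub_check    /dev/sda6 /mnt/boot/grub /root/grub.baseline   # at every boot
```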
There is really nobody to complain to: the developer states officially in the documentation (section 18.2) that GRUB's password and signature features do not by themselves make a secure boot chain.
GRUB2 is overloaded with functions that can give a false sense of security; its development has already outpaced the functionality of MS-DOS, and it is just a bootloader. It is funny that "tomorrow" GRUB2 could become an OS, with GNU/Linux as virtual machines loaded under it.

A short video of how I reset the GRUB2 digital signature protection and announced my intrusion to the real user (as a scare; instead of what is shown in the video, one could write non-innocuous arbitrary code/.mod).

Conclusions:

1) Block system encryption for Windows is easier to implement, and protection with a single password is more secure than protection with multiple passwords in GNU/Linux block system encryption.
2) The article was written as a guide to Windows/GNU/Linux system encryption. Therefore it does not cover some interesting chapters: about cryptographers who disappear/are kept in the shadows, about the fact that various GNU/Linux books do not write about encryption, about Article 51 of the RF Constitution, and about why the /boot root needs to be encrypted. The article has already turned out sizeable.
3) System encryption was performed on Windows ???; GNU/Linux Parrot 4x; GNU/Debian 9.5.

[G] Useful documentation

* TrueCrypt User Guide (February 2012, RU)
* VeraCrypt documentation
* /usr/share/doc/cryptsetup (local resource; the official detailed documentation for setting up GNU/Linux encryption with cryptsetup)
* The official cryptsetup FAQ (brief documentation on configuring GNU/Linux encryption with cryptsetup)
* Device encryption with LUKS (Arch Linux documentation)
* Detailed cryptsetup syntax (Arch manual page)
* Detailed description of crypttab (Arch manual page)
* Official GRUB2 documentation
