CryptoAPI.txt hint

Christophe Devine devine at
Sat Oct 19 09:16:31 PDT 2002

TITLE:		Encrypted Filesystem Howto
AUTHOR:		Christophe Devine <devine at>

	Make your personal data secure by building your LFS system
	inside a filesystem encrypted with strong cryptography.



    0. Changelog

    1. Setting up the partition layout

    2. Enabling strong crypto in your current system
        2.1. Installing Linux-2.4.19
        2.2. Installing util-linux-2.11r

    3. Creating the encrypted partition

    4. Building the LFS system

    5. Setting up the boot partition

    6. Setting up the bootscripts

    0. Changelog

        2002-10-19 - first version of the cryptoapi hint released

    1. Setting up the partition layout

Your hard disk should have at least three partitions:

  - one small (~8 MB) unencrypted partition (let's say hda1), holding the
    kernel and a minimal loader that asks for the passphrase and mounts
    your encrypted partition.

  - the encrypted partition holding the LFS system (hda2).

  - other temporary partitions for the host distribution.

    2. Enabling strong crypto in your current system

The host distribution you're using needs to have strong cryptography
support, which is probably not the case. Therefore, you must recompile
your kernel and parts of util-linux.

        2.1. Installing Linux-2.4.19

If necessary, download and unpack the kernel sources:

$ wget --passive-ftp -q -O - | bzip2 -d -c | tar -xv

Then download and apply the CryptoAPI patch (also known as the
International Kernel patch), maintained by Herbert Valerio Riedel :

$ cd linux-2.4.19
$ wget --passive-ftp -q -O - | bzip2 -d -c | patch -Np1

While configuring your kernel, the following options must be enabled :

    Block devices  --->

    <*> Loopback device support

    Cryptography support (CryptoAPI)  --->

    <*> CryptoAPI support (NEW)
    [*] Cipher Algorithms
    --- 128 bit blocksize
    <*>  Serpent cipher (NEW)
    <*>  Twofish cipher (NEW)
    [*] Crypto Devices
    <*>  Loop Crypto support
    [*]   Loop IV hack
Only two ciphers have been selected above. You may also want to select AES
(aka Rijndael); note, however, that the Twofish team argued that Rijndael
has a smaller security margin than the two other AES finalists selected
here (Twofish and Serpent). For more information, see:

    The Twofish Team's Final Comments on AES Selection

Now compile and install your kernel, then reboot.
You can make sure the crypto ciphers are properly loaded :

$ ls /proc/crypto/cipher/
serpent-cbc  serpent-cfb  serpent-ecb  twofish-cbc  twofish-cfb  twofish-ecb

        2.2. Installing util-linux-2.11r

The losetup program, which is part of the util-linux package, must be
patched and recompiled in order to add strong crypto support :

$ wget --passive-ftp -q -O - | bzip2 -d -c | tar -xv

$ cd util-linux-2.11r/

$ wget --passive-ftp -q -O - | bzip2 -d -c | patch -Np1

$ ./configure && make lib mount

Install the losetup program and manpage as root :

# cp mount/losetup /sbin
# cp mount/losetup.8 /usr/share/man/man8

    3. Creating the encrypted partition

First of all, fill the target partition with random data, so that an
attacker cannot later tell encrypted data from unused space :

# shred -n 1 -v /dev/hda2

Then, set up the encrypted loop device; losetup prompts for the passphrase,
and exactly the same options must be used every time the device is set up
(the loader script in section 5 repeats them) :

# losetup -e twofish -k 256 -P sha512 /dev/loop0 /dev/hda2

Next, create the ext2 (or ext3 or reiserfs) filesystem :

# mke2fs /dev/loop0

You can compare the decrypted view (/dev/loop0, which shows the ext2
structures) with the raw partition (/dev/hda2, which should look like
random data) :

# xxd /dev/loop0 | less
# xxd /dev/hda2  | less

    4. Building the LFS system

Two steps in the book must be adapted :

    * Chapter 6, Installing util-linux :
        Use util-linux-2.11r, instead of the version used in the book,
        and apply the patch as described in section 2.2. of this hint.

    * Chapter 8, Making the LFS system bootable :
        Refer to section 5 below.

    5. Setting up the boot partition

The following instructions assume that you're still chrooted inside $LFS.

Create and mount the boot partition :

# mke2fs /dev/hda1
# mkdir /loader
# mount -t ext2 /dev/hda1 /loader

Create the filesystem hierarchy :

# mkdir /loader/{bin,boot,dev,etc,lib,mnt,proc,sbin}

Copy the required files in it :

# cp /bin/{sh,mount,umount} /loader/bin/
# cp /boot/boot-text.b /loader/boot/boot.b
# cp -a /dev/{console,hda,hda1,hda2,loop0} /loader/dev/
# cp /lib/{,,,} /loader/lib/
# cp /sbin/{losetup,pivot_root} /loader/sbin
# cat > /loader/sbin/init << "EOF"
#!/bin/sh
# Minimal init for the unencrypted loader partition: ask for the
# passphrase, mount the encrypted root, then hand over to the real init.
/bin/mount -n -t proc proc /proc
/sbin/losetup -e twofish -k 256 -P sha512 /dev/loop0 /dev/hda2
/bin/mount -n -t ext2 /dev/loop0 /mnt

# A wrong passphrase yields an unmountable device: detach the loop
# device and ask again until the mount succeeds.
while [ $? -ne 0 ]
do
    /sbin/losetup -d /dev/loop0
    /sbin/losetup -e twofish -k 256 -P sha512 /dev/loop0 /dev/hda2
    /bin/mount -n -t ext2 /dev/loop0 /mnt
done

/bin/umount -n /proc
cd /mnt
/sbin/pivot_root . loader
exec /usr/sbin/chroot . /sbin/init
EOF
# chmod 755 /loader/sbin/init
# cat > /loader/etc/lilo.conf << EOF

Copy the kernel you've compiled in section 2.1. to /loader/vmlinuz and run :

# lilo -r /loader
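The retry loop in the loader's init above runs forever. The following is an
added example, not part of the original hint, of the same unlock step
written as a function with a bounded number of attempts, so that a broken
partition cannot spin endlessly at boot. The variables LOSETUP_CMD, MOUNT_CMD
and MAX_TRIES are assumptions introduced here (they are not in the hint) so
that the loop can be exercised with stand-in commands:

```sh
#!/bin/sh
# Added example (not from the hint): the loader init's "try again on a
# wrong passphrase" loop, as a function with a bounded number of attempts.
#
# Assumptions (not in the original hint): the commands are taken from
# LOSETUP_CMD and MOUNT_CMD so the loop can be tested with stand-ins, and
# MAX_TRIES caps the attempts.
: "${LOSETUP_CMD:=/sbin/losetup}"
: "${MOUNT_CMD:=/bin/mount}"
: "${MAX_TRIES:=3}"

# unlock_root LOOPDEV PARTITION MOUNTPOINT
# Returns 0 once the encrypted partition is mounted, 1 after MAX_TRIES
# failures. Each failure detaches the loop device before retrying, as the
# hint's loop does: a loop device bound with a wrong key must be torn
# down before losetup will accept it again.
unlock_root() {
    loopdev=$1; part=$2; mnt=$3
    tries=0
    while [ "$tries" -lt "$MAX_TRIES" ]; do
        tries=$((tries + 1))
        if "$LOSETUP_CMD" -e twofish -k 256 -P sha512 "$loopdev" "$part" \
           && "$MOUNT_CMD" -n -t ext2 "$loopdev" "$mnt"; then
            return 0
        fi
        echo "attempt $tries of $MAX_TRIES failed, retrying" >&2
        "$LOSETUP_CMD" -d "$loopdev" 2>/dev/null || true
    done
    echo "giving up after $MAX_TRIES attempts" >&2
    return 1
}
```

In the loader this would be called as `unlock_root /dev/loop0 /dev/hda2 /mnt`
right after mounting /proc, followed by the umount, pivot_root and chroot
lines from the script above; if it returns 1 the script should drop to a
shell rather than pivot onto an empty mount point.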

    6. Setting up the bootscripts

Make sure your /etc/fstab contains :

/dev/loop0      /      ext2    defaults             0 1

Also, it is a good idea to check the bootloader integrity, in order to spot
if someone, say a government agency like the FBI or the NSA, has modified
your boot partition so as to grab your password. The reference checksums
live on the encrypted root, so whoever tampers with the unencrypted
partition cannot also update them without the passphrase. Note that this
only detects tampering after the fact: by the time the check runs, the
loader has already executed and prompted for the passphrase. Add the
following lines at the beginning of the system initialisation script:

echo -n "Checking master boot record integrity: "
if [ "`dd if=/dev/hda count=1 2>/dev/null | md5sum`" = "e051a4532356709c73b86789acfbdbbd  -" ]
then
    echo "OK."
else
    echo -n "FAILED! press Enter to continue."
    read
fi

echo -n "Checking bootloader integrity: "
if [ "`dd if=/dev/hda1 2>/dev/null | md5sum`" = "f3686a17fac8a1090d962bef59c86d3b  -" ]
then
    echo "OK."
else
    echo -n "FAILED! press Enter to continue."
    read
fi

(you should replace the two md5sums above with the correct ones, computed
from your own disk with the same dd commands, and recompute them after
every legitimate run of lilo).
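The two checks above hard-code the checksums into the init script. What
follows is an added example, not part of the original hint, that separates
recording the baseline from verifying it, so the values are regenerated
with one command after every legitimate lilo run. It assumes sha256sum is
available (it comes with coreutils) and a hash file on the encrypted root,
HASHFILE, defaulting to /etc/bootloader.sha256; both the file name and the
function names are assumptions made here, not from the hint:

```sh
#!/bin/sh
# Added example (not from the hint): boot-loader integrity check as two
# functions, one to record reference hashes and one to verify them.
#
# Assumptions not in the original hint: sha256sum is available, and the
# reference hashes live in HASHFILE on the encrypted root, so that whoever
# tampers with the unencrypted partition cannot also update the expected
# values without the passphrase.
: "${HASHFILE:=/etc/bootloader.sha256}"

# hash_region DEVICE [SECTORS]: SHA-256 of the whole device, or of its
# first SECTORS 512-byte sectors (count=1 is the MBR, as in the hint).
hash_region() {
    if [ -n "$2" ]; then
        dd if="$1" bs=512 count="$2" 2>/dev/null | sha256sum | cut -d' ' -f1
    else
        sha256sum < "$1" | cut -d' ' -f1
    fi
}

# record_baseline DISK BOOTPART: write "label hash" lines to HASHFILE.
# Run once from the booted system, and again after every legitimate lilo.
record_baseline() {
    {
        echo "mbr $(hash_region "$1" 1)"
        echo "loader $(hash_region "$2")"
    } > "$HASHFILE"
}

# verify_baseline DISK BOOTPART: returns 0 when both regions match the
# recorded hashes, 1 when anything differs or the baseline is missing.
# A missing baseline is treated as a failure on purpose: silently passing
# would let an attacker who can delete the file disable the check.
verify_baseline() {
    [ -r "$HASHFILE" ] || { echo "no baseline at $HASHFILE" >&2; return 1; }
    status=0
    while read -r label expected; do
        case "$label" in
            mbr)    actual=$(hash_region "$1" 1) ;;
            loader) actual=$(hash_region "$2") ;;
            *)      echo "unknown label $label" >&2; status=1; continue ;;
        esac
        if [ "$actual" = "$expected" ]; then
            echo "$label: OK"
        else
            echo "$label: FAILED (expected $expected, got $actual)" >&2
            status=1
        fi
    done < "$HASHFILE"
    return $status
}
```

On the real system the init script would call `verify_baseline /dev/hda
/dev/hda1` and stop for confirmation when it returns 1, exactly where the
two hard-coded checks above sit; `record_baseline /dev/hda /dev/hda1` is
run by hand after `lilo -r /loader`.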

Now, if you're low on RAM you'll need some swap space. Do not use an
unencrypted swap partition, since pages of your plaintext would be written
to it! Instead, create a large swap file on the encrypted root filesystem:

# dd if=/dev/zero of=/swap bs=1048576 count=128
# mkswap /swap

Add this line at the beginning of the system initialisation script :

swapon /swap

...and you're finally done.
