CryptoAPI.txt hint

Christophe Devine devine at nerim.net
Sat Oct 19 09:16:31 PDT 2002


TITLE:		Encrypted Filesystem Howto
LFS VERSION:	All
AUTHOR:		Christophe Devine <devine at nerim.net>

SYNOPSIS:
	Make your personal data secure by building your LFS system
	inside a filesystem encrypted with strong cryptography.

HINT:

Summary
-------

    0. Changelog

    1. Setting up the partition layout

    2. Enabling strong crypto in your current system
        2.1. Installing Linux-2.4.19
        2.2. Installing util-linux-2.11r

    3. Creating the encrypted partition

    4. Building the LFS system

    5. Setting up the boot partition

    6. Setting up the bootscripts



    0. Changelog
    ------------

        2002-10-19 - first version of the cryptoapi hint released


    1. Setting up the partition layout
    ----------------------------------

Your hard disk should have at least three partitions:

  - one small (~ 8 MB) unencrypted partition (let's say hda1), holding
    the kernel, the bootloader and a minimal init that asks for the
    passphrase and mounts your encrypted partition.

  - the encrypted partition holding the LFS system (hda2).

  - other temporary partitions for the host distribution.


    2. Enabling strong crypto in your current system
    -----------------------------------------------

The host distribution you're using needs to have strong cryptography
support in its kernel and in losetup, which is probably not the case:
the CryptoAPI patch is maintained outside the mainline kernel. Therefore,
you must recompile your kernel and parts of util-linux.


        2.1. Installing Linux-2.4.19
        ----------------------------

If necessary, download and unpack the kernel sources:

$ wget --passive-ftp -q -O - ftp://ftp.kernel.org/pub/linux/kernel/v2.4/linux-2.4.19.tar.bz2 | bzip2 -d -c | tar -xv

Then download and apply the CryptoAPI patch (also known as the
International Kernel patch), maintained by Herbert Valerio Riedel:

$ cd linux-2.4.19
$ wget --passive-ftp -q -O - ftp://ftp.kernel.org/pub/linux/kernel/people/hvr/testing/patch-int-2.4.19.2.bz2 | bzip2 -d -c | patch -Np1

While configuring your kernel, the following options must be enabled:

    Block devices  --->

    <*> Loopback device support

    Cryptography support (CryptoAPI)  --->

    <*> CryptoAPI support (NEW)
    [*] Cipher Algorithms
    --- 128 bit blocksize
    ...
    <*>  Serpent cipher (NEW)
    <*>  Twofish cipher (NEW)
    ...
    [*] Crypto Devices
    <*>  Loop Crypto support
    [*]   Loop IV hack
    
Only two ciphers have been selected above. You may also want to select AES
(aka Rijndael); note, however, that the Twofish team argued that Rijndael
has a smaller security margin than the other two AES finalists used here
(Twofish and Serpent). For more information, see:

    The Twofish Team's Final Comments on AES Selection
    http://www.counterpane.com/twofish-final.html

Now compile and install your kernel, then reboot.
You can make sure the ciphers have been registered by listing /proc/crypto/cipher:

$ ls /proc/crypto/cipher/
serpent-cbc  serpent-cfb  serpent-ecb  twofish-cbc  twofish-cfb  twofish-ecb


        2.2. Installing util-linux-2.11r
        --------------------------------

The losetup program, which is part of the util-linux package, must be
patched and recompiled in order to add strong crypto support (the losetup
options used in section 3 depend on this patch):

$ wget --passive-ftp -q -O - ftp://ftp.kernel.org/pub/linux/utils/util-linux/util-linux-2.11r.tar.bz2 | bzip2 -d -c | tar -xv

$ cd util-linux-2.11r/

$ wget --passive-ftp -q -O - ftp://ftp.kernel.org/pub/linux/kernel/people/hvr/util-linux-cryptoapi/util-linux-2.11r.patch.bz2 | bzip2 -d -c | patch -Np1

$ ./configure && make lib mount

Install the losetup program and manpage as root:

# cp mount/losetup /sbin
# cp mount/losetup.8 /usr/share/man/man8


    3. Creating the encrypted partition
    -----------------------------------

First of all, fill the target partition with random data, so that blocks
which have never been written through the encryption layer cannot be told
apart from ciphertext (this destroys whatever is currently on the partition):

# shred -n 1 -v /dev/hda2

Then set up the encrypted loop device. The cipher, key size and passphrase
hash chosen here must be repeated exactly in the init script of section 5:

# losetup -e twofish -k 256 -P sha512 /dev/loop0 /dev/hda2
Password:

Next, create the ext2 (or ext3 or reiserfs) filesystem on the loop device:

# mke2fs /dev/loop0

You can compare the encrypted and unencrypted views of the same partition;
the filesystem structures visible through /dev/loop0 should appear as
random-looking data on /dev/hda2:

# xxd /dev/loop0 | less
# xxd /dev/hda2  | less
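A more precise version of this comparison, added here as an example rather
than taken from the original hint: instead of eyeballing xxd output, look
for the ext2 superblock magic 0xEF53, which mke2fs stores little-endian
(the bytes 53 ef) at byte offset 1080 of the filesystem (superblock at
offset 1024, s_magic at +56). It must be visible through the loop device
and absent from the raw partition. The functions take a path so they can
be tried on ordinary files; on the system above you would run, as root,
check_encrypted_fs /dev/loop0 /dev/hda2.

```shell
#!/bin/sh
# Added example (not from the original hint): check whether a block device
# or file carries an ext2 superblock in the clear.  mke2fs stores the magic
# 0xEF53 little-endian at byte offset 1080 (superblock at 1024, s_magic at
# +56), so the two bytes there read "53 ef" on the loop device and should
# look random on the underlying partition.

# Print the two bytes at offset 1080 as lowercase hex, e.g. "53ef".
# Prints nothing if the file is shorter than 1082 bytes.
ext2_magic_bytes() {   # usage: ext2_magic_bytes <device-or-file>
    dd if="$1" bs=1 skip=1080 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Return 0 if an ext2/ext3 superblock magic is visible, 1 if not.
has_ext2_magic() {     # usage: has_ext2_magic <device-or-file>
    [ "$(ext2_magic_bytes "$1")" = "53ef" ]
}

# Report on the plaintext/ciphertext pair.  Returns 0 only when the
# filesystem is visible through the loop device and invisible on the
# raw partition, i.e. the encryption layer is actually in place.
check_encrypted_fs() { # usage: check_encrypted_fs <loopdev> <rawdev>
    if ! has_ext2_magic "$1"; then
        echo "$1: no ext2 superblock found (wrong key, or no filesystem yet)"
        return 1
    fi
    if has_ext2_magic "$2"; then
        echo "$2: ext2 superblock visible in the clear, data is NOT encrypted"
        return 1
    fi
    echo "ok: filesystem readable through $1, opaque on $2"
    return 0
}

# On the system described in this hint, run as root after mke2fs:
#   check_encrypted_fs /dev/loop0 /dev/hda2
```

The check is deliberately narrow: it only proves that the superblock is
not in the clear, which is enough to catch the classic mistake of running
mke2fs on /dev/hda2 instead of /dev/loop0.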


    4. Building the LFS system
    --------------------------

Two steps in the book must be adapted:

    * Chapter 6, Installing util-linux:

        Use util-linux-2.11r, instead of the version used in the book,
        and apply the patch as described in section 2.2 of this hint.

    * Chapter 8, Making the LFS system bootable:

        Refer to section 5 below.


    5. Setting up the boot partition
    --------------------------------

The following instructions assume that you're still chrooted inside $LFS.

Create and mount the boot partition:

# mke2fs /dev/hda1
# mkdir /loader
# mount -t ext2 /dev/hda1 /loader

Create the filesystem hierarchy:

# mkdir /loader/{bin,boot,dev,etc,lib,mnt,proc,sbin}

Copy the required files into it:

# cp /bin/{sh,mount,umount} /loader/bin/
# cp /boot/boot-text.b /loader/boot/boot.b
# cp -a /dev/{console,hda,hda1,hda2,loop0} /loader/dev/
# cp /lib/{ld-linux.so.2,libc.so.6,libdl.so.2,libncurses.so.5} /loader/lib/
# cp /sbin/{losetup,pivot_root} /loader/sbin

Then write the init script. The heredoc delimiter is quoted so that $? is
written to the file literally instead of being expanded by your current
shell while the file is created:

# cat > /loader/sbin/init << "EOF"
#!/bin/sh

# Minimal init for the unencrypted boot partition: ask for the passphrase,
# set up the encrypted loop device and hand over to the real init on it.
# Cipher, key size and hash must match those used in section 3.

/bin/mount -n -t proc proc /proc
/sbin/losetup -e twofish -k 256 -P sha512 /dev/loop0 /dev/hda2
/bin/mount -n -t ext2 /dev/loop0 /mnt

# A wrong passphrase yields a loop device whose contents do not look like
# a filesystem, so the mount fails: tear the loop down and ask again.
while [ $? -ne 0 ]
do
    /sbin/losetup -d /dev/loop0
    /sbin/losetup -e twofish -k 256 -P sha512 /dev/loop0 /dev/hda2
    /bin/mount -n -t ext2 /dev/loop0 /mnt
done

/bin/umount -n /proc
cd /mnt
/sbin/pivot_root . loader
exec /usr/sbin/chroot . /sbin/init
EOF
# chmod 755 /loader/sbin/init
Then write the lilo configuration (root= points at the unencrypted boot
partition, whose /sbin/init does the unlocking; make sure nothing follows
the closing EOF on its line, or the heredoc will not terminate):

# cat > /loader/etc/lilo.conf << EOF
boot=/dev/hda
lba32
vga=4
default=Linux
image=/vmlinuz
    label=Linux
    root=/dev/hda1
    read-only
EOF

Copy the kernel you've compiled in section 2.1 to /loader/vmlinuz and
install the bootloader from within the boot partition:

# lilo -r /loader


    6. Setting up the bootscripts
    -----------------------------

Make sure your /etc/fstab contains:

/dev/loop0      /      ext2    defaults             0 1

It is also a good idea to check the integrity of the boot chain, in order
to notice if someone (say a government agency like the FBI or the NSA) has
modified your unencrypted boot partition or the master boot record so as to
grab your passphrase. Be clear about what this buys you: the check can only
run once the encrypted root is mounted, that is, after the passphrase has
already been typed into whatever was on hda1, so it detects tampering after
the fact rather than preventing it. If it ever fails, treat the passphrase
as compromised. Add the following lines at the beginning of the system
initialisation script:


echo -n "Checking master boot record integrity: "
if [ "`dd if=/dev/hda count=1 2>/dev/null | md5sum`" = "e051a4532356709c73b86789acfbdbbd  -" ]
then
    echo "OK."
else
    echo -n "FAILED! press Enter to continue."
    read dummy
fi

echo -n "Checking bootloader integrity: "
if [ "`dd if=/dev/hda1 2>/dev/null | md5sum`" = "f3686a17fac8a1090d962bef59c86d3b  -" ]
then
    echo "OK."
else
    echo -n "FAILED! press Enter to continue."
    read dummy
fi


(you should replace the two md5sums above with the correct ones, and update
them every time you re-run lilo or change anything on the boot partition,
since the second check covers the whole of /dev/hda1).
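The same check in a form that is easier to keep current, added here as an
example and not part of the original hint: the reference sums live in a
file on the encrypted root (assumed to be /etc/bootsums, a name of my
choosing) instead of being pasted into the init script, and a second
function regenerates them after every lilo run. As above, the MBR is the
first 512 bytes of the disk and the boot partition is hashed whole;
devices are passed as arguments so the functions can also be exercised on
plain files.

```shell
#!/bin/sh
# Added example (not from the original hint): boot-chain integrity check
# driven by a reference file rather than sums hard-coded in the script.
#
# Assumptions of mine: the reference file is /etc/bootsums on the
# encrypted root, one "<md5>  <name>" line each for "mbr" and "boot";
# the MBR is the first 512 bytes of the disk and the boot partition is
# hashed whole, exactly as in the hint's two dd|md5sum checks.

digest() {             # md5sum of stdin, hash only
    md5sum | cut -d' ' -f1
}

mbr_sum() {            # usage: mbr_sum <disk>   (e.g. /dev/hda)
    dd if="$1" bs=512 count=1 2>/dev/null | digest
}

part_sum() {           # usage: part_sum <partition>   (e.g. /dev/hda1)
    digest < "$1"
}

# Write the reference file.  Re-run this from the booted encrypted system
# every time lilo is re-run or /loader is changed, otherwise the next boot
# reports a false alarm.
record_bootsums() {    # usage: record_bootsums <disk> <bootpart> <sumfile>
    {
        echo "$(mbr_sum "$1")  mbr"
        echo "$(part_sum "$2")  boot"
    } > "$3"
}

# Compare the live MBR and boot partition with the reference file.
# Returns 0 if both match, 1 if either differs or the file is unusable.
check_bootsums() {     # usage: check_bootsums <disk> <bootpart> <sumfile>
    [ -r "$3" ] || { echo "no reference file $3"; return 1; }
    want_mbr=$(awk '$2 == "mbr"  { print $1 }' "$3")
    want_boot=$(awk '$2 == "boot" { print $1 }' "$3")
    [ -n "$want_mbr" ] && [ -n "$want_boot" ] || { echo "$3: incomplete"; return 1; }
    rc=0
    if [ "$(mbr_sum "$1")" = "$want_mbr" ]; then
        echo "master boot record: OK"
    else
        echo "master boot record: FAILED"; rc=1
    fi
    if [ "$(part_sum "$2")" = "$want_boot" ]; then
        echo "boot partition: OK"
    else
        echo "boot partition: FAILED"; rc=1
    fi
    return $rc
}

# In the initialisation script this replaces the two hard-coded checks:
#   check_bootsums /dev/hda /dev/hda1 /etc/bootsums || { echo "press Enter"; read dummy; }
# and after every lilo run:
#   record_bootsums /dev/hda /dev/hda1 /etc/bootsums
```

Only the first 512 bytes of /dev/hda are covered by the first check; a
change anywhere else on the disk outside hda1 is not reported. The second
check covers the whole of /dev/hda1, so the reference file must be
regenerated after any write to the boot partition.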


Now, if you're low on RAM you'll need some swap space. Do not use an
unencrypted swap partition! Anything in memory, including the contents of
files you have just read, can be paged out to it. Instead, create a large
swap file on the encrypted root, readable by root only:

# dd if=/dev/zero of=/swap bs=1048576 count=128
# chmod 600 /swap
# mkswap /swap

Add this line at the beginning of the system initialisation script:

swapon /swap

...and you're finally done.
