CryptoAPI.txt hint

ivo van doorn ivd at euronet.nl
Tue Oct 22 05:31:33 PDT 2002


Christophe Devine wrote:

> TITLE:		Encrypted Filesystem Howto
> LFS VERSION:	All
> AUTHOR:		Christophe Devine
>
> SYNOPSIS:
> 	Make your personal data secure by building your LFS system
> 	inside a filesystem encrypted with strong cryptography.
>
> HINT:
>
> Summary
> -------
>
>     0. Changelog
>
>     1. Setting up the partition layout
>
>     2. Enabling strong crypto in your current system
>         2.1. Installing Linux-2.4.19
>         2.2. Installing util-linux-2.11r
>
>     3. Creating the encrypted partition
>
>     4. Building the LFS system
>
>     5. Setting up the boot partition
>
>     6. Setting up the bootscripts
>
>
>
>     0. Changelog
>     ------------
>
>         2002-10-19 - first version of the cryptoapi hint released
>
>
>     1. Setting up the partition layout
>     ----------------------------------
>
> Your hard disk should have at least three partitions:
>
>   - one small (~ 8 Mb) unencrypted partition (let's say hda1),
>     which will ask the password to mount your encrypted partition.
>
>   - the encrypted partition holding the LFS system (hda2).
>
>   - other temporary partitions for the host distribution.
>
>
>     2. Enabling strong crypto in your current system
>     ------------------------------------------------
>
> The host distribution you're using needs to have strong cryptography
> support, which is probably not the case. Therefore, you must recompile
> your kernel and parts of util-linux.
>
>
>         2.1. Installing Linux-2.4.19
>         ----------------------------
>
> If necessary, download and unpack the kernel sources:
>
> $ wget --passive-ftp -q -O - ftp://ftp.kernel.org/pub/linux/kernel/v2.4/linux-2.4.19.tar.bz2 | bzip2 -d -c | tar -xv
>
> Then download and apply the CryptoAPI patch (also known as the
> International Kernel patch), maintained by Herbert Valerio Riedel :
>
> $ cd linux-2.4.19
> $ wget --passive-ftp -q -O - ftp://ftp.kernel.org/pub/linux/kernel/people/hvr/testing/patch-int-2.4.19.2.bz2 | bzip2 -d -c | patch -Np1
>
> While configuring your kernel, the following options must be enabled :
>
>     Block devices  --->
>
>     <*> Loopback device support
>
>     Cryptography support (CryptoAPI)  --->
>
>     <*> CryptoAPI support (NEW)
>     [*] Cipher Algorithms
>     --- 128 bit blocksize
>     ...
>     <*>  Serpent cipher (NEW)
>     <*>  Twofish cipher (NEW)
>     ...
>     [*] Crypto Devices
>     <*>  Loop Crypto support
>     [*]   Loop IV hack
>
> Only two ciphers have been selected above. You may also want to select AES
> (aka Rijndael); however, note that Rijndael is considered to have much less
> security margin than the two other AES finalists (Twofish and Serpent).
> For more information, see:
>
>     The Twofish Team's Final Comments on AES Selection
>     http://www.counterpane.com/twofish-final.html
>
> Now compile and install your kernel, then reboot.
> You can make sure the crypto ciphers are properly loaded :
>
> $ ls /proc/crypto/cipher/
> serpent-cbc  serpent-cfb  serpent-ecb  twofish-cbc  twofish-cfb  twofish-ecb
>
>
>         2.2. Installing util-linux-2.11r
>         --------------------------------
>
> The losetup program, which is part of the util-linux package, must be
> patched and recompiled in order to add strong crypto support :
>
> $ wget --passive-ftp -q -O - ftp://ftp.kernel.org/pub/linux/utils/util-linux/util-linux-2.11r.tar.bz2 | bzip2 -d -c | tar -xv
>
> $ cd util-linux-2.11r/
>
> $ wget --passive-ftp -q -O - ftp://ftp.kernel.org/pub/linux/kernel/people/hvr/util-linux-cryptoapi/util-linux-2.11r.patch.bz2 | bzip2 -d -c | patch -Np1
>
> $ ./configure && make lib mount
>
> Install the losetup program and manpage as root :
>
> # cp mount/losetup /sbin
> # cp mount/losetup.8 /usr/share/man/man8
>
>
>     3. Creating the encrypted partition
>     -----------------------------------
>
> First of all, fill the target partition with random data :
>
> # shred -n 1 -v /dev/hda2
>
> Then, set up the encrypted loop device :
>
> # losetup -e twofish -k 256 -P sha512 /dev/loop0 /dev/hda2
> Password:
>
> Next, create the ext2 (or ext3 or reiserfs) filesystem :
>
> # mke2fs /dev/loop0
>
> You can compare the encrypted and unencrypted data :
>
> # xxd /dev/loop0 | less
> # xxd /dev/hda2  | less
>
>
>     4. Building the LFS system
>     --------------------------
>
> Two steps in the book must be adapted :
>
>     * Chapter 6, Installing util-linux :
>
>         Use util-linux-2.11r, instead of the version used in the book,
>         and apply the patch as described in section 2.2. of this hint.
>
>     * Chapter 8, Making the LFS system bootable :
>
>         Refer to section 5 below:
>
>
>     5. Setting up the boot partition
>     --------------------------------
>
> The following instructions assume that you're still chrooted inside $LFS.
>
> Create and mount the boot partition :
>
> # mke2fs /dev/hda1
> # mkdir /loader
> # mount -t ext2 /dev/hda1 /loader
>
> Create the filesystem hierarchy :
>
> # mkdir /loader/{bin,boot,dev,etc,lib,mnt,proc,sbin}
>
> Copy the required files in it :
>
> # cp /bin/{sh,mount,umount} /loader/bin/
> # cp /boot/boot-text.b /loader/boot/boot.b
> # cp -a /dev/{console,hda,hda1,hda2,loop0} /loader/dev/
> # cp /lib/{ld-linux.so.2,libc.so.6,libdl.so.2,libncurses.so.5} /loader/lib/
> # cp /sbin/{losetup,pivot_root} /loader/sbin
> # cat > /loader/sbin/init << EOF
> #!/bin/sh
>
> /bin/mount -n -t proc proc /proc
> /sbin/losetup -e twofish -k 256 -P sha512 /dev/loop0 /dev/hda2
> /bin/mount -n -t ext2 /dev/loop0 /mnt
>
> while [ $? -ne 0 ]
> do
>     /sbin/losetup -d /dev/loop0
>     /sbin/losetup -e twofish -k 256 -P sha512 /dev/loop0 /dev/hda2
>     /bin/mount -n -t ext2 /dev/loop0 /mnt
> done
>
> /bin/umount -n /proc
> cd /mnt
> /sbin/pivot_root . loader
> exec /usr/sbin/chroot . /sbin/init
> EOF
> # chmod 755 /loader/sbin/init
> # cat > /loader/etc/lilo.conf << EOF
> boot=/dev/hda
> lba32
> vga=4
> default=Linux
> image=/vmlinuz
>     label=Linux
>     root=/dev/hda1
>     read-only
> EOF
>
> Copy the kernel you've compiled in section 2.1. to /loader/vmlinuz and run :
>
> # lilo -r /loader
>
>
>     6. Setting up the bootscripts
>     -----------------------------
>
> Make sure your /etc/fstab contains :
>
> /dev/loop0      /      ext2    defaults             0 1
>
> Also, it is a good idea to check the bootloader integrity, in order to spot
> if someone, say a government agency like the FBI or the NSA, has modified
> your boot partition so as to grab your password. Add the following lines at
> the beginning of the system initialisation script:
>
>
> echo -n "Checking master boot record integrity: "
> if [ "`dd if=/dev/hda count=1 2>/dev/null | md5sum`" = "e051a4532356709c73b86789acfbdbbd  -" ]
> then
>     echo "OK."
> else
>     echo -n "FAILED! press Enter to continue."
>     read
> fi
>
> echo -n "Checking bootloader integrity: "
> if [ "`dd if=/dev/hda1 2>/dev/null | md5sum`" = "f3686a17fac8a1090d962bef59c86d3b  -" ]
> then
>     echo "OK."
> else
>     echo -n "FAILED! press Enter to continue."
>     read
> fi
>
>
> (you should replace the two md5sums above with the correct ones).
>
>
> Now, if you're low on RAM you'll need some swap space. Do not use an
> unencrypted swap partition ! Instead, create a large swap file:
>
> # dd if=/dev/zero of=/swap bs=1048576 count=128
> # mkswap /swap
>
> Add this line at the beginning of the system initialisation script :
>
> swapon /swap
>
> ...and you're finally done.
>
Hi,

First of all I would like to say it's great this hint has been created.
I was already searching on how to add crypto, so this hint was just in time..:)

but I have one question. Since the CVS version of LFS switched to util-linux-2.11w,
is this alright to use for the crypto hint as well?
And has the patch already been implemented into this version of util-linux?
Since when I checked if a patch was available for util-linux-2.11w there was none.
And the last patch was for version 2.11r.
So is no patch needed, or do I have to wait until the proper patch has been released?

thanks

Ivo
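The bootloader-integrity check near the end of the quoted hint stores the two expected md5sums as literals in the init script. As an added example (not code from the hint or from the reply above), here is the same check as a small POSIX sh script that records the digests of the master boot record and of the bootloader partition into a reference file and later verifies against it; the image paths, the reference-file name and the sample images are constructed assumptions so that it runs offline.

```shell
#!/bin/sh
# Added example, not part of the hint: keep the trusted md5sums of the MBR and
# of the bootloader partition in a reference file instead of hard-coding them
# in the init script. Paths are assumptions (really /dev/hda, /dev/hda1, and a
# reference file kept on the encrypted root).

# digest_of FILE [SECTORS]: md5 of the whole file, or of its first SECTORS
# 512-byte sectors (SECTORS=1 covers just the master boot record).
digest_of() {
    if [ -n "$2" ]; then
        dd if="$1" bs=512 count="$2" 2>/dev/null | md5sum | cut -d' ' -f1
    else
        dd if="$1" bs=512 2>/dev/null | md5sum | cut -d' ' -f1
    fi
}

# record_reference DISK BOOTPART REFFILE: write the trusted digests. Run once,
# right after "lilo -r /loader", from a system you trust.
record_reference() {
    {
        echo "mbr $(digest_of "$1" 1)"
        echo "bootloader $(digest_of "$2")"
    } > "$3"
}

# verify_reference DISK BOOTPART REFFILE: recompute and compare. Returns 0 when
# both digests match and 1 when either differs, so the init script can stop.
verify_reference() {
    rc=0
    while read -r name expected; do
        case "$name" in
            mbr)        actual=$(digest_of "$1" 1) ;;
            bootloader) actual=$(digest_of "$2") ;;
            *)          continue ;;
        esac
        if [ "$actual" = "$expected" ]; then
            echo "Checking $name integrity: OK."
        else
            echo "Checking $name integrity: FAILED!"
            rc=1
        fi
    done < "$3"
    return $rc
}

# Constructed sample images so the script runs offline.
WORK=$(mktemp -d)
dd if=/dev/zero of="$WORK/disk.img" bs=512 count=4 2>/dev/null
printf 'constructed bootloader image' > "$WORK/boot.img"
record_reference "$WORK/disk.img" "$WORK/boot.img" "$WORK/boot.md5"
```

The reference file belongs on the encrypted root filesystem, so that whoever can rewrite the unencrypted boot partition cannot update the stored digests along with it.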
