cvs commit: hints cryptoapi.txt

timothy at timothy at
Thu Oct 24 07:03:01 PDT 2002

timothy     02/10/24 07:03:01

  Added:       .        cryptoapi.txt
  Initial commit.
  Revision  Changes    Path
  1.1                  hints/cryptoapi.txt
  Index: cryptoapi.txt
  TITLE:		Encrypted Filesystem Howto
  AUTHOR:		Christophe Devine <devine at>
  	Make your personal data secure by building your LFS system
  	inside a filesystem encrypted with strong cryptography.
      0. Changelog
      1. Setting up the partition layout
      2. Enabling strong cryto in your current system
          2.1. Installing Linux-2.4.19
          2.2. Installing util-linux-2.11r
      3. Creating the encrypted partition
      4. Building the LFS system
      5. Setting up the boot partition
      6. Setting up the bootscripts
      0. Changelog
          2002-10-19 - first version of the cryptoapi hint released
      1. Setting up the partition layout
  Your hard disk should have at least three partitions:
    - one small (~ 8 Mb) unencrypted partition (let's say hda1),
      which will ask the password to mount your encrypted partition.
    - the encrypted partition holding the LFS system (hda2).
    - other temporary partitions for the host distribution.
      2. Enabling strong cryto in your current system
  The host distribution you're using needs to have strong cryptography
  support, which is probably not the case. Therefore, you must recompile
  your kernel and parts of util-linux.
          2.1. Installing Linux-2.4.19
  If necessary, download and unpack the kernel sources:
  $ wget --passive-ftp -q -O - | bzip2 -d -c | tar -xv
  Then download and apply the CryptoAPI patch (also known as the
  International Kernel patch), maintained by Herbert Valerio Riedel :
  $ cd linux-2.4.19
  $ wget --passive-ftp -q -O - | bzip2 -d -c | patch -Np1
  While configuring your kernel, the following options must be enabled :
      Block devices  --->
      <*> Loopback device support
      Cryptography support (CryptoAPI)  --->
      <*> CryptoAPI support (NEW)
      [*] Cipher Algorithms
      --- 128 bit blocksize
      <*>  Serpent cipher (NEW)
      <*>  Twofish cipher (NEW)
      [*] Crypto Devices
      <*>  Loop Crypto support
      [*]   Loop IV hack
  Only two ciphers have been selected above. You may also want to select AES
  (aka Rijndael); however, note that Rijndael is considered to have much less
  security margin than two other AES finalists (Twofish and Serpent).
  For more information, see:
      The Twofish Team's Final Comments on AES Selection
  Now compile and install your kernel, then reboot.
  You can make sure the crypto ciphers are properly loaded :
  $ ls /proc/crypto/cipher/
  serpent-cbc  serpent-cfb  serpent-ecb  twofish-cbc  twofish-cfb  twofish-ecb
          2.2. Installing util-linux-2.11r
  The losetup program, which is part of the util-linux package, must be
  patched and recompiled in order to add strong crypto support :
  $ wget --passive-ftp -q -O - | bzip2 -d -c | tar -xv
  $ cd util-linux-2.11r/
  $ wget --passive-ftp -q -O - | bzip2 -d -c | patch -Np1
  $ ./configure && make lib mount
  Install the losetup program and manpage as root :
  # cp mount/losetup /sbin
  # cp mount/losetup.8 /usr/share/man/man8
      3. Creating the encrypted partition
  First of all, fill the target partition with random data :
  # shred -n 1 -v /dev/hda2
  Then, setup then encrypted loop device :
  # losetup -e twofish -k 256 -P sha512 /dev/loop0 /dev/hda2
  Next, create the ext2 (or ext3 or reiserfs) filesystem :
  # mke2fs /dev/loop0
  You can compare the encrypted and unencrypted data :
  # xxd /dev/loop0 | less
  # xxd /dev/hda2  | less
      4. Building the LFS system
  Two steps in the book must be adapted :
      * Chapter 6, Installing util-linux :
          Use util-linux-2.11r, instead of the version used in the book,
          and apply the patch as described in section 2.2. of this hint.
      * Chapter 8, Making the LFS system bootable :
          Refer to section 5. below :
      5. Setting up the boot partition
  The following instructions assume that you're still chrooted inside $LFS.
  Create and mount the boot partition :
  # mke2fs /dev/hda1
  # mkdir /loader
  # mount -t ext2 /dev/hda1 /loader
  Create the filesystem hierarchy :
  # mkdir /loader/{bin,boot,dev,etc,lib,mnt,proc,sbin}
  Copy the required files in it :
  # cp /bin/{sh,mount,umount} /loader/bin/
  # cp /boot/boot-text.b /loader/boot/boot.b
  # cp -a /dev/{console,hda,hda1,hda2,loop0} /loader/dev/
  # cp /lib/{,,,} /loader/lib/
  # cp /sbin/{losetup,pivot_root} /loader/sbin
  # cat > /loader/sbin/init << EOF
  /bin/mount -n -t proc proc /proc
  /sbin/losetup -e twofish -k 256 -P sha512 /dev/loop0 /dev/hda2
  /bin/mount -n -t ext2 /dev/loop0 /mnt
  while [ $? -ne 0 ]
      /sbin/losetup -d /dev/loop0
      /sbin/losetup -e twofish -k 256 -P sha512 /dev/loop0 /dev/hda2
      /bin/mount -n -t ext2 /dev/loop0 /mnt
  /bin/umount -n /proc
  cd /mnt
  /sbin/pivot_root . loader
  exec /usr/sbin/chroot . /sbin/init
  # chmod 755 /loader/sbin/init
  # cat > /loader/etc/lilo.conf << EOF
  Copy the kernel you've compiled in section 2.1. to /loader/vmlinuz and run :
  # lilo -r /loader
      6. Setting up the bootscripts
  Make sure your /etc/fstab contains :
  /dev/loop0      /      ext2    defaults             0 1
  Also, it is a good idea to check the bootloader integrity, in order to spot
  if someone, say a government agency like the FBI or the NSA, has modified
  your boot partition so as to grab your password. Add the following lines at
  the beginning of the system initialisation script:
  echo -n "Checking master boot record integrity: "
  if [ "`dd if=/dev/hda count=1 2>/dev/null | md5sum`" = "e051a4532356709c73b86789acfbdbbd  -" ]
      echo "OK."
      echo -n "FAILED! press Enter to continue."
  echo -n "Checking bootloader integrity: "
  if [ "`dd if=/dev/hda1 2>/dev/null | md5sum`" = "f3686a17fac8a1090d962bef59c86d3b  -" ]
      echo "OK."
      echo -n "FAILED! press Enter to continue."
  (you should replace the two md5sums above with the correct ones).
  Now, if you're low on RAM you'll need some swap space. Do not use an
  unencrypted swap partition ! Instead, create a large swap file:
  # dd if=/dev/zero of=/swap bs=1048576 count=128
  # mkswap /swap
  Add this line at the beginning of the system initialisation script :
  swapon /swap
  ...and you're finally done.
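Review bot: In the section 5 init script, `cat > /loader/sbin/init << EOF` uses an unquoted delimiter, so the `$?` in `while [ $? -ne 0 ]` is expanded by the shell that writes the file, not at boot, and the retry loop ends up comparing a fixed number instead of the result of the mount; quote the delimiter (`<< "EOF"`) or write `\$?`. As committed, that loop also has no `do`/`done`, neither heredoc has its closing `EOF` line, the script has no `#!/bin/sh` line, and the lilo.conf heredoc has no body, so the boot partition cannot be reproduced from this text alone. In section 6, the two `if [ ... md5sum ... ]` tests lack `then`/`else`/`fi`. The text there should also say that the check runs from the encrypted root, after /loader/sbin/init has already accepted the passphrase: a FAILED result means the passphrase should be treated as exposed and changed, which "press Enter to continue" does not convey. It would also help to note that the /dev/hda1 sum has to be regenerated each time `lilo -r /loader` is rerun or the boot partition is otherwise modified.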