cvs commit: hints cryptoapi.txt

timothy at linuxfromscratch.org timothy at linuxfromscratch.org
Thu Oct 24 07:03:01 PDT 2002


timothy     02/10/24 07:03:01

  Added:       .        cryptoapi.txt
  Log:
  Initial commit.
  
  Revision  Changes    Path
  1.1                  hints/cryptoapi.txt
  
  Index: cryptoapi.txt
  ===================================================================
  TITLE:		Encrypted Filesystem Howto
  LFS VERSION:	All
  AUTHOR:		Christophe Devine <devine at nerim.net>
  
  SYNOPSIS:
  	Make your personal data secure by building your LFS system
  	inside a filesystem encrypted with strong cryptography.
  
  HINT:
  
  Contents
  --------
  
      0. Changelog
  
      1. Setting up the partition layout
  
      2. Enabling strong cryto in your current system
          2.1. Installing Linux-2.4.19
          2.2. Installing util-linux-2.11r
  
      3. Creating the encrypted partition
  
      4. Building the LFS system
  
      5. Setting up the boot partition
  
      6. Setting up the bootscripts
  
  
  
      0. Changelog
      ------------
  
          2002-10-19 - first version of the cryptoapi hint released
  
  
      1. Setting up the partition layout
      ----------------------------------
  
  Your hard disk should have at least three partitions:
  
    - one small (~ 8 Mb) unencrypted partition (let's say hda1),
      which will ask the password to mount your encrypted partition.
  
    - the encrypted partition holding the LFS system (hda2).
  
    - other temporary partitions for the host distribution.
  
  
      2. Enabling strong cryto in your current system
      -----------------------------------------------
  
  The host distribution you're using needs to have strong cryptography
  support, which is probably not the case. Therefore, you must recompile
  your kernel and parts of util-linux.
  
  
          2.1. Installing Linux-2.4.19
          ----------------------------
  
  If necessary, download and unpack the kernel sources:
  
  $ wget --passive-ftp -q -O - ftp://ftp.kernel.org/pub/linux/kernel/v2.4/linux-2.4.19.tar.bz2 | bzip2 -d -c | tar -xv
  
  Then download and apply the CryptoAPI patch (also known as the
  International Kernel patch), maintained by Herbert Valerio Riedel :
  
  $ cd linux-2.4.19
  $ wget --passive-ftp -q -O - ftp://ftp.kernel.org/pub/linux/kernel/people/hvr/testing/patch-int-2.4.19.2.bz2 | bzip2 -d -c | patch -Np1
  
  While configuring your kernel, the following options must be enabled :
  
      Block devices  --->
  
      <*> Loopback device support
  
      Cryptography support (CryptoAPI)  --->
  
      <*> CryptoAPI support (NEW)
      [*] Cipher Algorithms
      --- 128 bit blocksize
      ...
      <*>  Serpent cipher (NEW)
      <*>  Twofish cipher (NEW)
      ...
      [*] Crypto Devices
      <*>  Loop Crypto support
      [*]   Loop IV hack
      
  Only two ciphers have been selected above. You may also want to select AES
  (aka Rijndael); however, note that Rijndael is considered to have much less
  security margin than two other AES finalists (Twofish and Serpent).
  For more information, see:
  
      The Twofish Team's Final Comments on AES Selection
      http://www.counterpane.com/twofish-final.html
  
  Now compile and install your kernel, then reboot.
  You can make sure the crypto ciphers are properly loaded :
  
  $ ls /proc/crypto/cipher/
  serpent-cbc  serpent-cfb  serpent-ecb  twofish-cbc  twofish-cfb  twofish-ecb
  
  
          2.2. Installing util-linux-2.11r
          --------------------------------
  
  The losetup program, which is part of the util-linux package, must be
  patched and recompiled in order to add strong crypto support :
  
  $ wget --passive-ftp -q -O - ftp://ftp.kernel.org/pub/linux/utils/util-linux/util-linux-2.11r.tar.bz2 | bzip2 -d -c | tar -xv
  
  $ cd util-linux-2.11r/
  
  $ wget --passive-ftp -q -O - ftp://ftp.kernel.org/pub/linux/kernel/people/hvr/util-linux-cryptoapi/util-linux-2.11r.patch.bz2 | bzip2 -d -c | patch -Np1
  
  $ ./configure && make lib mount
  
  Install the losetup program and manpage as root :
  
  # cp mount/losetup /sbin
  # cp mount/losetup.8 /usr/share/man/man8
  
  
      3. Creating the encrypted partition
      -----------------------------------
  
  First of all, fill the target partition with random data :
  
  # shred -n 1 -v /dev/hda2
  
  Then, setup then encrypted loop device :
  
  # losetup -e twofish -k 256 -P sha512 /dev/loop0 /dev/hda2
  Password:
  
  Next, create the ext2 (or ext3 or reiserfs) filesystem :
  
  # mke2fs /dev/loop0
  
  You can compare the encrypted and unencrypted data :
  
  # xxd /dev/loop0 | less
  # xxd /dev/hda2  | less
  
  
      4. Building the LFS system
      --------------------------
  
  Two steps in the book must be adapted :
  
      * Chapter 6, Installing util-linux :
      
          Use util-linux-2.11r, instead of the version used in the book,
          and apply the patch as described in section 2.2. of this hint.
  
      * Chapter 8, Making the LFS system bootable :
  
          Refer to section 5. below :
  
  
      5. Setting up the boot partition
      --------------------------------
  
  The following instructions assume that you're still chrooted inside $LFS.
  
  Create and mount the boot partition :
  
  # mke2fs /dev/hda1
  # mkdir /loader
  # mount -t ext2 /dev/hda1 /loader
  
  Create the filesystem hierarchy :
  
  # mkdir /loader/{bin,boot,dev,etc,lib,mnt,proc,sbin}
  
  Copy the required files in it :
  
  # cp /bin/{sh,mount,umount} /loader/bin/
  # cp /boot/boot-text.b /loader/boot/boot.b
  # cp -a /dev/{console,hda,hda1,hda2,loop0} /loader/dev/
  # cp /lib/{ld-linux.so.2,libc.so.6,libdl.so.2,libncurses.so.5} /loader/lib/
  # cp /sbin/{losetup,pivot_root} /loader/sbin
  # cat > /loader/sbin/init << EOF
  #!/bin/sh
  
  /bin/mount -n -t proc proc /proc
  /sbin/losetup -e twofish -k 256 -P sha512 /dev/loop0 /dev/hda2
  /bin/mount -n -t ext2 /dev/loop0 /mnt
  
  while [ $? -ne 0 ]
  do
      /sbin/losetup -d /dev/loop0
      /sbin/losetup -e twofish -k 256 -P sha512 /dev/loop0 /dev/hda2
      /bin/mount -n -t ext2 /dev/loop0 /mnt
  done
  
  /bin/umount -n /proc
  cd /mnt
  /sbin/pivot_root . loader
  exec /usr/sbin/chroot . /sbin/init
  EOF
  # chmod 755 /loader/sbin/init
  # cat > /loader/etc/lilo.conf << EOF
  boot=/dev/hda
  lba32
  vga=4
  default=Linux
  image=/vmlinuz
      label=Linux
      root=/dev/hda1
      read-only
  EOF	    
  
  Copy the kernel you've compiled in section 2.1. to /loader/vmlinuz and run :
  
  # lilo -r /loader
  
  
      6. Setting up the bootscripts
      -----------------------------
  
  Make sure your /etc/fstab contains :
  
  /dev/loop0      /      ext2    defaults             0 1
  
  Also, it is a good idea to check the bootloader integrity, in order to spot
  if someone, say a government agency like the FBI or the NSA, has modified
  your boot partition so as to grab your password. Add the following lines at
  the beginning of the system initialisation script:
  
  
  echo -n "Checking master boot record integrity: "
  if [ "`dd if=/dev/hda count=1 2>/dev/null | md5sum`" = "e051a4532356709c73b86789acfbdbbd  -" ]
  then
      echo "OK."
  else
      echo -n "FAILED! press Enter to continue."
      read
  fi
  
  echo -n "Checking bootloader integrity: "
  if [ "`dd if=/dev/hda1 2>/dev/null | md5sum`" = "f3686a17fac8a1090d962bef59c86d3b  -" ]
  then
      echo "OK."
  else
      echo -n "FAILED! press Enter to continue."
      read
  fi
  
  
  (you should replace the two md5sums above with the correct ones).
  
  
  Now, if you're low on RAM you'll need some swap space. Do not use an
  unencrypted swap partition ! Instead, create a large swap file:
  
  # dd if=/dev/zero of=/swap bs=1048576 count=128
  # mkswap /swap
  
  Add this line at the beginning of the system initialisation script :
  
  swapon /swap
  
  ...and you're finally done.
  
  
  
  
-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe hints' in the subject header of the message



More information about the hints mailing list