cvs commit: hints cryptoapi.txt

timothy at linuxfromscratch.org timothy at linuxfromscratch.org
Sun Feb 16 08:36:22 PST 2003


timothy     03/02/16 11:36:22

  Modified:    .        cryptoapi.txt
  Log:
  Switched to loop-aes, updated the packages version
  
  Revision  Changes    Path
  1.2       +54 -62    hints/cryptoapi.txt
  
  Index: cryptoapi.txt
  ===================================================================
  RCS file: /home/cvsroot/hints/cryptoapi.txt,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- cryptoapi.txt	24 Oct 2002 14:03:00 -0000	1.1
  +++ cryptoapi.txt	16 Feb 2003 16:36:22 -0000	1.2
  @@ -1,6 +1,6 @@
   TITLE:		Encrypted Filesystem Howto
   LFS VERSION:	All
  -AUTHOR:		Christophe Devine <devine at nerim.net>
  +AUTHOR:		Christophe Devine <devine at cr0.net>
   
   SYNOPSIS:
   	Make your personal data secure by building your LFS system
  @@ -16,8 +16,8 @@
       1. Setting up the partition layout
   
       2. Enabling strong cryto in your current system
  -        2.1. Installing Linux-2.4.19
  -        2.2. Installing util-linux-2.11r
  +        2.1. Installing Linux-2.4.20
  +        2.2. Installing util-linux-2.11y
   
       3. Creating the encrypted partition
   
  @@ -32,6 +32,8 @@
       0. Changelog
       ------------
   
  +        2003-01-15 - switched to loop-aes, updated the packages version
  +
           2002-10-19 - first version of the cryptoapi hint released
   
   
  @@ -56,90 +58,81 @@
   your kernel and parts of util-linux.
   
   
  -        2.1. Installing Linux-2.4.19
  +        2.1. Installing Linux-2.4.20
           ----------------------------
   
  -If necessary, download and unpack the kernel sources:
  -
  -$ wget --passive-ftp -q -O - ftp://ftp.kernel.org/pub/linux/kernel/v2.4/linux-2.4.19.tar.bz2 | bzip2 -d -c | tar -xv
  +There are two main projects which add strong crypto support in the kernel:
  +CryptoAPI and loop-aes. This hint uses loop-aes, since it has a *FAST* and
  +highly optimized implementation of AES in assembly language, and therefore
  +provides maximum performance if you have an x86 CPU.
   
  -Then download and apply the CryptoAPI patch (also known as the
  -International Kernel patch), maintained by Herbert Valerio Riedel :
  +If necessary, download and unpack the kernel sources:
   
  -$ cd linux-2.4.19
  -$ wget --passive-ftp -q -O - ftp://ftp.kernel.org/pub/linux/kernel/people/hvr/testing/patch-int-2.4.19.2.bz2 | bzip2 -d -c | patch -Np1
  +ftp://ftp.kernel.org/pub/linux/kernel/v2.4/linux-2.4.20.tar.bz2
   
  -While configuring your kernel, the following options must be enabled :
  +You also have to download and unpack:
   
  -    Block devices  --->
  +http://loop-aes.sourceforge.net/loop-AES-v1.6i.tar.bz2
   
  -    <*> Loopback device support
  +Then you must patch the kernel:
   
  -    Cryptography support (CryptoAPI)  --->
  +linux-2.4.20 $ patch -Np1 -i ../loop-AES-v1.6i/kernel-2.4.20.diff
   
  -    <*> CryptoAPI support (NEW)
  -    [*] Cipher Algorithms
  -    --- 128 bit blocksize
  -    ...
  -    <*>  Serpent cipher (NEW)
  -    <*>  Twofish cipher (NEW)
  -    ...
  -    [*] Crypto Devices
  -    <*>  Loop Crypto support
  -    [*]   Loop IV hack
  -    
  -Only two ciphers have been selected above. You may also want to select AES
  -(aka Rijndael); however, note that Rijndael is considered to have much less
  -security margin than two other AES finalists (Twofish and Serpent).
  -For more information, see:
  +Next, configure your kernel; make sure the following options are set:
   
  -    The Twofish Team's Final Comments on AES Selection
  -    http://www.counterpane.com/twofish-final.html
  +    Block devices  --->
   
  -Now compile and install your kernel, then reboot.
  -You can make sure the crypto ciphers are properly loaded :
  +	<*> Loopback device support
  +	[*]   AES encrypted loop device support (NEW)
   
  -$ ls /proc/crypto/cipher/
  -serpent-cbc  serpent-cfb  serpent-ecb  twofish-cbc  twofish-cfb  twofish-ecb
  +Finally compile the kernel, install it and reboot.
   
   
  -        2.2. Installing util-linux-2.11r
  +        2.2. Installing util-linux-2.11y
           --------------------------------
   
   The losetup program, which is part of the util-linux package, must be
  -patched and recompiled in order to add strong crypto support :
  +patched and recompiled in order to add strong cryptography support:
   
  -$ wget --passive-ftp -q -O - ftp://ftp.kernel.org/pub/linux/utils/util-linux/util-linux-2.11r.tar.bz2 | bzip2 -d -c | tar -xv
  +First of all, download and unpack:
   
  -$ cd util-linux-2.11r/
  +ftp://ftp.kernel.org/pub/linux/utils/util-linux/util-linux-2.11y.tar.bz2
   
  -$ wget --passive-ftp -q -O - ftp://ftp.kernel.org/pub/linux/kernel/people/hvr/util-linux-cryptoapi/util-linux-2.11r.patch.bz2 | bzip2 -d -c | patch -Np1
  +Apply the patch provided with loop-aes:
   
  -$ ./configure && make lib mount
  +util-linux-2.11y $ patch -Np1 -i ../loop-AES-v1.6i/util-linux-2.11y.diff
   
  -Install the losetup program and manpage as root :
  +Compile losetup and install it as root:
   
  -# cp mount/losetup /sbin
  -# cp mount/losetup.8 /usr/share/man/man8
  +util-linux-2.11y $ ./configure && make lib mount
  +util-linux-2.11y # cp mount/losetup /sbin
  +util-linux-2.11y # cp mount/losetup.8 /usr/share/man/man8
   
   
       3. Creating the encrypted partition
       -----------------------------------
   
  -First of all, fill the target partition with random data :
  +Fill the target partition with random data:
   
   # shred -n 1 -v /dev/hda2
   
  -Then, setup then encrypted loop device :
  +Setup the encrypted loop device :
   
  -# losetup -e twofish -k 256 -P sha512 /dev/loop0 /dev/hda2
  +# losetup -e aes128 /dev/loop0 /dev/hda2
   Password:
   
  -Next, create the ext2 (or ext3 or reiserfs) filesystem :
  +Make sure you don't forget you password ! For minimum security, it should
  +have at least 10 characters and contain letters (both uppercase and lower-
  +case), special characters and numbers.  Also, note that using 256-bit AES
  +would not be any more secure, since even 128-bit AES is almost impossible
  +to crack using brute-force (even with millions of CPU-years).
  +
  +Now create the ext2 (or ext3 or reiserfs) filesystem and mount it:
   
   # mke2fs /dev/loop0
  +# mount  /dev/loop0 /mnt/lfs
   
  -You can compare the encrypted and unencrypted data :
  +You can compare the encrypted and unencrypted data:
   
   # xxd /dev/loop0 | less
   # xxd /dev/hda2  | less
  @@ -152,7 +145,7 @@
   
       * Chapter 6, Installing util-linux :
       
  -        Use util-linux-2.11r, instead of the version used in the book,
  +        Use util-linux-2.11y, instead of the version used in the book,
           and apply the patch as described in section 2.2. of this hint.
   
       * Chapter 8, Making the LFS system bootable :
  @@ -173,7 +166,7 @@
   
   Create the filesystem hierarchy :
   
  -# mkdir /loader/{bin,boot,dev,etc,lib,mnt,proc,sbin}
  +# mkdir /loader/{bin,boot,dev,etc,lib,mnt,sbin}
   
   Copy the required files in it :
   
  @@ -185,18 +178,16 @@
   # cat > /loader/sbin/init << EOF
   #!/bin/sh
   
  -/bin/mount -n -t proc proc /proc
  -/sbin/losetup -e twofish -k 256 -P sha512 /dev/loop0 /dev/hda2
  +/sbin/losetup -e aes128 /dev/loop0 /dev/hda2
   /bin/mount -n -t ext2 /dev/loop0 /mnt
   
   while [ $? -ne 0 ]
   do
       /sbin/losetup -d /dev/loop0
  -    /sbin/losetup -e twofish -k 256 -P sha512 /dev/loop0 /dev/hda2
  +    /sbin/losetup -e aes128 /dev/loop0 /dev/hda2
       /bin/mount -n -t ext2 /dev/loop0 /mnt
   done
   
  -/bin/umount -n /proc
   cd /mnt
   /sbin/pivot_root . loader
   exec /usr/sbin/chroot . /sbin/init
  @@ -213,7 +204,7 @@
       read-only
   EOF	    
   
  -Copy the kernel you've compiled in section 2.1. to /loader/vmlinuz and run :
  +Copy the kernel you've compiled in section 2.1. to /loader/vmlinuz and run:
   
   # lilo -r /loader
   
  @@ -221,14 +212,15 @@
       6. Setting up the bootscripts
       -----------------------------
   
  -Make sure your /etc/fstab contains :
  +Make sure your /etc/fstab contains:
   
   /dev/loop0      /      ext2    defaults             0 1
   
  -Also, it is a good idea to check the bootloader integrity, in order to spot
  -if someone, say a government agency like the FBI or the NSA, has modified
  -your boot partition so as to grab your password. Add the following lines at
  -the beginning of the system initialisation script:
  +Also, it is a good idea to check the boot partition integrity inside the
  +encrypted partition, in order to spot if someone, say a government agency
  +like the FBI or the NSA, has modified your boot partition so as to grab
  +your password. Add the following lines at the beginning of the system
  +initialisation script:
   
   
   echo -n "Checking master boot record integrity: "
  
  
  
-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe hints' in the subject header of the message



More information about the hints mailing list