cvs commit: hints cryptoapi.txt

timothy at timothy at
Thu Feb 20 10:38:37 PST 2003

timothy     03/02/20 13:38:37

  Modified:    .        cryptoapi.txt
  Some changes, thanks to Jari Ruusu for his comments.
  Revision  Changes    Path
  1.3       +36 -13    hints/cryptoapi.txt
  Index: cryptoapi.txt
  RCS file: /home/cvsroot/hints/cryptoapi.txt,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- cryptoapi.txt	16 Feb 2003 16:36:22 -0000	1.2
  +++ cryptoapi.txt	20 Feb 2003 18:38:37 -0000	1.3
  @@ -32,6 +32,8 @@
       0. Changelog
  +        2003-02-19 - some changes, thanks to Jari Ruusu for his comments
           2003-01-15 - switched to loop-aes, updated the packages version
           2002-10-19 - first version of the cryptoapi hint released
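Review bot: the new changelog entry is dated 2003-02-19 while the commit and the revision stamp on the `+++` line both read 20 Feb 2003; use the commit date so the changelog stays consistent with the file's revision history.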
  @@ -78,12 +80,20 @@
   linux-2.4.20 $ patch -Np1 -i ../loop-AES-v1.6i/kernel-2.4.20.diff
  +A small, but yet important bug has to be fixed (read Jari's comment
  +by patching the loop driver; download and apply the required patch:
  +linux-2.4.20 $ patch -Np1 -i ../loop-AES-v1.6i-bugfix.patch
   Next, configure your kernel; make sure the following options are set:
       Block devices  --->
  -	<*> Loopback device support
  -	[*]   AES encrypted loop device support (NEW)
  +        <*> Loopback device support
  +        [*]   AES encrypted loop device support (NEW)
   Finally compile the kernel, install it and reboot.
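Review bot: the parenthetical at "(read Jari's comment" is never closed, and neither the bug being fixed nor where `loop-AES-v1.6i-bugfix.patch` comes from is given, so a reader cannot know what to download or why. State the defect in one sentence, give the URL (or the post) the patch is taken from, and close the parenthesis, e.g. "A small but important bug has to be fixed by patching the loop driver (see Jari's comment at <URL>); download and apply the patch:".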
  @@ -102,6 +112,13 @@
   util-linux-2.11y $ patch -Np1 -i ../loop-AES-v1.6i/util-linux-2.11y.diff
  +If you wish to use passwords that are less than 20 characters, enter:
  +util-linux-2.11y $ export CFLAGS="-O2 -DLOOP_PASSWORD_MIN_LENGTH=15"
  +If security is important, please do not enable passwords shorter than 20
  +characters. Security is not free, one has to 'pay' in form of long passwords.
   Compile losetup and install it as root:
   util-linux-2.11y $ ./configure && make lib mount
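Review bot: the warning "If security is important, please do not enable passwords shorter than 20 characters" comes after the instruction that enables them; put the warning first so the `-DLOOP_PASSWORD_MIN_LENGTH=15` line reads as a deliberate opt-out rather than a default step. Also note that `export CFLAGS="-O2 -DLOOP_PASSWORD_MIN_LENGTH=15"` replaces whatever CFLAGS the reader already had for the whole `./configure && make lib mount` that follows; `export CFLAGS="$CFLAGS -DLOOP_PASSWORD_MIN_LENGTH=15"` preserves them.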
  @@ -118,9 +135,13 @@
   Setup the encrypted loop device :
  -# losetup -e aes128 /dev/loop0 /dev/hda2
  +# losetup -e aes128 -S xxxxxxxxxx /dev/loop0 /dev/hda2
  +For better security, it is recommended you use the -S xxxxxxxxxx option,
  +where "xxxxxxxxxx" is your chosen seed. This makes optimized dictionary
  +attacks much more difficult.
   Make sure you don't forget you password ! For minimum security, it should
   have at least 10 characters and contain letters (both uppercase and lower-
   case), special characters and numbers.  Also, note that using 256-bit AES
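Review bot: the unchanged context line "For minimum security, it should have at least 10 characters" now contradicts the 20-character minimum that the preceding hunk tells the reader not to weaken; raise it to 20 or drop the number. The new text on `-S xxxxxxxxxx` should also say that the seed must be supplied identically on every later `losetup` of this device (the loader init script in this same patch does so), since a forgotten or mistyped seed is as fatal as a forgotten password and shows up only as a failed mount.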
  @@ -175,16 +196,16 @@
   # cp -a /dev/{console,hda,hda1,hda2,loop0} /loader/dev/
   # cp /lib/{,,,} /loader/lib/
   # cp /sbin/{losetup,pivot_root} /loader/sbin
  -# cat > /loader/sbin/init << EOF
  +# cat > /loader/sbin/init << "EOF"
  -/sbin/losetup -e aes128 /dev/loop0 /dev/hda2
  +/sbin/losetup -e aes128 -S xxxxxxxxxx /dev/loop0 /dev/hda2
   /bin/mount -n -t ext2 /dev/loop0 /mnt
   while [ $? -ne 0 ]
       /sbin/losetup -d /dev/loop0
  -    /sbin/losetup -e aes128 /dev/loop0 /dev/hda2
  +    /sbin/losetup -e aes128 -S xxxxxxxxxx /dev/loop0 /dev/hda2
       /bin/mount -n -t ext2 /dev/loop0 /mnt
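Review bot: quoting the here-document delimiter (`<< "EOF"`) is the right fix, because an unquoted delimiter lets the outer shell expand `$?` in `while [ $? -ne 0 ]` at file-creation time instead of leaving it for the init script; say so in the text, since the reason is not obvious. Separately, the seed literal `-S xxxxxxxxxx` now appears three times in the hint (once in the setup step, twice here), and a typo in any copy silently derives a different key and fails the mount; define it once in the script, e.g. `SEED=xxxxxxxxxx` and `-S "$SEED"`, and tell the reader to check it against the value used at setup.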
  @@ -202,7 +223,7 @@
   Copy the kernel you've compiled in section 2.1. to /loader/vmlinuz and run:
  @@ -245,15 +266,17 @@
   (you should replace the two md5sums above with the correct ones).
  -Now, if you're low on RAM you'll need some swap space. Do not use an
  -unencrypted swap partition ! Instead, create a large swap file:
  +Now, if you're low on RAM you'll need some swap space. For example,
  +let's say hda3 will hold your encrypted swap partition; you need to
  +create the swap device first:
  -# dd if=/dev/zero of=/swap bs=1048576 count=128
  -# mkswap /swap
  +# losetup -e aes128 /dev/loop1 /dev/hda3
  +# mkswap /dev/loop1
  -Add this line at the beginning of the system initialisation script :
  +Then add the following lines at the beginning of the system startup script:
  -swapon /swap
  +echo "password chosen above" | losetup -p 0 -e aes128 /dev/loop1 /dev/hda3
  +swapon /dev/loop1
   ...and you're finally done.
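Review bot: `echo "password chosen above" | losetup -p 0 -e aes128 /dev/loop1 /dev/hda3` stores the encryption password in cleartext in a startup script; the text should require that the script be root-only (mode 0600) and point out that this is tolerable only because the root filesystem holding it is itself encrypted. Since swap need not survive a reboot, the better default is a fresh random key per boot: feed `losetup -p 0` from `/dev/urandom` (encoded to printable characters) and run `mkswap /dev/loop1` in the startup script before `swapon`, which removes the stored password entirely and makes the one-off `mkswap` step above unnecessary. The removed sentence "Do not use an unencrypted swap partition !" was the only justification for encrypting hda3 at all; keep it in the new text.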