cvs commit: hints cryptoapi.txt

timothy at linuxfromscratch.org timothy at linuxfromscratch.org
Thu Feb 20 10:38:37 PST 2003


timothy     03/02/20 13:38:37

  Modified:    .        cryptoapi.txt
  Log:
  Some changes, thanks to Jari Ruusu for his comments.
  
  Revision  Changes    Path
  1.3       +36 -13    hints/cryptoapi.txt
  
  Index: cryptoapi.txt
  ===================================================================
  RCS file: /home/cvsroot/hints/cryptoapi.txt,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- cryptoapi.txt	16 Feb 2003 16:36:22 -0000	1.2
  +++ cryptoapi.txt	20 Feb 2003 18:38:37 -0000	1.3
  @@ -32,6 +32,8 @@
       0. Changelog
       ------------
   
  +        2003-02-19 - some changes, thanks to Jari Ruusu for his comments
  +
           2003-01-15 - switched to loop-aes, updated the packages version
   
           2002-10-19 - first version of the cryptoapi hint released
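Review bot: the new changelog entry is dated 2003-02-19 while the revision header of this file says 20 Feb 2003; use the commit date so the changelog line can be matched to CVS revision 1.3.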
  @@ -78,12 +80,20 @@
   
   linux-2.4.20 $ patch -Np1 -i ../loop-AES-v1.6i/kernel-2.4.20.diff
   
  +A small, but yet important bug has to be fixed (read Jari's comment
  +at http://loop-aes.sourceforge.net/loop-AES-v1.6i.important-readme),
  +by patching the loop driver; download and apply the required patch:
  +
  +http://linuxfromscratch.org/~devine/loop-AES-v1.6i-bugfix.patch
  +
  +linux-2.4.20 $ patch -Np1 -i ../loop-AES-v1.6i-bugfix.patch
  +
   Next, configure your kernel; make sure the following options are set:
   
       Block devices  --->
   
  -	<*> Loopback device support
  -	[*]   AES encrypted loop device support (NEW)
  +        <*> Loopback device support
  +        [*]   AES encrypted loop device support (NEW)
   
   Finally compile the kernel, install it and reboot.
   
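Review bot: the bugfix patch introduced at the top of this hunk is downloaded from a personal URL (http://linuxfromscratch.org/~devine/loop-AES-v1.6i-bugfix.patch) and applied to the kernel's loop driver with no integrity check, although the hint elsewhere asks the reader to verify md5sums. Either point at the fix as distributed by the loop-AES project or publish the patch's md5sum (or a signature) next to the URL, and state in one line what the bug is; "a small, but yet important bug" forces the reader to follow the link to learn that the loop driver is affected at all. The tab-to-space change on the two kernel config lines is cosmetic and fine.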
  @@ -102,6 +112,13 @@
   
   util-linux-2.11y $ patch -Np1 -i ../loop-AES-v1.6i/util-linux-2.11y.diff
   
  +If you wish to use passwords that are less than 20 characters, enter:
  +
  +util-linux-2.11y $ export CFLAGS="-O2 -DLOOP_PASSWORD_MIN_LENGTH=15"
  +
  +If security is important, please do not enable passwords shorter than 20
  +characters. Security is not free, one has to 'pay' in form of long passwords.
  +
   Compile losetup and install it as root:
   
   util-linux-2.11y $ ./configure && make lib mount
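Review bot: the two paragraphs added here contradict each other: the first shows how to lower the minimum password length to 15 characters, the second says not to enable passwords shorter than 20. If the reduced minimum stays documented, label it as a reduced-security option up front rather than after the command. Two smaller points: "less than 20 characters" does not describe what -DLOOP_PASSWORD_MIN_LENGTH=15 does (it allows 15 to 19 characters), and `export CFLAGS=...` persists in the shell for everything built afterwards and replaces any optimisation flags already set, so tell the reader to `unset CFLAGS` once losetup is built.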
  @@ -118,9 +135,13 @@
   
   Setup the encrypted loop device :
   
  -# losetup -e aes128 /dev/loop0 /dev/hda2
  +# losetup -e aes128 -S xxxxxxxxxx /dev/loop0 /dev/hda2
   Password:
   
  +For better security, it is recommended you use the -S xxxxxxxxxx option,
  +where "xxxxxxxxxx" is your chosen seed. This makes optimized dictionary
  +attacks much more difficult.
  +
   Make sure you don't forget you password ! For minimum security, it should
   have at least 10 characters and contain letters (both uppercase and lower-
   case), special characters and numbers.  Also, note that using 256-bit AES
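Review bot: the unchanged context at the end of this hunk still says "at least 10 characters" for minimum security, which conflicts with the 20-character minimum this same revision introduces in the util-linux section; align the two numbers. On the new `-S xxxxxxxxxx` option: say that the seed is not a secret (it acts as a salt for the password hash and is later written in clear into /loader/sbin/init) but must be identical everywhere the device is set up, since a different seed derives a different key and the filesystem will not mount. A placeholder of ten x's also invites readers to paste it literally; spell out that it must be replaced with a random string of at least that length.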
  @@ -175,16 +196,16 @@
   # cp -a /dev/{console,hda,hda1,hda2,loop0} /loader/dev/
   # cp /lib/{ld-linux.so.2,libc.so.6,libdl.so.2,libncurses.so.5} /loader/lib/
   # cp /sbin/{losetup,pivot_root} /loader/sbin
  -# cat > /loader/sbin/init << EOF
  +# cat > /loader/sbin/init << "EOF"
   #!/bin/sh
   
  -/sbin/losetup -e aes128 /dev/loop0 /dev/hda2
  +/sbin/losetup -e aes128 -S xxxxxxxxxx /dev/loop0 /dev/hda2
   /bin/mount -n -t ext2 /dev/loop0 /mnt
   
   while [ $? -ne 0 ]
   do
       /sbin/losetup -d /dev/loop0
  -    /sbin/losetup -e aes128 /dev/loop0 /dev/hda2
  +    /sbin/losetup -e aes128 -S xxxxxxxxxx /dev/loop0 /dev/hda2
       /bin/mount -n -t ext2 /dev/loop0 /mnt
   done
   
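Review bot: quoting the here-document delimiter ("EOF") is the right fix and deserves a mention in the log: with the unquoted form, `$?` in `while [ $? -ne 0 ]` is expanded by the shell that writes the file, so anyone who built /loader from revision 1.2 has a script whose retry loop tests a literal exit status and should regenerate it. Two further points on the loop body: it only reacts to `mount` failing, so a failed `losetup` (for example a password shorter than the compiled-in minimum) is caught only indirectly through the mount error, and the seed `xxxxxxxxxx` here must be the same value used in the manual losetup above, which the text should state once explicitly.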
  @@ -202,7 +223,7 @@
       label=Linux
       root=/dev/hda1
       read-only
  -EOF	    
  +EOF
   
   Copy the kernel you've compiled in section 2.1. to /loader/vmlinuz and run:
   
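Review bot: removing the trailing tab and spaces after `EOF` is more than whitespace cleanup and should be called out in the log: a here-document terminator must match the delimiter exactly, so with the old line `cat` never saw the end marker and read everything that followed into /loader/sbin/init. Together with the quoted "EOF" on the opening line, this is the change that makes the generated script correct.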
  @@ -245,15 +266,17 @@
   (you should replace the two md5sums above with the correct ones).
   
   
  -Now, if you're low on RAM you'll need some swap space. Do not use an
  -unencrypted swap partition ! Instead, create a large swap file:
  +Now, if you're low on RAM you'll need some swap space. For example,
  +let's say hda3 will hold your encrypted swap partition; you need to
  +create the swap device first:
   
  -# dd if=/dev/zero of=/swap bs=1048576 count=128
  -# mkswap /swap
  +# losetup -e aes128 /dev/loop1 /dev/hda3
  +# mkswap /dev/loop1
   
  -Add this line at the beginning of the system initialisation script :
  +Then add the following lines at the beginning of the system startup script:
   
  -swapon /swap
  +echo "password chosen above" | losetup -p 0 -e aes128 /dev/loop1 /dev/hda3
  +swapon /dev/loop1
   
   ...and you're finally done.
   
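Review bot: the new swap setup puts the root filesystem's password in clear text into the startup script (`echo "password chosen above" | losetup -p 0 ...`) and drops the old warning against unencrypted swap without replacing it. Swap does not need to survive a reboot, so there is no reason to reuse the root password: feed a fresh random key from /dev/urandom to `losetup -p 0` at every boot and run `mkswap /dev/loop1` each time before `swapon`, which leaves no secret in the script at all. If the password is kept in the script, the hint must at least say that the script has to live on the encrypted root and be readable only by root, and note that the swap device is set up without the `-S` seed recommended for the root device earlier in this revision.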
  
  
  