r945 - trunk

tushar at linuxfromscratch.org tushar at linuxfromscratch.org
Fri Mar 18 20:18:16 PST 2005


Author: tushar
Date: 2005-03-18 21:18:15 -0700 (Fri, 18 Mar 2005)
New Revision: 945

Modified:
   trunk/eswap.txt
Log:
Update Hint: eswap

Modified: trunk/eswap.txt
===================================================================
--- trunk/eswap.txt	2005-03-17 03:29:34 UTC (rev 944)
+++ trunk/eswap.txt	2005-03-19 04:18:15 UTC (rev 945)
@@ -1,6 +1,6 @@
-AUTHOR: Jerome Pinot <ngc891 at gmail.com>
+AUTHOR: Jerome Pinot <ngc891 at gmail.com
 
-DATE: 2005-02-13
+DATE: 2005-03-18
 
 LICENSE: GNU Free Documentation License Version 1.2
 
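Review bot: the new AUTHOR line drops the closing `>` of the e-mail address (`+AUTHOR: Jerome Pinot <ngc891 at gmail.com`); it should stay `AUTHOR: Jerome Pinot <ngc891 at gmail.com>` as in the removed line. The DATE bump itself is fine.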
@@ -12,9 +12,10 @@
 third-part software.
 
 ATTACHMENTS:
-* http://www.linuxfromscratch.org/patches/util-linux/util-linux-2.12q-loop_AES-3.0b.patch 
-* http://www.linuxfromscratch.org/patches/linux/linux-2.6.10-loop_AES-3.0b.patch
-* http://www.linuxfromscratch.org/patches/gnupg/gnupg-1.4.0-loop_AES-3.0b.patch
+* http://ngc891.blogdns.net/projects/hlfs/hlfs-402-eswap-1.patch
+* http://www.linuxfromscratch.org/patches/downloads/util-linux/util-linux-2.12q-loop_AES-3.0b.patch 
+* http://www.linuxfromscratch.org/patches/downloads/linux/linux-2.6.11.4-loop_AES-3.0b.patch
+* http://www.linuxfromscratch.org/patches/downloads/gnupg/gnupg-1.4.1-loop_AES-3.0b.patch
 
 PREREQUISITES:
 This hint is written for HLFS but can be easily applied to LFS. You should
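Review bot: the first new attachment points at a personal host (`+* http://ngc891.blogdns.net/projects/hlfs/hlfs-402-eswap-1.patch`) rather than the linuxfromscratch.org patches tree, and nothing in the list gives a checksum or signature for it; since the hint has readers apply this patch to the book source, consider hosting it next to the other patches or listing a digest beside the URL so readers can verify what they downloaded. Also, the util-linux line (`+* http://www.linuxfromscratch.org/patches/downloads/util-linux/util-linux-2.12q-loop_AES-3.0b.patch `) keeps a trailing space.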
@@ -26,11 +27,11 @@
 ------------------------
 
 A Linux system already provides some basic security environment including
-users and groups, passwords, permissions, and now access control via SELinux
+users and groups, passwords, permissions, an
+d now access control via SELinux
 project.
 
-However, this could be not enough in some cases like 
-attackers with physical
+However, this could be not enough in some cases like attackers with physical
 access. If someone can physically access your hard drive and mount it in an
 other computer, he overpasses the system and can read whatever he wants.
 
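Review bot: the rewrapped sentence is split in the middle of a word in the added lines (`+users and groups, passwords, permissions, an` / `+d now access control via SELinux`), which renders as "an d now"; join them into one line. The second change, rejoining the "attackers with physical" line, is correct.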
@@ -45,10 +46,10 @@
 access clearly to it. Even, some ciphers like AES provide you a "plausible
 deniability". It means there is no way to know that the partition is actually
 encrypted because it looks just like trash, like an empty partition.
-So, there is no problem for the system being overpassed by physical access.
+So, there is no problem for the system being
+ overpassed by physical access.
 
-Encrypting your partitions could increase drastically your data
- security.
+Encrypting your partitions could increase drastically your data security.
 
 II. How to do?
 --------------
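Review bot: the added lines break a sentence in two and start the continuation with a leading space (`+So, there is no problem for the system being` / `+ overpassed by physical access.`), undoing the single-line form this hunk removes; keep it as one line as the next change does for "data security". While here, the surrounding claim that "ciphers like AES provide you a plausible deniability" overstates what the cipher gives: the partition looks like random data because the loop-AES on-disk format carries no header, not because of AES itself, and only if the whole device was overwritten with random data first; rewording it that way would be more accurate.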
@@ -68,10 +69,10 @@
 
 dm-crypt is an encrypted device mapper created to replace cryptoloop [2]. You can
 find it in the official source, under the device mapper sub-section. It is
-supposed to avoid the flaw of cryptoloop, but actually, it fails. You can find 
+supposed to avoid the flaw of cryptoloop, but actually, it fails. You can fin
+d 
 on the web more informations about that [3]. So even if it's available natively in 
-the kerne
-l it should be avoid for more security.
+the kernel it should be avoid for more security.
 
 So there is loop-AES. It is stable and modular and needs few modifications to
 the base system. It consists of patches to apply to the kernel (2.4 and 2.6) and 
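Review bot: the added lines split a word across a line break (`+supposed to avoid the flaw of cryptoloop, but actually, it fails. You can fin` / `+d `), leaving "fin d" in the rendered text; join them. The rejoined kernel line still reads "it should be avoid", which should be "it should be avoided", and "more informations" in the context line should be "more information".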
@@ -92,39 +93,50 @@
 --------------------
 
 It's a matter of applying 2 patches and changing a little the /etc/fstab file.
-Using multi-key needs GnuPG and special bootscripts.
+The easiest way is to patch the svn version of the book like this:
 
+-- Optional --
+ 
+ wget h
+ttp://ngc891.blogdns.net/projects/hlfs/hlfs-402-eswap-1.patch
+ cd HLFS
+ patch -Np1 -i ../hlfs-402-eswap-1.patch
+ 
+-- Optional --
+
+Unfortunatly, it can be out of date so you have choice to follow the other way:
+
 1. First you need to apply the util-linux-2.12q-loop_AES-3.0b.patch to the
-util-linux before building it during chapter 6.
+util-linux before building it during chapter 6. This patch enables the use of 
+mount, umount, and swapon for encrypted devices.
 
- $ patch -
-Np1 -i ../util-linux-2.12q-loop_AES-3.0b.patch
+ $ patch -Np1 -i ../util-linux-2.12q-loop_AES-3.0b.patch
 
-
 2. You need to change the line about swap file in the /etc/fstab (chapter 7)
 
-from:
-	/dev/hdb2	swap	swap	pri=1	0	0
-to:
-	/dev/hdb2	swap	swap	sw,loop=/dev/loop7,encryption=AES128,pri=1	0	0
+from:	/dev/[yyy]	swap	swap	pri=1	0	0
+to:	/dev/[yyy]	swap	swap	sw,loop=/dev/loop7,encryption=AES128,pri=1	0	0
 
-This will activate your swap partition at boot by a multi-keys encrypted loop device.
+The swap will be mount using a loopback device with a multikeys AES encryption. 
+It uses the last loop device so you will be able to use from /dev/loop0 to 
+/dev/loop6 for other purpose.
 
 3. Finally, you must patch your kernel source before "make menuconfig" in
 chapter 7:
 
- patch -Np1 -i ../linux-2.6.10-loop_AES-3.0b.patch
+ patch -Np1 -i ../linux-2.6.11.4-loop_AES-3.0b.patch
 
-Then, during "make menuconfig", you MUST select loop-AES under loop item of the
-block sub-section or your swap partition may not be available.
+Then, during "make menuconfig", you
+ MUST select loop-AES under loop item of the
+block sub-section or your swap partition may not be available. You should enable
+BLK_DEV_LOOP_AES and BLK_DEV_LOOP_KEYSCRUB.
 
-
 IV. Setting up third-part software
 ----------------------------------
 
-1. GnuPG 1.4.0
+1. GnuPG 1.4.1
 
- patch -Np1 -i ../gnupg-1.4.0-loop_AES-3.0b.patch
+ patch -Np1 -i ../gnupg-1.4.1-loop_AES-3.0b.patch
  
  sed -e 's/^CFLAGS .*$/& -pie -fpie/' -i `find . -name Makefile.in`
  
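Review bot: the optional block splits the URL across two lines (`+ wget h` / `+ttp://ngc891.blogdns.net/projects/hlfs/hlfs-402-eswap-1.patch`), so a reader copying it runs `wget h` and gets an error; keep the URL on one line, and likewise rejoin `+Then, during "make menuconfig", you` / `+ MUST select loop-AES under loop item of the`. The hunk also removes "Using multi-key needs GnuPG and special bootscripts" while the new step 2 text still says the swap is mounted "with a multikeys AES encryption", yet the fstab line shown (`sw,loop=/dev/loop7,encryption=AES128,pri=1`) carries no key-related option; either state what key material swapon uses with that line or drop the "multikeys" wording so the text and the example agree. The `cd HLFS` / `patch -Np1 -i ../hlfs-402-eswap-1.patch` pair assumes the reader's checkout is named HLFS and the download sits in its parent directory, which is worth saying. Smaller items: "Unfortunatly" -> "Unfortunately", "you have choice to follow the other way" -> "you can follow the other way instead", "The swap will be mount" -> "The swap will be mounted", "for other purpose" -> "for other purposes".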
@@ -135,8 +147,7 @@
 2. Sharutils 4.3.78
 
 We need sharutils for uuencode to convert randon binary data from /dev/urandom
-to r
-andom ascii data for keys generation.
+to random ascii data for keys generation.
 
  sed -e 's/^CFLAGS .*$/& -pie -fpie/' -i `find . -name Makefile.in` &&
  ./configure --prefix=/usr &&
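Review bot: the rejoined line fixes "r andom", but the same sentence still has "randon binary data" on the unchanged line above it (`We need sharutils for uuencode to convert randon binary data from /dev/urandom`); fix it to "random" in the same edit, and "keys generation" reads better as "key generation".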
@@ -151,16 +162,20 @@
  ./configure --prefix=/usr &&
  make && make install
 
-
 ACKNOWLEDGEMENTS:
 
-
 CHANGELOG:
+[2005-03-18]
+  * updated for Li
+nux 2.6.11.4 and GnuPG 1.4.1
+  * added hlfs book patch
+  * some fixes
 [2005-02-27]
-  * Added Sharutils and aespipe.
-  * Some fixes.
+  * Added Sharutils and aespipe
+  * Some fixes
 [2005-02-19]
-  * Added GnuPG compilation guide.
-  * Few fixes.
+  * Added GnuPG compilation guide
+  * Few fixes
 [2005-02-13]
-  * Initial version.
+  * Initial version
+
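Review bot: the new changelog entry is split in the middle of a word (`+  * updated for Li` / `+nux 2.6.11.4 and GnuPG 1.4.1`); join it. The hunk also appends an extra empty line at end of file (the final `+`), which looks unintended.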