r949 - trunk

archaic at linuxfromscratch.org archaic at linuxfromscratch.org
Sun Mar 27 10:39:09 PST 2005


Author: archaic
Date: 2005-03-27 11:39:09 -0700 (Sun, 27 Mar 2005)
New Revision: 949

Modified:
   trunk/eswap.txt
Log:
Updated the eswap.txt hint.

Modified: trunk/eswap.txt
===================================================================
--- trunk/eswap.txt	2005-03-27 05:05:27 UTC (rev 948)
+++ trunk/eswap.txt	2005-03-27 18:39:09 UTC (rev 949)
@@ -1,6 +1,6 @@
-AUTHOR: Jerome Pinot <ngc891 at gmail.com
+AUTHOR: Jerome Pinot <ngc891 at gmail.com>
 
-DATE: 2005-03-18
+DATE: 2005-03-27
 
 LICENSE: GNU Free Documentation License Version 1.2
 
@@ -12,42 +12,41 @@
 third-part software.
 
 ATTACHMENTS:
-* http://ngc891.blogdns.net/projects/hlfs/hlfs-402-eswap-1.patch
-* http://www.linuxfromscratch.org/patches/downloads/util-linux/util-linux-2.12q-loop_AES-3.0b.patch 
-* http://www.linuxfromscratch.org/patches/downloads/linux/linux-2.6.11.4-loop_AES-3.0b.patch
-* http://www.linuxfromscratch.org/patches/downloads/gnupg/gnupg-1.4.1-loop_AES-3.0b.patch
+* http://ngc891.blogdns.net/projects/hlfs/hlfs-429-eswap-1.patch
+* http://www.linuxfromscratch.org/patches/downloads/util-linux/util-linux-2.12q-loop_AES-3.0c.patch 
+* http://www.linuxfromscratch.org/patches/downloads/linux/linux-2.6.11.6-loop_AES-3.0c.patch
+* http://www.linuxfromscratch.org/patches/downloads/gnupg/gnupg-1.4.1-loop_AES-3.0c.patch
 
 PREREQUISITES:
-This hint is written for HLFS but can be easily applied to LFS. You should
-have some basic knowledge about devices and using swap.
+This hint is written for HLFS but can be easily applied to LFS. You should have 
+some basic knowledge about devices and using swap.
 
 HINT:
 
 I. About encrypting disk
 ------------------------
 
-A Linux system already provides some basic security environment including
-users and groups, passwords, permissions, an
-d now access control via SELinux
-project.
+A Linux system already provides some basic security environment including users 
+and groups, passwords, permissions,
+ and now access control via SELinux project.
 
 However, this could be not enough in some cases like attackers with physical
-access. If someone can physically access your hard drive and mount it in an
+access. If someone can physically access your hard drive and mount it in an 
 other computer, he overpasses the system and can read whatever he wants.
 
-The problem is the same with the swap partition. It stores short lifetime
-data including most of the things you have just done with the computer and
-that didn't fit in the RAM. The system continously overwrite this partition
-and there is no easy structure inside but an attacker could seek in for passwords
-and other data you just typed.
+The problem is the same with the swap partition. It stores short lifetime data 
+including most of the things you have just done with the computer and that 
+didn't fit in the RAM. The system continously overwrite this partition and there
+is no easy structure inside but an attacker could seek in for passwords and 
+other data you just typed.
 
-One protection against this kind of attack is swap encryption. It means
-cipher your data with an algorithm, so you need a passphrase and/or a key to
-access clearly to it. Even, some ciphers like AES provide you a "plausible
-deniability". It means there is no way to know that the partition is actually
-encrypted because it looks just like trash, like an empty partition.
-So, there is no problem for the system being
- overpassed by physical access.
+One protection against this kind of attack is swap encryption. It means cipher 
+your data with an algorithm, so you need a passphrase and/or a key to access 
+clearly to it. Even, some ciphers like AES provide you "plausible deniability".
+It means there is no way to know that the partition is actually encrypted 
+because it looks just like trash, like an empty partition. So, there is no 
+more problem for th
+e system being overpassed by physical access.
 
 Encrypting your partitions could increase drastically your data security.
 
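Review bot: the updated ATTACHMENTS list (hlfs-429-eswap-1.patch and the three 3.0c loop-AES patches) still gives readers no way to verify what they download before feeding it to `patch -Np1` against the book and the kernel; add an MD5/SHA1 sum or a detached GPG signature next to each URL so a corrupted or tampered download is caught before it is applied. In the reflowed prose, 'some ciphers like AES provide you "plausible deniability"' attributes the property to the cipher, whereas it comes from loop-AES writing no header or magic to the device, so the partition is indistinguishable from random data; and 'there is no more problem for the system being overpassed by physical access' overstates the benefit, since encryption protects data at rest on a powered-off machine, not a running system whose keys are in RAM. Suggested wording: 'loop-AES writes no header to the device, so an encrypted partition looks like random data; this protects the data at rest, not a running system.' Finally, the hunk mixes whitespace-only reflow with content changes (the dropped word 'nasty', the URL and version bumps), which makes the real change hard to spot; reflow in a separate commit.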
@@ -57,29 +56,28 @@
 There is several ways to encrypt disk on Linux, including cryptoloop, dm-crypt,
 loop-AES and StegFS.
 
-StegFS is a special encrypted file system. It's sounds really great but is
-still under development and needs big modifications of the base system.
+StegFS is a special encrypted file system. It's sounds really great but is still
+under development and needs big modifications of the base system.
 
-Cryptoloop was a special loop device included in the kernel that provides
-access to encrypted device by loopback. Everybody was happy to have such an
-easy way to access encrypted device, but unfortunately, it was found that
-cryptoloop has a nasty flaw and cannot be trust. If you can find cryptoloop in
-some linux distribution, it was actually removed from the official Linux
-kernel source code [1].
+Cryptoloop was a special loop device included in the kernel that provides access
+to encrypted device by loopback. Everybody was happy to have such an easy way to 
+access encrypted device, but unfortunately, it was found that cryptoloop has a 
+flaw and cannot be trust. If you can find cryptoloop in some linux distribution,
+it was actually removed from the official Linux kernel source code [1].
 
-dm-crypt is an encrypted device mapper created to replace cryptoloop [2]. You can
-find it in the official source, under the device mapper sub-section. It is
-supposed to avoid the flaw of cryptoloop, but actually, it fails. You can fin
-d 
-on the web more informations about that [3]. So even if it's available natively in 
-the kernel it should be avoid for more security.
+dm-crypt is an encrypted device mapper created to replace cryptoloop [2]. You 
+can find it in the official source, under the device mapper sub-section. It is
+supposed to avoid the flaw of cryptoloop, but actually, it fails. 
+You can find 
+on the web more informations about that [3]. So even if it's available natively 
+in the kernel it should be avoid for more security.
 
-So there is loop-AES. It is stable and modular and needs few modifications to
-the base system. It consists of patches to apply to the kernel (2.4 and 2.6) and 
-some utilities. Using multi-key with loop-AES avoids the flaw of cryptoloop
-and dm-crypt. It uses the AES algorithm which is known to be one of the
-strongest available. Moreover, there is already an LFS hint for encrypting
-root partition using loop-AES [4].
+So there is loop-AES. It is stable and modular and needs few modifications to 
+the base system. It consists of patches to apply to the kernel (2.4 and 2.6) and
+some utilities. Using multi-key with loop-AES avoids the flaw of cryptoloop and 
+dm-crypt. It uses the AES algorithm which is known to be one of the strongest 
+available. Moreover, there is already an LFS hint for encrypting root partition 
+using loop-AES [4].
 
 You can find loop-AES here:
 http://sourceforge.net/projects/loop-aes/ 
@@ -95,22 +93,22 @@
 It's a matter of applying 2 patches and changing a little the /etc/fstab file.
 The easiest way is to patch the svn version of the book like this:
 
--- Optional --
+-- Optiona
+l --
  
- wget h
-ttp://ngc891.blogdns.net/projects/hlfs/hlfs-402-eswap-1.patch
+ wget http://ngc891.blogdns.net/projects/hlfs/hlfs-429-eswap-1.patch
  cd HLFS
- patch -Np1 -i ../hlfs-402-eswap-1.patch
+ patch -Np1 -i ../hlfs-429-eswap-1.patch
  
 -- Optional --
 
 Unfortunatly, it can be out of date so you have choice to follow the other way:
 
-1. First you need to apply the util-linux-2.12q-loop_AES-3.0b.patch to the
+1. First you need to apply the util-linux-2.12q-loop_AES-3.0c.patch to the
 util-linux before building it during chapter 6. This patch enables the use of 
 mount, umount, and swapon for encrypted devices.
 
- $ patch -Np1 -i ../util-linux-2.12q-loop_AES-3.0b.patch
+ $ patch -Np1 -i ../util-linux-2.12q-loop_AES-3.0c.patch
 
 2. You need to change the line about swap file in the /etc/fstab (chapter 7)
 
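Review bot: the optional path now fetches hlfs-429-eswap-1.patch, but the hint never states which HLFS svn revision the patch was generated against, even though it warns 'it can be out of date'; record the matching book revision (the 402 to 429 rename suggests the number tracks one) so readers can check out that tree instead of discovering rejects. Also, the `wget` and `patch` lines here carry no `$` prompt while step 1 uses '$ patch -Np1 ...'; pick one convention for the whole hint.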
@@ -124,19 +122,21 @@
 3. Finally, you must patch your kernel source before "make menuconfig" in
 chapter 7:
 
- patch -Np1 -i ../linux-2.6.11.4-loop_AES-3.0b.patch
+ patch -Np1 -i ../linux-2.6.11.6-loop_AES-3.0c.patch
 
-Then, during "make menuconfig", you
- MUST select loop-AES under loop item of the
+Then, during "make me
+nuconfig", you MUST select loop-AES under loop item of the
 block sub-section or your swap partition may not be available. You should enable
 BLK_DEV_LOOP_AES and BLK_DEV_LOOP_KEYSCRUB.
 
 IV. Setting up third-part software
 ----------------------------------
 
+You can find the following packages in http://ngc891.blogdns.net/projects/hlfs/packages 
+
 1. GnuPG 1.4.1
 
- patch -Np1 -i ../gnupg-1.4.1-loop_AES-3.0b.patch
+ patch -Np1 -i ../gnupg-1.4.1-loop_AES-3.0c.patch
  
  sed -e 's/^CFLAGS .*$/& -pie -fpie/' -i `find . -name Makefile.in`
  
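Review bot: the new line 'You can find the following packages in http://ngc891.blogdns.net/projects/hlfs/packages' sends readers to a personal mirror for GnuPG, loop-AES and aespipe without naming the upstream sources or any checksums; since these are the cryptographic components the whole hint depends on, give each package's upstream download location (the loop-AES project page is already linked in section II) and the signature or sum to verify against before building. The added line also has trailing whitespace.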
@@ -153,21 +153,24 @@
  ./configure --prefix=/usr &&
  make && make install
 
-3. Aespipe 2.3a
+3. Aespipe 2.3b
 
 Add some flags and build aespipe:
 
  sed -e 's/^LINK .*$/& -nointl/' -i Makefile.in
  sed -e '10,0s/^/CFLAGS+=-pie -fpie\n&/' -i Makefile.in &&
- ./configure --prefix=/usr &&
+ ./configu
+re --prefix=/usr &&
  make && make install
 
 ACKNOWLEDGEMENTS:
+Thanks to the author of loop-AES, Jari Ruusu
 
 CHANGELOG:
+[2005-03-27]
+  * updated for loop-AES 3.0c
 [2005-03-18]
-  * updated for Li
-nux 2.6.11.4 and GnuPG 1.4.1
+  * updated for Linux 2.6.11.4 and GnuPG 1.4.1
   * added hlfs book patch
   * some fixes
 [2005-02-27]
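Review bot: the new CHANGELOG entry '[2005-03-27] updated for loop-AES 3.0c' undersells this commit, which also moves the kernel patch from linux-2.6.11.4 to linux-2.6.11.6 and Aespipe from 2.3a to 2.3b; list those bumps too, since readers use the changelog to decide whether they must re-download patches and rebuild.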
@@ -179,3 +182,4 @@
 [2005-02-13]
   * Initial version
 
+
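Review bot: this hunk only appends a blank line at end of file; drop it, as a whitespace-only trailing change adds noise to every future diff of eswap.txt.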



