cvs commit: hints cryptoapi.txt
timothy at linuxfromscratch.org
Thu Oct 24 08:03:01 MDT 2002
timothy 02/10/24 07:03:01
Added: . cryptoapi.txt
Log:
Initial commit.
Revision Changes Path
1.1 hints/cryptoapi.txt
Index: cryptoapi.txt
===================================================================
TITLE: Encrypted Filesystem Howto
LFS VERSION: All
AUTHOR: Christophe Devine <devine at nerim.net>
SYNOPSIS:
Make your personal data secure by building your LFS system
inside a filesystem encrypted with strong cryptography.
HINT:
Contents
--------
0. Changelog
1. Setting up the partition layout
2. Enabling strong crypto in your current system
   2.1. Installing Linux-2.4.19
   2.2. Installing util-linux-2.11r
3. Creating the encrypted partition
4. Building the LFS system
5. Setting up the boot partition
6. Setting up the bootscripts
0. Changelog
------------
2002-10-19 - first version of the cryptoapi hint released
1. Setting up the partition layout
----------------------------------
Your hard disk should have at least three partitions:
- one small (~ 8 Mb) unencrypted partition (let's say hda1),
which will ask for the password to mount your encrypted partition.
- the encrypted partition holding the LFS system (hda2).
- other temporary partitions for the host distribution.
2. Enabling strong crypto in your current system
------------------------------------------------
The host distribution you're using needs to have strong cryptography
support, which is probably not the case. Therefore, you must recompile
your kernel and parts of util-linux.
2.1. Installing Linux-2.4.19
----------------------------
If necessary, download and unpack the kernel sources:
$ wget --passive-ftp -q -O - ftp://ftp.kernel.org/pub/linux/kernel/v2.4/linux-2.4.19.tar.bz2 | bzip2 -d -c | tar -xv
Then download and apply the CryptoAPI patch (also known as the
International Kernel patch), maintained by Herbert Valerio Riedel :
$ cd linux-2.4.19
$ wget --passive-ftp -q -O - ftp://ftp.kernel.org/pub/linux/kernel/people/hvr/testing/patch-int-2.4.19.2.bz2 | bzip2 -d -c | patch -Np1
While configuring your kernel, the following options must be enabled :
Block devices --->
    <*> Loopback device support
Cryptography support (CryptoAPI) --->
    <*> CryptoAPI support (NEW)
    [*] Cipher Algorithms
    --- 128 bit blocksize
    ...
    <*> Serpent cipher (NEW)
    <*> Twofish cipher (NEW)
    ...
    [*] Crypto Devices
    <*> Loop Crypto support
    [*] Loop IV hack
Only two ciphers have been selected above. You may also want to select AES
(aka Rijndael); however, note that Rijndael is considered to have much less
security margin than two other AES finalists (Twofish and Serpent).
For more information, see:
The Twofish Team's Final Comments on AES Selection
http://www.counterpane.com/twofish-final.html
Now compile and install your kernel, then reboot.
You can make sure the crypto ciphers are properly loaded :
$ ls /proc/crypto/cipher/
serpent-cbc serpent-cfb serpent-ecb twofish-cbc twofish-cfb twofish-ecb
2.2. Installing util-linux-2.11r
--------------------------------
The losetup program, which is part of the util-linux package, must be
patched and recompiled in order to add strong crypto support :
$ wget --passive-ftp -q -O - ftp://ftp.kernel.org/pub/linux/utils/util-linux/util-linux-2.11r.tar.bz2 | bzip2 -d -c | tar -xv
$ cd util-linux-2.11r/
$ wget --passive-ftp -q -O - ftp://ftp.kernel.org/pub/linux/kernel/people/hvr/util-linux-cryptoapi/util-linux-2.11r.patch.bz2 | bzip2 -d -c | patch -Np1
$ ./configure && make lib mount
Install the losetup program and manpage as root :
# cp mount/losetup /sbin
# cp mount/losetup.8 /usr/share/man/man8
3. Creating the encrypted partition
-----------------------------------
First of all, fill the target partition with random data :
# shred -n 1 -v /dev/hda2
Then, set up the encrypted loop device :
# losetup -e twofish -k 256 -P sha512 /dev/loop0 /dev/hda2
Password:
Next, create the ext2 (or ext3 or reiserfs) filesystem :
# mke2fs /dev/loop0
You can compare the encrypted and unencrypted data :
# xxd /dev/loop0 | less
# xxd /dev/hda2 | less
4. Building the LFS system
--------------------------
Two steps in the book must be adapted :
* Chapter 6, Installing util-linux :
Use util-linux-2.11r, instead of the version used in the book,
and apply the patch as described in section 2.2. of this hint.
* Chapter 8, Making the LFS system bootable :
Refer to section 5. below :
5. Setting up the boot partition
--------------------------------
The following instructions assume that you're still chrooted inside $LFS.
Create and mount the boot partition :
# mke2fs /dev/hda1
# mkdir /loader
# mount -t ext2 /dev/hda1 /loader
Create the filesystem hierarchy :
# mkdir /loader/{bin,boot,dev,etc,lib,mnt,proc,sbin}
Copy the required files into it :
# cp /bin/{sh,mount,umount} /loader/bin/
# cp /boot/boot-text.b /loader/boot/boot.b
# cp -a /dev/{console,hda,hda1,hda2,loop0} /loader/dev/
# cp /lib/{ld-linux.so.2,libc.so.6,libdl.so.2,libncurses.so.5} /loader/lib/
# cp /sbin/{losetup,pivot_root} /loader/sbin
# cat > /loader/sbin/init << "EOF"
#!/bin/sh
# The quoted "EOF" above keeps $? literal in the generated script.
/bin/mount -n -t proc proc /proc
# Prompt for the password and map /dev/hda2 through /dev/loop0.
/sbin/losetup -e twofish -k 256 -P sha512 /dev/loop0 /dev/hda2
/bin/mount -n -t ext2 /dev/loop0 /mnt
# A wrong password makes the mount fail: detach the loop device and ask again.
while [ $? -ne 0 ]
do
    /sbin/losetup -d /dev/loop0
    /sbin/losetup -e twofish -k 256 -P sha512 /dev/loop0 /dev/hda2
    /bin/mount -n -t ext2 /dev/loop0 /mnt
done
/bin/umount -n /proc
cd /mnt
/sbin/pivot_root . loader
exec /usr/sbin/chroot . /sbin/init
EOF
# chmod 755 /loader/sbin/init
# cat > /loader/etc/lilo.conf << EOF
boot=/dev/hda
lba32
vga=4
default=Linux
image=/vmlinuz
label=Linux
root=/dev/hda1
read-only
EOF
Copy the kernel you've compiled in section 2.1. to /loader/vmlinuz and run :
# lilo -r /loader
6. Setting up the bootscripts
-----------------------------
Make sure your /etc/fstab contains :
/dev/loop0 / ext2 defaults 0 1
Also, it is a good idea to check the bootloader integrity, in order to spot
if someone, say a government agency like the FBI or the NSA, has modified
your boot partition so as to grab your password. Add the following lines at
the beginning of the system initialisation script:
echo -n "Checking master boot record integrity: "
# md5sum prints "<hash>  -" (two spaces) when reading from stdin.
if [ "`dd if=/dev/hda count=1 2>/dev/null | md5sum`" = "e051a4532356709c73b86789acfbdbbd  -" ]
then
    echo "OK."
else
    echo -n "FAILED! press Enter to continue."
    read
fi
echo -n "Checking bootloader integrity: "
if [ "`dd if=/dev/hda1 2>/dev/null | md5sum`" = "f3686a17fac8a1090d962bef59c86d3b  -" ]
then
    echo "OK."
else
    echo -n "FAILED! press Enter to continue."
    read
fi
(you should replace the two md5sums above with the correct ones).
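The check above needs reference values taken from a known-good state. The following is an added example, not part of the original hint, that records the two hashes and re-verifies them later. The function names and the reference-file layout are assumptions, and device paths are passed as arguments so the logic can be tried on image files.

```shell
#!/bin/sh
# Added example (not from the hint). Function names and the reference-file
# layout are assumptions; device paths are arguments, so the same code
# works on /dev/hda and /dev/hda1 or on constructed image files.

# region_md5 DEVICE [SECTORS]
# Print the MD5 of the first SECTORS 512-byte sectors of DEVICE, or of the
# whole device when SECTORS is empty. Returns 2 if DEVICE is unreadable, so
# the hash of empty input is never recorded as a reference by mistake.
region_md5() {
    [ -r "$1" ] || return 2
    if [ -n "$2" ]; then
        dd if="$1" bs=512 count="$2" 2>/dev/null
    else
        dd if="$1" bs=512 2>/dev/null
    fi | md5sum | cut -d' ' -f1
}

# write_refs REF_FILE DISK BOOT_PART
# Record known-good hashes: sector 0 of DISK (the MBR) and all of BOOT_PART.
# One line per region: "<device> <sectors or -> <md5>".
write_refs() {
    mbr=$(region_md5 "$2" 1) || return 2
    boot=$(region_md5 "$3") || return 2
    printf '%s 1 %s\n%s - %s\n' "$2" "$mbr" "$3" "$boot" > "$1"
}

# check_refs REF_FILE
# Recompute every recorded region; return 0 only if all of them match.
check_refs() {
    failed=0
    while read -r dev sectors want; do
        [ "$sectors" = "-" ] && sectors=
        got=$(region_md5 "$dev" "$sectors") || got=unreadable
        if [ "$got" = "$want" ]; then
            echo "$dev: OK."
        else
            echo "$dev: FAILED!"
            failed=1
        fi
    done < "$1"
    return "$failed"
}
```

Run write_refs from the decrypted system, keep the reference file on the encrypted root, and regenerate it after each legitimate change to the boot partition, such as rerunning lilo.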
Now, if you're low on RAM you'll need some swap space. Do not use an
unencrypted swap partition ! Instead, create a large swap file:
# dd if=/dev/zero of=/swap bs=1048576 count=128
# mkswap /swap
Add this line at the beginning of the system initialisation script :
swapon /swap
...and you're finally done.