forked from pool/util-linux
1232 lines
53 KiB
Plaintext
1232 lines
53 KiB
Plaintext
|
Written by Jari Ruusu <jariruusu@users.sourceforge.net>, October 26 2004
|
|||
|
|
|||
|
Copyright 2001,2002,2003,2004 by Jari Ruusu.
|
|||
|
Redistribution of this file is permitted under the GNU Public License.
|
|||
|
|
|||
|
|
|||
|
Table of Contents
|
|||
|
~~~~~~~~~~~~~~~~~
|
|||
|
1. Loop device primer
|
|||
|
2. General information
|
|||
|
2.1. Key setup and IV modes
|
|||
|
2.2. Use of journaling file systems on loop device
|
|||
|
2.3. Use of offsets and sizelimits
|
|||
|
2.4. Use of software suspend
|
|||
|
2.5. File system soft block sizes
|
|||
|
2.6. Compatibility with earlier versions
|
|||
|
3. Instructions for building loop.o driver
|
|||
|
4. Instructions for building new mount, umount, losetup, swapon and swapoff
|
|||
|
5. Instructions for building new gpg
|
|||
|
6. Testing the loop.o driver and losetup program
|
|||
|
7. Examples
|
|||
|
7.1 Example 1 - Encrypting swap on 2.4 and newer kernels
|
|||
|
7.2. Example 2 - Partition backed loop with gpg encrypted key file
|
|||
|
7.3. Example 3 - Encrypted partition that multiple users can mount
|
|||
|
7.4. Example 4 - Encrypting /tmp partition with random keys
|
|||
|
7.5. Example 5 - Encrypting root partition
|
|||
|
7.6. Example 6 - Boot from CD-ROM + encrypted root partition
|
|||
|
8. Security levels
|
|||
|
9. Performance tuning for 2.4 and newer kernels
|
|||
|
10. Files
|
|||
|
11. Credits
|
|||
|
|
|||
|
|
|||
|
1. Loop device primer
|
|||
|
~~~~~~~~~~~~~~~~~~~~~
|
|||
|
Loop devices are block devices that do not store any data directly but loop
|
|||
|
all reads and writes to underlying block device or file, possibly encrypting
|
|||
|
and decrypting data in the process. Normally you don't write to a loop
|
|||
|
device directly, but set up a file system on it. The file system will then
|
|||
|
read from and write to loop device.
|
|||
|
|
|||
|
By default, 8 loop devices are available: /dev/loop0, /dev/loop1 ...
|
|||
|
/dev/loop7 (on devfs /dev/loop/0 ... /dev/loop/7). All devices are
|
|||
|
identical, and each can be tied to one real block device or one file on some
|
|||
|
file system. You have to decide and allocate which loop to use for which
|
|||
|
purpose.
|
|||
|
|
|||
|
losetup(8) program is used to make and tear down the connection between a
|
|||
|
loop device and underlying device or file. You don't have to specify type of
|
|||
|
underlying device as loop driver detects that automatically. mount(8),
|
|||
|
umount(8), swapon(8) and swapoff(8) programs can also set up and tear down
|
|||
|
loop devices.
|
|||
|
|
|||
|
File backed loops may deadlock under some kernel + file system combinations.
|
|||
|
So, if you can choose between device backed and file backed, choose device
|
|||
|
backed even if it means that you have to re-partition your disks.
|
|||
|
|
|||
|
|
|||
|
2. General information
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
This package provides loadable Linux kernel module (loop.o or loop.ko on 2.6
|
|||
|
kernels) that has AES cipher built-in. The AES cipher can be used to encrypt
|
|||
|
local file systems and disk partitions.
|
|||
|
|
|||
|
Loop device encrypts data but does not authenticate ciphertext. In other
|
|||
|
words, it delivers data privacy, but does not guarantee that data has not
|
|||
|
been tampered with. Admins setting up encrypted file systems should ensure
|
|||
|
that neither ciphertext, nor tools used to access ciphertext (kernel +
|
|||
|
kernel modules, mount, losetup, and other utilities) can be trojaned or
|
|||
|
tampered.
|
|||
|
|
|||
|
This package does *not* modify your kernel in any way, so you are free to
|
|||
|
use kernels of your choice, with or without cool patches. This package works
|
|||
|
with 2.0.x, 2.2.x, 2.4.x (2.4.7 or later) and 2.6.x kernels.
|
|||
|
|
|||
|
Latest version of this package can be found at:
|
|||
|
|
|||
|
http://loop-aes.sourceforge.net/
|
|||
|
http://members.tiscali.fi/ce6c8edf/ (limited downloads)
|
|||
|
|
|||
|
New versions are announced to linux-crypto mailing list:
|
|||
|
|
|||
|
http://mail.nl.linux.org/linux-crypto/
|
|||
|
http://www.spinics.net/lists/crypto/
|
|||
|
|
|||
|
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
|
|||
|
|
|||
|
|
|||
|
2.1. Key setup and IV modes
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
The AES cipher is used in CBC (cipher block chaining) mode. Data is
|
|||
|
encrypted and decrypted in 512 byte chains. Two key setup modes are
|
|||
|
supported; single-key mode and multi-key mode. Single-key mode uses simple
|
|||
|
sector IV and one AES key to encrypt and decrypt all sectors in the loop
|
|||
|
device. Multi-key mode uses cryptographically more secure MD5 IV and 64
|
|||
|
different AES keys to encrypt and decrypt sectors in the loop device. In
|
|||
|
multi-key mode first key is used for first sector, second key for second
|
|||
|
sector, and so on.
|
|||
|
|
|||
|
Password string has a minimum length of 20 characters. Optional password
|
|||
|
seed (salt) and key iteration count can be used to slow down dictionary
|
|||
|
attacks. Password seed is appended to user supplied password before password
|
|||
|
is hashed using one way hash. If password iteration count is specified,
|
|||
|
password hash output is encrypted N thousand times using AES-256. Unique
|
|||
|
seed prevents an adversary from precomputing hashes of passwords in his
|
|||
|
dictionary in advance, and thus making an optimized attack slower. Large
|
|||
|
password iteration count makes dictionary attack painfully slow.
|
|||
|
|
|||
|
If encryption type is specified as AES128 or AES, password string is hashed
|
|||
|
with SHA-256, and 128 bit AES encryption is used. If encryption type is
|
|||
|
specified as AES192, password string is hashed with SHA-384, and 192 bit AES
|
|||
|
encryption is used. If encryption type is specified as AES256, password
|
|||
|
string is hashed with SHA-512, and 256 bit AES encryption is used.
|
|||
|
|
|||
|
|
|||
|
2.2. Use of journaling file systems on loop device
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
Don't use a journaling file system on top of file backed loop device. Device
|
|||
|
backed loop device can be used with journaling file systems as device backed
|
|||
|
loops guarantee that writes reach disk platters in order required by
|
|||
|
journaling file system (write caching must be disabled on the disk drive, of
|
|||
|
course). With file backed loop devices, correct write ordering may extend
|
|||
|
only to page cache (which resides in RAM) of underlying file system. VM can
|
|||
|
write such pages to disk in any order it wishes, and thus break write order
|
|||
|
expectation of journaling file system.
|
|||
|
|
|||
|
|
|||
|
2.3. Use of offsets and sizelimits
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
losetup and mount programs support using offset to underlying device or
|
|||
|
file. 2.4.x and later kernels also support use of sizelimit that limit size
|
|||
|
of device to some subset of full underlying device or file size. Both offset
|
|||
|
and sizelimit are specified in bytes. If no offset is specified, zero offset
|
|||
|
is used. If no sizelimit is specified, full device/file size is used. If you
|
|||
|
do use nonzero offsets, make sure offset is integer multiple of 512 bytes.
|
|||
|
Nonzero offsets that are not integer multiple of 512 bytes are NOT supported
|
|||
|
as they may be nonportable and/or nonworking.
|
|||
|
|
|||
|
|
|||
|
2.4. Use of software suspend
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
Encryption keys are kept in kernel RAM while loop is active. Key is
|
|||
|
immediately erased when loop is deactivated. Use of suspend-to-disk while
|
|||
|
there are active encrypted loops should be used with caution: it would be
|
|||
|
really bad security wise because encryption keys are written to disk when
|
|||
|
kernel RAM is saved to disk. Once key is written to disk it may be
|
|||
|
recoverable from that disk pretty much forever. Security of data encrypted
|
|||
|
with such recoverable key is void.
|
|||
|
|
|||
|
|
|||
|
2.5. File system soft block sizes
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
If you intend to move encrypted file system to some other device (CD-ROM for
|
|||
|
example), be sure to create file system with soft block size that is integer
|
|||
|
multiple of device hard sector size. CD-ROMs have 2048 byte sectors. File
|
|||
|
system with 1024 byte soft block size is not going to work with all CD-ROM
|
|||
|
drives and/or drivers.
|
|||
|
|
|||
|
|
|||
|
2.6. Compatibility with earlier versions
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
This version is compatible with on-disk formats of all previous relased
|
|||
|
versions. This version is compatible with recommended mount, losetup and
|
|||
|
swapon command line syntax and /etc/fstab option syntax since
|
|||
|
loop-AES-v1.1b.
|
|||
|
|
|||
|
Unhashed encryption type as created using ancient loop-AES-v1.0c, now needs
|
|||
|
'mount -o phash=unhashed1' or 'losetup -H unhashed1' options.
|
|||
|
|
|||
|
Mount and losetup programs from loop-AES-v2.0g and older accepted unlimited
|
|||
|
long passphrase when passphrase was read from a file descriptor using '-p 0'
|
|||
|
option. To prevent abuse of mlock()ed RAM by non-root users, mount and
|
|||
|
losetup programs from loop-AES-v2.1a and newer limit max passphrase length
|
|||
|
to 4094 bytes.
|
|||
|
|
|||
|
|
|||
|
3. Instructions for building loop.o driver
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
Before you attempt to build loop.o driver (loop.ko on 2.6 kernels), you
|
|||
|
*must* configure, compile and install new kernel so that CONFIG_MODULES=y
|
|||
|
and CONFIG_BLK_DEV_LOOP=n. Also, CONFIG_KMOD=y is recommended but not
|
|||
|
required (kernel 2.0 doesn't have CONFIG_KMOD, set CONFIG_KERNELD=y
|
|||
|
instead). Configuring your kernel so that loop driver is built-in
|
|||
|
(CONFIG_BLK_DEV_LOOP=y) or module (CONFIG_BLK_DEV_LOOP=m) will *not* work.
|
|||
|
After building and installing your new kernel, do not attempt to clean
|
|||
|
kernel tree, or rename path to kernel sources.
|
|||
|
|
|||
|
(Re)configuring and (re)compiling your kernel are required for following
|
|||
|
reasons: (1) to disable loop driver in your kernel, (2) to get your kernel
|
|||
|
sources to match your running kernel, (3) to get your kernel .config to
|
|||
|
match your running kernel, (4) to set up configure time generated links
|
|||
|
properly, (5) to generate compile time created header files properly to
|
|||
|
match your kernel configuration. Failure to fulfill *all* above requirements
|
|||
|
may cause loop.o driver compilation to fail or generate incorrectly
|
|||
|
operating code. If you are just upgrading existing loop-AES with newer
|
|||
|
version, there is no need to recompile kernel or reboot. Just unmount all
|
|||
|
file systems using old loop driver, and remove loop driver from kernel with
|
|||
|
rmmod command before compiling new loop driver.
|
|||
|
|
|||
|
This is how loop.o is compiled and installed:
|
|||
|
|
|||
|
2.2 and older kernels: Makefile copies your kernel's loop.c to this
|
|||
|
directory. Then, Makefile patches that copy with a
|
|||
|
kernel version specific patch. If patching a copy of
|
|||
|
your kernel's loop.c fails, then a local copy of
|
|||
|
known-to-work and patch-able loop.c-2.X.original is
|
|||
|
used instead.
|
|||
|
|
|||
|
2.4 and newer kernels: Makefile copies pre-patched loop.c-2.X.patched to
|
|||
|
file called patched-loop.c.
|
|||
|
|
|||
|
Resulting patched-loop.c along with other source files is then compiled and
|
|||
|
linked to form a new loop.o driver that is (usually) installed in
|
|||
|
/lib/modules/`uname -r`/block directory. AES cipher is permanently glued to
|
|||
|
loop.o driver so that when loop.o is loaded it automagically has AES support
|
|||
|
built in. There is no need to define any aliases in /etc/modules.conf file.
|
|||
|
|
|||
|
To compile and install loop.o driver, as root, use commands:
|
|||
|
|
|||
|
make clean
|
|||
|
make
|
|||
|
|
|||
|
Makefile tries to locate running kernel source directory, steal definitions
|
|||
|
from kernel Makefile, and build a version that matches your running kernel.
|
|||
|
Following directories are tried, in this order:
|
|||
|
|
|||
|
/lib/modules/`uname -r`/source
|
|||
|
/lib/modules/`uname -r`/build
|
|||
|
/usr/src/linux
|
|||
|
/usr/src/linux-`uname -r`
|
|||
|
/usr/src/kernel-source-`uname -r`
|
|||
|
|
|||
|
You can override automatic kernel source directory detection by specifying
|
|||
|
LINUX_SOURCE like this: make LINUX_SOURCE=/usr/src/linux-2.4.22aa1
|
|||
|
|
|||
|
Both LINUX_SOURCE and KBUILD_OUTPUT must be specified when compiling for
|
|||
|
2.6.x kernel with separate object directory.
|
|||
|
|
|||
|
You can disable automatic module installation and creation of module
|
|||
|
dependencies by specifying MODINST=n RUNDM=n on make command line.
|
|||
|
|
|||
|
Automatic kernel source directory detection is not foolproof. For best
|
|||
|
results, always specify LINUX_SOURCE, especially if loop.o module appears to
|
|||
|
compile for wrong kernel. Observe last five lines of make output for clues.
|
|||
|
|
|||
|
If you are upgrading your kernel and you need loop.o module during boot, you
|
|||
|
probably need to build new version of loop.o module that matches your new
|
|||
|
kernel *before* you boot the new kernel. To build loop.o module for other
|
|||
|
kernel than running kernel, you *must* specify LINUX_SOURCE parameter to
|
|||
|
make.
|
|||
|
|
|||
|
You can override default installation root directory by specifying
|
|||
|
INSTALL_MOD_PATH like this: make INSTALL_MOD_PATH=/path/to/destination/root
|
|||
|
|
|||
|
Makefile detects processor type from kernel configuration. If selected
|
|||
|
processor type is x86 processor or AMD64 processor, optimized assembler
|
|||
|
implementations of AES and MD5 are used instead of C implementations. If you
|
|||
|
want to unconditionally disable x86 assembler AES and MD5 implementations,
|
|||
|
specify X86_ASM=n on make command line. If you want to unconditionally
|
|||
|
disable AMD64 assembler AES and MD5 implementations, specify AMD64_ASM=n on
|
|||
|
make command line.
|
|||
|
|
|||
|
If you want to enable encryption key scrubbing, specify KEYSCRUB=y on make
|
|||
|
command line. Loop encryption key scrubbing moves and inverts key bits in
|
|||
|
kernel RAM so that the thin oxide which forms the storage capacitor
|
|||
|
dielectric of DRAM cells is not permitted to develop detectable property.
|
|||
|
For more info, see Peter Gutmann's paper:
|
|||
|
http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html
|
|||
|
|
|||
|
Note: If your patch program is very old, it may not understand the --dry-run
|
|||
|
option, and may puke lengthy error messages. Even if that happens, the build
|
|||
|
process should still produce a working loop driver.
|
|||
|
|
|||
|
|
|||
|
4. Instructions for building new mount, umount, losetup, swapon and swapoff
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
In order to support AES and other ciphers, mount, umount, losetup, swapon
|
|||
|
and swapoff need to be patched and recompiled. A patch is included. Mount,
|
|||
|
umount, losetup, swapon and swapoff sources are in util-linux package which
|
|||
|
you can get from:
|
|||
|
|
|||
|
ftp://ftp.win.tue.nl/pub/linux-local/utils/util-linux/
|
|||
|
or
|
|||
|
ftp://ftp.kernel.org/pub/linux/utils/util-linux/
|
|||
|
|
|||
|
Just in case if the tarball is not properly signed, the md5 sum of
|
|||
|
util-linux-2.12h.tar.gz is f8f1b2096abbf52fadf86d470c5035dd
|
|||
|
|
|||
|
Do *not* install all the utilities in the util-linux package without
|
|||
|
thinking. You may ruin your system if you do that. Read the INSTALL file
|
|||
|
provided with util-linux tarball.
|
|||
|
|
|||
|
These commands, as root user, will recompile and install mount, umount,
|
|||
|
losetup, swapon, swapoff and their man pages:
|
|||
|
|
|||
|
zcat util-linux-2.12h.tar.gz | tar xvf -
|
|||
|
cd util-linux-2.12h
|
|||
|
patch -p1 <../util-linux-2.12h.diff
|
|||
|
CFLAGS=-O2 ./configure
|
|||
|
make SUBDIRS="lib mount"
|
|||
|
cd mount
|
|||
|
install -m 4755 -o root mount umount /bin
|
|||
|
install -m 755 losetup swapon /sbin
|
|||
|
rm -f /sbin/swapoff && ( cd /sbin && ln -s swapon swapoff )
|
|||
|
rm -f /usr/share/man/man8/{mount,umount,losetup,swapon,swapoff}.8.gz
|
|||
|
install -m 644 mount.8 umount.8 losetup.8 /usr/share/man/man8
|
|||
|
install -m 644 swapon.8 swapoff.8 /usr/share/man/man8
|
|||
|
rm -f /usr/share/man/man5/fstab.5.gz
|
|||
|
install -m 644 fstab.5 /usr/share/man/man5
|
|||
|
mandb
|
|||
|
cd ../..
|
|||
|
|
|||
|
Debian users may want to put mount package on hold like this:
|
|||
|
|
|||
|
echo mount hold | dpkg --set-selections
|
|||
|
|
|||
|
|
|||
|
5. Instructions for building new gpg
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
When gpg encrypts data with symmetric cipher only or when gpg encrypts
|
|||
|
secret keyring keys with secret passphrase, gpg uses seeded (salted) and
|
|||
|
iterated key setup. However, default amount of iteration is tuned for slow
|
|||
|
processors and can be increased for better resistance against dictionary
|
|||
|
attacks. Larger key iteration makes key setup much slower, but also makes
|
|||
|
dictionary attacks much slower too.
|
|||
|
|
|||
|
Included optional gpg patch makes gpg password iteration 128 times slower.
|
|||
|
gpg stores new iteration value along with seed bytes into symmetric cipher
|
|||
|
encrypted output file or secret keyring, so unpatched gpg versions will read
|
|||
|
and decrypt the data just fine.
|
|||
|
|
|||
|
gpg sources are available from:
|
|||
|
|
|||
|
ftp://ftp.gnupg.org/gcrypt/gnupg/
|
|||
|
|
|||
|
These commands, as root user, will recompile and install gpg and gpgv and
|
|||
|
their man pages:
|
|||
|
|
|||
|
zcat gnupg-1.2.6.tar.gz | tar xvf -
|
|||
|
cd gnupg-1.2.6
|
|||
|
patch -p1 <../gnupg-1.2.6.diff
|
|||
|
CFLAGS="-O2" LDFLAGS="-static -s" ./configure --prefix=/usr --enable-static-rnd=linux
|
|||
|
make
|
|||
|
rm -f /usr/share/man/man1/{gpg,gpgv}.1.gz
|
|||
|
make install
|
|||
|
chown root.root /usr/bin/gpg
|
|||
|
chmod 4755 /usr/bin/gpg
|
|||
|
|
|||
|
Note: Above instructions create statically linked version of gpg. Static
|
|||
|
linking is necessary if you ever decide to encrypt your root partition.
|
|||
|
|
|||
|
If /usr/bin directory is not on your root partition, then it is necessary to
|
|||
|
move gpg to /bin directory on your root partition:
|
|||
|
|
|||
|
cd /usr/bin
|
|||
|
mv gpg ../../bin
|
|||
|
ln -s ../../bin/gpg gpg
|
|||
|
|
|||
|
Debian users may want to put gnupg package on hold like this:
|
|||
|
|
|||
|
echo gnupg hold | dpkg --set-selections
|
|||
|
|
|||
|
|
|||
|
6. Testing the loop.o driver and losetup program
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
Run this command, as root, and Makefile will run series of tests.
|
|||
|
|
|||
|
make tests
|
|||
|
|
|||
|
Makefile will display "*** Test results ok ***" message if tests are
|
|||
|
completed successfully. If tests fail, do not use the driver as it is
|
|||
|
broken.
|
|||
|
|
|||
|
If gpg isn't available, then tests that involve decrypting gpg encrypted key
|
|||
|
files will fail. You can skip gpg key file tests by specifying
|
|||
|
TEST_GPG_TYPES=n on make command line.
|
|||
|
|
|||
|
|
|||
|
7. Examples
|
|||
|
~~~~~~~~~~~
|
|||
|
Many of following examples depend on gpg encrypted key file. gpg appears to
|
|||
|
prevent its own keys from being leaked to swap, but does not appear to
|
|||
|
prevent data handled by it from being leaked to swap. In gpg encrypted key
|
|||
|
file cases, the data handled by gpg are loop encryption keys, and they may
|
|||
|
leak to swap. Therefore, use of gpg encrypted key file depends on encrypted
|
|||
|
swap.
|
|||
|
|
|||
|
When using gpg encrypted key file, the password that is used to encrypt the
|
|||
|
key file is the password that losetup and mount programs want. losetup and
|
|||
|
mount programs run gpg to decrypt the key file, and pipe the password to
|
|||
|
gpg. gpg then decrypts the file and pipes the real loop keys back to losetup
|
|||
|
or mount program.
|
|||
|
|
|||
|
Many of following examples need uuencode program. Not all boxes have it
|
|||
|
installed by default. If you need to install uuencode program, it is usually
|
|||
|
part of sharutils package.
|
|||
|
|
|||
|
Many of following examples attempt to use loop in multi-key mode and thus
|
|||
|
*require* losetup/mount programs from loop-AES-v2.0b or later. Setting up
|
|||
|
multi-key gpg key-file and using that key-file with old single-key only
|
|||
|
aware losetup/mount programs is *dangerous*. In multi-key loop cases
|
|||
|
"losetup -a" command run by root user should output "multi-key" indicating
|
|||
|
that loop is really in multi-key mode. If no "multi-key" string shows up,
|
|||
|
your loop setup is a time bomb. If you later upgrade your losetup/mount
|
|||
|
programs to version that can understand multi-key mode, those new
|
|||
|
losetup/mount programs will correctly setup loop in multi-key mode instead
|
|||
|
of single-key mode, and you may not be able to access your data any more.
|
|||
|
New losetup/mount programs are compatible with both single-key and multi-key
|
|||
|
key-files. New losetup/mount programs will recognize single-key key-files
|
|||
|
and set up loop in single-key mode in those cases. Old single-key only aware
|
|||
|
losetup/mount programs need single-key examples. None of the following gpg
|
|||
|
key-file examples are such.
|
|||
|
|
|||
|
|
|||
|
7.1. Example 1 - Encrypting swap on 2.4 and newer kernels
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
Device backed (partition backed) loop is capable of encrypting swap on 2.4
|
|||
|
and newer kernels. File backed loops can't be used for swap.
|
|||
|
|
|||
|
First, run "swapoff -a" to turn off swap devices in your /etc/fstab file.
|
|||
|
Second, add "loop=/dev/loop?" and "encryption=AES128" options to swap lines
|
|||
|
in your /etc/fstab file. Example:
|
|||
|
|
|||
|
/dev/hda666 none swap sw,loop=/dev/loop6,encryption=AES128 0 0
|
|||
|
^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^
|
|||
|
Third, there may be old unencrypted data on your swap devices, in which case
|
|||
|
you can try to overwrite that data with command like this:
|
|||
|
|
|||
|
dd if=/dev/zero of=/dev/hda666 bs=64k conv=notrunc
|
|||
|
mkswap /dev/hda666
|
|||
|
|
|||
|
Fourth, run "swapon -a" and "rm -rf /var/log/ksymoops" and you are done.
|
|||
|
|
|||
|
Running "swapon -a" will set up loop devices using random keys, run mkswap
|
|||
|
on them, and enable encrypted swap on specified loop devices. Usually your
|
|||
|
distro's startup scripts will run the "swapon -a" command so you don't need
|
|||
|
to change your startup scripts at all. As expected, "swapoff -a" will tear
|
|||
|
down such loop devices.
|
|||
|
|
|||
|
Removing /var/log/ksymoops directory is often required because some versions
|
|||
|
of modprobe (part of modutils package) try to log loaded modules to
|
|||
|
/var/log/ksymoops/*.log files. This is bad because swap is often enabled
|
|||
|
(and loop.o modprobe'd to kernel) before any partitions are mounted
|
|||
|
writable. Without /var/log/ksymoops directory on root partition, modprobe
|
|||
|
will not try to log loaded modules, and you won't see annoying error
|
|||
|
messages.
|
|||
|
|
|||
|
Note: If you are using encrypted swap and you are upgrading your kernel, you
|
|||
|
probably need to build new version of loop.o module that matches your new
|
|||
|
kernel *before* you boot the new kernel. See "Instructions for building
|
|||
|
loop.o driver" section for more details.
|
|||
|
|
|||
|
|
|||
|
7.2. Example 2 - Partition backed loop with gpg encrypted key file
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
This example, originally from Michael H. Warfield, shows how to create an
|
|||
|
ext2 file system on encrypted hard disk partition, and creates 64 random
|
|||
|
encryption keys that are encrypted using gpg. Store the key file where ever
|
|||
|
you like, on separate removable media, USB dongle, or on a smart card if you
|
|||
|
like. You have to have both your passphrase and that key file in order to
|
|||
|
mount that file system.
|
|||
|
|
|||
|
This example uses a fictitious partition /dev/hda666 for storage and
|
|||
|
fictitious directory /mnt666 as mount point. A removable USB dongle is
|
|||
|
assumed to be (auto-)mounted at /a/usbdongle directory.
|
|||
|
|
|||
|
Create 64 random encryption keys and encrypt those keys using gpg. Reading
|
|||
|
from /dev/random may take indefinitely long if kernel's random entropy pool
|
|||
|
is empty. If that happens, do some other work on some other console (use
|
|||
|
keyboard, mouse and disks). Use of gpg encrypted key file depends on
|
|||
|
encrypted swap.
|
|||
|
|
|||
|
head -c 2880 /dev/random | uuencode -m - | head -n 65 | tail -n 64 \
|
|||
|
| gpg --symmetric -a >/a/usbdongle/keyfile.gpg
|
|||
|
|
|||
|
Fill the partition with random looking data. "dd" command may take a while
|
|||
|
to execute if partition is large.
|
|||
|
|
|||
|
head -c 15 /dev/urandom | uuencode -m - | head -n 2 | tail -n 1 \
|
|||
|
| losetup -p 0 -e AES128 /dev/loop3 /dev/hda666
|
|||
|
dd if=/dev/zero of=/dev/loop3 bs=4k conv=notrunc 2>/dev/null
|
|||
|
losetup -d /dev/loop3
|
|||
|
|
|||
|
Add this to your /etc/fstab file:
|
|||
|
|
|||
|
/dev/hda666 /mnt666 ext2 defaults,noauto,loop=/dev/loop3,encryption=AES128,gpgkey=/a/usbdongle/keyfile.gpg 0 0
|
|||
|
|
|||
|
The "losetup -F" command asks for passphrase to unlock your key file.
|
|||
|
Losetup -F option reads loop related options from /etc/fstab. Partition name
|
|||
|
/dev/hda666, encryption=AES128 and gpgkey=/a/usbdongle/keyfile.gpg come from
|
|||
|
/etc/fstab.
|
|||
|
|
|||
|
losetup -F /dev/loop3
|
|||
|
mkfs -t ext2 /dev/loop3
|
|||
|
losetup -d /dev/loop3
|
|||
|
mkdir /mnt666
|
|||
|
|
|||
|
Now you should be able to mount the file system like this. The "mount"
|
|||
|
command asks for passphrase to unlock your key file.
|
|||
|
|
|||
|
mount /mnt666
|
|||
|
|
|||
|
Check that loop is really in multi-key mode. Losetup -a output should
|
|||
|
include string "multi-key" indicating that loop is really in multi-key mode.
|
|||
|
If no "multi-key" string shows up, you somehow managed to mess up gpg key
|
|||
|
file generation part or you are trying to use old losetup/mount programs
|
|||
|
that only understand single-key mode.
|
|||
|
|
|||
|
losetup -a
|
|||
|
|
|||
|
You can unmount partition like this:
|
|||
|
|
|||
|
umount /mnt666
|
|||
|
|
|||
|
Unmounted filesystem can be fsck'ed like this. -F option reads loop related
|
|||
|
options from /etc/fstab. Partition name /dev/hda666, encryption=AES128 and
|
|||
|
gpgkey=/a/usbdongle/keyfile.gpg come from /etc/fstab.
|
|||
|
|
|||
|
losetup -F /dev/loop3
|
|||
|
fsck -t ext2 -f -y /dev/loop3
|
|||
|
losetup -d /dev/loop3
|
|||
|
|
|||
|
|
|||
|
7.3. Example 3 - Encrypted partition that multiple users can mount
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
This example shows how to create encrypted partition that multiple non-root
|
|||
|
users can mount, each with their own gpg key. Non-root users don't have
|
|||
|
access to file system key that is actually used to encrypt data. Root can
|
|||
|
add or remove user's permission to mount encrypted partition at any time.
|
|||
|
This example uses a fictitious partition /dev/hda666 for storage and
|
|||
|
fictitious directory /secret1 as mount point.
|
|||
|
|
|||
|
Create 64 random file system keys and encrypt those keys using root's gpg
|
|||
|
public key. Reading from /dev/random may take indefinitely long if kernel's
|
|||
|
random entropy pool is empty. If that happens, do some other work on some
|
|||
|
other console (use keyboard, mouse and disks). Use of gpg encrypted key file
|
|||
|
depends on encrypted swap.
|
|||
|
|
|||
|
umask 077
|
|||
|
head -c 2880 /dev/random | uuencode -m - | head -n 65 | tail -n 64 \
|
|||
|
| gpg -e -a -r "Superuser" > /root/masterkey-secret1.gpg
|
|||
|
|
|||
|
Fill the partition with random looking data. "dd" command may take a while
|
|||
|
to execute if partition is large.
|
|||
|
|
|||
|
head -c 15 /dev/urandom | uuencode -m - | head -n 2 | tail -n 1 \
|
|||
|
| losetup -p 0 -e AES128 /dev/loop0 /dev/hda666
|
|||
|
dd if=/dev/zero of=/dev/loop0 bs=4k conv=notrunc 2>/dev/null
|
|||
|
losetup -d /dev/loop0
|
|||
|
|
|||
|
Use file system keys to setup /dev/loop0 to partition /dev/hda666 and create
|
|||
|
encrypted ext2 file system. The "losetup -e" command asks for root's gpg
|
|||
|
passphrase to unlock root's secret gpg key.
|
|||
|
|
|||
|
losetup -e AES128 -K /root/masterkey-secret1.gpg /dev/loop0 /dev/hda666
|
|||
|
mkfs -t ext2 /dev/loop0
|
|||
|
losetup -d /dev/loop0
|
|||
|
mkdir /secret1
|
|||
|
|
|||
|
Add mount information to /etc/fstab file. Something like this:
|
|||
|
|
|||
|
/dev/hda666 /secret1 ext2 defaults,user,noauto,encryption=AES128,loop=/dev/loop0,gpgkey=/etc/userkey-secret1.gpg 0 0
|
|||
|
^^^^
|
|||
|
You may want to check non-obvious side effects of above "user" mount option.
|
|||
|
It's all explained in mount man page.
|
|||
|
|
|||
|
Create root-only-readable /etc/userkey-secret1.gpg file which contains file
|
|||
|
system key encrypted with each user's public key. List all users as
|
|||
|
recipient who should be able to mount /secret1 encrypted partition. Repeat
|
|||
|
this every time you want to add or remove users.
|
|||
|
|
|||
|
umask 077
|
|||
|
gpg --decrypt < /root/masterkey-secret1.gpg | gpg -e -a --always-trust \
|
|||
|
-r "Superuser" -r "John Doe" -r "Tea Lipton" > /etc/userkey-secret1.gpg
|
|||
|
|
|||
|
Users can mount encrypted partition like this. mount asks for gpg passphrase
|
|||
|
to unlock user's secret gpg key. Each user can use their own gpg key.
|
|||
|
|
|||
|
mount /secret1
|
|||
|
|
|||
|
Root user can check that loop is really in multi-key mode. Losetup -a output
|
|||
|
should include string "multi-key" indicating that loop is really in
|
|||
|
multi-key mode. If no "multi-key" string shows up, you somehow managed to
|
|||
|
mess up gpg key file generation part or you are trying to use old
|
|||
|
losetup/mount programs that only understand single-key mode.
|
|||
|
|
|||
|
losetup -a
|
|||
|
|
|||
|
You can unmount partition like this:
|
|||
|
|
|||
|
umount /secret1
|
|||
|
|
|||
|
Root user can fsck unmounted filesystem like this. -F option reads loop
|
|||
|
related options from /etc/fstab. Partition name /dev/hda666,
|
|||
|
encryption=AES128 and gpgkey=/etc/userkey-secret1.gpg come from /etc/fstab.
|
|||
|
|
|||
|
losetup -F /dev/loop0
|
|||
|
fsck -t ext2 -f -y /dev/loop0
|
|||
|
losetup -d /dev/loop0
|
|||
|
|
|||
|
|
|||
|
7.4. Example 4 - Encrypting /tmp partition with random keys
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
When mount passphrase hash function is specified as random, mount does not
|
|||
|
ask for password but sets up 64 random keys and attempts to put loop to
|
|||
|
multi-key mode and creates new file system on that encrypted loop device
|
|||
|
before that file system is mounted.
|
|||
|
|
|||
|
First, unmount your existing /tmp partition by running "umount /tmp". There
|
|||
|
may be open files in there, so you may have to do this from single user
|
|||
|
mode.
|
|||
|
|
|||
|
Second, add loop= encryption= and phash=random mount options to /etc/fstab
|
|||
|
file. The sixth /etc/fstab field (fs_passno) must be zero so that fcsk will
|
|||
|
not attempt to check this partition.
|
|||
|
|
|||
|
/dev/hda555 /tmp ext2 defaults,loop=/dev/loop2,encryption=AES128,phash=random/1777 0 0
|
|||
|
^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^ ^
|
|||
|
Third, run "mount /tmp" command and you are done.
|
|||
|
|
|||
|
Octal digits after phash=random/ mount option specify initial permissions of
|
|||
|
file system root directory that gets created on the loop device. 1777 means
|
|||
|
read+write+search permissions for all and sticky bit set. Type "man 2 stat"
|
|||
|
for more info about what each bit stands for.
|
|||
|
|
|||
|
Encryption keys and plaintext data on above type mount vanish on unmount or
|
|||
|
power off. Using journaled file system in such case does not make much
|
|||
|
sense, because file system is re-created with different encryption keys on
|
|||
|
each mount, and file system jounal is never used.
|
|||
|
|
|||
|
This example requires that mount program is derived from util-linux patch
|
|||
|
found in loop-AES-v2.2d or later version.
|
|||
|
|
|||
|
|
|||
|
7.5. Example 5 - Encrypting root partition
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
Encrypting root partition requires a small unencrypted /boot partition.
|
|||
|
Everything else (root, swap and other partitions) can be encrypted. Kernels
|
|||
|
and tools required to boot kernels reside in the /boot partition. Included
|
|||
|
build-initrd.sh script builds a small "initrd" ram-disk that works with 2.2
|
|||
|
2.4, and 2.6 kernels. build-initrd.sh script depends on having minix file
|
|||
|
system support in the kernel and working mkfs.minix program binary.
|
|||
|
Util-linux includes source for mkfs.minix if you don't have it and need to
|
|||
|
build it yourself. You need to temporarily boot from rescue floppy/CD-ROM or
|
|||
|
other partition to do the actual encrypting work. The rescue floppy/CD-ROM
|
|||
|
or other partition kernel doesn't need to support loop crypto, so just about
|
|||
|
anything that boots will work.
|
|||
|
|
|||
|
1) build-initrd.sh script needs dietlibc. Dietlibc source is available
|
|||
|
from:
|
|||
|
|
|||
|
http://www.fefe.de/dietlibc/
|
|||
|
ftp://ftp.kernel.org/pub/linux/libs/dietlibc/
|
|||
|
|
|||
|
To compile and install dietlibc, follow instructions in the dietlibc
|
|||
|
README file. For example, on a x86 box, do this:
|
|||
|
|
|||
|
make
|
|||
|
install bin-i386/diet /usr/local/bin
|
|||
|
|
|||
|
2) You need to use aespipe program (v2.2a or later) with your rescue
|
|||
|
floppy/CD-ROM or other partition. aespipe source is available from:
|
|||
|
|
|||
|
http://loop-aes.sourceforge.net/
|
|||
|
http://members.tiscali.fi/ce6c8edf/ (limited downloads)
|
|||
|
|
|||
|
Download latest version of aespipe-*.tar.bz2
|
|||
|
|
|||
|
Dynamically linked aespipe program may have library dependency problems
|
|||
|
with rescue floppy/CD-ROM or other partition C library. To avoid such
|
|||
|
trouble, aespipe program needs to be linked statically. Static linking
|
|||
|
with glibc makes aespipe much bigger (hundreds of kilobytes), and may
|
|||
|
also create link warning about 'getpwuid'. Big program size and link
|
|||
|
warning can be ignored here.
|
|||
|
|
|||
|
Compile aespipe program like this:
|
|||
|
|
|||
|
CFLAGS="-O2" LDFLAGS="-static -s" ./configure
|
|||
|
make
|
|||
|
make tests
|
|||
|
|
|||
|
Copy statically linked aespipe program to /boot partition.
|
|||
|
|
|||
|
cp -p aespipe /boot
|
|||
|
|
|||
|
3) If you followed advise about recompiling and statically linking gpg
|
|||
|
program, you don't need to do that again. However, if you don't have
|
|||
|
statically linked gpg, you need to do that now because later steps in
|
|||
|
root partition encryption depend on it.
|
|||
|
|
|||
|
4) Backup all important data before proceeding with root partition
|
|||
|
encryption.
|
|||
|
|
|||
|
5) Recompile your kernel. These are required: CONFIG_BLK_DEV_RAM=y
|
|||
|
CONFIG_BLK_DEV_RAM_SIZE=4096 CONFIG_BLK_DEV_INITRD=y CONFIG_MINIX_FS=y
|
|||
|
CONFIG_PROC_FS=y CONFIG_CRAMFS=n (or CONFIG_CRAMFS=m)
|
|||
|
|
|||
|
CONFIG_BLK_DEV_{RAM,INITRD}=y are needed because kernel needs to support
|
|||
|
initial ramdisk. CONFIG_MINIX_FS=y is needed because file system on
|
|||
|
initrd is minix. CONFIG_CRAMFS=n is needed because cramfs code may
|
|||
|
incorrectly detect initrd's compressed minix file system as cramfs file
|
|||
|
system. If cramfs must be built-in, then build-initrd.sh must be
|
|||
|
configured with USEPIVOT=1, and kernel parameter "rootfstype=minix" must
|
|||
|
be added to bootloader configuration file. 2.2.x and older kernels have
|
|||
|
neither CONFIG_CRAMFS nor cramfs, so that kernel configuration setting
|
|||
|
can be ignored on those kernels.
|
|||
|
|
|||
|
All kernel subsystems needed by root and /boot file systems must be
|
|||
|
compiled directly into kernel (and not be modules).
|
|||
|
|
|||
|
cd /usr/src/linux-2.4.22aa1
|
|||
|
cp .config ../somewhere/somename.config
|
|||
|
make distclean
|
|||
|
cp ../somewhere/somename.config .config
|
|||
|
make config
|
|||
|
make dep && make clean && make bzImage
|
|||
|
make modules && make modules_install
|
|||
|
cat arch/i386/boot/bzImage >/boot/vmlinuz
|
|||
|
cp System.map /boot/System.map-2.4.22aa1
|
|||
|
|
|||
|
6) Compile loop-AES loop.o module for your kernel.
|
|||
|
|
|||
|
cd ../loop-AES-*
|
|||
|
make LINUX_SOURCE=/usr/src/linux-2.4.22aa1
|
|||
|
|
|||
|
7) Copy kernel version specific loop.o (2.4 and older kernels) or loop.ko
|
|||
|
(2.6 kernels) to /boot/modules-KERNELRELEASE/
|
|||
|
|
|||
|
mkdir /boot/modules-2.4.22aa1
|
|||
|
^^^^^^^^^
|
|||
|
cp -p /lib/modules/2.4.22aa1/block/loop.*o /boot/modules-2.4.22aa1/
|
|||
|
^^^^^^^^^ ^^^^^^^^^
|
|||
|
Note: You need to have a kernel version specific loop.o or loop.ko
|
|||
|
module in /boot/modules-KERNELRELEASE/ directory for every kernel you
|
|||
|
intend to use.
|
|||
|
|
|||
|
8) If your boot scripts automatically run "umount /initrd" and "blockdev
|
|||
|
--flushbufs /dev/ram0" commands, you may want to disable those commands.
|
|||
|
If you don't disable them, you may see annoying error messages when
|
|||
|
booting to encrypted root partition.
|
|||
|
|
|||
|
Root partition loop device node is inside initrd, and that device node
|
|||
|
will remain busy forever. This means that encrypted root initrd can't be
|
|||
|
unmounted and RAM used by initrd file system can't be freed. This
|
|||
|
unable-to-unmount side effect is the reason why initrd is intentionally
|
|||
|
made as small as possible.
|
|||
|
|
|||
|
9) Create 64 random encryption keys and encrypt those keys using gpg.
|
|||
|
Reading from /dev/random may take indefinitely long if kernel's random
|
|||
|
entropy pool is empty. If that happens, do some other work on some other
|
|||
|
console (use keyboard, mouse and disks). Use of gpg encrypted key file
|
|||
|
depends on encrypted swap.
|
|||
|
|
|||
|
umask 077
|
|||
|
head -c 2880 /dev/random | uuencode -m - | head -n 65 | tail -n 64 \
|
|||
|
| gpg --symmetric -a >/boot/rootkey.gpg
|
|||
|
|
|||
|
10) Edit build-initrd.sh to match your setup. Set BOOTDEV, BOOTTYPE,
|
|||
|
CRYPTROOT and ROOTTYPE variables to correct values. If you are using 2.2
|
|||
|
or older kernels, set USEPIVOT=0 because 2.2 and older kernels do not
|
|||
|
have pivot_root functionality. You may also want to set
|
|||
|
LOADNATIONALKEYB=1 and manually copy your uncompressed national keyboard
|
|||
|
layout file (in "loadkeys" format) to /boot/default.kmap
|
|||
|
|
|||
|
loadkeys configuration files for some popular distros:
|
|||
|
|
|||
|
Debian: /etc/console/boottime.kmap.gz
|
|||
|
Mandrake: /usr/lib/kbd/keymaps/i386/qwert[yz]/*.kmap.gz
|
|||
|
Red Hat: /lib/kbd/keymaps/i386/qwert[yz]/*.kmap.gz
|
|||
|
SuSE: /usr/lib/kbd/keymaps/i386/qwert[yz]/*.map.gz
|
|||
|
Slackware: /usr/share/kbd/keymaps/i386/qwert[yz]/*.map.gz
|
|||
|
|
|||
|
Or alternatively, you can create keyboard map using your current
|
|||
|
keyboard layout. Like this:
|
|||
|
|
|||
|
dumpkeys >/boot/default.kmap
|
|||
|
|
|||
|
devfs enabled kernel users (CONFIG_DEVFS_FS=y and CONFIG_DEVFS_MOUNT=y
|
|||
|
in kernel configuration) need to pay special attention to comments above
|
|||
|
these build-initrd.sh options: USEDEVFS, BOOTDEV, CRYPTROOT and
|
|||
|
EXTERNALGPGDEV.
|
|||
|
|
|||
|
11) Edit /etc/lilo.conf (or whatever) and set root= initrd= and append= as
|
|||
|
explained in comments at beginning of build-initrd.sh script.
|
|||
|
|
|||
|
12) Build a new /boot/initrd.gz
|
|||
|
|
|||
|
./build-initrd.sh
|
|||
|
|
|||
|
Note: /boot/initrd.gz is supposed to be small (2 KB to 3 KB). All other
|
|||
|
utilities (loop.o module, insmod, losetup, loadkeys and possibly
|
|||
|
libraries) are copied to /boot directory. Libraries are not copied if
|
|||
|
programs are statically linked.
|
|||
|
|
|||
|
13) Run lilo (or whatever)
|
|||
|
|
|||
|
lilo
|
|||
|
|
|||
|
14) Reboot your computer from rescue floppy/CD-ROM or other partition, so
|
|||
|
that the partition you are about to encrypt is *not* mounted.
|
|||
|
|
|||
|
15) Now you should be running a shell from rescue floppy/CD-ROM or other
|
|||
|
partition. This example assumes that /dev/hda1 is your /boot partition
|
|||
|
and /dev/hda2 is your root partition. Temporarily mount your root
|
|||
|
partition under /mnt
|
|||
|
|
|||
|
mount -t ext2 /dev/hda2 /mnt
|
|||
|
|
|||
|
16) Edit root partition entry in /mnt/etc/fstab file. Replace old /dev/hda2
|
|||
|
with /dev/loop5 or whatever loop you are using for root partition. Loop
|
|||
|
device number must match ROOTLOOPINDEX= in build-initrd.sh
|
|||
|
configuration. The default in build-initrd.sh is 5, meaning /dev/loop5.
|
|||
|
|
|||
|
Old /etc/fstab line:
|
|||
|
/dev/hda2 / ext2 defaults 0 1
|
|||
|
New /etc/fstab line:
|
|||
|
/dev/loop5 / ext2 defaults 0 1
|
|||
|
|
|||
|
devfs enabled kernel users (CONFIG_DEVFS_FS=y and CONFIG_DEVFS_MOUNT=y
|
|||
|
in kernel configuration) need to substitute /dev/loop5 with /dev/loop/5
|
|||
|
|
|||
|
17) Unmount your root partition (and sync for extra safety).
|
|||
|
|
|||
|
umount /mnt
|
|||
|
sync
|
|||
|
|
|||
|
18) Mount your normal /boot partition under /mnt so that you can use
|
|||
|
previously built statically linked aespipe and gpg programs and read gpg
|
|||
|
encrypted key file 'rootkey.gpg'. Statically linked gpg program was
|
|||
|
copied there by build-initrd.sh script.
|
|||
|
|
|||
|
mount -r -t ext2 /dev/hda1 /mnt
|
|||
|
|
|||
|
19) Use dd program to read your root partition contents, pipe that data
|
|||
|
through aespipe program, and finally write encrypted data back to same
|
|||
|
partition with another dd program. This is going to take a while if
|
|||
|
partition is large.
|
|||
|
|
|||
|
dd if=/dev/hda2 bs=64k \
|
|||
|
| /mnt/aespipe -e AES128 -K /mnt/rootkey.gpg -G / \
|
|||
|
| dd of=/dev/hda2 bs=64k conv=notrunc
|
|||
|
|
|||
|
aespipe program tries to run gpg from obvious locations on your rescue
|
|||
|
floppy/CD-ROM file system, but if it can't find gpg from those obvious
|
|||
|
locations, aespipe finally tries to run gpg from same directory that
|
|||
|
aespipe was run from (/mnt/) and should find statically linked gpg
|
|||
|
program there.
|
|||
|
|
|||
|
20) Clean up and reboot your computer.
|
|||
|
|
|||
|
umount /mnt
|
|||
|
sync
|
|||
|
reboot
|
|||
|
|
|||
|
If you are upgrading kernel of a system where root partition is already
|
|||
|
encrypted, only steps 5 to 7 and 13 are needed. /boot/initrd.gz is kernel
|
|||
|
independent and there is no need to re-create it for each kernel. However,
|
|||
|
if you are upgrading from 2.4 kernel to 2.6 kernel, new insmod may need to
|
|||
|
be copied to /boot directory by running step 12 before running step 13.
|
|||
|
|
|||
|
If you want to fsck and mount partitions automatically and are indeed
|
|||
|
encrypting root partition, it may be easier to just losetup required
|
|||
|
partitions early in init scripts (before partitions are fsck'ed and
|
|||
|
mounted). Don't losetup root partition again, as root partition has already
|
|||
|
been losetup'ed by /linuxrc program in the "initrd" ram-disk.
|
|||
|
|
|||
|
Init scripts reside on root partition and encryption keys within such init
|
|||
|
scripts are protected by root partition encryption. Of course, init scripts
|
|||
|
containing sensitive keys must be readable only by root user:
|
|||
|
|
|||
|
-rwx------ 1 root root 162 Nov 24 19:23 /etc/rcS.d/S07losetup.sh
|
|||
|
|
|||
|
Here is an example of /etc/rcS.d/S07losetup.sh Debian init script. Other
|
|||
|
distros may store such init scripts in different directory under different
|
|||
|
name. On SuSE, /etc/init.d/boot.d/S01losetup.sh may be more appropriate.
|
|||
|
|
|||
|
#!/bin/sh
|
|||
|
echo "Pd1eXapMJk0XAJnNSIzE" | losetup -p 0 -e AES128 -K /etc/swapkey.gpg /dev/loop6 /dev/hda666
|
|||
|
echo "D0aZNSNnu6FdAph+zrHt" | losetup -p 0 -e AES128 -K /etc/homekey.gpg /dev/loop4 /dev/hdd666
|
|||
|
|
|||
|
Above partitions use gpg encrypted key files. Having encrypted files on
|
|||
|
encrypted partition may seem little bit silly, but currently -K option is
|
|||
|
the easiest way to activate multi-key mode with more secure MD5 IV
|
|||
|
computation.
|
|||
|
|
|||
|
Here are example lines of /etc/fstab file. It's not necessary to give
|
|||
|
"loop=/dev/loop4,encryption=AES128" mount options as loop devices are
|
|||
|
already losetup'ed and there is no need for mount program to do that again.
|
|||
|
|
|||
|
/dev/loop5 / ext2 defaults 0 1
|
|||
|
/dev/loop6 none swap sw 0 0
|
|||
|
/dev/loop4 /home ext2 defaults 0 2
|
|||
|
|
|||
|
In above example, device /dev/hda666 is used as encrypted swap with fixed
|
|||
|
key. If you set up swap with fixed key like in above example, don't forget
|
|||
|
to initialize swap space by running "mkswap /dev/loop6" once. /dev/hdd666 is
|
|||
|
used as encrypted /home partition. /dev/loop5 is encrypted root partition,
|
|||
|
and it set up by /linuxrc program in "initrd" ram-disk.
|
|||
|
|
|||
|
|
|||
|
7.6. Example 6 - Boot from CD-ROM + encrypted root partition
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
Here is slight variation of above 'encrypting root partition' instructions.
|
|||
|
Computer gets booted from read-only CD-ROM and there is no need for any
|
|||
|
unencrypted partitions on the hard disk.
|
|||
|
|
|||
|
1-6) Same as above 'encrypting root partition' steps 1-6.
|
|||
|
|
|||
|
7) Copy kernel version specific loop.o or loop.ko module to CD-ROM source
|
|||
|
directory
|
|||
|
|
|||
|
rm -r -f /boot/iso/modules-*
|
|||
|
mkdir -p /boot/iso/modules-2.4.22aa1
|
|||
|
^^^^^^^^^
|
|||
|
cp -p /lib/modules/2.4.22aa1/block/loop.*o /boot/iso/modules-2.4.22aa1/
|
|||
|
^^^^^^^^^ ^^^^^^^^^
|
|||
|
8-9) Same as above 'encrypting root partition' steps 8-9, with exception
|
|||
|
that in step 9 you must write rootkey.gpg to /boot/iso directory instead
|
|||
|
of /boot directory.
|
|||
|
|
|||
|
10a) Contents of /boot/initrd.conf configuration file are below.
|
|||
|
|
|||
|
BOOTDEV=/dev/hdc # CD-ROM device
|
|||
|
BOOTTYPE=iso9660
|
|||
|
CRYPTROOT=/dev/hda2
|
|||
|
ROOTTYPE=ext2
|
|||
|
CIPHERTYPE=AES128
|
|||
|
DESTINATIONPREFIX=/boot/iso
|
|||
|
INITRDGZNAME=../initrd.gz
|
|||
|
LOADNATIONALKEYB=1
|
|||
|
|
|||
|
devfs enabled kernel users (CONFIG_DEVFS_FS=y and CONFIG_DEVFS_MOUNT=y
|
|||
|
in kernel configuration) need to pay special attention to comments above
|
|||
|
these build-initrd.sh options: USEDEVFS, BOOTDEV, CRYPTROOT and
|
|||
|
EXTERNALGPGDEV.
|
|||
|
|
|||
|
10b) Copy your national keyboard layout to CD-ROM source directory in
|
|||
|
uncompressed form.
|
|||
|
|
|||
|
dumpkeys >/boot/iso/default.kmap
|
|||
|
|
|||
|
11) Contents of /etc/lilo.conf configuration file are below. Two copies of
|
|||
|
'/dev/loop7' on first two lines refer to temporary file backed loop
|
|||
|
mount that is mounted on /mnt later in step 13a.
|
|||
|
|
|||
|
boot=/dev/loop7
|
|||
|
disk=/dev/loop7
|
|||
|
bios=0x00
|
|||
|
sectors=36
|
|||
|
heads=2
|
|||
|
cylinders=80
|
|||
|
geometric
|
|||
|
compact
|
|||
|
read-only
|
|||
|
prompt
|
|||
|
timeout=30
|
|||
|
vga=normal
|
|||
|
backup=/dev/null
|
|||
|
install=text
|
|||
|
map=/mnt/map
|
|||
|
image=/mnt/vmlinuz
|
|||
|
label=Linux
|
|||
|
append="init=/linuxrc rootfstype=minix"
|
|||
|
initrd=/mnt/initrd.gz
|
|||
|
root=/dev/ram0
|
|||
|
|
|||
|
12) Build new /boot/initrd.gz
|
|||
|
|
|||
|
./build-initrd.sh /boot/initrd.conf
|
|||
|
|
|||
|
13a) Build and mount minix file system on floppy image
|
|||
|
|
|||
|
dd if=/dev/zero of=/boot/iso/fdimage.bin bs=1024 count=2880
|
|||
|
mkfs -t minix -i 32 /boot/iso/fdimage.bin 2880
|
|||
|
mount -t minix /boot/iso/fdimage.bin /mnt -o loop=/dev/loop7
|
|||
|
|
|||
|
13b) Copy kernel and initrd.gz to floppy image
|
|||
|
|
|||
|
cp -p /boot/vmlinuz /mnt/vmlinuz
|
|||
|
cp -p /boot/initrd.gz /mnt/initrd.gz
|
|||
|
|
|||
|
13c) Run lilo and unmount floppy image
|
|||
|
|
|||
|
lilo
|
|||
|
umount /mnt
|
|||
|
sync
|
|||
|
|
|||
|
13d) Create boot CD-ROM image
|
|||
|
|
|||
|
mkisofs -r -b fdimage.bin /boot/iso >/boot/bootcdimage.iso
|
|||
|
|
|||
|
13e) Burn /boot/bootcdimage.iso to CD-R. Resulting CD-ROM is your boot
|
|||
|
CD-ROM that you use to boot to encrypted root, not the rescue CD-ROM
|
|||
|
referred to in above 'encrypting root partition' step 14.
|
|||
|
|
|||
|
You may want to burn two copies or at least archive bootcdimage.iso to
|
|||
|
some unencrypted partition so that you can burn new copy if original
|
|||
|
CD-ROM gets damaged.
|
|||
|
|
|||
|
13f) Temporarily disable swap partitions and put a "temporary file system on
|
|||
|
swap" into one of swap partitions. This example assumes that /dev/hda3
|
|||
|
is such swap partition. The 'dd' command clears first 64KB of that
|
|||
|
partition so that dangerously buggy rescue floppies/CD-ROMs don't enable
|
|||
|
swap on it.
|
|||
|
|
|||
|
swapoff -a
|
|||
|
dd if=/dev/zero of=/dev/hda3 bs=64k count=1 conv=notrunc
|
|||
|
mkfs -t ext2 /dev/hda3
|
|||
|
mount -t ext2 /dev/hda3 /mnt
|
|||
|
|
|||
|
13g) Copy statically linked aespipe and gpg programs and rootkey.gpg file to
|
|||
|
"temporary file system on swap" partition.
|
|||
|
|
|||
|
cp -p /boot/aespipe /boot/iso/rootkey.gpg /usr/bin/gpg /mnt
|
|||
|
umount /mnt
|
|||
|
|
|||
|
14-19) Same as above 'encrypting root partition' steps 14-19, with exception
|
|||
|
that in step 18 you must rw mount (no -r option to mount) "temporary
|
|||
|
file system on swap" /dev/hda3 instead of /boot partition.
|
|||
|
|
|||
|
20) Clean up and reboot your computer. The 'dd' command attempts to
|
|||
|
overwrite gpg encrypted root partition key file and 'mkswap' command
|
|||
|
restores "temporary file system on swap" /dev/hda3 back to swap usage.
|
|||
|
|
|||
|
dd if=/dev/zero of=/mnt/rootkey.gpg bs=64k count=1 conv=notrunc
|
|||
|
umount /mnt
|
|||
|
sync
|
|||
|
mkswap /dev/hda3
|
|||
|
sync
|
|||
|
reboot
|
|||
|
|
|||
|
If you are upgrading kernel of a system where root partition is already
|
|||
|
encrypted, only steps 5 to 7 and 13a to 13e are needed. However, if you are
|
|||
|
upgrading from 2.4 kernel to 2.6 kernel, new insmod may need to be copied to
|
|||
|
/boot/iso directory by running step 12 before running step 13a.
|
|||
|
|
|||
|
|
|||
|
8. Security levels
|
|||
|
~~~~~~~~~~~~~~~~~~
|
|||
|
Loop encryption key can be set up in different ways. Just in case it isn't
|
|||
|
obvious how these different ways rank security wise, here is a list of
|
|||
|
security levels from 1 (highest security) to 4 (lowest security).
|
|||
|
|
|||
|
1) gpg encrypted 'multi-key' key file and/or gpg public+private keys are
|
|||
|
stored on separate removable USB dongle that is not available to
|
|||
|
attacker. If USB dongle and its key files are available to attacker,
|
|||
|
security level is equivalent to level 2. (Example 2)
|
|||
|
|
|||
|
2) gpg encrypted 'multi-key' key file and gpg public+private keys are
|
|||
|
stored on disk that is available to attacker. This assumes that included
|
|||
|
gpg patch is applied to gpg and symmetric cipher encrypted key file or
|
|||
|
private keyring password was created/changed with patched version.
|
|||
|
(Example 3)
|
|||
|
|
|||
|
3) Loop is used in single-key mode. Random password seed and iteration
|
|||
|
count are used to slow down optimized dictionary attacks. This level is
|
|||
|
vulnerable to watermark attacks. Watermarked files contain special bit
|
|||
|
patterns that can be detected without decryption.
|
|||
|
|
|||
|
4) Loop is used in single-key mode. Neither password seed nor gpg encrypted
|
|||
|
key file are used. This level is vulnerable to optimized dictionary
|
|||
|
attacks as well as watermark attacks. (mainline linux cryptoloop is
|
|||
|
example of this type of backdoored crypto)
|
|||
|
|
|||
|
|
|||
|
9. Performance tuning for 2.4 and newer kernels
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
Loop-AES driver for 2.4 and newer kernels understand two additional options:
|
|||
|
lo_prealloc and lo_nice. First number of 'lo_prealloc' is the default number
|
|||
|
of RAM pages to pre-allocate for each device backed (partition backed) loop.
|
|||
|
Every configured device backed loop pre-allocates this amount of RAM pages
|
|||
|
unless later 'lo_prealloc' numbers provide an override. 'lo_prealloc'
|
|||
|
overrides are defined in pairs: loop_index,number_of_pages. If 'lo_prealloc'
|
|||
|
is undefined, all pre-allocations default to 125 pages. A maximum of four
|
|||
|
overrides (four number pairs) can be used.
|
|||
|
|
|||
|
This example line added to your /etc/modules.conf file means that each
|
|||
|
device backed loop device pre-allocates 100 pages of RAM at losetup/mount
|
|||
|
time, except that /dev/loop6 allocates 200 pages, and /dev/loop5 allocates
|
|||
|
250 pages.
|
|||
|
|
|||
|
options loop lo_prealloc=100,6,200,5,250
|
|||
|
|
|||
|
On x86 systems page size is 4 Kbytes, some other architectures have 8 Kbyte
|
|||
|
page size.
|
|||
|
|
|||
|
lo_nice option sets scheduler nice for loop helper threads. Values between 0
|
|||
|
(low priority) to -20 (high priority) can be used. If loop transfers are
|
|||
|
disk transfer rate limited, lowering loop thread priority may improve
|
|||
|
performance. If loop transfers are CPU processing power limited, increasing
|
|||
|
loop thread priority may improve performance. renice(8) command can be used
|
|||
|
to alter nice values of loop helper threads while loop is being used.
|
|||
|
Example /etc/modules.conf line:
|
|||
|
|
|||
|
options loop lo_nice=-4
|
|||
|
|
|||
|
If lo_nice is not set, default nice value for kernels with old scheduler is
|
|||
|
-20. For kernels with O(1) scheduler, default nice value is -1.
|
|||
|
|
|||
|
2.6 kernels include anticipatory (the default) and deadline I/O schedulers.
|
|||
|
Deadline I/O scheduler may improve performance of device backed loop
|
|||
|
devices.<2E>Please read kernel's Documentation/as-iosched.txt file for more
|
|||
|
information.
|
|||
|
|
|||
|
|
|||
|
10. Files
|
|||
|
~~~~~~~~~
|
|||
|
ChangeLog History of changes and public releases.
|
|||
|
|
|||
|
Makefile Makefile to build and install loop.o module.
|
|||
|
|
|||
|
README This README file.
|
|||
|
|
|||
|
aes-GPL.diff A patch for aes-amd64.S and aes-x86.S files that
|
|||
|
updates licenses to be fully GPL compatible.
|
|||
|
aes-amd64.S and aes-x86.S files are derived from
|
|||
|
Brian Gladman's December 2001 published version
|
|||
|
that had no mention of GPL, but both Brian
|
|||
|
Gladman and Jari Ruusu permit this license
|
|||
|
change.
|
|||
|
|
|||
|
aes-amd64.S Optimized assembler implementation of AES cipher
|
|||
|
for AMD64 and compatible processors.
|
|||
|
|
|||
|
aes-x86.S Optimized assembler implementation of AES cipher
|
|||
|
for x86 processors.
|
|||
|
|
|||
|
aes.[ch] AES encryption functions, portable and usable in
|
|||
|
kernel and in user space, as well as in other
|
|||
|
operating systems.
|
|||
|
|
|||
|
build-initrd.sh Bash shell script to build a small initrd
|
|||
|
ram-disk that can be used when root partition is
|
|||
|
encrypted.
|
|||
|
|
|||
|
dkms.conf Configuration file for Dynamic Kernel Module
|
|||
|
Support. http://linux.dell.com/dkms/dkms.html
|
|||
|
for more info. This dkms.conf can't be used to
|
|||
|
compile loop module with partial kernel sources
|
|||
|
that some distros provide. Build procedure
|
|||
|
depends on presence of full kernel sources, and
|
|||
|
using partial kernel source to build loop module
|
|||
|
will guarantee miscompiled loop module.
|
|||
|
|
|||
|
glue.c Glue logic between loop driver and encryption
|
|||
|
functions in aes.c / aes-*.S and md5.c / md5-*.S
|
|||
|
|
|||
|
gnupg-*.diff Optional patch for gpg that increases password
|
|||
|
iteration and thus slows down dictionary attacks
|
|||
|
against gpg encrypted key files.
|
|||
|
|
|||
|
gpgkey[12].asc gpg encrypted key files that are used by
|
|||
|
Makefile when "make tests" command is run. These
|
|||
|
key files are encrypted with symmetric cipher
|
|||
|
using 12345678901234567890 password.
|
|||
|
|
|||
|
kernel-2.[46].*.diff Kernel patch for those people who prefer not to
|
|||
|
use modules. Before this patch can be applied to
|
|||
|
your kernel, drivers/block/loop.c and
|
|||
|
include/linux/loop.h source files must be
|
|||
|
removed using 'rm' command. Obviously applying
|
|||
|
this patch changes your kernel sources, so this
|
|||
|
is not entirely hassle free. This patch is
|
|||
|
against recent mainline kernel. If this patch
|
|||
|
doesn't apply cleanly to your kernel, I don't
|
|||
|
want to know about it. Note: you only need to
|
|||
|
build loop.o module or apply this patch but not
|
|||
|
both.
|
|||
|
|
|||
|
loop.c-2.[02].diff Kernel version specific patches that fix bugs
|
|||
|
and preregisters AES cipher transfer to latest
|
|||
|
loop.c source.
|
|||
|
|
|||
|
loop.c-2.[02].original Unmodified loop.c sources that are used as
|
|||
|
secondary source if patch does not apply cleanly
|
|||
|
to primary source. Primary source is the loop.c
|
|||
|
of your kernel.
|
|||
|
|
|||
|
loop.c-2.[46].patched Pre-patched loop.c sources for kernels where
|
|||
|
changes are so extensive that distributing
|
|||
|
*.original plus *.diff does not make sense.
|
|||
|
|
|||
|
md5-amd64.S Optimized assembler implementation of MD5
|
|||
|
transform function for AMD64 and compatible
|
|||
|
processors.
|
|||
|
|
|||
|
md5-x86.S Optimized assembler implementation of MD5
|
|||
|
transform function for x86 processors.
|
|||
|
|
|||
|
md5.[ch] MD5 transform function implementation that is
|
|||
|
used to compute IVs. This source code was copied
|
|||
|
from Linux kernel CryptoAPI implementation.
|
|||
|
|
|||
|
util-linux-2.12*.diff Util-linux patch that adds support for AES and
|
|||
|
other ciphers.
|
|||
|
|
|||
|
|
|||
|
11. Credits
|
|||
|
~~~~~~~~~~~
|
|||
|
This package uses AES cipher sources that were originally written by
|
|||
|
Dr Brian Gladman:
|
|||
|
|
|||
|
// Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK.
|
|||
|
// All rights reserved.
|
|||
|
//
|
|||
|
// TERMS
|
|||
|
//
|
|||
|
// Redistribution and use in source and binary forms, with or without
|
|||
|
// modification, are permitted subject to the following conditions:
|
|||
|
//
|
|||
|
// 1. Redistributions of source code must retain the above copyright
|
|||
|
// notice, this list of conditions and the following disclaimer.
|
|||
|
//
|
|||
|
// 2. Redistributions in binary form must reproduce the above copyright
|
|||
|
// notice, this list of conditions and the following disclaimer in the
|
|||
|
// documentation and/or other materials provided with the distribution.
|
|||
|
//
|
|||
|
// 3. The copyright holder's name must not be used to endorse or promote
|
|||
|
// any products derived from this software without his specific prior
|
|||
|
// written permission.
|
|||
|
//
|
|||
|
// This software is provided 'as is' with no express or implied warranties
|
|||
|
// of correctness or fitness for purpose.
|
|||
|
|
|||
|
Util-linux patch has few lines of documentation copied from international
|
|||
|
crypto patch: -p option documentation in losetup and mount man pages were
|
|||
|
written by Marc Mutz.
|
|||
|
|
|||
|
Util-linux patch includes rmd160.[ch] files that were copied from
|
|||
|
international crypto patch: they were originally written by GnuPG team and
|
|||
|
modified by Marc Mutz.
|