Annotation of /jonen/notes/notes_2004-06.twingle


Revision 1.1 - (hide annotations)
Wed Jun 2 22:45:38 2004 UTC (20 years, 1 month ago) by jonen
Branch: MAIN
initial commit

<hr/>

Debian-stable and AES-loop (crypto-api) file-system encryption (kernel 2.6.x):
- read:
  http://www.mirrors.wiretapped.net/security/cryptography/filesystems/loop-aes/loop-AES.README
  http://www.sdc.org/~leila/usb-dongle/readme.html
  http://www.kerneli.org/howto/node3.php
  http://www.linuxsecurity.com/docs/HOWTO/Encryption-HOWTO/
- updated/new packages needed for 2.6:
  coreutils
  modconf
  modutils
  module-init-tools
  #: apt-get install modutils modconf module-init-tools coreutils -t testing
- updated/new packages needed for aes-cryptoloop:
  loop-aes-utils
  util-linux (testing)
- new packages needed for crypto-swap script:
  sharutils (uuencode)
- create encrypted fs:
  echo ${PASSPHRASE} | losetup -p 0 -e aes-256 ${LOOPDEV} ${DEVICE}
- with special seed:
  echo ${PASSPHRASE} | losetup -p 0 -S ${SEED} -e aes-256 ${LOOPDEV} ${DEVICE}
- for crypto-swap, try this script:
#------------------------ crypto-swap begin ------------------------------------
#!/bin/sh
# Run this script somewhere in your startup scripts _after_ random
# number generator has been initialized and /usr has been mounted.
# (md5sum, uuencode, tail and head programs usually reside in /usr/bin/)

# encrypted swap partition
SWAPDEVICE=/dev/hda3

# loop device name
LOOPDEV=/dev/loop6

# md5 of the first 40k of the previous swap contents (extra input for the key)
MD=`dd if=${SWAPDEVICE} bs=4k count=10 2>/dev/null | md5sum`
# then overwrite that region with zeros, 20 times
for X in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ; do
    dd if=/dev/zero of=${SWAPDEVICE} bs=4k count=10 conv=notrunc 2>/dev/null
    sync
done
# 18 random bytes, base64-encoded (uuencode -m), as the random part of the key
UR=`dd if=/dev/urandom bs=18 count=1 2>/dev/null \
    | uuencode -m - | head -n 2 | tail -n 1`
# throw-away passphrase MD+UR goes to losetup over stdin (-p 0); it is never
# stored, so the swap contents cannot be decrypted after a reboot
echo ${MD}${UR} | losetup -p 0 -e aes-256-cbc ${LOOPDEV} ${SWAPDEVICE}
MD=
UR=
# wipe the old swap signature through the loop device, then create new swap
dd if=/dev/zero of=${LOOPDEV} bs=4k count=10 conv=notrunc 2>/dev/null
sync
mkswap ${LOOPDEV}
sync
swapon ${LOOPDEV}
#------------------------ crypto-swap end --------------------------------------

- mounting encrypted file systems at boot-time
  - for interactive key-passphrase, add the following to /etc/fstab:
    /dev/hda6 <mount-point> <fs-type> defaults,loop=/dev/loop6,encryption=AES256 0 0

    with this method you have to enter your passphrase at boot-time (when the encrypted fs is mounted)

  - with use of an init script (WARNING: password/seed have to be written in PLAINTEXT!!):
    - create the following script at '/etc/init.d/prepare-cryptofs.sh':
#------------------------ prepare-cryptofs.sh begin ------------------------------------
#!/bin/sh
# encrypted partition
DEVICE=/dev/hda3
# loop device name
LOOPDEV=/dev/loop3

# passphrase and seed in plaintext (see WARNING above): keep this file
# readable by root only
PASSPHRASE="WSyPeR1gh07fvoyNZjtxo7Y6F4o="
SEED="NUmdxSWIbPdYijbdo/0v"

case "$1" in
    start)
        echo "Setting up loop devices used for crypto-fs..."
        # passphrase over stdin (-p 0), seed via -S, same as the manual setup
        echo ${PASSPHRASE} | losetup -p 0 -S ${SEED} -e aes-256 ${LOOPDEV} ${DEVICE}
        ;;
    stop)
        echo "Deleting loop device used for cryptofs..."
        losetup -d ${LOOPDEV}
        ;;
    *)
        echo "usage: $0 {start|stop}"
        exit 1
esac
exit 0
#------------------------ prepare-cryptofs.sh end --------------------------------------
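One way to take the plaintext passphrase and seed out of the init script itself while keeping the same losetup invocation, as an added example that is not part of jonen's notes: the key material lives in a separate key file (the path /etc/cryptofs.key and its two-line layout are assumptions), and the script refuses to start unless that file is mode 0600 and owned by the user running it.

```shell
#!/bin/sh
# Added example, not jonen's script: prepare-cryptofs.sh with the passphrase
# and seed moved out of the script into a key file that only root can read.
# Assumed key file layout (path is a placeholder): line 1 = passphrase,
# line 2 = seed, exactly the values that were in PASSPHRASE/SEED before.
DEVICE=/dev/hda3                      # encrypted partition
LOOPDEV=/dev/loop3                    # loop device name
KEYFILE=${KEYFILE:-/etc/cryptofs.key} # assumed location of the key file

# Return 0 only if the key file exists, is owned by the invoking user
# (root when run from init) and is readable by nobody else (mode 0600).
check_keyfile() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    set -- $(ls -ln "$f")             # -n: numeric uid, no name lookup
    mode=$1; uid=$3
    [ "$uid" = "$(id -u)" ] || { echo "$f: wrong owner $uid" >&2; return 1; }
    case $mode in
        -rw-------*) return 0 ;;      # trailing '.' or '+' (SELinux/ACL) ok
        *) echo "$f: mode must be 0600, got $mode" >&2; return 1 ;;
    esac
}

# Same losetup call as the original: passphrase over stdin (-p 0), so it
# never appears on a command line; the seed still does, as in the notes.
start_cryptofs() {
    check_keyfile "$KEYFILE" || return 1
    passphrase=$(sed -n 1p "$KEYFILE")
    seed=$(sed -n 2p "$KEYFILE")
    echo "Setting up loop device used for crypto-fs..."
    printf '%s\n' "$passphrase" |
        losetup -p 0 -S "$seed" -e aes-256 "$LOOPDEV" "$DEVICE"
}

stop_cryptofs() {
    echo "Deleting loop device used for cryptofs..."
    losetup -d "$LOOPDEV"
}

case ${1:-} in
    start) start_cryptofs ;;
    stop)  stop_cryptofs ;;
    "")    ;;                         # no argument: only define the functions
    *)     echo "usage: $0 {start|stop}" >&2; exit 1 ;;
esac
```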

<hr/>
$Id: notes_2003-07.twingle,v 1.1 2003/07/25 22:20:57 jonen Exp $

