/[cvs]/jonen/notes/notes_2004-06.twingle
ViewVC logotype

Annotation of /jonen/notes/notes_2004-06.twingle

Parent Directory Parent Directory | Revision Log Revision Log


Revision 1.3 - (hide annotations)
Thu Jun 10 19:13:40 2004 UTC (20 years, 6 months ago) by jonen
Branch: MAIN
Changes since 1.2: +33 -3 lines
updated

1 jonen 1.1 <hr/>
2    
3     Debian-stable and AES-loop(crypto-api) file-system encryption(kernel 2.6.x):
4     - read:
5     http://www.mirrors.wiretapped.net/security/cryptography/filesystems/loop-aes/loop-AES.README
6     http://www.sdc.org/~leila/usb-dongle/readme.html
7     http://www.kerneli.org/howto/node3.php
8     http://www.linuxsecurity.com/docs/HOWTO/Encryption-HOWTO/
9 jonen 1.2 http://debid.vlsm.org/share/HOWTO/Encrypted-Root-Filesystem-HOWTO
10 jonen 1.1 - updated/new packages needed for 2.6:
11     coreutils
12     modconf
13     modutils
14     module-init-tools
15     #: apt-get install modutils modconf module-init-tools coreutils -t testing
16     - updated/new packages needed for aes-cryptoloop:
17     loop-aes-utils
18     util-linux (testing)
19     - new packages needed for crypto-swap script:
20     sharutils (uuencode)
21 jonen 1.3 - create random passphrase/seed
22     #: head -c <LENGTH> /dev/urandom | uuencode -m - | head -n 2 | tail -n 1
23 jonen 1.1 - create encrypted fs:
24 jonen 1.3 (passphrase need min 20 characters!!)
25 jonen 1.1 echo ${PASSPHRASE} | losetup -p 0 -e aes-256 ${LOOPDEV} ${DEVICE}
26     - with special seed:
27     echo ${PASSPHRASE} | losetup -p 0 -S ${SEED} -e aes-256 ${LOOPDEV} ${DEVICE}
28     - for crypto-swap, try this script:
29     #------------------------ crypto-swap begin ------------------------------------
30     #!/bin/sh
31     # Run this script somewhere in your startup scripts _after_ random
32     # number generator has been initialized and /usr has been mounted.
33     # (md5sum, uuencode, tail and head programs usually reside in /usr/bin/)
34    
35     # encrypted swap partition
36     SWAPDEVICE=/dev/hda3
37    
38     # loop device name
39     LOOPDEV=/dev/loop6
40    
41     MD=`dd if=${SWAPDEVICE} bs=4k count=10 2>/dev/null | md5sum`
42     for X in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ; do
43     dd if=/dev/zero of=${SWAPDEVICE} bs=4k count=10 conv=notrunc 2>/dev/null
44     sync
45     done
46     UR=`dd if=/dev/urandom bs=18 count=1 2>/dev/null \
47     | uuencode -m - | head -n 2 | tail -n 1`
48     echo ${MD}${UR} | losetup -p 0 -e aes-256-cbc ${LOOPDEV} ${SWAPDEVICE}
49     MD=
50     UR=
51     dd if=/dev/zero of=${LOOPDEV} bs=4k count=10 conv=notrunc 2>/dev/null
52     sync
53     mkswap ${LOOPDEV}
54     sync
55     swapon ${LOOPDEV}
56     #------------------------ crypto-swap end --------------------------------------
57    
58     - mounting encrypted file sytems at boot-time
59     - for interactive key-passphrase, add following at /etc/fstab:
60     /dev/hda6 <mount-point> <fs-type> defaults,loop=/dev/loop6,encryption=AES256 0 0
61    
62     with this method you have to enter your passphrase at boot-time (when the encrypted fs will be mounted)
63    
64     - with use of init script (WARNING: password/seed have to be written in PLAINTEXT!!):
65     - create follwing script at '/etc/init.d/prepare-cryptofs.sh':
66     #------------------------ prepare-cryptofs.sh begin ------------------------------------
67     #!/bin/sh
68     # encrypted partition
69     DEVICE=/dev/hda3
70     # loop device name
71     LOOPDEV=/dev/loop3
72    
73 jonen 1.3 PASSPHRASE="<YOUR_PASSPHRASE>" # min 20 characters
74     SEED="<YOUR_SEED>"
75 jonen 1.1
76     case "$1" in
77     start)
78     echo "Setting up loop devices used for crypto-fs..."
79     echo ${PASSPHRASE} | losetup -p 0 -S ${SEED} -e aes-256 ${LOOPDEV} ${DEVICE}
80     ;;
81     stop)
82     echo "Deleting loop device used for cryptofs..."
83     losetup -d ${LOOPDEV}
84     ;;
85     *)
86     echo "usage: $0 {start|stop}"
87     exit 1
88     esac
89     exit 0
90     #------------------------ prepare-cryptofs.sh end --------------------------------------
91 jonen 1.3
92    
93    
94     FreeBSD(stable) - port update bugs (06.2004)
95     BUG: php4 won't comile with e.g. gettext,imap,mcrypt
96     FIX: Add a '-lc_r' to the libraries php is linked against.
97     (from http://lists.freebsd.org/pipermail/freebsd-ports/2003-September/004231.html)
98     - for php4, do:
99     export LDDFLAGS='-lc_r'
100     change entries at Makefiles of following ports:
101     - gettext at /Makefile:
102     change
103     LDFLAGS="-L${LOCALBASE}/lib"
104     to
105     LDFLAGS="-lc_r -L${LOCALBASE}/lib"
106     - libxml2 at /Makefile:
107     change
108     LDFLAGS="-L${LOCALBASE}/lib"
109     to
110     LDFLAGS="-lc_r -L${LOCALBASE}/lib"
111     - cclient at work/libc-client/Makefile:
112     change
113     EXTRALDFLAGS=
114     to
115     EXTRALDFLAGS=-lc_r
116    
117    
118 jonen 1.1
119     <hr/>
120 jonen 1.3 $Id: notes_2004-06.twingle,v 1.2 2004/06/02 22:47:22 jonen Exp $
121 jonen 1.1

MailToCvsAdmin">MailToCvsAdmin
ViewVC Help
Powered by ViewVC 1.1.26 RSS 2.0 feed