
Contents of /jonen/notes/notes_2004-06.twingle



Revision 1.2 - (show annotations)
Wed Jun 2 22:47:22 2004 UTC by jonen
Branch: MAIN
Changes since 1.1: +2 -1 lines
added link

<hr/>

Debian-stable and AES-loop (crypto-api) file-system encryption (kernel 2.6.x):
- read:
    http://www.mirrors.wiretapped.net/security/cryptography/filesystems/loop-aes/loop-AES.README
    http://www.sdc.org/~leila/usb-dongle/readme.html
    http://www.kerneli.org/howto/node3.php
    http://www.linuxsecurity.com/docs/HOWTO/Encryption-HOWTO/
    http://debid.vlsm.org/share/HOWTO/Encrypted-Root-Filesystem-HOWTO
- updated/new packages needed for 2.6:
    coreutils
    modconf
    modutils
    module-init-tools
    #: apt-get install modutils modconf module-init-tools coreutils -t testing
- updated/new packages needed for aes-cryptoloop:
    loop-aes-utils
    util-linux (testing)
- new packages needed for crypto-swap script:
    sharutils (uuencode)
- create encrypted fs:
    echo ${PASSPHRASE} | losetup -p 0 -e aes-256 ${LOOPDEV} ${DEVICE}
- with special seed:
    echo ${PASSPHRASE} | losetup -p 0 -S ${SEED} -e aes-256 ${LOOPDEV} ${DEVICE}
- for crypto-swap, try this script:
#------------------------ crypto-swap begin ------------------------------------
#!/bin/sh
# Run this script somewhere in your startup scripts _after_ random
# number generator has been initialized and /usr has been mounted.
# (md5sum, uuencode, tail and head programs usually reside in /usr/bin/)

# encrypted swap partition
SWAPDEVICE=/dev/hda3

# loop device name
LOOPDEV=/dev/loop6

# digest of the old swap contents, mixed into the key before the area is wiped
MD=`dd if=${SWAPDEVICE} bs=4k count=10 2>/dev/null | md5sum`
for X in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ; do
    dd if=/dev/zero of=${SWAPDEVICE} bs=4k count=10 conv=notrunc 2>/dev/null
    sync
done
# 18 random bytes, base64-encoded by uuencode -m (second output line)
UR=`dd if=/dev/urandom bs=18 count=1 2>/dev/null \
    | uuencode -m - | head -n 2 | tail -n 1`
echo ${MD}${UR} | losetup -p 0 -e aes-256-cbc ${LOOPDEV} ${SWAPDEVICE}
MD=
UR=
dd if=/dev/zero of=${LOOPDEV} bs=4k count=10 conv=notrunc 2>/dev/null
sync
mkswap ${LOOPDEV}
sync
swapon ${LOOPDEV}
#------------------------ crypto-swap end --------------------------------------

- mounting encrypted file systems at boot-time
    - for an interactive key passphrase, add the following to /etc/fstab:
        /dev/hda6 <mount-point> <fs-type> defaults,loop=/dev/loop6,encryption=AES256 0 0

      with this method you have to enter your passphrase at boot-time (when the encrypted fs is mounted)

    - with use of an init script (WARNING: passphrase/seed have to be written in PLAINTEXT!!):
        - create the following script at '/etc/init.d/prepare-cryptofs.sh':
#------------------------ prepare-cryptofs.sh begin ------------------------------------
#!/bin/sh
# encrypted partition
DEVICE=/dev/hda3
# loop device name
LOOPDEV=/dev/loop3

PASSPHRASE="WSyPeR1gh07fvoyNZjtxo7Y6F4o="
SEED="NUmdxSWIbPdYijbdo/0v"

case "$1" in
    start)
        echo "Setting up loop devices used for crypto-fs..."
        echo ${PASSPHRASE} | losetup -p 0 -S ${SEED} -e aes-256 ${LOOPDEV} ${DEVICE}
        ;;
    stop)
        echo "Deleting loop device used for cryptofs..."
        losetup -d ${LOOPDEV}
        ;;
    *)
        echo "usage: $0 {start|stop}"
        exit 1
esac
exit 0
#------------------------ prepare-cryptofs.sh end --------------------------------------
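The init-script method leaves PASSPHRASE and SEED in a file that is normally installed with mode 755, so any local account can read the key material. Below is an added check, not part of the note or of loop-AES, that audits such a script for a hard-coded PASSPHRASE/SEED readable by group or others and for the 20-character passphrase minimum that loop-AES enforces; it assumes a POSIX sh with GNU stat (a BSD stat fallback is included).

```shell
#!/bin/sh
# Added check: audit an init script like prepare-cryptofs.sh for loop-AES
# key material that other local users could read. Prints findings and
# returns 0 (no issue), 1 (issue found) or 2 (file missing).
# Assumes GNU stat (-c %a); falls back to BSD stat (-f %Lp).
audit_cryptofs_script() {
    f="$1"
    rc=0
    [ -f "$f" ] || { echo "no such file: $f"; return 2; }
    # Octal mode such as 755 (the usual mode of an /etc/init.d script)
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    # Keep the last three digits so a setuid/sticky prefix is ignored
    perm=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')
    # Group and other digits: a read bit is present in any digit 4-7
    group_other=$(printf '%s' "$perm" | cut -c2-3)
    # The note's script stores the secrets in these two variables
    for var in PASSPHRASE SEED; do
        val=$(sed -n "s/^[[:space:]]*${var}=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$f" | head -n 1)
        [ -n "$val" ] || continue
        case "$group_other" in
            *[4567]*)
                echo "$f: $var is hard-coded and readable by group/other (mode $perm)"
                rc=1 ;;
            *)
                echo "$f: $var is hard-coded (mode $perm limits it to the owner)" ;;
        esac
        # loop-AES rejects passphrases shorter than 20 characters
        if [ "$var" = PASSPHRASE ] && [ "${#val}" -lt 20 ]; then
            echo "$f: PASSPHRASE is ${#val} characters, loop-AES needs at least 20"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: sh audit.sh /etc/init.d/prepare-cryptofs.sh
if [ "$#" -gt 0 ]; then
    audit_cryptofs_script "$1"
fi
```

A mode of 700 only removes the read access of other users; the secrets are still on disk in clear, which is the trade-off the warning above refers to.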

<hr/>
$Id: notes_2004-06.twingle,v 1.1 2004/06/02 22:45:38 jonen Exp $

