| 1 |
<hr/> |
| 2 |
|
| 3 |
Debian-stable and AES-loop(crypto-api) file-system encryption(kernel 2.6.x): |
| 4 |
- read: |
| 5 |
http://www.mirrors.wiretapped.net/security/cryptography/filesystems/loop-aes/loop-AES.README |
| 6 |
http://www.sdc.org/~leila/usb-dongle/readme.html |
| 7 |
http://www.kerneli.org/howto/node3.php |
| 8 |
http://www.linuxsecurity.com/docs/HOWTO/Encryption-HOWTO/ |
| 9 |
- updated/new packages needed for 2.6: |
| 10 |
coreutils |
| 11 |
modconf |
| 12 |
modutils |
| 13 |
module-init-tools |
| 14 |
#: apt-get install modutils modconf module-init-tools coreutils -t testing |
| 15 |
- updated/new packages needed for aes-cryptoloop: |
| 16 |
loop-aes-utils |
| 17 |
util-linux (testing) |
| 18 |
- new packages needed for crypto-swap script: |
| 19 |
sharutils (uuencode) |
| 20 |
- create encrypted fs: |
| 21 |
echo ${PASSPHRASE} | losetup -p 0 -e aes-256 ${LOOPDEV} ${DEVICE} |
| 22 |
- with special seed: |
| 23 |
echo ${PASSPHRASE} | losetup -p 0 -S ${SEED} -e aes-256 ${LOOPDEV} ${DEVICE} |
| 24 |
- for crypto-swap, try this script: |
| 25 |
#------------------------ crypto-swap begin ------------------------------------ |
| 26 |
#!/bin/sh |
| 27 |
# Run this script somewhere in your startup scripts _after_ random |
| 28 |
# number generator has been initialized and /usr has been mounted. |
| 29 |
# (md5sum, uuencode, tail and head programs usually reside in /usr/bin/) |
| 30 |
|
| 31 |
# encrypted swap partition |
| 32 |
SWAPDEVICE=/dev/hda3 |
| 33 |
|
| 34 |
# loop device name |
| 35 |
LOOPDEV=/dev/loop6 |
| 36 |
|
| 37 |
MD=`dd if=${SWAPDEVICE} bs=4k count=10 2>/dev/null | md5sum` |
| 38 |
for X in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ; do |
| 39 |
dd if=/dev/zero of=${SWAPDEVICE} bs=4k count=10 conv=notrunc 2>/dev/null |
| 40 |
sync |
| 41 |
done |
| 42 |
UR=`dd if=/dev/urandom bs=18 count=1 2>/dev/null \ |
| 43 |
| uuencode -m - | head -n 2 | tail -n 1` |
| 44 |
echo ${MD}${UR} | losetup -p 0 -e aes-256-cbc ${LOOPDEV} ${SWAPDEVICE} |
| 45 |
MD= |
| 46 |
UR= |
| 47 |
dd if=/dev/zero of=${LOOPDEV} bs=4k count=10 conv=notrunc 2>/dev/null |
| 48 |
sync |
| 49 |
mkswap ${LOOPDEV} |
| 50 |
sync |
| 51 |
swapon ${LOOPDEV} |
| 52 |
#------------------------ crypto-swap end -------------------------------------- |
| 53 |
|
| 54 |
- mounting encrypted file sytems at boot-time |
| 55 |
- for interactive key-passphrase, add following at /etc/fstab: |
| 56 |
/dev/hda6 <mount-point> <fs-type> defaults,loop=/dev/loop6,encryption=AES256 0 0 |
| 57 |
|
| 58 |
with this method you have to enter your passphrase at boot-time (when the encrypted fs will be mounted) |
| 59 |
|
| 60 |
- with use of init script (WARNING: password/seed have to be written in PLAINTEXT!!): |
| 61 |
- create follwing script at '/etc/init.d/prepare-cryptofs.sh': |
| 62 |
#------------------------ prepare-cryptofs.sh begin ------------------------------------ |
| 63 |
#!/bin/sh |
| 64 |
# encrypted partition |
| 65 |
DEVICE=/dev/hda3 |
| 66 |
# loop device name |
| 67 |
LOOPDEV=/dev/loop3 |
| 68 |
|
| 69 |
PASSPHRASE="WSyPeR1gh07fvoyNZjtxo7Y6F4o=" |
| 70 |
SEED="NUmdxSWIbPdYijbdo/0v" |
| 71 |
|
| 72 |
case "$1" in |
| 73 |
start) |
| 74 |
echo "Setting up loop devices used for crypto-fs..." |
| 75 |
echo ${PASSPHRASE} | losetup -p 0 -S ${SEED} -e aes-256 ${LOOPDEV} ${DEVICE} |
| 76 |
;; |
| 77 |
stop) |
| 78 |
echo "Deleting loop device used for cryptofs..." |
| 79 |
losetup -d ${LOOPDEV} |
| 80 |
;; |
| 81 |
*) |
| 82 |
echo "usage: $0 {start|stop}" |
| 83 |
exit 1 |
| 84 |
esac |
| 85 |
exit 0 |
| 86 |
#------------------------ prepare-cryptofs.sh end -------------------------------------- |
| 87 |
|
| 88 |
<hr/> |
| 89 |
$Id: notes_2003-07.twingle,v 1.1 2003/07/25 22:20:57 jonen Exp $ |
| 90 |
|
Parent Directory
| 
Revision Log
