sgml to xml

This commit is contained in:
gferg 2005-03-13 22:11:45 +00:00
parent 937e250ec6
commit 1a35ba7826
1 changed files with 75 additions and 38 deletions


@ -1,4 +1,7 @@
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://docbook.org/xml/4.2/docbookx.dtd" []>
<article class="whitepaper" id="Encrypted-Root-Filesystem-HOWTO">
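Review bot: the new prolog declares encoding="ISO-8859-1", so the file must really be stored as Latin-1 bytes; the contributor list later in this same commit adds accented names (Pérez Estévez, László, Guérard), and if the editor saved the file as UTF-8 an XML parser will reject or mangle the document, so run `xmllint --noout` on the result before committing. The public identifier "-//OASIS//DTD DocBook XML V4.2//EN" is paired with a system identifier on docbook.org; make sure the build host's XML catalog maps it to a local copy of docbookx.dtd, otherwise every build fetches the DTD over plain HTTP, which is both a network dependency and an unauthenticated input to the toolchain.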
@ -27,6 +30,13 @@ Version 1.2.
<revhistory>
<revision>
<revnumber>v1.3</revnumber>
<date>2005-03-13</date>
<authorinitials>cd</authorinitials>
<revremark>Updated the packages version.</revremark>
</revision>
<revision>
<revnumber>v1.2</revnumber>
<date>2004-10-20</date>
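Review bot: the revremark "Updated the packages version." understates the change and has a grammar slip ("package versions"). This commit also converts the source from SGML to DocBook XML, moves the loop-AES seed from a value hard-coded in the initrd to a boot-time prompt, and makes /sbin/losetup immutable; a reader comparing v1.2 and v1.3 would want those listed, e.g. "Converted to DocBook XML; updated package versions; seed is now entered at boot; losetup made immutable."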
@ -96,32 +106,46 @@ Units = cylinders of 16065 * 512 bytes
/dev/hda2 2 263 2104515 83 Linux
/dev/hda3 264 525 2104515 83 Linux
/dev/hda4 526 2047 12225465 83 Linux</screen>
</para>
</para>
</sect2>
<sect2 id="debian-packages">
<title>Required packages</title>
<para>
If you use Debian, the following packages are mandatory:
</para><para>
<screen>apt-get install gcc make libncurses5-dev patch bzip2 wget</screen>
</para><para>
To make copy &amp; paste easier, you should also install:
</para><para>
<screen>apt-get install lynx gpm</screen>
</para>
</sect2>
<sect2 id="install-kernel-2.4">
<title>Installing Linux-2.4.27</title>
<title>Installing Linux-2.4.29</title>
<para>
There are two main projects which add loopback encryption support in the
kernel: cryptoloop and loop-AES. This howto is based on loop-AES, since it
features an extremely fast and highly optimized implementation of Rijndael
in assembly language, and therefore provides maximum performance if
you have an IA-32 (x86) CPU. Besides, there are some
<ulink url="http://groups.google.fr/groups?selm=1emrG-1Ck-25%40gated-at.bofh.it">security concerns</ulink>
<ulink url="http://groups.google.com/groups?selm=1emrG-1Ck-25%40gated-at.bofh.it">security concerns</ulink>
about cryptoloop.
</para><para>
First of all, download and unpack the loop-AES package:
</para><para>
<screen>wget http://loop-aes.sourceforge.net/loop-AES/loop-AES-v2.2b.tar.bz2
tar -xvjf loop-AES-v2.2b.tar.bz2</screen>
<screen>cd /usr/src
wget http://loop-aes.sourceforge.net/loop-AES/loop-AES-v3.0b.tar.bz2
tar -xvjf loop-AES-v3.0b.tar.bz2</screen>
</para><para>
Then you must download and patch the kernel source:
</para><para>
<screen>wget http://ftp.kernel.org/pub/linux/kernel/v2.4/linux-2.4.27.tar.bz2
tar -xvjf linux-2.4.27.tar.bz2
cd linux-2.4.27
<screen>wget http://ftp.kernel.org/pub/linux/kernel/v2.4/linux-2.4.29.tar.bz2
tar -xvjf linux-2.4.29.tar.bz2
cd linux-2.4.29
rm include/linux/loop.h drivers/block/loop.c
patch -Np1 -i ../loop-AES-v2.2b/kernel-2.4.27.diff</screen>
patch -Np1 -i ../loop-AES-v3.0b/kernel-2.4.28.diff</screen>
</para><para>
Setup the keyboard map:
</para><para>
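Review bot: none of the wget steps verify what was downloaded, although the result is the kernel and the cipher code that the whole root filesystem's confidentiality depends on. Both kernel.org and loop-AES publish detached GPG signatures next to the tarballs, so add a `gpg --verify` of the signature files before each `tar -xvjf` and tell the reader whose key to expect. Separately, the kernel is now 2.4.29 but the applied patch is `../loop-AES-v3.0b/kernel-2.4.28.diff`; the previous text paired 2.4.27 with kernel-2.4.27.diff, so if the 2.4.28 diff is used on purpose because v3.0b ships no 2.4.29 diff, say so in the paragraph, otherwise readers will read it as a version mismatch and look for a file that does not exist.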
@ -171,7 +195,7 @@ Otherwise, update /etc/lilo.conf and run lilo:
lba32
boot=/dev/hda
prompt
timeout=100
timeout=60
image=/boot/vmlinuz
label=Linux
read-only
@ -184,33 +208,35 @@ You may now restart the system.
</sect2>
<sect2 id="install-kernel-2.6">
<title>Installing Linux-2.6.8.1</title>
<title>Installing Linux-2.6.10</title>
<para>
Proceed as described in the previous section, using loop-aes'
<emphasis>kernel-2.6.8.1.diff</emphasis> patch instead. Note that
modules support require that you have the module-init-tools
<emphasis>kernel-2.6.10.diff</emphasis> patch instead, and make
sure cryptoloop support is <emphasis>not</emphasis> activated.
Note that modules support require that you have the module-init-tools
package installed.
</para>
</sect2>
<sect2 id="install-util-linux">
<title>Installing util-linux-2.12b</title>
<title>Installing util-linux-2.12p</title>
<para>
The losetup program, which is part of the util-linux package, must be
patched and recompiled in order to add strong cryptography support.
Download, unpack and patch util-linux:
</para><para>
<screen>wget http://ftp.kernel.org/pub/linux/utils/util-linux/util-linux-2.12b.tar.bz2
tar -xvjf util-linux-2.12b.tar.bz2
cd util-linux-2.12b
patch -Np1 -i ../loop-AES-v2.2b/util-linux-2.12c.diff</screen>
<screen>cd /usr/src
wget http://ftp.kernel.org/pub/linux/utils/util-linux/util-linux-2.12p.tar.bz2
tar -xvjf util-linux-2.12p.tar.bz2
cd util-linux-2.12p
patch -Np1 -i ../loop-AES-v3.0b/util-linux-2.12p.diff</screen>
</para><para>
To use passwords that are less than 20 characters, enter:
</para><para>
<screen>CFLAGS=&quot;-O2 -DLOOP_PASSWORD_MIN_LENGTH=8&quot;; export CFLAGS</screen>
</para><para>
Security is probably one of your major concerns. For this reason, please do
not enable passwords shorter than 20 characters. Data privacy is not free,
Security is certainly your major concern. For this reason, please do not
enable passwords shorter than 20 characters. Data privacy is not free,
one has to 'pay' in form of long passwords.
</para><para>
Compile losetup and install it as root:
@ -221,7 +247,8 @@ rm -f /usr/share/man/man8/losetup.8*
cd mount
gzip losetup.8
cp losetup /sbin
cp losetup.8.gz /usr/share/man/man8/</screen>
cp losetup.8.gz /usr/share/man/man8/
chattr +i /sbin/losetup</screen>
</para>
</sect2>
</sect1>
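Review bot: `chattr +i /sbin/losetup` is added with no explanation and no way back. Say that the immutable bit is there so a later util-linux package upgrade cannot silently replace the patched losetup with the stock binary (which would lack `-e aes256` and leave the system unbootable), and note that the package manager will then fail on that file until the reader runs `chattr -i /sbin/losetup`. The 2.6 paragraph should also give the one-clause reason cryptoloop must be off: loop-AES replaces the stock loop driver that cryptoloop hooks into, so the two are mutually exclusive, and a distribution .config may already have it enabled. Grammar in the same hunk: "modules support require" should read "module support requires", and "in form of long passwords" should read "in the form of long passwords".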
@ -239,8 +266,9 @@ Setup the encrypted loopback device:
</para><para>
To prevent optimized dictionary attacks, it is recommended to add
the -S xxxxxx option, where "xxxxxx" is your randomly chosen
seed (for example, you might choose "gPk4lA"). Also, in order to
avoid boot-time problems with the keyboard map, do not use non-ASCII
seed (for example, you might choose "gPk4lA"). Write down your seed on
a piece of paper so that you don't loose it afterwards. Also, in order
to avoid boot-time problems with the keyboard map, do not use non-ASCII
characters (accents, etc.) in your password. The
<ulink url="http://www.diceware.com/">Diceware</ulink> site offers
a simple way to create strong, yet easy to remember, passphrases.
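Review bot: typo in the added sentence, "loose" should be "lose". More importantly, tell the reader what the seed does and does not protect: `-S` is a salt mixed into the passphrase before hashing, so it defeats precomputed dictionary tables but does not by itself stop guessing by someone who has the seed, and the passphrase remains the secret that must never be written on the same piece of paper. Since the seed is now typed at boot instead of being baked into the initrd, losing it makes the volume unrecoverable even with the correct passphrase, which is the real reason the paper copy matters and is worth stating.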
@ -343,20 +371,23 @@ EOF
gcc -s sleep.c -o ramdisk/bin/sleep
rm sleep.c</screen>
</para><para>
Create the init script (don't forget to replace "xxxxxx"
with your chosen seed):
Create the init script:
</para><para>
<screen>cat &gt; ramdisk/sbin/init &lt;&lt; &quot;EOF&quot;
#!/bin/sh
/bin/sleep 3
/sbin/losetup -e aes256 -S xxxxxx /dev/loop0 /dev/hda2
echo -n "Enter seed value: "
read SEED
/sbin/losetup -e aes256 -S $SEED /dev/loop0 /dev/hda2
/bin/mount -r -n -t ext3 /dev/loop0 /mnt
while [ $? -ne 0 ]
do
/sbin/losetup -d /dev/loop0
/sbin/losetup -e aes256 -S xxxxxx /dev/loop0 /dev/hda2
/sbin/losetup -e aes256 -S $SEED /dev/loop0 /dev/hda2
/bin/mount -r -n -t ext3 /dev/loop0 /mnt
done
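Review bot: `$SEED` is expanded unquoted in both losetup lines, so an empty or space-containing answer to "Enter seed value: " produces a malformed command line: with an empty seed the arguments shift and `-S` takes /dev/loop0 as its value, and the retry loop then spins on the same bad value without ever re-prompting. Quote it (`-S "$SEED"`) and reject empty input before the first losetup call, e.g. `while [ -z "$SEED" ]; do echo -n "Enter seed value: "; read SEED; done`. The loop re-runs losetup and mount, so a wrong passphrase gets re-asked by losetup itself, but a mistyped seed never does; moving the prompt inside the loop fixes that too. Also note that a small /bin/sh on the ramdisk may not support bash's `read -s`, so the seed echoes on the console; acceptable for a salt, but say so.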
@ -383,13 +414,13 @@ media, such as a bootable CD-ROM.
</para><para>
Download and unpack syslinux:
</para><para>
<screen>wget http://ftp.kernel.org/pub/linux/utils/boot/syslinux/syslinux-2.10.tar.bz2
tar -xvjf syslinux-2.10.tar.bz2</screen>
<screen>wget http://ftp.kernel.org/pub/linux/utils/boot/syslinux/syslinux-3.07.tar.bz2
tar -xvjf syslinux-3.07.tar.bz2</screen>
</para><para>
Configure isolinux:
</para><para>
<screen>mkdir bootcd
cp /boot/{vmlinuz,initrd.gz} syslinux-2.10/isolinux.bin bootcd
cp /boot/{vmlinuz,initrd.gz} syslinux-3.07/isolinux.bin bootcd
echo &quot;DEFAULT /vmlinuz initrd=initrd.gz ro root=/dev/ram0&quot; \
&gt; bootcd/isolinux.cfg</screen>
</para><para>
@ -444,12 +475,15 @@ If you use lilo:
cp /boot/boot.b /loader/boot/
mknod -m 600 /loader/dev/hda b 3 0
mknod -m 600 /loader/dev/hda1 b 3 1
mknod -m 600 /loader/dev/hda2 b 3 2
mknod -m 600 /loader/dev/hda3 b 3 3
mknod -m 600 /loader/dev/hda4 b 3 4
mknod -m 600 /loader/dev/ram0 b 1 0
cat &gt; /loader/etc/lilo.conf &lt;&lt; EOF
lba32
boot=/dev/hda
prompt
timeout=100
timeout=60
image=/vmlinuz
label=Linux
initrd=/initrd.gz
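Review bot: the added mknod lines hard-code IDE major number 3 (hda*), so readers on SCSI or SATA disks (sd*, major 8) will get wrong device nodes without any error; a sentence telling them to copy the major/minor numbers from `ls -l /dev/hda2` on the running system, or to copy the existing nodes with `cp -a`, avoids the trap. Mode 600 on the nodes is right. If hda3 and hda4 are only created so that lilo can resolve devices inside the chroot, say which nodes lilo actually needs rather than listing every partition.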
@ -469,7 +503,7 @@ Still inside chroot, modify /etc/fstab so that it contains:
</para><para>
<screen>/dev/loop0 / ext3 defaults 0 1</screen>
</para><para>
Remove /etc/mtab and exit from chroot. Finally, run "umount -d /mnt/efs"
Delete /etc/mtab and exit from chroot. Finally, run "umount -d /mnt/efs"
and reboot. If something goes wrong, you can still boot your unencrypted
partition by entering "Linux root=/dev/hda3" at the LILO: prompt.
</para><para>
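Review bot: the fallback "Linux root=/dev/hda3" at the LILO prompt means the still-unencrypted copy of the system on /dev/hda3 stays bootable by anyone at the console, and the lilo.conf written to the /loader partition earlier in this patch has `prompt` but neither `restricted` nor `password`. Until the reader overwrites /dev/hda3 (and, if LILO should not accept arbitrary kernel parameters, adds those two directives), the encrypted root protects nothing that the plaintext partition still holds; a sentence here stating that hda3 is a temporary safety net to be wiped once the encrypted boot works would close that gap.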
@ -525,17 +559,20 @@ vi /etc/fstab
<para>
The Encrypted Root Filesystem HOWTO was first written in november 2002 for the
<ulink url="http://www.linuxfromscratch.org/lfs/news.html">Linux From Scratch</ulink>
project. I'd like to thank the many people who have since helped me improve
this document (in reverse chronological order): Luc Vo Van, Jacobus Brink,
Ernesto Pérez Estévez, Matthew Ploessel, Mike Lorek, Lars Bungum, Michael
Shields, Julien Perrot, Grant Stephenson, Cary W. Gilmer, James Howells,
Pedro Baez, Josh Purinton, Jari Ruusu and Zibeli Aton.
project. I'd like to thank the many people who have since contributed to
this document (in reverse chronological order): Micha Borrmann,
Dennis Lemckert, Oleg Vyushin, Ellen Bokhorst, Daczi László, Gaetano Zappulla,
Guillaume Lehmann, Claude Thomassin, Jean-Philippe Guérard, Luc Vo Van,
Jacobus Brink, Ernesto Pérez Estévez, Matthew Ploessel, Mike Lorek,
Lars Bungum, Michael Shields, Julien Perrot, Grant Stephenson, Cary W. Gilmer,
James Howells, Pedro Baez, Josh Purinton, Jari Ruusu and Zibeli Aton.
</para><para>
This HOWTO has been translated in various languages:
<itemizedlist>
<listitem><para><ulink url="http://www.traduc.org/docs/HOWTO/lecture/Encrypted-Root-Filesystem-HOWTO.html">French</ulink></para></listitem>
<listitem><para><ulink url="http://www.linux.it/~gaetano/erfs/">Italian</ulink></para></listitem>
<listitem><para><ulink url="http://tldp.fsf.hu/HOWTO/Encrypted-Root-Filesystem-HOWTO-hu/">Hungarian</ulink></para></listitem>
<listitem><para><ulink url="http://doc.nl.linux.org/HOWTO/Encrypted-Root-Filesystem-HOWTO-NL/article.html">Dutch</ulink></para></listitem>
</itemizedlist>
</para><para>
Please send any comment to
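Review bot: grammar in the closing paragraphs: "translated in various languages" should be "translated into various languages", and "Please send any comment" should be "Please send any comments". The accented contributor names added here (Pérez Estévez, László, Guérard) must be stored as ISO-8859-1 bytes to match the encoding this commit declares in the prolog, so validate the converted file with `xmllint --noout` rather than relying on the editor's default encoding.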