mirror of https://github.com/tLDP/LDP
sgml to xml
parent
937e250ec6
commit
1a35ba7826
|
@ -1,4 +1,7 @@
|
||||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
|
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||||
|
|
||||||
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||||
|
"http://docbook.org/xml/4.2/docbookx.dtd" []>
|
||||||
|
|
||||||
<article class="whitepaper" id="Encrypted-Root-Filesystem-HOWTO">
|
<article class="whitepaper" id="Encrypted-Root-Filesystem-HOWTO">
|
||||||
|
|
||||||
|
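Review bot: the new DOCTYPE names the DTD by a remote system identifier (http://docbook.org/xml/4.2/docbookx.dtd), so xmllint/xsltproc will try to fetch it over the network unless an XML catalog maps it to a local copy; the canonical OASIS identifier, http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd, is the one the distributed DocBook catalogs already resolve, so prefer that. Either way, run `xmllint --noout --valid` on the converted file before committing: the SGML-to-XML switch tightens well-formedness rules (bare `&`, unclosed tags) that the old V4.1 SGML DTD tolerated. The empty internal subset `[]` is harmless but can be dropped.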
@ -27,6 +30,13 @@ Version 1.2.
|
||||||
|
|
||||||
<revhistory>
|
<revhistory>
|
||||||
|
|
||||||
|
<revision>
|
||||||
|
<revnumber>v1.3</revnumber>
|
||||||
|
<date>2005-03-13</date>
|
||||||
|
<authorinitials>cd</authorinitials>
|
||||||
|
<revremark>Updated the packages version.</revremark>
|
||||||
|
</revision>
|
||||||
|
|
||||||
<revision>
|
<revision>
|
||||||
<revnumber>v1.2</revnumber>
|
<revnumber>v1.2</revnumber>
|
||||||
<date>2004-10-20</date>
|
<date>2004-10-20</date>
|
||||||
|
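Review bot: the revremark "Updated the packages version." under-describes this revision. Besides the version bumps, the patch changes the initrd init script to prompt for the seed at boot, adds `chattr +i /sbin/losetup`, adds a warning to keep cryptoloop disabled for 2.6 kernels and adds the /loader/dev/hda2..hda4 nodes; list those in the remark (and fix the grammar: "Updated package versions"), because readers use the revision history to decide whether to re-run the procedure. Also, the hunk header shows this block follows a "Version 1.2." line that no hunk touches; confirm that string is bumped to 1.3 as well.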
@ -96,32 +106,46 @@ Units = cylinders of 16065 * 512 bytes
|
||||||
/dev/hda2 2 263 2104515 83 Linux
|
/dev/hda2 2 263 2104515 83 Linux
|
||||||
/dev/hda3 264 525 2104515 83 Linux
|
/dev/hda3 264 525 2104515 83 Linux
|
||||||
/dev/hda4 526 2047 12225465 83 Linux</screen>
|
/dev/hda4 526 2047 12225465 83 Linux</screen>
|
||||||
</para>
|
</para>
|
||||||
|
</sect2>
|
||||||
|
|
||||||
|
<sect2 id="debian-packages">
|
||||||
|
<title>Required packages</title>
|
||||||
|
<para>
|
||||||
|
If you use Debian, the following packages are mandatory:
|
||||||
|
</para><para>
|
||||||
|
<screen>apt-get install gcc make libncurses5-dev patch bzip2 wget</screen>
|
||||||
|
</para><para>
|
||||||
|
To make copy & paste easier, you should also install:
|
||||||
|
</para><para>
|
||||||
|
<screen>apt-get install lynx gpm</screen>
|
||||||
|
</para>
|
||||||
</sect2>
|
</sect2>
|
||||||
|
|
||||||
<sect2 id="install-kernel-2.4">
|
<sect2 id="install-kernel-2.4">
|
||||||
<title>Installing Linux-2.4.27</title>
|
<title>Installing Linux-2.4.29</title>
|
||||||
<para>
|
<para>
|
||||||
There are two main projects which add loopback encryption support in the
|
There are two main projects which add loopback encryption support in the
|
||||||
kernel: cryptoloop and loop-AES. This howto is based on loop-AES, since it
|
kernel: cryptoloop and loop-AES. This howto is based on loop-AES, since it
|
||||||
features an extremely fast and highly optimized implementation of Rijndael
|
features an extremely fast and highly optimized implementation of Rijndael
|
||||||
in assembly language, and therefore provides maximum performance if
|
in assembly language, and therefore provides maximum performance if
|
||||||
you have an IA-32 (x86) CPU. Besides, there are some
|
you have an IA-32 (x86) CPU. Besides, there are some
|
||||||
<ulink url="http://groups.google.fr/groups?selm=1emrG-1Ck-25%40gated-at.bofh.it">security concerns</ulink>
|
<ulink url="http://groups.google.com/groups?selm=1emrG-1Ck-25%40gated-at.bofh.it">security concerns</ulink>
|
||||||
about cryptoloop.
|
about cryptoloop.
|
||||||
</para><para>
|
</para><para>
|
||||||
First of all, download and unpack the loop-AES package:
|
First of all, download and unpack the loop-AES package:
|
||||||
</para><para>
|
</para><para>
|
||||||
<screen>wget http://loop-aes.sourceforge.net/loop-AES/loop-AES-v2.2b.tar.bz2
|
<screen>cd /usr/src
|
||||||
tar -xvjf loop-AES-v2.2b.tar.bz2</screen>
|
wget http://loop-aes.sourceforge.net/loop-AES/loop-AES-v3.0b.tar.bz2
|
||||||
|
tar -xvjf loop-AES-v3.0b.tar.bz2</screen>
|
||||||
</para><para>
|
</para><para>
|
||||||
Then you must download and patch the kernel source:
|
Then you must download and patch the kernel source:
|
||||||
</para><para>
|
</para><para>
|
||||||
<screen>wget http://ftp.kernel.org/pub/linux/kernel/v2.4/linux-2.4.27.tar.bz2
|
<screen>wget http://ftp.kernel.org/pub/linux/kernel/v2.4/linux-2.4.29.tar.bz2
|
||||||
tar -xvjf linux-2.4.27.tar.bz2
|
tar -xvjf linux-2.4.29.tar.bz2
|
||||||
cd linux-2.4.27
|
cd linux-2.4.29
|
||||||
rm include/linux/loop.h drivers/block/loop.c
|
rm include/linux/loop.h drivers/block/loop.c
|
||||||
patch -Np1 -i ../loop-AES-v2.2b/kernel-2.4.27.diff</screen>
|
patch -Np1 -i ../loop-AES-v3.0b/kernel-2.4.28.diff</screen>
|
||||||
</para><para>
|
</para><para>
|
||||||
Setup the keyboard map:
|
Setup the keyboard map:
|
||||||
</para><para>
|
</para><para>
|
||||||
|
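Review bot: well-formedness problem in the new Debian paragraph: "To make copy & paste easier" contains a bare `&`, which SGML tolerated but an XML parser rejects now that the document is XML; write it as `copy &amp; paste`. Two smaller points in the same hunk: the kernel is now 2.4.29 but the patch applied is `../loop-AES-v3.0b/kernel-2.4.28.diff`; if that diff is the right one for 2.4.29 say so in the text, otherwise use the diff named for 2.4.29, because a reader will assume the mismatch is a typo. And since these tarballs become the cryptography that protects the root filesystem, the wget lines should be followed by signature verification: kernel.org publishes detached `.sign` files for the kernel tarballs, and the loop-AES download directory should be checked for a detached signature as well.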
@ -171,7 +195,7 @@ Otherwise, update /etc/lilo.conf and run lilo:
|
||||||
lba32
|
lba32
|
||||||
boot=/dev/hda
|
boot=/dev/hda
|
||||||
prompt
|
prompt
|
||||||
timeout=100
|
timeout=60
|
||||||
image=/boot/vmlinuz
|
image=/boot/vmlinuz
|
||||||
label=Linux
|
label=Linux
|
||||||
read-only
|
read-only
|
||||||
|
@ -184,33 +208,35 @@ You may now restart the system.
|
||||||
</sect2>
|
</sect2>
|
||||||
|
|
||||||
<sect2 id="install-kernel-2.6">
|
<sect2 id="install-kernel-2.6">
|
||||||
<title>Installing Linux-2.6.8.1</title>
|
<title>Installing Linux-2.6.10</title>
|
||||||
<para>
|
<para>
|
||||||
Proceed as described in the previous section, using loop-aes'
|
Proceed as described in the previous section, using loop-aes'
|
||||||
<emphasis>kernel-2.6.8.1.diff</emphasis> patch instead. Note that
|
<emphasis>kernel-2.6.10.diff</emphasis> patch instead, and make
|
||||||
modules support require that you have the module-init-tools
|
sure cryptoloop support is <emphasis>not</emphasis> activated.
|
||||||
|
Note that modules support require that you have the module-init-tools
|
||||||
package installed.
|
package installed.
|
||||||
</para>
|
</para>
|
||||||
</sect2>
|
</sect2>
|
||||||
|
|
||||||
<sect2 id="install-util-linux">
|
<sect2 id="install-util-linux">
|
||||||
<title>Installing util-linux-2.12b</title>
|
<title>Installing util-linux-2.12p</title>
|
||||||
<para>
|
<para>
|
||||||
The losetup program, which is part of the util-linux package, must be
|
The losetup program, which is part of the util-linux package, must be
|
||||||
patched and recompiled in order to add strong cryptography support.
|
patched and recompiled in order to add strong cryptography support.
|
||||||
Download, unpack and patch util-linux:
|
Download, unpack and patch util-linux:
|
||||||
</para><para>
|
</para><para>
|
||||||
<screen>wget http://ftp.kernel.org/pub/linux/utils/util-linux/util-linux-2.12b.tar.bz2
|
<screen>cd /usr/src
|
||||||
tar -xvjf util-linux-2.12b.tar.bz2
|
wget http://ftp.kernel.org/pub/linux/utils/util-linux/util-linux-2.12p.tar.bz2
|
||||||
cd util-linux-2.12b
|
tar -xvjf util-linux-2.12p.tar.bz2
|
||||||
patch -Np1 -i ../loop-AES-v2.2b/util-linux-2.12c.diff</screen>
|
cd util-linux-2.12p
|
||||||
|
patch -Np1 -i ../loop-AES-v3.0b/util-linux-2.12p.diff</screen>
|
||||||
</para><para>
|
</para><para>
|
||||||
To use passwords that are less than 20 characters, enter:
|
To use passwords that are less than 20 characters, enter:
|
||||||
</para><para>
|
</para><para>
|
||||||
<screen>CFLAGS="-O2 -DLOOP_PASSWORD_MIN_LENGTH=8"; export CFLAGS</screen>
|
<screen>CFLAGS="-O2 -DLOOP_PASSWORD_MIN_LENGTH=8"; export CFLAGS</screen>
|
||||||
</para><para>
|
</para><para>
|
||||||
Security is probably one of your major concerns. For this reason, please do
|
Security is certainly your major concern. For this reason, please do not
|
||||||
not enable passwords shorter than 20 characters. Data privacy is not free,
|
enable passwords shorter than 20 characters. Data privacy is not free,
|
||||||
one has to 'pay' in form of long passwords.
|
one has to 'pay' in form of long passwords.
|
||||||
</para><para>
|
</para><para>
|
||||||
Compile losetup and install it as root:
|
Compile losetup and install it as root:
|
||||||
|
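Review bot: the new "make sure cryptoloop support is not activated" sentence should name the option and the reason: the loop-AES diff replaces drivers/block/loop.c, and the in-tree cryptoloop (CONFIG_BLK_DEV_CRYPTOLOOP) builds against the original loop driver, so it has to be off or the build breaks. Two other points in this hunk: the `CFLAGS="-O2 -DLOOP_PASSWORD_MIN_LENGTH=8"` line is presented as a step and only afterwards told not to be used; mark it explicitly as optional and discouraged, or move it after the warning, so a reader following the steps in order does not export it. And grammar in the unchanged context: "modules support require" should read "module support requires".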
@ -221,7 +247,8 @@ rm -f /usr/share/man/man8/losetup.8*
|
||||||
cd mount
|
cd mount
|
||||||
gzip losetup.8
|
gzip losetup.8
|
||||||
cp losetup /sbin
|
cp losetup /sbin
|
||||||
cp losetup.8.gz /usr/share/man/man8/</screen>
|
cp losetup.8.gz /usr/share/man/man8/
|
||||||
|
chattr +i /sbin/losetup</screen>
|
||||||
</para>
|
</para>
|
||||||
</sect2>
|
</sect2>
|
||||||
</sect1>
|
</sect1>
|
||||||
|
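Review bot: `chattr +i /sbin/losetup` is added without saying what it is meant to protect against. Root can clear the flag with `chattr -i`, so it only guards against accidental overwrite, and on the Debian system the new packages section assumes, a later util-linux upgrade will now fail with "Operation not permitted" until the flag is removed; the losetup that actually unlocks the root filesystem is the copy inside the initrd on the unencrypted boot medium, which this flag does nothing to protect. Say that, and tell readers to run `chattr -i /sbin/losetup` before upgrading util-linux.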
@ -239,8 +266,9 @@ Setup the encrypted loopback device:
|
||||||
</para><para>
|
</para><para>
|
||||||
To prevent optimized dictionary attacks, it is recommended to add
|
To prevent optimized dictionary attacks, it is recommended to add
|
||||||
the -S xxxxxx option, where "xxxxxx" is your randomly chosen
|
the -S xxxxxx option, where "xxxxxx" is your randomly chosen
|
||||||
seed (for example, you might choose "gPk4lA"). Also, in order to
|
seed (for example, you might choose "gPk4lA"). Write down your seed on
|
||||||
avoid boot-time problems with the keyboard map, do not use non-ASCII
|
a piece of paper so that you don't loose it afterwards. Also, in order
|
||||||
|
to avoid boot-time problems with the keyboard map, do not use non-ASCII
|
||||||
characters (accents, etc.) in your password. The
|
characters (accents, etc.) in your password. The
|
||||||
<ulink url="http://www.diceware.com/">Diceware</ulink> site offers
|
<ulink url="http://www.diceware.com/">Diceware</ulink> site offers
|
||||||
a simple way to create strong, yet easy to remember, passphrases.
|
a simple way to create strong, yet easy to remember, passphrases.
|
||||||
|
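Review bot: typo in the added sentence: "so that you don't loose it" should be "lose". Beyond that, the text should say what the seed is and is not: `-S` is a salt mixed into the passphrase hash, so it defeats precomputed dictionaries but is no substitute for passphrase strength, and writing it on paper is fine only as long as the passphrase itself is never written down beside it. Since the init script now asks for the seed at boot, losing that paper means losing the data, which is the real reason for the advice; say so outright.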
@ -343,20 +371,23 @@ EOF
|
||||||
gcc -s sleep.c -o ramdisk/bin/sleep
|
gcc -s sleep.c -o ramdisk/bin/sleep
|
||||||
rm sleep.c</screen>
|
rm sleep.c</screen>
|
||||||
</para><para>
|
</para><para>
|
||||||
Create the init script (don't forget to replace "xxxxxx"
|
Create the init script:
|
||||||
with your chosen seed):
|
|
||||||
</para><para>
|
</para><para>
|
||||||
<screen>cat > ramdisk/sbin/init << "EOF"
|
<screen>cat > ramdisk/sbin/init << "EOF"
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
/bin/sleep 3
|
/bin/sleep 3
|
||||||
/sbin/losetup -e aes256 -S xxxxxx /dev/loop0 /dev/hda2
|
|
||||||
|
echo -n "Enter seed value: "
|
||||||
|
read SEED
|
||||||
|
|
||||||
|
/sbin/losetup -e aes256 -S $SEED /dev/loop0 /dev/hda2
|
||||||
/bin/mount -r -n -t ext3 /dev/loop0 /mnt
|
/bin/mount -r -n -t ext3 /dev/loop0 /mnt
|
||||||
|
|
||||||
while [ $? -ne 0 ]
|
while [ $? -ne 0 ]
|
||||||
do
|
do
|
||||||
/sbin/losetup -d /dev/loop0
|
/sbin/losetup -d /dev/loop0
|
||||||
/sbin/losetup -e aes256 -S xxxxxx /dev/loop0 /dev/hda2
|
/sbin/losetup -e aes256 -S $SEED /dev/loop0 /dev/hda2
|
||||||
/bin/mount -r -n -t ext3 /dev/loop0 /mnt
|
/bin/mount -r -n -t ext3 /dev/loop0 /mnt
|
||||||
done
|
done
|
||||||
|
|
||||||
|
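Review bot: `read SEED` accepts an empty line and `-S $SEED` is unquoted, so an empty seed turns the command into `losetup -e aes256 -S /dev/loop0 /dev/hda2`, where `-S` swallows `/dev/loop0` as its argument. Quote it as `-S "$SEED"` and repeat the prompt until the value is non-empty. Also, the retry loop re-runs losetup (which asks for the passphrase again) but never re-asks for the seed, so a mistyped seed cannot be corrected without a reboot; move the `echo`/`read` pair inside the `while` loop too. Finally, `echo -n` is only portable if the ramdisk shell is bash; `printf "Enter seed value: "` works in any sh.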
@ -383,13 +414,13 @@ media, such as a bootable CD-ROM.
|
||||||
</para><para>
|
</para><para>
|
||||||
Download and unpack syslinux:
|
Download and unpack syslinux:
|
||||||
</para><para>
|
</para><para>
|
||||||
<screen>wget http://ftp.kernel.org/pub/linux/utils/boot/syslinux/syslinux-2.10.tar.bz2
|
<screen>wget http://ftp.kernel.org/pub/linux/utils/boot/syslinux/syslinux-3.07.tar.bz2
|
||||||
tar -xvjf syslinux-2.10.tar.bz2</screen>
|
tar -xvjf syslinux-3.07.tar.bz2</screen>
|
||||||
</para><para>
|
</para><para>
|
||||||
Configure isolinux:
|
Configure isolinux:
|
||||||
</para><para>
|
</para><para>
|
||||||
<screen>mkdir bootcd
|
<screen>mkdir bootcd
|
||||||
cp /boot/{vmlinuz,initrd.gz} syslinux-2.10/isolinux.bin bootcd
|
cp /boot/{vmlinuz,initrd.gz} syslinux-3.07/isolinux.bin bootcd
|
||||||
echo "DEFAULT /vmlinuz initrd=initrd.gz ro root=/dev/ram0" \
|
echo "DEFAULT /vmlinuz initrd=initrd.gz ro root=/dev/ram0" \
|
||||||
> bootcd/isolinux.cfg</screen>
|
> bootcd/isolinux.cfg</screen>
|
||||||
</para><para>
|
</para><para>
|
||||||
|
@ -444,12 +475,15 @@ If you use lilo:
|
||||||
cp /boot/boot.b /loader/boot/
|
cp /boot/boot.b /loader/boot/
|
||||||
mknod -m 600 /loader/dev/hda b 3 0
|
mknod -m 600 /loader/dev/hda b 3 0
|
||||||
mknod -m 600 /loader/dev/hda1 b 3 1
|
mknod -m 600 /loader/dev/hda1 b 3 1
|
||||||
|
mknod -m 600 /loader/dev/hda2 b 3 2
|
||||||
|
mknod -m 600 /loader/dev/hda3 b 3 3
|
||||||
|
mknod -m 600 /loader/dev/hda4 b 3 4
|
||||||
mknod -m 600 /loader/dev/ram0 b 1 0
|
mknod -m 600 /loader/dev/ram0 b 1 0
|
||||||
cat > /loader/etc/lilo.conf << EOF
|
cat > /loader/etc/lilo.conf << EOF
|
||||||
lba32
|
lba32
|
||||||
boot=/dev/hda
|
boot=/dev/hda
|
||||||
prompt
|
prompt
|
||||||
timeout=100
|
timeout=60
|
||||||
image=/vmlinuz
|
image=/vmlinuz
|
||||||
label=Linux
|
label=Linux
|
||||||
initrd=/initrd.gz
|
initrd=/initrd.gz
|
||||||
|
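Review bot: the three new mknod lines add /loader/dev/hda2, hda3 and hda4, but nothing in the hunk says which lilo.conf entry needs them; lilo only needs nodes for devices it references (boot=/dev/hda, any root= partition, and the fallback /dev/hda3 mentioned later). Add a sentence explaining that they exist for the root=/dev/hdaN entries, or drop the ones no entry uses, so the /loader chroot does not carry a node for the encrypted partition without reason. Mode 600 on the nodes is right.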
@ -469,7 +503,7 @@ Still inside chroot, modify /etc/fstab so that it contains:
|
||||||
</para><para>
|
</para><para>
|
||||||
<screen>/dev/loop0 / ext3 defaults 0 1</screen>
|
<screen>/dev/loop0 / ext3 defaults 0 1</screen>
|
||||||
</para><para>
|
</para><para>
|
||||||
Remove /etc/mtab and exit from chroot. Finally, run "umount -d /mnt/efs"
|
Delete /etc/mtab and exit from chroot. Finally, run "umount -d /mnt/efs"
|
||||||
and reboot. If something goes wrong, you can still boot your unencrypted
|
and reboot. If something goes wrong, you can still boot your unencrypted
|
||||||
partition by entering "Linux root=/dev/hda3" at the LILO: prompt.
|
partition by entering "Linux root=/dev/hda3" at the LILO: prompt.
|
||||||
</para><para>
|
</para><para>
|
||||||
|
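Review bot: "Delete /etc/mtab" replaces "Remove" without addressing the underlying issue: the init script mounts the root with `-n`, so /etc/mtab is never written and `mount` with no arguments will show nothing. The conventional fix is `ln -s /proc/mounts /etc/mtab` inside the chroot rather than just deleting the file; suggest saying that here.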
@ -525,17 +559,20 @@ vi /etc/fstab
|
||||||
<para>
|
<para>
|
||||||
The Encrypted Root Filesystem HOWTO was first written in november 2002 for the
|
The Encrypted Root Filesystem HOWTO was first written in november 2002 for the
|
||||||
<ulink url="http://www.linuxfromscratch.org/lfs/news.html">Linux From Scratch</ulink>
|
<ulink url="http://www.linuxfromscratch.org/lfs/news.html">Linux From Scratch</ulink>
|
||||||
project. I'd like to thank the many people who have since helped me improve
|
project. I'd like to thank the many people who have since contributed to
|
||||||
this document (in reverse chronological order): Luc Vo Van, Jacobus Brink,
|
this document (in reverse chronological order): Micha Borrmann,
|
||||||
Ernesto Pérez Estévez, Matthew Ploessel, Mike Lorek, Lars Bungum, Michael
|
Dennis Lemckert, Oleg Vyushin, Ellen Bokhorst, Daczi László, Gaetano Zappulla,
|
||||||
Shields, Julien Perrot, Grant Stephenson, Cary W. Gilmer, James Howells,
|
Guillaume Lehmann, Claude Thomassin, Jean-Philippe Guérard, Luc Vo Van,
|
||||||
Pedro Baez, Josh Purinton, Jari Ruusu and Zibeli Aton.
|
Jacobus Brink, Ernesto Pérez Estévez, Matthew Ploessel, Mike Lorek,
|
||||||
|
Lars Bungum, Michael Shields, Julien Perrot, Grant Stephenson, Cary W. Gilmer,
|
||||||
|
James Howells, Pedro Baez, Josh Purinton, Jari Ruusu and Zibeli Aton.
|
||||||
</para><para>
|
</para><para>
|
||||||
This HOWTO has been translated in various languages:
|
This HOWTO has been translated in various languages:
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><para><ulink url="http://www.traduc.org/docs/HOWTO/lecture/Encrypted-Root-Filesystem-HOWTO.html">French</ulink></para></listitem>
|
<listitem><para><ulink url="http://www.traduc.org/docs/HOWTO/lecture/Encrypted-Root-Filesystem-HOWTO.html">French</ulink></para></listitem>
|
||||||
<listitem><para><ulink url="http://www.linux.it/~gaetano/erfs/">Italian</ulink></para></listitem>
|
<listitem><para><ulink url="http://www.linux.it/~gaetano/erfs/">Italian</ulink></para></listitem>
|
||||||
<listitem><para><ulink url="http://tldp.fsf.hu/HOWTO/Encrypted-Root-Filesystem-HOWTO-hu/">Hungarian</ulink></para></listitem>
|
<listitem><para><ulink url="http://tldp.fsf.hu/HOWTO/Encrypted-Root-Filesystem-HOWTO-hu/">Hungarian</ulink></para></listitem>
|
||||||
|
<listitem><para><ulink url="http://doc.nl.linux.org/HOWTO/Encrypted-Root-Filesystem-HOWTO-NL/article.html">Dutch</ulink></para></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</para><para>
|
</para><para>
|
||||||
Please send any comment to
|
Please send any comment to
|
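Review bot: the contributor names added here contain accented characters (Pérez Estévez, Guérard, László); the new XML declaration says encoding="ISO-8859-1", so make sure the file is saved as Latin-1 rather than UTF-8, or the names will mis-decode on every build. Style points in the surrounding context: "november 2002" should be "November 2002", "translated in various languages" should be "translated into several languages", and "any comment" should be "any comments".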