gferg 2004-10-20 17:20:45 +00:00
parent 2048d88f7a
commit 661849613e
4 changed files with 174 additions and 82 deletions

@ -27,6 +27,13 @@ Version 1.2.
<revhistory>
<revision>
<revnumber>v1.2</revnumber>
<date>2004-10-20</date>
<authorinitials>cd</authorinitials>
<revremark>Updated the packages version.</revremark>
</revision>
<revision>
<revnumber>v1.1</revnumber>
<date>2003-12-01</date>
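Review bot: the v1.2 revremark, "Updated the packages version.", undersells this revision. The same commit also adds the Linux 2.6 section, the sleep helper in the initrd, the hda1 md5sum check and the hda3/hda4 layout for swap and /home, so readers skimming the history will miss that the procedure itself changed. Suggest a remark that lists those additions (and "package versions" for the grammar).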
@ -61,7 +68,7 @@ Version 1.2.
Your hard disk (hda) should contain at least three partitions:
<itemizedlist>
<listitem><para>
hda1: this small (~4 Mb) unencrypted partition will ask for
hda1: this small unencrypted partition will ask for
a password in order to mount the encrypted root filesystem.
</para></listitem>
<listitem><para>
@ -76,29 +83,45 @@ hda3: this partition holds the current GNU/Linux system.
At this point, both hda1 and hda2 are unused. hda3 is where your
Linux distribution is currently installed; /usr and /boot must
<emphasis>not</emphasis> be separated from this partition.
</para>
</para><para>
Here's an example of what your partition layout might look like:
</para><para>
<screen># fdisk -l /dev/hda
Disk /dev/hda: 255 heads, 63 sectors, 2432 cylinders
Units = cylinders of 16065 * 512 bytes
Device Boot Start End Blocks Id System
/dev/hda1 1 1 8001 83 Linux
/dev/hda2 2 263 2104515 83 Linux
/dev/hda3 264 525 2104515 83 Linux
/dev/hda4 526 2047 12225465 83 Linux</screen>
</para>
</sect2>
<sect2 id="install-kernel">
<title>Installing Linux-2.4.23</title>
<sect2 id="install-kernel-2.4">
<title>Installing Linux-2.4.27</title>
<para>
There are two main projects which add strong crypto support in the
kernel: CryptoAPI and loop-AES. This howto is based on loop-AES, since it
has an extremely fast and highly optimized implementation of Rijndael
There are two main projects which add loopback encryption support in the
kernel: cryptoloop and loop-AES. This howto is based on loop-AES, since it
features an extremely fast and highly optimized implementation of Rijndael
in assembly language, and therefore provides maximum performance if
you have an IA-32 (x86) CPU.
you have an IA-32 (x86) CPU. Besides, there are some
<ulink url="http://groups.google.fr/groups?selm=1emrG-1Ck-25%40gated-at.bofh.it">security concerns</ulink>
about cryptoloop.
</para><para>
First of all, download and unpack the loop-AES package:
</para><para>
<screen>wget http://loop-aes.sourceforge.net/loop-AES/loop-AES-v2.0b.tar.bz2
tar -xvjf loop-AES-v2.0b.tar.bz2</screen>
<screen>wget http://loop-aes.sourceforge.net/loop-AES/loop-AES-v2.2b.tar.bz2
tar -xvjf loop-AES-v2.2b.tar.bz2</screen>
</para><para>
Then you must download and patch the kernel source:
</para><para>
<screen>wget http://ftp.kernel.org/pub/linux/kernel/v2.4/linux-2.4.23.tar.bz2
tar -xvjf linux-2.4.23.tar.bz2
cd linux-2.4.23
patch -Np1 -i ../loop-AES-v2.0b/kernel-2.4.23.diff</screen>
<screen>wget http://ftp.kernel.org/pub/linux/kernel/v2.4/linux-2.4.27.tar.bz2
tar -xvjf linux-2.4.27.tar.bz2
cd linux-2.4.27
rm include/linux/loop.h drivers/block/loop.c
patch -Np1 -i ../loop-AES-v2.2b/kernel-2.4.27.diff</screen>
</para><para>
Setup the keyboard map:
</para><para>
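Review bot: the new `rm include/linux/loop.h drivers/block/loop.c` line before `patch` has no explanation in the surrounding text. A reader following the HOWTO deletes two kernel source files without knowing why, and cannot tell whether the step still applies with a different kernel or loop-AES version; a one-sentence reason above the screen would fix that. Separately, renaming the section id from "install-kernel" to "install-kernel-2.4" breaks any existing link to that anchor, so check for references to it or keep the old id.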
@ -128,7 +151,7 @@ Compile the kernel and install it:
</para><para>
<screen>make dep bzImage
make modules modules_install
cp arch/i386/boot/bzImage /boot/vmlinuz-2.4.23</screen>
cp arch/i386/boot/bzImage /boot/vmlinuz</screen>
</para><para>
If grub is your bootloader, update /boot/grub/menu.lst
or /boot/grub/grub.conf:
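Review bot: `cp arch/i386/boot/bzImage /boot/vmlinuz` now overwrites whatever kernel is already installed under that name, where the old line wrote to a versioned file. If the patched kernel does not boot, the reader has no working kernel to fall back on, and the recovery hint added later in this patch ("Linux root=/dev/hda3") still loads the same image. Suggest either keeping a versioned file name or adding a step that backs up the existing /boot/vmlinuz first.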
@ -139,7 +162,7 @@ timeout 10
color green/black light-green/black
title Linux
root (hd0,2)
kernel /boot/vmlinuz-2.4.23 ro root=/dev/hda3 vga=4
kernel /boot/vmlinuz ro root=/dev/hda3
EOF</screen>
</para><para>
Otherwise, update /etc/lilo.conf and run lilo:
@ -149,11 +172,10 @@ lba32
boot=/dev/hda
prompt
timeout=100
image=/boot/vmlinuz-2.4.23
image=/boot/vmlinuz
label=Linux
read-only
root=/dev/hda3
vga=4
EOF
lilo</screen>
</para><para>
@ -161,32 +183,45 @@ You may now restart the system.
</para>
</sect2>
<sect2 id="install-kernel-2.6">
<title>Installing Linux-2.6.8.1</title>
<para>
Proceed as described in the previous section, using loop-aes'
<emphasis>kernel-2.6.8.1.diff</emphasis> patch instead. Note that
modules support require that you have the module-init-tools
package installed.
</para>
</sect2>
<sect2 id="install-util-linux">
<title>Installing util-linux-2.12</title>
<title>Installing util-linux-2.12b</title>
<para>
The losetup program, which is part of the util-linux package, must be
patched and recompiled in order to add strong cryptography support.
Download, unpack and patch util-linux:
</para><para>
<screen>wget http://ftp.cwi.nl/aeb/util-linux/util-linux-2.12.tar.gz
tar -xvzf util-linux-2.12.tar.gz
cd util-linux-2.12
patch -Np1 -i ../loop-AES-v2.0b/util-linux-2.12.diff</screen>
<screen>wget http://ftp.kernel.org/pub/linux/utils/util-linux/util-linux-2.12b.tar.bz2
tar -xvjf util-linux-2.12b.tar.bz2
cd util-linux-2.12b
patch -Np1 -i ../loop-AES-v2.2b/util-linux-2.12c.diff</screen>
</para><para>
To use passwords that are less than 20 characters, enter:
</para><para>
<screen>CFLAGS=&quot;-O2 -DLOOP_PASSWORD_MIN_LENGTH=8&quot;; export CFLAGS</screen>
</para><para>
If security is important, please do not enable passwords shorter than
20 characters. Security is not free, one has to 'pay' in form of long
passwords.
Security is probably one of your major concerns. For this reason, please do
not enable passwords shorter than 20 characters. Data privacy is not free,
one has to 'pay' in form of long passwords.
</para><para>
Compile losetup and install it as root:
</para><para>
<screen>./configure &amp;&amp; make lib mount
cp -f mount/losetup /sbin
rm -f /usr/share/man/man8/losetup.8.gz
cp -f mount/losetup.8 /usr/share/man/man8</screen>
mv -f /sbin/losetup /sbin/losetup~
rm -f /usr/share/man/man8/losetup.8*
cd mount
gzip losetup.8
cp losetup /sbin
cp losetup.8.gz /usr/share/man/man8/</screen>
</para>
</sect2>
</sect1>
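Review bot: the download is util-linux-2.12b but the patch applied to it is `../loop-AES-v2.2b/util-linux-2.12c.diff`. If the mismatch is intentional, say so in the text; otherwise a reader will assume a typo and go looking for a 2.12b diff or a 2.12c tarball. Also, in the new 2.6 section, "modules support require" should read "module support requires".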
@ -200,23 +235,24 @@ Fill the target partition with random data:
</para><para>
Setup the encrypted loopback device:
</para><para>
<screen>losetup -e aes256 -S xxxxxxxxxx /dev/loop0 /dev/hda2
Password:</screen>
<screen>losetup -e aes256 -S xxxxxx /dev/loop0 /dev/hda2</screen>
</para><para>
To prevent optimized dictionary attacks, it is recommended to add
the -S xxxxxxxxxx option, where "xxxxxxxxxx" is your randomly chosen
seed. Also, in order to avoid boot-time problems with the keyboard
map, do not use non-ASCII characters (accents, etc.) in your password.
the -S xxxxxx option, where "xxxxxx" is your randomly chosen
seed (for example, you might choose "gPk4lA"). Also, in order to
avoid boot-time problems with the keyboard map, do not use non-ASCII
characters (accents, etc.) in your password. The
<ulink url="http://www.diceware.com/">Diceware</ulink> site offers
a simple way to create strong, yet easy to remember, passphrases.
</para><para>
Now create the ext3 filesystem:
</para><para>
<screen>mke2fs -j /dev/loop0</screen>
</para><para>
Check that you correctly entered the password:
Check that the password you entered is correct:
</para><para>
<screen>losetup -d /dev/loop0
losetup -e aes256 -S xxxxxxxxxx /dev/loop0 /dev/hda2
Password:</screen>
losetup -e aes256 -S xxxxxx /dev/loop0 /dev/hda2</screen>
</para><para>
<screen>mkdir /mnt/efs
mount /dev/loop0 /mnt/efs</screen>
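Review bot: printing a concrete seed ("gPk4lA") invites readers to copy it verbatim, and a seed shared by everyone who followed the HOWTO no longer does what the paragraph says it is for, preventing optimized dictionary attacks. Suggest dropping the literal and telling the reader to generate their own random string, or at least stating that the example must not be reused. The placeholder was also shortened from ten to six characters; if that length is meant as a recommendation it deserves a sentence.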
@ -240,7 +276,7 @@ the manual, with the modifications below:
<para>Apply the loop-AES patch after unpacking the sources.</para>
</listitem><listitem>
<para>Chapter 8 - Making the LFS system bootable:</para>
<para>Refer to the next section.</para>
<para>Refer to the next section (Setting up the boot device).</para>
</listitem>
</itemizedlist>
</para>
@ -266,10 +302,13 @@ mke2fs -F initrd
mkdir ramdisk
mount -o loop initrd ramdisk</screen>
</para><para>
If you're using grsecurity, you may get a "Permission denied" error
message; in this case you'll have to run the mount command outside chroot.
</para><para>
Create the filesystem hierarchy and copy the required files in it:
</para><para>
<screen>mkdir ramdisk/{bin,dev,lib,mnt,sbin}
cp /bin/{bash,mount,umount} ramdisk/bin/
cp /bin/{bash,mount} ramdisk/bin/
ln -s bash ramdisk/bin/sh
mknod -m 600 ramdisk/dev/console c 5 1
mknod -m 600 ramdisk/dev/hda2 b 3 2
@ -281,24 +320,44 @@ cp /sbin/{losetup,pivot_root} ramdisk/sbin/</screen>
It's ok if you see a message like "/lib/libncurses.so.5: No such file
or directory", or "/lib/libtermcap.so.2: No such file or directory";
bash only requires one of these two libraries. You can check which one
is actually needed with:
is actually required with:
</para><para>
<screen>ldd /bin/bash</screen>
</para><para>
Create the init script (don't forget to replace "xxxxxxxxxx"
Compile the sleep program, which will prevent the password prompt
being flooded by kernel messages (such as usb devices being registered).
</para><para>
<screen>cat &gt; sleep.c &lt;&lt; &quot;EOF&quot;
#include &lt;unistd.h&gt;
#include &lt;stdlib.h&gt;
int main( int argc, char *argv[] )
{
if( argc == 2 )
sleep( atoi( argv[1] ) );
return( 0 );
}
EOF
gcc -s sleep.c -o ramdisk/bin/sleep
rm sleep.c</screen>
</para><para>
Create the init script (don't forget to replace "xxxxxx"
with your chosen seed):
</para><para>
<screen>cat &gt; ramdisk/sbin/init &lt;&lt; &quot;EOF&quot;
#!/bin/sh
/sbin/losetup -e aes256 -S xxxxxxxxxx /dev/loop0 /dev/hda2
/bin/mount -r -n -t ext2 /dev/loop0 /mnt
/bin/sleep 3
/sbin/losetup -e aes256 -S xxxxxx /dev/loop0 /dev/hda2
/bin/mount -r -n -t ext3 /dev/loop0 /mnt
while [ $? -ne 0 ]
do
/sbin/losetup -d /dev/loop0
/sbin/losetup -e aes256 -S xxxxxxxxxx /dev/loop0 /dev/hda2
/bin/mount -r -n -t ext2 /dev/loop0 /mnt
/sbin/losetup -e aes256 -S xxxxxx /dev/loop0 /dev/hda2
/bin/mount -r -n -t ext3 /dev/loop0 /mnt
done
cd /mnt
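Review bot: both mount lines in init change from `-t ext2` to `-t ext3`, but the ramdisk built above contains no kernel modules and no insmod or modprobe, so this only works when ext3 is compiled into the kernel rather than built as a module. The kernel configuration step should say so, otherwise the `while` loop retries forever on a mount that can never succeed and the user sees only repeated password prompts. The fixed `/bin/sleep 3` is also a guess at how long device registration takes; a note that the value may need raising on slower hardware would help.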
@ -317,22 +376,21 @@ mv initrd.gz /boot/</screen>
</para>
</sect2>
<sect2 id="bootable-cd">
<title>Booting with a CD-ROM</title>
<title>Booting from a CD-ROM</title>
<para>
I strongly advise you to start your system with a read-only
media, such as a bootable CD-ROM.
</para><para>
Download and unpack syslinux:
</para><para>
<screen>wget ftp://ftp.kernel.org/pub/linux/utils/boot/syslinux/syslinux-2.07.tar.gz
tar -xvzf syslinux-2.07.tar.gz</screen>
<screen>wget http://ftp.kernel.org/pub/linux/utils/boot/syslinux/syslinux-2.10.tar.bz2
tar -xvjf syslinux-2.10.tar.bz2</screen>
</para><para>
Configure isolinux:
</para><para>
<screen>mkdir bootcd
cp /boot/vmlinuz-2.4.23 bootcd/vmlinuz
cp /boot/initrd.gz syslinux-2.07/isolinux.bin bootcd/
echo &quot;DEFAULT vmlinuz initrd=initrd.gz ro root=/dev/ram0 vga=4&quot; \
cp /boot/{vmlinuz,initrd.gz} syslinux-2.10/isolinux.bin bootcd
echo &quot;DEFAULT /vmlinuz initrd=initrd.gz ro root=/dev/ram0&quot; \
&gt; bootcd/isolinux.cfg</screen>
</para><para>
Create and burn the bootable cd-rom iso image:
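Review bot: isolinux.bin is copied onto the boot CD straight from a tarball fetched over plain http, with no signature or checksum check. The section's own premise is that the CD is the trusted, read-only boot medium, so the bootloader placed on it should be verified before burning; suggest adding a verification step after the `wget`. The same applies to the kernel and loop-AES downloads earlier in the document.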
@ -346,13 +404,13 @@ cdrecord -dev 0,0,0 -speed 4 -v bootcd.iso
rm -rf bootcd{,.iso}</screen>
</para>
</sect2>
<sect2 id="boot-partition">
<title>Booting from a partition</title>
<title>Booting from a HD partition</title>
<para>
The boot partition is an alternate boot device: you might need it
if your bootable CD gets lost. <emphasis>Remember that hda1
is a writable media and is thus insecure; use it only in case of
emergency!</emphasis>
The boot partition can come in handy if you happen to lose your bootable
CD. <emphasis>Remember that hda1 is a writable media and is thus insecure;
use it only in case of emergency!</emphasis>
</para><para>
Create and mount the ext2 filesystem:
</para><para>
@ -362,8 +420,7 @@ mount /dev/hda1 /loader</screen>
</para><para>
Copy the kernel and the initial ramdisk:
</para><para>
<screen>cp /boot/vmlinuz-2.4.23 /loader/vmlinuz
cp /boot/initrd.gz /loader/</screen>
<screen>cp /boot/{vmlinuz,initrd.gz} /loader</screen>
</para><para>
If you use grub:
</para><para>
@ -375,7 +432,7 @@ timeout 10
color green/black light-green/black
title Linux
root (hd0,0)
kernel /vmlinuz ro root=/dev/ram0 vga=4
kernel /vmlinuz ro root=/dev/ram0
initrd /initrd.gz
EOF
grub-install --root-directory=/loader /dev/hda
@ -398,7 +455,6 @@ image=/vmlinuz
initrd=/initrd.gz
read-only
root=/dev/ram0
vga=4
EOF
lilo -r /loader
umount /loader</screen>
@ -409,30 +465,58 @@ umount /loader</screen>
<sect1 id="final-steps">
<title>Final steps</title>
<para>
Modify /etc/fstab so that it contains:
Still inside chroot, modify /etc/fstab so that it contains:
</para><para>
<screen>/dev/loop0 / ext3 defaults 0 1</screen>
<screen>/dev/loop0 / ext3 defaults 0 1</screen>
</para><para>
Remove /etc/mtab and exit from chroot. Finally, run "umount -d /mnt/efs"
and reboot. hda3 is not needed anymore, so you can create an encrypted
filesystem on this partition and use it as a backup.
and reboot. If something goes wrong, you can still boot your unencrypted
partition by entering "Linux root=/dev/hda3" at the LILO: prompt.
</para><para>
Now, if you're low on RAM you'll need some swap space. Let's
suppose hda4 will hold your encrypted swap partition; you must
create the swap device first:
If everything went well, you can now re-partition your disk and encrypt
hda3 as well as hda4. In the following scripts, we assume that hda3 will
hold the swap device and hda4 will contain /home; you should initialize
both partitions first:
</para><para>
<screen>shred -n 1 -v /dev/hda4
losetup -e aes256 /dev/loop1 /dev/hda4
mkswap /dev/loop1</screen>
<screen>shred -n 1 -v /dev/hda3
shred -n 1 -v /dev/hda4
losetup -e aes256 -S xxxxxx /dev/loop1 /dev/hda3
losetup -e aes256 -S xxxxxx /dev/loop2 /dev/hda4
mkswap /dev/loop1
mke2fs -j /dev/loop2</screen>
</para><para>
Then create a script (S00swap) in the system startup directory
(/etc/rcS.d/ under Debian):
Then create a script in the system startup directory and update fstab:
</para><para>
<screen>#!/bin/sh
<screen>cat &gt; /etc/init.d/loop &lt;&lt; &quot;EOF&quot;
#!/bin/sh
echo &quot;password chosen above&quot; | \
losetup -p 0 -e aes256 /dev/loop1 /dev/hda4
swapon /dev/loop1</screen>
if [ "`/usr/bin/md5sum /dev/hda1`" != \
"5671cebdb3bed87c3b3c345f0101d016 /dev/hda1" ]
then
echo -n "WARNING! hda1 integrity verification FAILED - press enter."
read
fi
echo &quot;1st password chosen above&quot; | \
/sbin/losetup -p 0 -e aes256 -S xxxxxx /dev/loop1 /dev/hda3
echo &quot;2nd password chosen above&quot; | \
/sbin/losetup -p 0 -e aes256 -S xxxxxx /dev/loop2 /dev/hda4
/sbin/swapon /dev/loop1
for i in `seq 0 63`
do
echo -n -e "\33[10;10]\33[11;10]" > /dev/tty$i
done
EOF
chmod 700 /etc/init.d/loop
ln -s ../init.d/loop /etc/rcS.d/S00loop
vi /etc/fstab
...
/dev/loop2 /home ext3 defaults 0 2</screen>
</para>
</sect1>
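Review bot: the md5sum test in /etc/init.d/loop compares against a literal hash, "5671cebdb3bed87c3b3c345f0101d016", with no instruction that the reader must replace it with the value computed for their own hda1. As written, every reader who copies the script gets the warning on every boot and learns to press enter past it. The text should show how to compute the value and note that it has to be refreshed whenever hda1 is written, which includes mounting its ext2 filesystem read-write. Two smaller points: the script holds both passphrases in cleartext, so it is worth saying that `chmod 700` and the encrypted root are all that protect them, and the loop that writes escape sequences to /dev/tty0 through /dev/tty63 needs a comment explaining its purpose.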
@ -442,9 +526,17 @@ swapon /dev/loop1</screen>
The Encrypted Root Filesystem HOWTO was first written in november 2002 for the
<ulink url="http://www.linuxfromscratch.org/lfs/news.html">Linux From Scratch</ulink>
project. I'd like to thank the many people who have since helped me improve
this howto (in reverse chronological order): Julien Perrot, Grant Stephenson,
Cary W. Gilmer, James Howells, Pedro Baez, Josh Purinton, Jari Ruusu and
Zibeli Aton.
this document (in reverse chronological order): Luc Vo Van, Jacobus Brink,
Ernesto Pérez Estévez, Matthew Ploessel, Mike Lorek, Lars Bungum, Michael
Shields, Julien Perrot, Grant Stephenson, Cary W. Gilmer, James Howells,
Pedro Baez, Josh Purinton, Jari Ruusu and Zibeli Aton.
</para><para>
This HOWTO has been translated in various languages:
<itemizedlist>
<listitem><para><ulink url="http://www.traduc.org/docs/HOWTO/lecture/Encrypted-Root-Filesystem-HOWTO.html">French</ulink></para></listitem>
<listitem><para><ulink url="http://www.linux.it/~gaetano/erfs/">Italian</ulink></para></listitem>
<listitem><para><ulink url="http://tldp.fsf.hu/HOWTO/Encrypted-Root-Filesystem-HOWTO-hu/">Hungarian</ulink></para></listitem>
</itemizedlist>
</para><para>
Please send any comment to
<ulink url="http://www.cr0.net:8040/about/">Christophe Devine</ulink>.

@ -653,7 +653,7 @@ settings. </Para>
Encrypted-Root-Filesystem-HOWTO</ULink>,
<CiteTitle>Encrypted Root Filesystem HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>Updated: Dec 2003</CiteTitle>.
<CiteTitle>Updated: Oct 2004</CiteTitle>.
Explains how to make your personal
data secure by encrypting your Linux root filesystem
using strong cryptography. </Para>

@ -1290,7 +1290,7 @@ participation by women. </Para>
Encrypted-Root-Filesystem-HOWTO</ULink>,
<CiteTitle>Encrypted Root Filesystem HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>Updated: Dec 2003</CiteTitle>.
<CiteTitle>Updated: Oct 2004</CiteTitle>.
Explains how to make your personal
data secure by encrypting your Linux root filesystem
using strong cryptography. </Para>

@ -813,7 +813,7 @@ How to set up hardware RAID under Linux. </Para>
Encrypted-Root-Filesystem-HOWTO</ULink>,
<CiteTitle>Encrypted Root Filesystem HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>Updated: Dec 2003</CiteTitle>.
<CiteTitle>Updated: Oct 2004</CiteTitle>.
Explains how to make your personal
data secure by encrypting your Linux root filesystem
using strong cryptography. </Para>