<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE>Preparing the system</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.7">
<LINK REL="HOME" TITLE="Encrypted Root Filesystem HOWTO" HREF="index.html">
<LINK REL="PREVIOUS" TITLE="Encrypted Root Filesystem HOWTO" HREF="index.html">
<LINK REL="NEXT" TITLE="Creating the encrypted root filesystem" HREF="encrypt-root-filesystem.html">
</HEAD>
<BODY CLASS="sect1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="NAVHEADER">
<TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR><TH COLSPAN="3" ALIGN="center">Encrypted Root Filesystem HOWTO</TH></TR>
<TR>
<TD WIDTH="10%" ALIGN="left" VALIGN="bottom"><A HREF="index.html" ACCESSKEY="P">Prev</A></TD>
<TD WIDTH="80%" ALIGN="center" VALIGN="bottom"></TD>
<TD WIDTH="10%" ALIGN="right" VALIGN="bottom"><A HREF="encrypt-root-filesystem.html" ACCESSKEY="N">Next</A></TD>
</TR>
</TABLE>
<HR ALIGN="LEFT" WIDTH="100%">
</DIV>
<DIV CLASS="sect1">
<H1 CLASS="sect1"><A NAME="preparing-system"></A>1. Preparing the system</H1>
<DIV CLASS="sect2">
<H2 CLASS="sect2"><A NAME="partition-layout"></A>1.1. Setting up the partition layout</H2>
<P>Your hard disk (hda) should contain at least three partitions:</P>
<UL>
<LI><P>hda1: this small unencrypted partition will ask for a password in order to mount the encrypted root filesystem.</P></LI>
<LI><P>hda2: this partition will contain your encrypted root filesystem; make sure it is large enough.</P></LI>
<LI><P>hda3: this partition holds the current GNU/Linux system.</P></LI>
</UL>
<P>At this point, both hda1 and hda2 are unused. hda3 is where your Linux distribution is currently installed; /usr and /boot must <EM>not</EM> be separated from this partition.</P>
<P>Here's an example of what your partition layout might look like:</P>
<P><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><FONT COLOR="#000000"><PRE CLASS="screen"># fdisk -l /dev/hda

Disk /dev/hda: 255 heads, 63 sectors, 2432 cylinders
Units = cylinders of 16065 * 512 bytes

   Device Boot    Start       End    Blocks   Id  System
/dev/hda1             1         1      8001   83  Linux
/dev/hda2             2       263   2104515   83  Linux
/dev/hda3           264       525   2104515   83  Linux
/dev/hda4           526      2047  12225465   83  Linux</PRE></FONT></TD></TR></TABLE>
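</P>
<P>The layout rules above (hda1 and hda2 unused, the running system on hda3, /usr and /boot not split off from it) can be checked mechanically before going further. The shell script below is an added example, not part of the HOWTO; it reads fstab-style lines and reports each rule it finds broken, using the HOWTO's own device names.</P>
<PRE CLASS="programlisting">
```shell
#!/bin/sh
# Added example, not from the HOWTO: check an fstab against the section 1.1 layout
# rules. Device names are the HOWTO's (hda1/hda2 reserved, running system on hda3).

# layout_problems "<fstab contents>": one line per broken rule, nothing when clean.
layout_problems() {
    printf '%s\n' "$1" | awk '
        $1 == "" || $1 ~ /^#/ { next }          # blank lines and comments
        $1 == "/dev/hda1" || $1 == "/dev/hda2" {
            # both must stay unused until the encrypted setup claims them
            printf "%s is reserved but mounted on %s\n", $1, $2
        }
        $2 == "/" { root_dev = $1 }
        $2 == "/usr" || $2 == "/boot" {
            # the HOWTO requires /usr and /boot to stay on the root partition
            printf "%s must not be a separate partition (found on %s)\n", $2, $1
        }
        END {
            if (root_dev == "")
                print "no root filesystem entry found"
            else if (root_dev != "/dev/hda3")
                printf "root is on %s, expected /dev/hda3\n", root_dev
        }'
}

# layout_ok "<fstab contents>": exit status 0 when no rule is broken.
layout_ok() { [ -z "$(layout_problems "$1")" ]; }

# Constructed sample that follows the HOWTO layout.
FSTAB_GOOD='# device     mountpoint  type  options   dump pass
/dev/hda3    /           ext3  defaults  0    1
/dev/hda4    /home       ext3  defaults  0    2
proc         /proc       proc  defaults  0    0'

# Constructed sample that breaks the rules: /boot split off onto hda1.
FSTAB_BAD='/dev/hda3    /           ext3  defaults  0    1
/dev/hda1    /boot       ext2  defaults  0    2
/dev/hda4    /home       ext3  defaults  0    2'

# Stand-alone use: sh check-layout.sh /etc/fstab
if [ $# -gt 0 ]; then layout_problems "$(cat "$1")"; fi
```
</PRE>
<P>Run it against /etc/fstab on the system to be converted; no output means the layout matches the description above.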
</P>
</DIV>
<DIV CLASS="sect2">
<H2 CLASS="sect2"><A NAME="debian-packages"></A>1.2. Required packages</H2>
<P>If you use Debian, the following packages are mandatory:</P>
<P><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><FONT COLOR="#000000"><PRE CLASS="screen">apt-get install gcc make libncurses5-dev patch bzip2 wget</PRE></FONT></TD></TR></TABLE></P>
<P>To make copy & paste easier, you should also install:</P>
<P><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><FONT COLOR="#000000"><PRE CLASS="screen">apt-get install lynx gpm</PRE></FONT></TD></TR></TABLE></P>
</DIV>
<DIV CLASS="sect2">
<H2 CLASS="sect2"><A NAME="install-kernel-2.4"></A>1.3. Installing Linux-2.4.29</H2>
<P>There are two main projects which add loopback encryption support to the kernel: cryptoloop and loop-AES. This HOWTO is based on loop-AES, since it features an extremely fast and highly optimized implementation of Rijndael in assembly language, and therefore provides maximum performance if you have an IA-32 (x86) CPU. Besides, there are some <A HREF="http://groups.google.com/groups?selm=1emrG-1Ck-25%40gated-at.bofh.it" TARGET="_top">security concerns</A> about cryptoloop.</P>
<P>First of all, download and unpack the loop-AES package:</P>
<P><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><FONT COLOR="#000000"><PRE CLASS="screen">cd /usr/src
wget http://loop-aes.sourceforge.net/loop-AES/loop-AES-v3.0b.tar.bz2
tar -xvjf loop-AES-v3.0b.tar.bz2</PRE></FONT></TD></TR></TABLE></P>
<P>Then you must download and patch the kernel source:</P>
<P><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><FONT COLOR="#000000"><PRE CLASS="screen">wget http://ftp.kernel.org/pub/linux/kernel/v2.4/linux-2.4.29.tar.bz2
tar -xvjf linux-2.4.29.tar.bz2
cd linux-2.4.29
rm include/linux/loop.h drivers/block/loop.c
patch -Np1 -i ../loop-AES-v3.0b/kernel-2.4.28.diff</PRE></FONT></TD></TR></TABLE></P>
<P>Set up the keyboard map, so that the keymap compiled into the kernel matches the one you will type your password with:</P>
<P><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><FONT COLOR="#000000"><PRE CLASS="screen">dumpkeys | loadkeys -m - > drivers/char/defkeymap.c</PRE></FONT></TD></TR></TABLE></P>
<P>Next, configure your kernel; make sure the following options are set:</P>
<P><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><FONT COLOR="#000000"><PRE CLASS="screen">make menuconfig

Block devices  --->

    <*> Loopback device support
    [*]   AES encrypted loop device support (NEW)

    <*> RAM disk support
    (4096)   Default RAM disk size (NEW)
    [*]   Initial RAM disk (initrd) support

File systems  --->

    <*> Ext3 journalling file system support
    <*> Second extended fs support

(important note: do not enable /dev file system support)</PRE></FONT></TD></TR></TABLE></P>
<P>Compile the kernel and install it:</P>
<P><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><FONT COLOR="#000000"><PRE CLASS="screen">make dep bzImage
make modules modules_install
cp arch/i386/boot/bzImage /boot/vmlinuz</PRE></FONT></TD></TR></TABLE></P>
<P>If grub is your bootloader, update /boot/grub/menu.lst or /boot/grub/grub.conf:</P>
<P><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><FONT COLOR="#000000"><PRE CLASS="screen">cat > /boot/grub/menu.lst << EOF
default 0
timeout 10
color green/black light-green/black
title Linux
root (hd0,2)
kernel /boot/vmlinuz ro root=/dev/hda3
EOF</PRE></FONT></TD></TR></TABLE></P>
<P>Otherwise, update /etc/lilo.conf and run lilo:</P>
<P><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><FONT COLOR="#000000"><PRE CLASS="screen">cat > /etc/lilo.conf << EOF
lba32
boot=/dev/hda
prompt
timeout=60
image=/boot/vmlinuz
label=Linux
read-only
root=/dev/hda3
EOF
lilo</PRE></FONT></TD></TR></TABLE></P>
<P>You may now restart the system.</P>
</DIV>
<DIV CLASS="sect2">
<H2 CLASS="sect2"><A NAME="install-kernel-2.6"></A>1.4. Installing Linux-2.6.10</H2>
<P>Proceed as described in the previous section, using loop-AES' <EM>kernel-2.6.10.diff</EM> patch instead, and make sure cryptoloop support is <EM>not</EM> activated. Note that module support requires that you have the module-init-tools package installed.
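</P>
<P>The options listed in the menuconfig walk-through of section 1.3, together with the two the text says must stay off (the /dev file system in 1.3, cryptoloop here in 1.4), can be checked against the generated .config instead of by eye. The shell script below is an added example, not part of the HOWTO or of loop-AES; it assumes CONFIG_BLK_DEV_LOOP_AES is the symbol the loop-AES patch adds for "AES encrypted loop device support", while the other symbol names are the stock kernel ones for the listed entries.</P>
<PRE CLASS="programlisting">
```shell
#!/bin/sh
# Added example, not from the HOWTO: check a kernel .config for the options section 1.3
# lists and for the ones 1.3 (devfs) and 1.4 (cryptoloop) say must stay off. The symbol
# CONFIG_BLK_DEV_LOOP_AES is assumed to be what the loop-AES patch adds; the rest are stock.
REQUIRED='CONFIG_BLK_DEV_LOOP=y
CONFIG_BLK_DEV_LOOP_AES=y
CONFIG_BLK_DEV_RAM=y
CONFIG_BLK_DEV_RAM_SIZE=4096
CONFIG_BLK_DEV_INITRD=y
CONFIG_EXT3_FS=y
CONFIG_EXT2_FS=y'
# Built in (=y) or as a module (=m), either is a violation for these two.
FORBIDDEN='CONFIG_DEVFS_FS
CONFIG_BLK_DEV_CRYPTOLOOP'

# kconfig_problems "<.config contents>": one line per violation, nothing when clean.
kconfig_problems() {
    cfg=$1
    for want in $REQUIRED; do
        # an enabled option appears verbatim as SYMBOL=value; -xF matches the whole line
        printf '%s\n' "$cfg" | grep -qxF "$want" || echo "missing: $want"
    done
    for sym in $FORBIDDEN; do
        # a disabled option is absent or reads "# SYMBOL is not set", never SYMBOL=...
        printf '%s\n' "$cfg" | grep -q "^$sym=" && echo "must not be set: $sym"
    done
    return 0
}

# kconfig_ok "<.config contents>": exit status 0 when nothing is wrong.
kconfig_ok() { [ -z "$(kconfig_problems "$1")" ]; }

# Constructed sample .config fragment that satisfies the HOWTO.
CONFIG_GOOD="$REQUIRED
# CONFIG_DEVFS_FS is not set
# CONFIG_BLK_DEV_CRYPTOLOOP is not set"
# Constructed sample: ext3 forgotten, devfs built in, cryptoloop left as a module.
CONFIG_BAD='CONFIG_BLK_DEV_LOOP=y
CONFIG_BLK_DEV_LOOP_AES=y
CONFIG_BLK_DEV_RAM=y
CONFIG_BLK_DEV_RAM_SIZE=4096
CONFIG_BLK_DEV_INITRD=y
CONFIG_EXT2_FS=y
CONFIG_DEVFS_FS=y
CONFIG_BLK_DEV_CRYPTOLOOP=m'

# Stand-alone use: sh check-config.sh /usr/src/linux-2.4.29/.config
if [ $# -gt 0 ]; then kconfig_problems "$(cat "$1")"; fi
```
</PRE>
<P>Run it on the .config left behind by make menuconfig before compiling; no output means every listed option is in place and the forbidden ones are off.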
</P>
</DIV>
<DIV CLASS="sect2">
<H2 CLASS="sect2"><A NAME="install-util-linux"></A>1.5. Installing util-linux-2.12p</H2>
<P>The losetup program, which is part of the util-linux package, must be patched and recompiled in order to add strong cryptography support. Download, unpack and patch util-linux:</P>
<P><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><FONT COLOR="#000000"><PRE CLASS="screen">cd /usr/src
wget http://ftp.kernel.org/pub/linux/utils/util-linux/util-linux-2.12p.tar.bz2
tar -xvjf util-linux-2.12p.tar.bz2
cd util-linux-2.12p
patch -Np1 -i ../loop-AES-v3.0b/util-linux-2.12p.diff</PRE></FONT></TD></TR></TABLE></P>
<P>To allow passwords shorter than 20 characters, enter:</P>
<P><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><FONT COLOR="#000000"><PRE CLASS="screen">CFLAGS="-O2 -DLOOP_PASSWORD_MIN_LENGTH=8"; export CFLAGS</PRE></FONT></TD></TR></TABLE></P>
<P>Security is certainly your major concern. For this reason, please do not enable passwords shorter than 20 characters. Data privacy is not free; one has to 'pay' for it in the form of long passwords.</P>
<P>Compile losetup and install it as root:</P>
<P><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><FONT COLOR="#000000"><PRE CLASS="screen">./configure && make lib mount
mv -f /sbin/losetup /sbin/losetup~
rm -f /usr/share/man/man8/losetup.8*
cd mount
gzip losetup.8
cp losetup /sbin
cp losetup.8.gz /usr/share/man/man8/
chattr +i /sbin/losetup</PRE></FONT></TD></TR></TABLE></P>
</DIV>
</DIV>
<DIV CLASS="NAVFOOTER">
<HR ALIGN="LEFT" WIDTH="100%">
<TABLE SUMMARY="Footer navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top"><A HREF="index.html" ACCESSKEY="P">Prev</A></TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="index.html" ACCESSKEY="H">Home</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top"><A HREF="encrypt-root-filesystem.html" ACCESSKEY="N">Next</A></TD>
</TR>
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top">Encrypted Root Filesystem HOWTO</TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"> </TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top">Creating the encrypted root filesystem</TD>
</TR>
</TABLE>
</DIV>
</BODY>
</HTML>