| 1 |
Thanks, it sounds great!!! |
| 2 |
|
| 3 |
I will try it asap. |
| 4 |
|
| 5 |
|
| 6 |
Regards, |
| 7 |
Andres |
| 8 |
|
| 9 |
|
| 10 |
Hola Olivier, el 04 de feb de 2003, a las 12:36 +0100, Olivier Reisch decías: |
| 11 |
> -----BEGIN PGP SIGNED MESSAGE----- |
| 12 |
> Hash: SHA1 |
| 13 |
> |
| 14 |
> Hello, |
| 15 |
> |
| 16 |
> For those interested in advanced security, I put together a CryptoAPI enabled |
| 17 |
> PPC kernel for Gentoo. CryptoAPI allows you to attach a crypted partition or |
| 18 |
> virtual volume to a loopback device and then mount it as normal volume into |
| 19 |
> your file system. This for instance allows you to have your /home directory |
| 20 |
> fully encrypted, so if someone gets access to your box, he won't be able to |
| 21 |
> mount or read any data without authenticating first (even using a Boot CD), |
| 22 |
> as all the data is stored in encrypted form on your disk as soon as the |
| 23 |
> partition or virtual volume gets unmounted. Encryption used is pretty strong, |
| 24 |
> ciphers included are AES (aka Rijndael), MARS, RC6, Serpent, Twofish, 3DES, |
| 25 |
> Blowfish, CAST5 cipher, GOST, IDEA and some more. Most of them support the |
| 26 |
> use of 256 bit keys. |
| 27 |
> |
| 28 |
> For more information about the benefits of CryptoAPI, you can take a look at |
| 29 |
> their site at http://www.kerneli.org |
| 30 |
> |
| 31 |
> The current kernel in Portage is as follows: |
| 32 |
> |
| 33 |
> * sys-kernel/ppc-sources-crypto [ Masked ] |
| 34 |
> Latest version available: 2.4.20 |
| 35 |
> Latest version installed: 2.4.20 |
| 36 |
> Size of downloaded files: 26,980 kB |
| 37 |
> Homepage: http://www.kernel.org/ http://www.kerneli.org/ |
| 38 |
> http://www.gentoo.org/ |
| 39 |
> Description: Full cryptoapi enabled sources for the Gentoo Linux PPC |
| 40 |
> kernel |
| 41 |
> |
| 42 |
> It is currently ~ppc masked for further testing. It's basically a 2.4.20-ben5 |
| 43 |
> kernel with CryptoAPI 0.1.0, cryptoloop 0.0.1-pre1 and the loop-jari patch |
| 44 |
> for 2.4.20. |
| 45 |
> |
| 46 |
> To try it, you can do the following: |
| 47 |
> |
| 48 |
> emerge rsync |
| 49 |
> env ACCEPT_KEYWORDS="~ppc" emerge ppc-sources-crypto |
| 50 |
> USE="crypt" emerge linux-utils |
| 51 |
> |
| 52 |
> The sources for the kernel are still being mirrored to the Gentoo mirrors at |
| 53 |
> the moment. In the meantime the ebuild will automatically fetch them from my |
| 54 |
> local mirror, which may be a bit slower. |
| 55 |
> We have to remerge linux-utils to have mount and losetup patched for CryptoAPI |
| 56 |
> support. |
| 57 |
> |
| 58 |
> Next step is to go compile our new kernel: |
| 59 |
> |
| 60 |
> cd /usr/src/linux-ppc-crypto-2.4.20 |
| 61 |
> make oldconfig |
| 62 |
> #This will generate a default config which should work fine on most machines, |
| 63 |
> #it also already has all the ciphers enabled as modules, so you can load |
| 64 |
> #those you'll need into the kernel. |
| 65 |
> make menuconfig |
| 66 |
> #Only do this if you want to modify any kernel options; for the CryptoAPI |
| 67 |
> #settings, i suggest going with the default ones. |
| 68 |
> make dep clean vmlinux modules |
| 69 |
> make modules_install |
| 70 |
> cp vmlinux /boot/vmlinux-2.4.20-ppc-crypto |
| 71 |
> cp System.map /boot/System.map-2.4.20-ppc-crypto |
| 72 |
> |
| 73 |
> Add entry to /etc/yaboot.conf and run "ybin". |
| 74 |
> |
| 75 |
> Finally, we need to update /etc/modules.conf |
| 76 |
> To do so, add a file cryptoapi to /etc/modules.d with the following content: |
| 77 |
> |
| 78 |
> keep |
| 79 |
> path[cciphers]=/lib/modules/`uname -r`/kernel/crypto/ciphers |
| 80 |
> keep |
| 81 |
> path[cdigests]=/lib/modules/`uname -r`/kernel/crypto/digests |
| 82 |
> keep |
| 83 |
> path[cdrivers]=/lib/modules/`uname -r`/kernel/crypto/drivers |
| 84 |
> |
| 85 |
> Run modules-update |
| 86 |
> |
| 87 |
> Reboot. |
| 88 |
> |
| 89 |
> Once you are booted into the CryptoAPI kernel, we can start experimenting. As |
| 90 |
> an example, we will create a 50MB virtual volume which we will crypt with the |
| 91 |
> serpent cipher and mount to /mnt/secret. |
| 92 |
> |
| 93 |
> 1) Create the virtual volume (replace /home/doctomoe by your homedir of |
| 94 |
> course) |
| 95 |
> |
| 96 |
> cd /home/doctomoe |
| 97 |
> dd if=/dev/urandom of=/home/doctomoe/secretvolume bs=1M count=50 |
| 98 |
> |
| 99 |
> This may take a while. We use urandom to better hide the crypted data within |
| 100 |
> the volume. If we zeroed it, it would be easy to detect where the encrypted |
| 101 |
> data is on the volume. |
| 102 |
> |
| 103 |
> 2) Mount the volume to a loop device |
| 104 |
> |
| 105 |
> Make sure everything we need is loaded. If you have used the default kernel |
| 106 |
> config, all you need to do is to modprobe the cipher you want to use. |
| 107 |
> |
| 108 |
> modprobe cipher-serpent |
| 109 |
> |
| 110 |
> If you compiled cryptoloop as a module (not default), make sure to load it |
| 111 |
> too: |
| 112 |
> |
| 113 |
> modprobe cryptoloop |
| 114 |
> |
| 115 |
> Ok, now to the serious stuff :) |
| 116 |
> |
| 117 |
> #Attach volume to a loop device |
| 118 |
> losetup -e serpent -k 256 /dev/loop0 /home/doctomoe/secretvolume |
| 119 |
> |
| 120 |
> You will be asked a password. Type it carefully, as you won't be asked twice |
| 121 |
> and the password is not stored within the volume, so if you want to mount it |
| 122 |
> again later, you have to carefully type it again to avoid screwing the volume |
| 123 |
> up. The argument after -e is the cipher algorithm used and the -k argument is |
| 124 |
> the keysize generated for the encryption. It has nothing to do with the size |
| 125 |
> of your password. |
| 126 |
> |
| 127 |
> Now we create a filesystem on it. |
| 128 |
> |
| 129 |
> mkfs -t ext3 /dev/loop0 |
| 130 |
> |
| 131 |
> Finally, we can mount it. |
| 132 |
> |
| 133 |
> mount -t ext3 /dev/loop0 /mnt/secret |
| 134 |
> |
| 135 |
> Voila, you can now access /mnt/secret like any other volume/directory on your |
| 136 |
> system. Once you have stored your sensitive data and want to unmount the |
| 137 |
> volume again, do as follows: |
| 138 |
> |
| 139 |
> umount /mnt/secret |
| 140 |
> losetup -d /dev/loop0 |
| 141 |
> |
| 142 |
> Do remount again, you do exactly like above, but you don't format the volume |
| 143 |
> again of course. If you typed in the wrong password, mount will give you a |
| 144 |
> bad filesystem error. Just detach (losetup -d) the loop device and try again. |
| 145 |
> |
| 146 |
> |
| 147 |
> Tips and tricks: |
| 148 |
> |
| 149 |
> You can add a line to /etc/fstab which will allow you to mount the volume with |
| 150 |
> a single command and also as normal user (no need to be root then): |
| 151 |
> |
| 152 |
> The line should look like: |
| 153 |
> |
| 154 |
> /home/doctomoe/secretvolume /mnt/secret ext3 |
| 155 |
> user,defaults,noauto,loop,encryption=serpent,keybits=256 0 0 |
| 156 |
> |
| 157 |
> All on one single line of course. |
| 158 |
> |
| 159 |
> Once you added the line, you can attach and mount the drive by simply doing: |
| 160 |
> |
| 161 |
> mount /mnt/secret |
| 162 |
> #enter password |
| 163 |
> |
| 164 |
> and unmount and detach it with: |
| 165 |
> |
| 166 |
> umount /mnt/secret |
| 167 |
> |
| 168 |
> Finally, you can also write a script that will ask you twice for the password |
| 169 |
> and then mount the volume. That way, you will be less prone to enter a wrong |
| 170 |
> password. Example: |
| 171 |
> |
| 172 |
> #!/bin/bash |
| 173 |
> |
| 174 |
> echo "Mounting crypted volume to /mnt/secret..." |
| 175 |
> |
| 176 |
> if cat /etc/mtab | grep "/mnt/secret" >/dev/null |
| 177 |
> then |
| 178 |
> echo "Volume already mounted..." |
| 179 |
> exit |
| 180 |
> else |
| 181 |
> until [ "$PASS1" = "$PASS2" -a -n "$PASS1" ]; do |
| 182 |
> # the bash read buitlin has to support the -s option. |
| 183 |
> # Don't use read without -s!! |
| 184 |
> read -s -p "Enter Passphrase: " PASS1; echo |
| 185 |
> read -s -p "Re-enter Passphrase: " PASS2; echo |
| 186 |
> done |
| 187 |
> |
| 188 |
> echo "$PASS1" | mount -p 0 "/mnt/secret" |
| 189 |
> |
| 190 |
> cd /mnt/secret |
| 191 |
> |
| 192 |
> fi |
| 193 |
> |
| 194 |
> |
| 195 |
> That's it for now folks. I hope I didn't forget anything. If you want to |
| 196 |
> report about your success or failure or have any questions about using the |
| 197 |
> kernel, feel free to mail me (see email addy below) |
| 198 |
> |
| 199 |
> Greetings, |
| 200 |
> Olivier Reisch aka DocTomoe |
| 201 |
> |
| 202 |
> - -- |
| 203 |
> ________________________________________________ |
| 204 |
> Olivier Reisch doctomoe@g.o |
| 205 |
> Gentoo PPC Developer |
| 206 |
> http://www.gentoo.org |
| 207 |
> |
| 208 |
> For safe mail, get my PGP Key: |
| 209 |
> http://perso.wanadoo.fr/olivier.reisch/oreisch_public_key.gpg |
| 210 |
> ________________________________________________ |
| 211 |
> |
| 212 |
> -----BEGIN PGP SIGNATURE----- |
| 213 |
> Version: GnuPG v1.2.1 (GNU/Linux) |
| 214 |
> |
| 215 |
> iD8DBQE+P6XAXrXcgVpifr0RAtv8AJ9pJ5t84f7g3faAMveFDwKiZLKcsQCdFdMw |
| 216 |
> xKrqM8+s0RS2uJ/mk+lbQwE= |
| 217 |
> =CodP |
| 218 |
> -----END PGP SIGNATURE----- |
| 219 |
> |
| 220 |
> |
| 221 |
> -- |
| 222 |
> gentoo-ppc-user@g.o mailing list |
| 223 |
--- |
| 224 |
|
| 225 |
-- |
| 226 |
------------------------------------------------------------- |
| 227 |
José Andrés Arias Velichko Grupo de Usuarios de Linux |
| 228 |
locke@××××××××.es Universidad Carlos III de Madrid |
| 229 |
http://gul.uc3m.es/~locke http://gul.uc3m.es |
| 230 |
|
| 231 |
-- |
| 232 |
gentoo-ppc-user@g.o mailing list |
Archives