1 |
Thanks, it sounds great!!! |
2 |
|
3 |
I will try it asap. |
4 |
|
5 |
|
6 |
Regards, |
7 |
Andres |
8 |
|
9 |
|
10 |
Hola Olivier, el 04 de feb de 2003, a las 12:36 +0100, Olivier Reisch decías: |
11 |
> -----BEGIN PGP SIGNED MESSAGE----- |
12 |
> Hash: SHA1 |
13 |
> |
14 |
> Hello, |
15 |
> |
16 |
> For those interested in advanced security, I put together a CryptoAPI enabled |
17 |
> PPC kernel for Gentoo. CryptoAPI allows you to attach a crypted partition or |
18 |
> virtual volume to a loopback device and then mount it as normal volume into |
19 |
> your file system. This for instance allows you to have your /home directory |
20 |
> fully encrypted, so if someone gets access to your box, he won't be able to |
21 |
> mount or read any data without authenticating first (even using a Boot CD), |
22 |
> as all the data is stored in encrypted form on your disk as soon as the |
23 |
> partition or virtual volume gets unmounted. Encryption used is pretty strong, |
24 |
> ciphers included are AES (aka Rijndael), MARS, RC6, Serpent, Twofish, 3DES, |
25 |
> Blowfish, CAST5 cipher, GOST, IDEA and some more. Most of them support the |
26 |
> use of 256 bit keys. |
27 |
> |
28 |
> For more information about the benefits of CryptoAPI, you can take a look at |
29 |
> their site at http://www.kerneli.org |
30 |
> |
31 |
> The current kernel in Portage is as follows: |
32 |
> |
33 |
> * sys-kernel/ppc-sources-crypto [ Masked ] |
34 |
> Latest version available: 2.4.20 |
35 |
> Latest version installed: 2.4.20 |
36 |
> Size of downloaded files: 26,980 kB |
37 |
> Homepage: http://www.kernel.org/ http://www.kerneli.org/ |
38 |
> http://www.gentoo.org/ |
39 |
> Description: Full cryptoapi enabled sources for the Gentoo Linux PPC |
40 |
> kernel |
41 |
> |
42 |
> It is currently ~ppc masked for further testing. It's basically a 2.4.20-ben5 |
43 |
> kernel with CryptoAPI 0.1.0, cryptoloop 0.0.1-pre1 and the loop-jari patch |
44 |
> for 2.4.20. |
45 |
> |
46 |
> To try it, you can do the following: |
47 |
> |
48 |
> emerge rsync |
49 |
> env ACCEPT_KEYWORDS="~ppc" emerge ppc-sources-crypto |
50 |
> USE="crypt" emerge linux-utils |
51 |
> |
52 |
> The sources for the kernel are still being mirrored to the Gentoo mirrors at |
53 |
> the moment. In the meantime the ebuild will automatically fetch them from my |
54 |
> local mirror, which may be a bit slower. |
55 |
> We have to remerge linux-utils to have mount and losetup patched for CryptoAPI |
56 |
> support. |
57 |
> |
58 |
> Next step is to go compile our new kernel: |
59 |
> |
60 |
> cd /usr/src/linux-ppc-crypto-2.4.20 |
61 |
> make oldconfig |
62 |
> #This will generate a default config which should work fine on most machines, |
63 |
> #it also already has all the ciphers enabled as modules, so you can load |
64 |
> #those you'll need into the kernel. |
65 |
> make menuconfig |
66 |
> #Only do this if you want to modify any kernel options; for the CryptoAPI |
67 |
> #settings, i suggest going with the default ones. |
68 |
> make dep clean vmlinux modules |
69 |
> make modules_install |
70 |
> cp vmlinux /boot/vmlinux-2.4.20-ppc-crypto |
71 |
> cp System.map /boot/System.map-2.4.20-ppc-crypto |
72 |
> |
73 |
> Add entry to /etc/yaboot.conf and run "ybin". |
74 |
> |
75 |
> Finally, we need to update /etc/modules.conf |
76 |
> To do so, add a file cryptoapi to /etc/modules.d with the following content: |
77 |
> |
78 |
> keep |
79 |
> path[cciphers]=/lib/modules/`uname -r`/kernel/crypto/ciphers |
80 |
> keep |
81 |
> path[cdigests]=/lib/modules/`uname -r`/kernel/crypto/digests |
82 |
> keep |
83 |
> path[cdrivers]=/lib/modules/`uname -r`/kernel/crypto/drivers |
84 |
> |
85 |
> Run modules-update |
86 |
> |
87 |
> Reboot. |
88 |
> |
89 |
> Once you are booted into the CryptoAPI kernel, we can start experimenting. As |
90 |
> an example, we will create a 50MB virtual volume which we will crypt with the |
91 |
> serpent cipher and mount to /mnt/secret. |
92 |
> |
93 |
> 1) Create the virtual volume (replace /home/doctomoe by your homedir of |
94 |
> course) |
95 |
> |
96 |
> cd /home/doctomoe |
97 |
> dd if=/dev/urandom of=/home/doctomoe/secretvolume bs=1M count=50 |
98 |
> |
99 |
> This may take a while. We use urandom to better hide the crypted data within |
100 |
> the volume. If we zeroed it, it would be easy to detect where the encrypted |
101 |
> data is on the volume. |
102 |
> |
103 |
> 2) Mount the volume to a loop device |
104 |
> |
105 |
> Make sure everything we need is loaded. If you have used the default kernel |
106 |
> config, all you need to do is to modprobe the cipher you want to use. |
107 |
> |
108 |
> modprobe cipher-serpent |
109 |
> |
110 |
> If you compiled cryptoloop as a module (not default), make sure to load it |
111 |
> too: |
112 |
> |
113 |
> modprobe cryptoloop |
114 |
> |
115 |
> Ok, now to the serious stuff :) |
116 |
> |
117 |
> #Attach volume to a loop device |
118 |
> losetup -e serpent -k 256 /dev/loop0 /home/doctomoe/secretvolume |
119 |
> |
120 |
> You will be asked a password. Type it carefully, as you won't be asked twice |
121 |
> and the password is not stored within the volume, so if you want to mount it |
122 |
> again later, you have to carefully type it again to avoid screwing the volume |
123 |
> up. The argument after -e is the cipher algorithm used and the -k argument is |
124 |
> the keysize generated for the encryption. It has nothing to do with the size |
125 |
> of your password. |
126 |
> |
127 |
> Now we create a filesystem on it. |
128 |
> |
129 |
> mkfs -t ext3 /dev/loop0 |
130 |
> |
131 |
> Finally, we can mount it. |
132 |
> |
133 |
> mount -t ext3 /dev/loop0 /mnt/secret |
134 |
> |
135 |
> Voila, you can now access /mnt/secret like any other volume/directory on your |
136 |
> system. Once you have stored your sensitive data and want to unmount the |
137 |
> volume again, do as follows: |
138 |
> |
139 |
> umount /mnt/secret |
140 |
> losetup -d /dev/loop0 |
141 |
> |
142 |
> Do remount again, you do exactly like above, but you don't format the volume |
143 |
> again of course. If you typed in the wrong password, mount will give you a |
144 |
> bad filesystem error. Just detach (losetup -d) the loop device and try again. |
145 |
> |
146 |
> |
147 |
> Tips and tricks: |
148 |
> |
149 |
> You can add a line to /etc/fstab which will allow you to mount the volume with |
150 |
> a single command and also as normal user (no need to be root then): |
151 |
> |
152 |
> The line should look like: |
153 |
> |
154 |
> /home/doctomoe/secretvolume /mnt/secret ext3 |
155 |
> user,defaults,noauto,loop,encryption=serpent,keybits=256 0 0 |
156 |
> |
157 |
> All on one single line of course. |
158 |
> |
159 |
> Once you added the line, you can attach and mount the drive by simply doing: |
160 |
> |
161 |
> mount /mnt/secret |
162 |
> #enter password |
163 |
> |
164 |
> and unmount and detach it with: |
165 |
> |
166 |
> umount /mnt/secret |
167 |
> |
168 |
> Finally, you can also write a script that will ask you twice for the password |
169 |
> and then mount the volume. That way, you will be less prone to enter a wrong |
170 |
> password. Example: |
171 |
> |
172 |
> #!/bin/bash |
173 |
> |
174 |
> echo "Mounting crypted volume to /mnt/secret..." |
175 |
> |
176 |
> if cat /etc/mtab | grep "/mnt/secret" >/dev/null |
177 |
> then |
178 |
> echo "Volume already mounted..." |
179 |
> exit |
180 |
> else |
181 |
> until [ "$PASS1" = "$PASS2" -a -n "$PASS1" ]; do |
182 |
> # the bash read buitlin has to support the -s option. |
183 |
> # Don't use read without -s!! |
184 |
> read -s -p "Enter Passphrase: " PASS1; echo |
185 |
> read -s -p "Re-enter Passphrase: " PASS2; echo |
186 |
> done |
187 |
> |
188 |
> echo "$PASS1" | mount -p 0 "/mnt/secret" |
189 |
> |
190 |
> cd /mnt/secret |
191 |
> |
192 |
> fi |
193 |
> |
194 |
> |
195 |
> That's it for now folks. I hope I didn't forget anything. If you want to |
196 |
> report about your success or failure or have any questions about using the |
197 |
> kernel, feel free to mail me (see email addy below) |
198 |
> |
199 |
> Greetings, |
200 |
> Olivier Reisch aka DocTomoe |
201 |
> |
202 |
> - -- |
203 |
> ________________________________________________ |
204 |
> Olivier Reisch doctomoe@g.o |
205 |
> Gentoo PPC Developer |
206 |
> http://www.gentoo.org |
207 |
> |
208 |
> For safe mail, get my PGP Key: |
209 |
> http://perso.wanadoo.fr/olivier.reisch/oreisch_public_key.gpg |
210 |
> ________________________________________________ |
211 |
> |
212 |
> -----BEGIN PGP SIGNATURE----- |
213 |
> Version: GnuPG v1.2.1 (GNU/Linux) |
214 |
> |
215 |
> iD8DBQE+P6XAXrXcgVpifr0RAtv8AJ9pJ5t84f7g3faAMveFDwKiZLKcsQCdFdMw |
216 |
> xKrqM8+s0RS2uJ/mk+lbQwE= |
217 |
> =CodP |
218 |
> -----END PGP SIGNATURE----- |
219 |
> |
220 |
> |
221 |
> -- |
222 |
> gentoo-ppc-user@g.o mailing list |
223 |
--- |
224 |
|
225 |
-- |
226 |
------------------------------------------------------------- |
227 |
José Andrés Arias Velichko Grupo de Usuarios de Linux |
228 |
locke@××××××××.es Universidad Carlos III de Madrid |
229 |
http://gul.uc3m.es/~locke http://gul.uc3m.es |
230 |
|
231 |
-- |
232 |
gentoo-ppc-user@g.o mailing list |