Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-ppc-user

From: Olivier Reisch <gentoo@××××××××.net>
To: gentoo-ppc-dev@g.o, gentoo-ppc-user@g.o
Subject: [gentoo-ppc-user] CryptoAPI enabled PPC kernel available
Date: Tue, 04 Feb 2003 11:44:11
Message-Id: 200302041236.33016.gentoo@karasuma.net
1 -----BEGIN PGP SIGNED MESSAGE-----
2 Hash: SHA1
3
4 Hello,
5
6 For those interested in advanced security, I put together a CryptoAPI enabled
7 PPC kernel for Gentoo. CryptoAPI allows you to attach a crypted partition or
8 virtual volume to a loopback device and then mount it as normal volume into
9 your file system. This for instance allows you to have your /home directory
10 fully encrypted, so if someone gets access to your box, he won't be able to
11 mount or read any data without authenticating first (even using a Boot CD),
12 as all the data is stored in encrypted form on your disk as soon as the
13 partition or virtual volume gets unmounted. Encryption used is pretty strong,
14 ciphers included are AES (aka Rijndael), MARS, RC6, Serpent, Twofish, 3DES,
15 Blowfish, CAST5 cipher, GOST, IDEA and some more. Most of them support the
16 use of 256 bit keys.
17
18 For more information about the benefits of CryptoAPI, you can take a look at
19 their site at http://www.kerneli.org
20
21 The current kernel in Portage is as follows:
22
23 * sys-kernel/ppc-sources-crypto [ Masked ]
24 Latest version available: 2.4.20
25 Latest version installed: 2.4.20
26 Size of downloaded files: 26,980 kB
27 Homepage: http://www.kernel.org/ http://www.kerneli.org/
28 http://www.gentoo.org/
29 Description: Full cryptoapi enabled sources for the Gentoo Linux PPC
30 kernel
31
32 It is currently ~ppc masked for further testing. It's basically a 2.4.20-ben5
33 kernel with CryptoAPI 0.1.0, cryptoloop 0.0.1-pre1 and the loop-jari patch
34 for 2.4.20.
35
36 To try it, you can do the following:
37
38 emerge rsync
39 env ACCEPT_KEYWORDS="~ppc" emerge ppc-sources-crypto
40 USE="crypt" emerge linux-utils
41
42 The sources for the kernel are still being mirrored to the Gentoo mirrors at
43 the moment. In the meantime the ebuild will automatically fetch them from my
44 local mirror, which may be a bit slower.
45 We have to remerge linux-utils to have mount and losetup patched for CryptoAPI
46 support.
47
48 Next step is to go compile our new kernel:
49
50 cd /usr/src/linux-ppc-crypto-2.4.20
51 make oldconfig
52 #This will generate a default config which should work fine on most machines,
53 #it also already has all the ciphers enabled as modules, so you can load
54 #those you'll need into the kernel.
55 make menuconfig
56 #Only do this if you want to modify any kernel options; for the CryptoAPI
57 #settings, i suggest going with the default ones.
58 make dep clean vmlinux modules
59 make modules_install
60 cp vmlinux /boot/vmlinux-2.4.20-ppc-crypto
61 cp System.map /boot/System.map-2.4.20-ppc-crypto
62
63 Add entry to /etc/yaboot.conf and run "ybin".
64
65 Finally, we need to update /etc/modules.conf
66 To do so, add a file cryptoapi to /etc/modules.d with the following content:
67
68 keep
69 path[cciphers]=/lib/modules/`uname -r`/kernel/crypto/ciphers
70 keep
71 path[cdigests]=/lib/modules/`uname -r`/kernel/crypto/digests
72 keep
73 path[cdrivers]=/lib/modules/`uname -r`/kernel/crypto/drivers
74
75 Run modules-update
76
77 Reboot.
78
79 Once you are booted into the CryptoAPI kernel, we can start experimenting. As
80 an example, we will create a 50MB virtual volume which we will crypt with the
81 serpent cipher and mount to /mnt/secret.
82
83 1) Create the virtual volume (replace /home/doctomoe by your homedir of
84 course)
85
86 cd /home/doctomoe
87 dd if=/dev/urandom of=/home/doctomoe/secretvolume bs=1M count=50
88
89 This may take a while. We use urandom to better hide the crypted data within
90 the volume. If we zeroed it, it would be easy to detect where the encrypted
91 data is on the volume.
92
93 2) Mount the volume to a loop device
94
95 Make sure everything we need is loaded. If you have used the default kernel
96 config, all you need to do is to modprobe the cipher you want to use.
97
98 modprobe cipher-serpent
99
100 If you compiled cryptoloop as a module (not default), make sure to load it
101 too:
102
103 modprobe cryptoloop
104
105 Ok, now to the serious stuff :)
106
107 #Attach volume to a loop device
108 losetup -e serpent -k 256 /dev/loop0 /home/doctomoe/secretvolume
109
110 You will be asked a password. Type it carefully, as you won't be asked twice
111 and the password is not stored within the volume, so if you want to mount it
112 again later, you have to carefully type it again to avoid screwing the volume
113 up. The argument after -e is the cipher algorithm used and the -k argument is
114 the keysize generated for the encryption. It has nothing to do with the size
115 of your password.
116
117 Now we create a filesystem on it.
118
119 mkfs -t ext3 /dev/loop0
120
121 Finally, we can mount it.
122
123 mount -t ext3 /dev/loop0 /mnt/secret
124
125 Voila, you can now access /mnt/secret like any other volume/directory on your
126 system. Once you have stored your sensitive data and want to unmount the
127 volume again, do as follows:
128
129 umount /mnt/secret
130 losetup -d /dev/loop0
131
132 Do remount again, you do exactly like above, but you don't format the volume
133 again of course. If you typed in the wrong password, mount will give you a
134 bad filesystem error. Just detach (losetup -d) the loop device and try again.
135
136
137 Tips and tricks:
138
139 You can add a line to /etc/fstab which will allow you to mount the volume with
140 a single command and also as normal user (no need to be root then):
141
142 The line should look like:
143
144 /home/doctomoe/secretvolume /mnt/secret ext3
145 user,defaults,noauto,loop,encryption=serpent,keybits=256 0 0
146
147 All on one single line of course.
148
149 Once you added the line, you can attach and mount the drive by simply doing:
150
151 mount /mnt/secret
152 #enter password
153
154 and unmount and detach it with:
155
156 umount /mnt/secret
157
158 Finally, you can also write a script that will ask you twice for the password
159 and then mount the volume. That way, you will be less prone to enter a wrong
160 password. Example:
161
162 #!/bin/bash
163
164 echo "Mounting crypted volume to /mnt/secret..."
165
166 if cat /etc/mtab | grep "/mnt/secret" >/dev/null
167 then
168 echo "Volume already mounted..."
169 exit
170 else
171 until [ "$PASS1" = "$PASS2" -a -n "$PASS1" ]; do
172 # the bash read buitlin has to support the -s option.
173 # Don't use read without -s!!
174 read -s -p "Enter Passphrase: " PASS1; echo
175 read -s -p "Re-enter Passphrase: " PASS2; echo
176 done
177
178 echo "$PASS1" | mount -p 0 "/mnt/secret"
179
180 cd /mnt/secret
181
182 fi
183
184
185 That's it for now folks. I hope I didn't forget anything. If you want to
186 report about your success or failure or have any questions about using the
187 kernel, feel free to mail me (see email addy below)
188
189 Greetings,
190 Olivier Reisch aka DocTomoe
191
192 - --
193 ________________________________________________
194 Olivier Reisch doctomoe@g.o
195 Gentoo PPC Developer
196 http://www.gentoo.org
197
198 For safe mail, get my PGP Key:
199 http://perso.wanadoo.fr/olivier.reisch/oreisch_public_key.gpg
200 ________________________________________________
201
202 -----BEGIN PGP SIGNATURE-----
203 Version: GnuPG v1.2.1 (GNU/Linux)
204
205 iD8DBQE+P6XAXrXcgVpifr0RAtv8AJ9pJ5t84f7g3faAMveFDwKiZLKcsQCdFdMw
206 xKrqM8+s0RS2uJ/mk+lbQwE=
207 =CodP
208 -----END PGP SIGNATURE-----
209
210
211 --
212 gentoo-ppc-user@g.o mailing list

Replies

Subject Author
Re: [gentoo-ppc-user] CryptoAPI enabled PPC kernel available "José Andrés Arias Velichko" <locke@××××××××.es>
Report Message
Find on MARC Find on Google Groups