Hello,

For those interested in advanced security, I put together a CryptoAPI-enabled
PPC kernel for Gentoo. CryptoAPI allows you to attach an encrypted partition or
virtual volume to a loopback device and then mount it as a normal volume in
your file system. This, for instance, allows you to have your /home directory
fully encrypted, so if someone gets access to your box, he won't be able to
mount or read any data without authenticating first (even using a boot CD),
as all the data is stored in encrypted form on your disk as soon as the
partition or virtual volume is unmounted. The encryption used is pretty strong;
the ciphers included are AES (aka Rijndael), MARS, RC6, Serpent, Twofish, 3DES,
Blowfish, CAST5, GOST, IDEA and some more. Most of them support the use of
256-bit keys.

For more information about the benefits of CryptoAPI, you can take a look at
their site at http://www.kerneli.org

The current kernel in Portage is as follows:

* sys-kernel/ppc-sources-crypto [ Masked ]
      Latest version available: 2.4.20
      Latest version installed: 2.4.20
      Size of downloaded files: 26,980 kB
      Homepage:    http://www.kernel.org/ http://www.kerneli.org/
                   http://www.gentoo.org/
      Description: Full cryptoapi enabled sources for the Gentoo Linux PPC
                   kernel

It is currently ~ppc masked for further testing. It's basically a 2.4.20-ben5
kernel with CryptoAPI 0.1.0, cryptoloop 0.0.1-pre1 and the loop-jari patch
for 2.4.20.

To try it, you can do the following:

emerge rsync
env ACCEPT_KEYWORDS="~ppc" emerge ppc-sources-crypto
USE="crypt" emerge linux-utils

The sources for the kernel are still being mirrored to the Gentoo mirrors at
the moment. In the meantime the ebuild will automatically fetch them from my
local mirror, which may be a bit slower.
We have to re-emerge linux-utils to have mount and losetup patched for CryptoAPI
support.

The next step is to compile our new kernel:

cd /usr/src/linux-ppc-crypto-2.4.20
make oldconfig
# This will generate a default config which should work fine on most machines;
# it also already has all the ciphers enabled as modules, so you can load
# those you'll need into the kernel.
make menuconfig
# Only do this if you want to modify any kernel options; for the CryptoAPI
# settings, I suggest going with the default ones.
make dep clean vmlinux modules
make modules_install
cp vmlinux /boot/vmlinux-2.4.20-ppc-crypto
cp System.map /boot/System.map-2.4.20-ppc-crypto

Add an entry to /etc/yaboot.conf and run "ybin".

Finally, we need to update /etc/modules.conf.
To do so, add a file named cryptoapi to /etc/modules.d with the following content:

keep
path[cciphers]=/lib/modules/`uname -r`/kernel/crypto/ciphers
keep
path[cdigests]=/lib/modules/`uname -r`/kernel/crypto/digests
keep
path[cdrivers]=/lib/modules/`uname -r`/kernel/crypto/drivers

Run modules-update.

Reboot.

Once you are booted into the CryptoAPI kernel, we can start experimenting. As
an example, we will create a 50 MB virtual volume which we will encrypt with the
Serpent cipher and mount at /mnt/secret.

1) Create the virtual volume (replace /home/doctomoe with your home directory,
of course)

cd /home/doctomoe
dd if=/dev/urandom of=/home/doctomoe/secretvolume bs=1M count=50

This may take a while. We use urandom to better hide the encrypted data within
the volume. If we zeroed it, it would be easy to detect where the encrypted
data is on the volume.
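To see what the urandom fill buys you, here is an added bash demonstration (not part of the original post): it builds two constructed 1 MiB images, one zero-filled and one random-filled, writes three blocks of random bytes into the middle of each to stand in for encrypted data, and counts how many 64 KiB blocks an observer without the key could mark as "used". The block and image sizes are assumptions chosen to keep the run fast.

```bash
#!/bin/bash
# Added example, not from the original post: zero-filled versus random-filled
# volume images. Block size and image size are assumptions for a quick demo.
set -u

BLOCK=65536   # 64 KiB per block
NBLOCKS=16    # 1 MiB image

# Create an image of NBLOCKS blocks filled from $2 (/dev/zero or /dev/urandom).
make_image() {  # $1 = output file, $2 = fill source
    dd if="$2" of="$1" bs="$BLOCK" count="$NBLOCKS" 2>/dev/null
}

# Overwrite blocks 6..8 with random bytes, which is what ciphertext looks like.
write_ciphertext() {  # $1 = image file
    dd if=/dev/urandom of="$1" bs="$BLOCK" seek=6 count=3 conv=notrunc 2>/dev/null
}

# Print the number of blocks that are not entirely zero.
count_nonzero_blocks() {  # $1 = image file
    local i=0 n=0 bytes
    while [ "$i" -lt "$NBLOCKS" ]; do
        # strip every NUL byte; anything left means the block is not all-zero
        bytes=$(dd if="$1" bs="$BLOCK" skip="$i" count=1 2>/dev/null | tr -d '\000' | wc -c)
        [ "$bytes" -eq 0 ] || n=$((n + 1))
        i=$((i + 1))
    done
    echo "$n"
}

# Run the comparison and print "zero=<n> random=<n>".
# On the zero-filled image only the 3 written blocks stand out; on the
# random-filled image every block looks the same, so nothing is revealed.
compare_fills() {
    local tmp
    tmp=$(mktemp -d)
    make_image "$tmp/zero.img" /dev/zero
    make_image "$tmp/random.img" /dev/urandom
    write_ciphertext "$tmp/zero.img"
    write_ciphertext "$tmp/random.img"
    echo "zero=$(count_nonzero_blocks "$tmp/zero.img") random=$(count_nonzero_blocks "$tmp/random.img")"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--run" ]; then compare_fills; fi
```

Run it with `--run`; the zero-filled image gives away exactly the three written blocks, the random-filled one gives away nothing.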
92 |
|
93 |
2) Mount the volume to a loop device |
94 |
|
95 |
Make sure everything we need is loaded. If you have used the default kernel |
96 |
config, all you need to do is to modprobe the cipher you want to use. |
97 |
|
98 |
modprobe cipher-serpent |
99 |
|
100 |
If you compiled cryptoloop as a module (not default), make sure to load it |
101 |
too: |
102 |
|
103 |
modprobe cryptoloop |
104 |
|
105 |
Ok, now to the serious stuff :) |
106 |
|
107 |
#Attach volume to a loop device |
108 |
losetup -e serpent -k 256 /dev/loop0 /home/doctomoe/secretvolume |
109 |
|
110 |
You will be asked a password. Type it carefully, as you won't be asked twice |
111 |
and the password is not stored within the volume, so if you want to mount it |
112 |
again later, you have to carefully type it again to avoid screwing the volume |
113 |
up. The argument after -e is the cipher algorithm used and the -k argument is |
114 |
the keysize generated for the encryption. It has nothing to do with the size |
115 |
of your password. |
116 |
|
117 |
Now we create a filesystem on it. |
118 |
|
119 |
mkfs -t ext3 /dev/loop0 |
120 |
|
121 |
Finally, we can mount it. |
122 |
|
123 |
mount -t ext3 /dev/loop0 /mnt/secret |
124 |
|
125 |
Voila, you can now access /mnt/secret like any other volume/directory on your |
126 |
system. Once you have stored your sensitive data and want to unmount the |
127 |
volume again, do as follows: |
128 |
|
129 |
umount /mnt/secret |
130 |
losetup -d /dev/loop0 |
131 |
|
132 |
Do remount again, you do exactly like above, but you don't format the volume |
133 |
again of course. If you typed in the wrong password, mount will give you a |
134 |
bad filesystem error. Just detach (losetup -d) the loop device and try again. |
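The attach, mount and detach sequence above, wrapped in a script that detaches the loop device again whenever the mount fails (the bad filesystem case a mistyped password produces), so the next attempt starts clean. This is an added example, not part of the original post; it assumes the paths, loop device and cipher settings from the walkthrough, all overridable through environment variables.

```bash
#!/bin/bash
# Added example, not from the original post: attach the CryptoAPI volume,
# try the mount, and detach the loop device again if the mount fails.
# Paths, loop device and cipher settings are assumptions taken from the walkthrough.
set -u

VOLUME="${VOLUME:-/home/doctomoe/secretvolume}"   # file created with dd above
MOUNTPOINT="${MOUNTPOINT:-/mnt/secret}"
LOOPDEV="${LOOPDEV:-/dev/loop0}"
CIPHER="${CIPHER:-serpent}"
KEYBITS="${KEYBITS:-256}"

# Returns 0 if MOUNTPOINT already appears in /etc/mtab.
already_mounted() {
    grep -q " $MOUNTPOINT " /etc/mtab 2>/dev/null
}

# Attach, then mount. On a failed mount (wrong passphrase gives a bad
# filesystem error) detach the loop device so a retry starts from a clean state.
# Returns 0 on success, 1 if already mounted, 2 if losetup failed, 3 if mount failed.
mount_secret() {
    if already_mounted; then
        echo "$MOUNTPOINT is already mounted" >&2
        return 1
    fi
    # losetup prompts for the passphrase itself, exactly as in the manual step
    losetup -e "$CIPHER" -k "$KEYBITS" "$LOOPDEV" "$VOLUME" || return 2
    if ! mount -t ext3 "$LOOPDEV" "$MOUNTPOINT"; then
        echo "mount failed (wrong passphrase?); detaching $LOOPDEV" >&2
        losetup -d "$LOOPDEV"
        return 3
    fi
    return 0
}

# Unmount and detach, so the key material leaves the kernel with the loop device.
umount_secret() {
    umount "$MOUNTPOINT" && losetup -d "$LOOPDEV"
}

case "${1:-}" in
    mount)  mount_secret ;;
    umount) umount_secret ;;
    "")     ;;  # no argument: only define the functions (lets the file be sourced)
    *)      echo "usage: $0 mount|umount" >&2; exit 64 ;;
esac
```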


Tips and tricks:

You can add a line to /etc/fstab which will allow you to mount the volume with
a single command and also as a normal user (no need to be root then).

The line should look like:

/home/doctomoe/secretvolume /mnt/secret ext3 user,defaults,noauto,loop,encryption=serpent,keybits=256 0 0

All on one single line, of course.

Once you have added the line, you can attach and mount the volume by simply doing:

mount /mnt/secret
# enter password

and unmount and detach it with:

umount /mnt/secret

Finally, you can also write a script that will ask you twice for the password
and then mount the volume. That way, you will be less prone to entering a wrong
password. Example:

#!/bin/bash

echo "Mounting crypted volume to /mnt/secret..."

if grep -q "/mnt/secret" /etc/mtab
then
    echo "Volume already mounted..."
    exit
else
    until [ "$PASS1" = "$PASS2" -a -n "$PASS1" ]; do
        # The bash read builtin has to support the -s option (no echo).
        # Don't use read without -s!!
        read -s -p "Enter Passphrase: " PASS1; echo
        read -s -p "Re-enter Passphrase: " PASS2; echo
    done

    # -p 0 makes the patched mount read the passphrase from file descriptor 0
    echo "$PASS1" | mount -p 0 "/mnt/secret"

    cd /mnt/secret
fi


That's it for now folks. I hope I didn't forget anything. If you want to
report your success or failure or have any questions about using the
kernel, feel free to mail me (see email address below).

Greetings,
Olivier Reisch aka DocTomoe

-- 
________________________________________________
Olivier Reisch                      doctomoe@g.o
Gentoo PPC Developer
http://www.gentoo.org

For safe mail, get my PGP Key:
http://perso.wanadoo.fr/olivier.reisch/oreisch_public_key.gpg
________________________________________________

-- 
gentoo-ppc-user@g.o mailing list