| 1 |
I agree with all of Ned's points, so here is a start... |
| 2 |
|
| 3 |
Enclosed you should find an initrd build environment (I'm in Iraq and |
| 4 |
can't get to my webserver so I enclosed it in this email). The initrd image |
| 5 |
it creates will mount an encrypted root directory. This is very rough |
| 6 |
right now. The process needs to be *automated* more. The method of |
| 7 |
providing a filesystem key needs to be more flexible. It may not even |
| 8 |
work for you without quite a bit of fiddling. |
| 9 |
|
| 10 |
In order to try this stuff out: |
| 11 |
|
| 12 |
0. Download busybox and install in ./busybox. |
| 13 |
1. Update src/etc/modules.initrd to include any modules needed to boot. |
| 14 |
2. Make sure you use literal = "root=/dev/ram0 init=/linuxrc rw" or LILO |
| 15 |
eqiv. on x86. |
| 16 |
3. Ensure romfs is compiled in your kernel (not a module). |
| 17 |
|
| 18 |
Then "make" and copy initrd.img.gz to where your bootloader expects it. |
| 19 |
|
| 20 |
The Makefile does a few things: |
| 21 |
|
| 22 |
1. Configures and builds busybox. |
| 23 |
2. Creates devices in src/dev. |
| 24 |
3. Generates a filesystem key at src/etc/efsk (encrypted with openssl and |
| 25 |
a passphrase). |
| 26 |
4. Collects some programs, libraries and kernel modules. |
| 27 |
|
| 28 |
Here is how you should create your encrypted root: |
| 29 |
|
| 30 |
openssl enc -d -aes-256-ecb -in /etc/efsk | losetup -p0 -e aes /dev/loop0 |
| 31 |
/dev/hdXY |
| 32 |
mkfs.Z /dev/loop0 |
| 33 |
|
| 34 |
Code contributions are very welcome! |
| 35 |
|
| 36 |
-- |
| 37 |
Mike |
Archives