1 |
I agree with all of Ned's points, so here is a start... |
2 |
|
3 |
Enclosed you should find an initrd build environment (I'm in Iraq and |
4 |
can't get to my webserver so I enclosed it in this email). The initrd image |
5 |
it creates will mount an encrypted root directory. This is very rough |
6 |
right now. The process needs to be *automated* more. The method of |
7 |
providing a filesystem key needs to be more flexible. It may not even |
8 |
work for you without quite a bit of fiddling. |
9 |
|
10 |
In order to try this stuff out: |
11 |
|
12 |
0. Download busybox and install in ./busybox. |
13 |
1. Update src/etc/modules.initrd to include any modules needed to boot. |
14 |
2. Make sure you use literal = "root=/dev/ram0 init=/linuxrc rw" or LILO |
15 |
eqiv. on x86. |
16 |
3. Ensure romfs is compiled in your kernel (not a module). |
17 |
|
18 |
Then "make" and copy initrd.img.gz to where your bootloader expects it. |
19 |
|
20 |
The Makefile does a few things: |
21 |
|
22 |
1. Configures and builds busybox. |
23 |
2. Creates devices in src/dev. |
24 |
3. Generates a filesystem key at src/etc/efsk (encrypted with openssl and |
25 |
a passphrase). |
26 |
4. Collects some programs, libraries and kernel modules. |
27 |
|
28 |
Here is how you should create your encrypted root: |
29 |
|
30 |
openssl enc -d -aes-256-ecb -in /etc/efsk | losetup -p0 -e aes /dev/loop0 |
31 |
/dev/hdXY |
32 |
mkfs.Z /dev/loop0 |
33 |
|
34 |
Code contributions are very welcome! |
35 |
|
36 |
-- |
37 |
Mike |