Re: Linux distro w/loop-aes
> > It's easier to install Ubuntu in the normal way and then encrypt
> > the devices with aespipe,....
> That's the way I do it and for which I need statically linked gpg and
> aespipe.
Just boot from a live-cd with aespipe to encrypt your root device.
I think this is easier than the steps described in the README of
loop-AES.
> Kubuntu 7.04 and 7.10 don't have usbcore, usbstorage or vfat built-in.
> So a kernel recompile is needed. Since I am not familiar with
> debian/ubuntu scripts it would be fine to understand your steps
> towards full disk-encryption a little better. Especially how to build
> an initial ramdisk for booting from usb memory without
> build-initrd.sh would be nice to learn.
No, recompiling is necessary because the loop-aes package doesn't provide
multi-key mode. But perhaps this has changed with 7.10. I could
boot from a usb-stick without touching the kernel in ubuntu 7.04 and
earlier. Below you can see my scripts for initramfs-tools. See "man
initramfs-tools" for further explanations,...
First I wrote a script called 'crypt'.
It contains all commands to set up my encrypted disks (including root)
and all necessary passphrases in cleartext (I like to have only one
passphrase for all encrypted devices,....):
----------
echo "passwortxxxxxxxxxxxxxxxxxxxx" | losetup -p 0 ..... /dev/loop0 /dev/hdaY
# or multi-key mode:
echo -e -n "passskddddddddddddsfaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\nadsfffffffffffffff[....]" \
| losetup -p 0 ..... /dev/loop1 /dev/hdaX
# temporary keys for swap and temp:
TEMP=$(gpg --gen-random 1 42 | openssl enc -base64)
KEY=$(echo "$TEMP""YuKq9YvT1ckVOQAQ/nOTm4EyPpYRKLYsJKLh7/BWb2AB+oLkzqC/cUwc" | \
hashalot sha512 -n 63 | openssl enc -base64 | tr -d "\n")
echo "$KEY" | losetup -p 0 ..... /dev/loop2 /dev/hda88
mkfs.xfs /dev/loop2
TEMP=$(gpg --gen-random 1 42 | openssl enc -base64)
KEY=$(echo "$TEMP""Ou/miNXJ3yjuj3HnAaaoTVcgd1jNkWbRGUjnS0hERymoQoYfWikLpwun" | \
hashalot sha512 -n 63 | openssl enc -base64 | tr -d "\n")
echo "$KEY" | losetup -p 0 ..... /dev/loop3 /dev/hda999
mkswap /dev/loop3
----------
If I executed this script from the live-cd, all devices would be
accessible according to my /etc/fstab (but not mounted, of course):
------------
....
/dev/loop0 / ext3 defaults,errors=remount-ro 0 1
/dev/loop1 /home ext3 defaults 0 2
/dev/loop2 /tmp xfs defaults 0 0
/dev/loop3 none swap sw 0 0
.....
------------
Then I encrypt this script with gpg:
gpg -c --cipher-algo AES256 --s2k-mode 3 --s2k-cipher-algo AES256 \
    --s2k-digest-algo SHA512 --s2k-count 65011712 --force-mdc \
    --digest-algo SHA512 crypt
The name of the encrypted file is '/home/crypt/crypt.gpg'
/etc/initramfs/modules:
-----------
loop
# loop_blowfish
# loop_serpent
# loop_twofish
# perhaps you have to add other modules here
# it depends on your hardware and kernel....
-----------
/etc/initramfs-tools/hooks/loopcrypt (this file is used when an
initramfs image is created):
-------------
#!/bin/bash
. /usr/share/initramfs-tools/hook-functions
mkdir -p ${DESTDIR}/boot
mkdir -p ${DESTDIR}/sbin
mkdir -p ${DESTDIR}/usr/bin
mkdir -p ${DESTDIR}/bin
mkdir -p ${DESTDIR}/gnupg
mkdir -p ${DESTDIR}/.gnupg
cp -p /home/crypt/crypt.gpg ${DESTDIR}/boot # my encrypted script
cp -p /usr/share/gnupg/options.skel ${DESTDIR}/gnupg
cp -p /usr/share/gnupg/options.skel ${DESTDIR}/.gnupg/gpg.conf
# you don't need to care about "statically linking"
# copy_exec will detect which libraries are necessary and copy
# them to your initrd,....
copy_exec /bin/bash /bin
copy_exec /sbin/mkfs.xfs /sbin
copy_exec /sbin/losetup /sbin
copy_exec /sbin/mkswap /sbin
copy_exec /usr/bin/gpg /usr/bin
copy_exec /usr/bin/tr /usr/bin
copy_exec /usr/bin/openssl /usr/bin
copy_exec /usr/sbin/hashalot /usr/bin
----------------
The following script will be executed at each boot-process, before the
root-partition is mounted.
/etc/initramfs-tools/scripts/local-top/loopcrypt:
---------------
#!/bin/bash
HD='/dev/hda' # the disk with the encrypted partitions
# if you have more than one disk with encrypted partitions,
# you need to modify the first while-loop
CRYPTFILE='/boot/crypt.gpg'
PREREQ="udev"
PASS=""
PLAIN=""
TEST=1
Newline=$'\n' # IFS is set to a bare newline while the decrypted commands run

prereqs()
{
    echo "$PREREQ"
}

case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac

echo "Waiting ..."
# wait up to 180 seconds (1800 x 0.1 s) for the disk to appear
slumber=1800
while [ ${slumber} -gt 0 -a ! -e "$HD" ]; do
    /bin/sleep 0.1
    slumber=$(( ${slumber} - 1 ))
done

# ask for the passphrase until gpg produces something that looks like the script
while [ 0 != $TEST ] ; do
    echo "password:"
    read -s PASS
    PLAIN=$(cat "$CRYPTFILE" | gpg --decrypt --no-tty --quiet \
        --no-verbose --passphrase-fd 8 8<<<"$PASS")
    if [ ${#PLAIN} -ge 30 ]; then
        TEST=0
    else
        echo "try it again..."
    fi
done

# run the decrypted losetup commands, then clear the secrets from the variables
oldIFS="$IFS"
IFS="${Newline}"
eval "$PLAIN"
IFS="$oldIFS"
PASS=""
PLAIN=""
TEST=1
---------------
You can build a new initrd with 'update-initramfs -u'.
Creation of the usb-stick (/dev/sdg).
The commands will destroy all data on the stick!
$ dd if=/dev/zero of=/dev/sdg bs=8192 count=22
$ mkdosfs /dev/sdg
$ syslinux /dev/sdg
$ mount /dev/sdg /mnt/stick
$ cp /boot/initrd.your.version /mnt/stick/initrd
$ cp /boot/vmlinuz-your.version /mnt/stick/vmlinuz
$ cp /path/to/syslinux.cfg /mnt/stick/syslinux.cfg
$ sync
syslinux.cfg:
---
default vmlinuz
append initrd=initrd root=/dev/loopX
---
/dev/loopX must be your root-partition according to /etc/fstab!
The size of your initrd.img doesn't matter as long as your usb-stick
and RAM are large enough,...
cu,
Rudi
-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
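The post ties three files together by hand: the losetup lines in the decrypted 'crypt' script, the /dev/loopN entries in /etc/fstab, and the root=/dev/loopX argument in syslinux.cfg. A mismatch (a loop device listed in fstab that the script never sets up, or a root= that points at the wrong loop device) only shows up as a failed boot from the stick. The following is an added consistency check, not code from Rudi's post or from loop-AES; the three sample inputs are constructed, and the "....." keeps the loop-AES options the post elides. It is meant to be run on the plaintext script before it is gpg-encrypted and update-initramfs is run.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): cross-check the 'crypt'
# script, /etc/fstab and syslinux.cfg before building the initramfs.
# All three inputs below are constructed sample data.

# Sample 'crypt' script as it looks after decryption (constructed).
# "....." stands for the loop-AES losetup options the post elides.
SAMPLE_CRYPT='echo "pw" | losetup -p 0 ..... /dev/loop0 /dev/hdaY
echo "pw" | losetup -p 0 ..... /dev/loop1 /dev/hdaX
echo "$KEY" | losetup -p 0 ..... /dev/loop2 /dev/hda88
mkfs.xfs /dev/loop2'

# Sample /etc/fstab (constructed): /dev/loop3 has no losetup line above.
SAMPLE_FSTAB='/dev/loop0 / ext3 defaults,errors=remount-ro 0 1
/dev/loop1 /home ext3 defaults 0 2
/dev/loop2 /tmp xfs defaults 0 0
/dev/loop3 none swap sw 0 0'

# Sample syslinux.cfg append line (constructed): root= points at /home.
SAMPLE_APPEND='append initrd=initrd root=/dev/loop1'

# Print every loop device the crypt script attaches with losetup, one per line.
crypt_loops() {
    printf '%s\n' "$1" \
    | awk '/losetup/ { for (i = 1; i <= NF; i++) if ($i ~ /^\/dev\/loop[0-9]+$/) print $i }' \
    | sort -u
}

# Print the loop device that fstab mounts at "/" (empty if there is none).
fstab_root_loop() {
    printf '%s\n' "$1" | awk '$1 ~ /^\/dev\/loop[0-9]+$/ && $2 == "/" { print $1; exit }'
}

# Print the root= device from a syslinux append line.
syslinux_root() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^root=//p'
}

# Return 0 when every loop device in fstab is attached by the crypt script
# and syslinux's root= matches fstab's "/" entry; otherwise print each
# problem and return 1.
check_loop_config() {
    crypt="$1"; fstab="$2"; append="$3"
    rc=0
    attached=" $(crypt_loops "$crypt" | tr '\n' ' ') "
    for dev in $(printf '%s\n' "$fstab" | awk '$1 ~ /^\/dev\/loop[0-9]+$/ { print $1 }'); do
        case "$attached" in
            *" $dev "*) ;;
            *) echo "fstab uses $dev but the crypt script never runs losetup on it"; rc=1 ;;
        esac
    done
    want=$(fstab_root_loop "$fstab")
    got=$(syslinux_root "$append")
    if [ -z "$want" ]; then
        echo "fstab has no loop device mounted at /"; rc=1
    elif [ "$want" != "$got" ]; then
        echo "syslinux.cfg says root=$got but fstab mounts $want at /"; rc=1
    fi
    return $rc
}

# Against the constructed samples this reports two problems: loop3 is never
# attached, and root=/dev/loop1 does not match the "/" entry (/dev/loop0).
check_loop_config "$SAMPLE_CRYPT" "$SAMPLE_FSTAB" "$SAMPLE_APPEND" \
    || echo "fix the configuration before running update-initramfs -u"
```

The check only looks at device names, so it deliberately does not touch the passphrases in the script; run it on the plaintext copy that is about to be encrypted, in the same session, and it has nothing to leak beyond what the shell already holds.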