
The contents of this website are Copyright (c)2004 by Brian Manning <brian at antlinux dot com>. Please do not reuse any of the content on this website without permission from the author.

FIXME add a header to this page for navigation

General Encryption Links

loop-aes Example

I've been working with a VIA EPIA board with Padlock support. The loop-aes kernel module has support for Padlock, so I decided to give it a spin. Go to the ViaPadlock page for more dirt. See also the LVMEncryption page for an example of using LVM with loop-aes.

Build a kernel with Loop-AES support

This is Debian specific.

Get the Debian packages needed for compiling loop-aes

 apt-get install loop-aes-utils aespipe loop-aes-ciphers-source \
     loop-aes-source curl libterm-size-perl libterm-readkey-perl \
     libmail-sendmail-perl libcompress-zlib-perl dialog

Get fresh loop-aes if you want the latest and greatest

 wget http://loop-aes.sourceforge.net/loop-AES-latest.tar.bz2

bonnie++ is a good tool for beating up on disks

 apt-get install bonnie++

Unpack the packages you just downloaded

 cd /usr/src
 tar -jxvf loop-aes-ciphers.tar.bz2
 tar -jxvf loop-aes.tar.bz2
 tar -jxvf loop-AES-latest.tar.bz2

Move the debian tree from the existing (old) loop-aes source tree to the new one

 mv loop-aes/debian/ loop-AES-v3.1c/
 rm -rf loop-aes/
 mv loop-AES-v3.1c/ loop-aes

Fiddle with the debian package files

 cd loop-aes/debian
 vi changelog
 vi control

Add AES key scrubbing and VIA Padlock support (the latter only if your board has a VIA processor with Padlock) to the rules file in the debian directory you just moved into the new source tree. KEYSCRUB=y makes the module periodically move and invert the keys it holds in kernel memory, loop-AES's countermeasure against memory remanence; PADLOCK=y uses the CPU's hardware AES engine instead of the software implementation. Existing line in the rules file:

 make LINUX_SOURCE=$(KSRC) USE_KBUILD=$(USE_KBUILD) RUNDM=n MODINST=n

New line:

 make LINUX_SOURCE=$(KSRC) USE_KBUILD=$(USE_KBUILD) \
     RUNDM=n MODINST=n KEYSCRUB=y PADLOCK=y

Fiddle with your kernel source

 cd /usr/src/linux
 make menuconfig

Build it

 time make-kpkg --bzimage --revision 200X.XXX.X kernel_image
 time make-kpkg modules_image

If you have the Debian control files set up correctly in the loop-aes source, everything should build and package cleanly.

If the automated build doesn't work, try this in the loop-aes source directory:

 make LINUX_SOURCE=/usr/src/linux KEYSCRUB=y PADLOCK=y EXTRA_CIPHERS=y

Add the modules needed to boot the machine to your /etc/mkinitrd/modules file, and then run:

 time mkinitrd -o /boot/initrd.img-<kernel version> <kernel version>

Hint: use the output of lsmod on the running system to see which modules are needed. When you run the mkinitrd command, any module in your list that it cannot find is reported, so you can fix the kernel configuration and recompile/reinstall the kernel binary packages.

Building into a different output directory

  1. create the kernel output directory
  2. make O=../2.6.26.5-viac7/ oldconfig
  3. make O=../2.6.26.5-viac7/ bzImage
  4. make O=../2.6.26.5-viac7/ modules
  5. sudo make O=../2.6.26.5-viac7/ modules_install
  6. unpack the loop-aes source and cd into it
  7. make O=../2.6.26.5-viac7/ LINUX_SOURCE=../2.6.26.5-viac7/ KEYSCRUB=y PADLOCK=y EXTRA_CIPHERS=y MODINST=n
  8. copy the loop-aes modules by hand to the kernel/drivers/block directory and rename as appropriate
  9. copy the System.map file to the /lib/modules/$KERNEL_VER directory
  10. copy the vmlinuz kernel file to the /lib/modules/$KERNEL_VER directory
  11. rebuild module dependencies:
    1. cd /lib/modules/$KERNEL_VER
    2. sudo /sbin/depmod -F System.map-$KERNEL_VER $KERNEL_VER
  12. tar up the directory if you need to build on another machine

Building aespipe

 ./configure --prefix=/usr/local/stow/aespipe-2.3b 
 make
 sudo make install
 cd /usr/local/stow
 stow aespipe-2.3b

Multi-key Access

Prepare your personal keys

For each user that will access the filesystem, create a new GnuPG key for that user if that user doesn't already have one.

 gpg --gen-key

 Please select what kind of key you want:
   (1) DSA and Elgamal (default)

 DSA keypair will have 1024 bits.
 ELG-E keys may be between 1024 and 4096 bits long.
 What keysize do you want? (2048) 

 Please specify how long the key should be valid.
         0 = key does not expire
 Key is valid for? (0) 

Export each user's public key to a file (the user does this from their own account):

 gpg --export 0xABCD1234 > filename.key

Import that file into root's keyring; root's gpg must be able to find every recipient of the filesystem key. Verify the fingerprint with the user out of band before you rely on it: the encryption step further down runs with --always-trust, so gpg will not warn you about an unverified key.

 gpg --import filename.key

Prepare the filesystem key

Create the filesystem encryption keys. You create the whole set as one file and encrypt it to root's GPG key. Generating the keys can take a while, because the command blocks whenever /dev/random runs out of entropy.

 head -c 2880 /dev/random | uuencode -m - | head -n 65 | tail -n 64 | \
     gpg -e -a -r 0xABCD1234 > /root/.gnupg/masterkey-secret.gpg

This produces 64 key lines, which loop-AES treats as multi-key-v2. If you want multi-key-v3 (the mode the verification section at the end of this page checks for), generate 65 lines instead, as the single-key example below does: head -c 2925 /dev/random | uuencode -m - | head -n 66 | tail -n 65.

Use the filesystem key created above to set up a loopback device on the raw partition, then create the filesystem on the loopback device.

 losetup -e AES128 -K /root/.gnupg/masterkey-secret.gpg /dev/loop? /dev/hdXX
 mkreiserfs /dev/loop?
 losetup -d /dev/loop?
 mkdir /mount/point

Add the new filesystem to /etc/fstab. The filesystem type field is required (reiserfs here, matching the mkreiserfs above); the user option lets non-root users mount it, and gpgkey points at the key file encrypted to their keys, created in the next step.

 /dev/hdaXX /mount/point reiserfs defaults,user,noauto,encryption=AES128,loop=/dev/loop0,gpgkey=/etc/signed-filesystem-key.gpg 0 0

Create a new file that contains the filesystem key encrypted to the public keys of every user who is permitted to mount the filesystem. (The file name says "signed", but nothing is signed here: the key is decrypted with root's key and re-encrypted to all recipients.) --always-trust skips gpg's web-of-trust check, which is why the fingerprints had to be verified when the keys were imported.

 gpg --decrypt < /root/.gnupg/masterkey-secret.gpg | \
     gpg -e -a --always-trust -r 0xABCD1234 -r 0x4321DCBA -r 0x9876FEDC > \
     /etc/signed-filesystem-key.gpg

Add a New User for emergency administration

 addgroup --gid 65530 somegrp
 adduser --uid 65330 --gid 65530 --home /opt/someuser someuser

Single-key Access

Prepare the filesystem key

Create the filesystem encryption keys. This time the key file is protected with a passphrase (gpg --symmetric) rather than with a public key, and is written to removable media. The 65 lines give you multi-key-v3. Generating the keys can take a while, because the command blocks whenever /dev/random runs out of entropy.

 head -c 2925 /dev/random | uuencode -m - | head -n 66 | tail -n 65 | \
     gpg --symmetric -a > /mnt/usbstick/keyfile.gpg
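The line counts in the two key recipes on this page (64 lines in the multi-key section, 65 here) are what decide the mode loop-AES will run in. The following script is an added example, not code from this page or from loop-AES: it reproduces the key-line generation and classifies a decrypted key file by its line count. Assumptions that are not from the page: base64(1) and awk(1) stand in for uuencode -m (same alphabet, same 60-character lines, header and trailer already dropped); /dev/urandom is used so the demo never blocks, whereas the page deliberately uses /dev/random; the gpg step is left out so the helpers can be run on plain text.

```shell
#!/bin/sh
# Added example; not code from the page or from loop-AES.
# Assumptions: base64 + awk replace "uuencode -m"; /dev/urandom replaces
# /dev/random for the demo only; gpg wrapping is omitted.

# gen_keylines N
# Print N key lines of 60 base64 characters (45 random bytes each), which
# is what "head -c 45*N /dev/random | uuencode -m -" yields once its
# "begin-base64" header and "====" trailer are cut off with head/tail.
gen_keylines() {
    n="$1"
    head -c "$((45 * n))" /dev/urandom | base64 | tr -d '\n' |
        awk '{ for (i = 1; i <= length($0); i += 60) print substr($0, i, 60) }'
}

# keyfile_mode
# Read decrypted key lines on stdin and print the loop-AES mode that this
# line count selects: 1 line = single-key, 64 = multi-key-v2,
# 65 = multi-key-v3. Any other count is rejected (exit 1); empty lines are
# rejected too (exit 2), since neither recipe on this page produces them.
keyfile_mode() {
    awk '
        /^$/ { empty++ }
        END {
            if (empty > 0) { print "malformed: " empty " empty line(s)"; exit 2 }
            if (NR == 1)       print "single-key"
            else if (NR == 64) print "multi-key-v2"
            else if (NR == 65) print "multi-key-v3"
            else { print "unsupported: " NR " key line(s)"; exit 1 }
        }'
}

# Demo: the two line counts used on this page.
gen_keylines 64 | keyfile_mode    # prints multi-key-v2
gen_keylines 65 | keyfile_mode    # prints multi-key-v3
```

To check an existing key file, decrypt it and pipe it in: gpg --decrypt < /mnt/usbstick/keyfile.gpg | keyfile_mode. Do that on a machine you trust, since the plaintext keys pass through a pipe.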

Add the new filesystem to /etc/fstab. As above, the filesystem type field (reiserfs here) is required.

 /dev/hdaXX /mount/point reiserfs defaults,noauto,encryption=AES128,loop=/dev/loop?,gpgkey=/mnt/usbstick/keyfile.gpg 0 0

Use the filesystem key created above to set up a loopback device on the raw partition (losetup -F takes the options from the fstab entry), then create the filesystem on the loopback device.

 losetup -F /dev/loop?
 mkreiserfs /dev/loop?
 losetup -d /dev/loop?
 mkdir /mount/point

Mount the new filesystem

 mount /mount/point

Verification of Encryption type

Check that the loop device is really in multi-key-v3 mode: the output of losetup -a should include the string "multi-key-v3". If it does not, either the gpg key file generation went wrong (for example, 64 key lines instead of 65) or you are using old losetup/mount programs that only understand single-key or multi-key-v2 modes.

 losetup -a
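The check above is easy to do by eye on one device; the script below is an added example (not from this page) that applies it to losetup -a output for a named device and tells the failure cases apart: device not set up at all, set up without encryption, encrypted but not multi-key-v3, or multi-key-v3 with a different cipher than expected. The sample output is constructed to resemble loop-AES losetup output; the exact field layout is an assumption, and only the "encryption=" and "multi-key-v3" strings are taken from the page.

```shell
#!/bin/sh
# Added example; not from the page. Sample losetup output is constructed.

# verify_loop DEVICE CIPHER
# Reads "losetup -a" text on stdin. Exit 0 only when DEVICE is listed,
# uses CIPHER and is in multi-key-v3 mode; otherwise say why and exit 1.
verify_loop() {
    dev="$1"; cipher="$2"
    line=$(grep "^$dev: ") || { echo "$dev: not set up"; return 1; }
    case "$line" in
        *"encryption=$cipher "*multi-key-v3*)
            echo "$dev: OK ($cipher, multi-key-v3)" ;;
        *multi-key-v3*)
            echo "$dev: multi-key-v3 but not $cipher"; return 1 ;;
        *encryption=*)
            echo "$dev: encrypted but single-key or multi-key-v2 (bad key file or old losetup/mount)"; return 1 ;;
        *)
            echo "$dev: no encryption at all"; return 1 ;;
    esac
}

# Constructed sample of what "losetup -a" might print on this kind of setup
# (assumed layout; the real output is whatever your losetup prints).
SAMPLE='/dev/loop0: [0301]:2 (/dev/hda5) encryption=AES128 multi-key-v3
/dev/loop1: [0301]:4 (/dev/hda7) encryption=AES128
/dev/loop2: [0301]:6 (/dev/hda9)'

for d in /dev/loop0 /dev/loop1 /dev/loop2 /dev/loop3; do
    printf '%s\n' "$SAMPLE" | verify_loop "$d" AES128 || true
done
```

On the live system run losetup -a | verify_loop /dev/loop0 AES128 after mounting; a non-zero exit is the cue to go back to the key file or to upgrade losetup/mount.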
Page last modified on September 30, 2008, at 06:23 PM