
HowTos.LinuxEncryption History


September 30, 2008, at 06:23 PM by 129.46.90.145 -
Added lines 98-100:
  1. rebuild module dependencies:
    1. cd /lib/modules/$KERNEL_VER
    2. sudo /sbin/depmod -F System.map-$KERNEL_VER $KERNEL_VER
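Review bot: the `depmod -F System.map-$KERNEL_VER` call only resolves its -F argument because of the preceding cd into /lib/modules/$KERNEL_VER, and it assumes the System.map copied in the earlier revision's step 1 was saved under that versioned name; say so, or give the absolute path. The list also restarts at 1. rather than continuing as step 4 of the copy steps it follows.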
September 30, 2008, at 06:15 PM by 129.46.90.145 -
Changed lines 96-99 from:
to:
  1. copy the System.map file to the /lib/modules/$KERNEL_VER directory
  2. copy the vmlinuz kernel file to the /lib/modules/$KERNEL_VER directory
  3. tar up the directory if you need to build on another machine
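Review bot: steps 1 and 2 say "copy the System.map file" and "copy the vmlinuz kernel file" without giving the destination filenames, and the depmod step added in the later revision expects the map to be named System.map-$KERNEL_VER; spell out the target names, e.g. `cp System.map /lib/modules/$KERNEL_VER/System.map-$KERNEL_VER` (or whatever naming is intended), so the two revisions agree.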
September 30, 2008, at 02:27 PM by 129.46.90.145 -
Added lines 87-96:

Building into a different output directory

  1. create the kernel output directory
  2. make O=../2.6.26.5-viac7/ oldconfig
  3. make O=../2.6.26.5-viac7/ bzImage
  4. make O=../2.6.26.5-viac7/ modules
  5. sudo make O=../2.6.26.5-viac7/ modules_install
  6. unpack the loop-aes source and cd into it
  7. make O=../2.6.26.5-viac7/ LINUX_SOURCE=../2.6.26.5-viac7/ KEYSCRUB=y PADLOCK=y EXTRA_CIPHERS=y MODINST=n
  8. copy the loop-aes modules by hand to the kernel/drivers/block directory and rename as appropriate
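Review bot: step 8's "rename as appropriate" leaves the target module names unspecified, and step 1 never names the output directory that steps 2 to 7 reference as ../2.6.26.5-viac7/; give both explicitly. Modules copied by hand also need the module dependency list rebuilt before they can be loaded by name, which the later September 30 revision adds as a separate depmod step; it belongs at the end of this list.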
August 22, 2008, at 02:28 PM by 129.46.90.42 -
Changed lines 79-82 from:
 make LINUX_SOURCE=/usr/src/linux KEYSCRUB=y PADLOCK=y

and this in the loop-aes-ciphers directory:

 make LINUX_SOURCE=/usr/src/linux
to:
 make LINUX_SOURCE=/usr/src/linux KEYSCRUB=y PADLOCK=y EXTRA_CIPHERS=y
August 22, 2008, at 01:32 PM by 129.46.90.42 -
Deleted lines 56-59:

Change max_loop in the loop-aes source tree

 vi /usr/src/modules/loop-aes/loop.c-2.6.patched
 static int max_loop = 255;
January 28, 2007, at 08:00 PM by 172.27.1.83 -
Added line 6:
  • Crypto Law Survey updated January 2007
January 28, 2007, at 07:36 PM by 172.27.1.83 -
Changed lines 5-6 from:

1997 Survey of Cryptography Legality

to:

General Encryption Links

  • 1997 Survey of Cryptography Legality
  • 1998 Survey of Cryptography Legality
  • Snake Oil FAQ
January 28, 2007, at 07:26 PM by 172.27.1.83 -
Added lines 5-6:

1997 Survey of Cryptography Legality

Changed lines 25-26 from:

I've been working with a VIA EPIA board with Padlock support. The loop-aes kernel module has support for Padlock, so I decided to give it a spin. Go to the HowTos.ViaPadlock page for more dirt.

to:

I've been working with a VIA EPIA board with Padlock support. The loop-aes kernel module has support for Padlock, so I decided to give it a spin. Go to the ViaPadlock page for more dirt. See also the LVMEncryption page for an example of using LVM with loop-aes.

January 10, 2007, at 05:35 PM by brian -
Changed lines 73-74 from:

If you have the Debian control files set up correctly in the loop-aes source, everything should build and package cleanly. Add the modules needed to boot the machine to your /etc/mkinitrd/modules file, and then run:

to:

If you have the Debian control files set up correctly in the loop-aes source, everything should build and package cleanly.

If the automated build doesn't work, try this in the loop-aes source directory:

 make LINUX_SOURCE=/usr/src/linux KEYSCRUB=y PADLOCK=y

and this in the loop-aes-ciphers directory:

 make LINUX_SOURCE=/usr/src/linux

Add the modules needed to boot the machine to your /etc/mkinitrd/modules file, and then run:
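Review bot: the fallback `make LINUX_SOURCE=/usr/src/linux KEYSCRUB=y PADLOCK=y` omits the RUNDM=n MODINST=n that the Debian rules line sets (March 01, 2006 revision), so the two builds behave differently with respect to installing the modules; state whether the fallback is meant to install the modules itself, or add MODINST=n and say how the modules get into /lib/modules in that case. PADLOCK=y is also unconditional here although the rest of the page makes it VIA-specific.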

August 26, 2006, at 10:51 AM by 172.27.1.94 -
Added lines 3-4:

FIXME add a header to this page for navigation

August 26, 2006, at 10:51 AM by 172.27.1.94 -
Changed line 60 from:
 make LINUX_SOURCE=$(KSRC) USE_KBUILD=$(USE_KBUILD) \\
to:
 make LINUX_SOURCE=$(KSRC) USE_KBUILD=$(USE_KBUILD) [backslash]\\
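Review bot: the fix swaps a doubled backslash for "[backslash]\\"; if the wiki renders [backslash] literally, the line ends in junk instead of a single continuation backslash. Check that the rendered page shows exactly one trailing backslash, and note that the continued line it joins (from the 10:49 AM revision) still carries the fused token MODINST=nmake.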
August 26, 2006, at 10:49 AM by 172.27.1.94 -
Changed lines 60-61 from:
 make LINUX_SOURCE=$(KSRC) USE_KBUILD=$(USE_KBUILD) RUNDM=n MODINST=nmake KEYSCRUB=y PADLOCK=y
to:
 make LINUX_SOURCE=$(KSRC) USE_KBUILD=$(USE_KBUILD) 
RUNDM=n MODINST=nmake KEYSCRUB=y PADLOCK=y
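Review bot: the split keeps the fused token MODINST=nmake and ends the first line with a space rather than a continuation character, so as written the second line would run as a separate command. The intended content is almost certainly the original rules line with the two options appended, i.e. `make LINUX_SOURCE=$(KSRC) USE_KBUILD=$(USE_KBUILD) RUNDM=n MODINST=n KEYSCRUB=y PADLOCK=y`, wrapped with a trailing backslash if it must span two lines.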
August 26, 2006, at 10:48 AM by 172.27.1.94 -
Added lines 76-82:

Building aespipe

 ./configure --prefix=/usr/local/stow/aespipe-2.3b 
 make
 sudo make install
 cd /usr/local/stow
 stow aespipe-2.3b
March 04, 2006, at 07:21 PM by 172.27.1.83 -
Added lines 21-22:

I've been working with a VIA EPIA board with Padlock support. The loop-aes kernel module has support for Padlock, so I decided to give it a spin. Go to the HowTos.ViaPadlock page for more dirt.

March 04, 2006, at 10:56 AM by 172.27.1.94 -
Added lines 74-75:

Multi-key Access

Changed lines 129-159 from:
 adduser --uid 65330 --gid 65530 --home /opt/someuser someuser
to:
 adduser --uid 65330 --gid 65530 --home /opt/someuser someuser

Single-key Access

Prepare the filesystem key

Create a new set of filesystem encryption keys. You will create this set of encryption keys as one file, then encrypt with root's GPG key. The creation of the filesystem encryption keys will take a while, as the command blocks when /dev/random runs out of random data

 head -c 2925 /dev/random | uuencode -m - | head -n 66 | tail -n 65
 | gpg --symmetric -a >/mnt/usbstick/keyfile.gpg

Add the new filesystem to /etc/fstab

 /dev/hdaXX /mount/point
 defaults,noauto,encryption=AES128,
 loop=/dev/loop?,gpgkey=/mnt/usbstick/keyfile.gpg 0 0

Use the filesystem key created above to setup a loopback device with the raw partition, then create the filesystem on the loopback device.

 losetup -F /dev/loop?
 mkreiserfs /dev/loop?
 losetup -d /dev/loop?
 mkdir /mount/point

Mount the new filesystem

 mount /mount/point

Verification of Encryption type

Check that loop is really in multi-key-v3 mode. Losetup -a output should include string "multi-key-v3" indicating that loop is really in multi-key-v3 mode. If no "multi-key-v3" string shows up, you somehow managed to mess up gpg key file generation part or you are trying to use old losetup/mount programs that only understand single-key or multi-key-v2 modes.

 losetup -a
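Review bot: several commands in this block are not valid as wrapped: the key-generation pipeline ends one line after `tail -n 65` and starts the next with `|`, which the shell rejects, and the fstab entry is spread over three lines when fstab takes one entry per line; end wrapped lines with a backslash or state that they are single lines. "Losetup -a" should be lowercase `losetup -a`. The heading says Single-key Access, yet the keyfile holds 65 lines and the verification step requires "multi-key-v3" in the losetup -a output, so say what "single" refers to (one passphrase via `gpg --symmetric`, as opposed to the per-user GPG keys of the Multi-key section).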
March 01, 2006, at 09:50 PM by 172.27.1.83 -
Added lines 55-59:

Add AES keyscrubbing and VIA Padlock (if you are using a board with a VIA processor with Padlock) to the rules file in the debian directory you just created above. Existing line in the rules file:

 make LINUX_SOURCE=$(KSRC) USE_KBUILD=$(USE_KBUILD) RUNDM=n MODINST=n

New line:

 make LINUX_SOURCE=$(KSRC) USE_KBUILD=$(USE_KBUILD) RUNDM=n MODINST=nmake KEYSCRUB=y PADLOCK=y
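Review bot: "MODINST=nmake" in the new line is the existing line's MODINST=n with a second "make" pasted straight after it, so make would receive MODINST=nmake instead of MODINST=n; the new line should read `make LINUX_SOURCE=$(KSRC) USE_KBUILD=$(USE_KBUILD) RUNDM=n MODINST=n KEYSCRUB=y PADLOCK=y`. The sentence makes PADLOCK=y conditional on VIA hardware but the line includes it unconditionally; show the non-Padlock variant as well.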
February 27, 2006, at 12:28 PM by brian -
Deleted lines 57-62:

Make sure you have MTD drivers and the JFFS2? filesystem turned on if you are going to store keys on a flash drive

 <*> Device Drivers -> Memory Technology Devices -> Memory Technology Device (MTD) support
 <*> Device Drivers -> Memory Technology Devices -> Self-contained MTD device drivers 
 -> MTD emulation using block device
 <*> Filesystems -> Miscellanious Filesystems -> Journalling Flash Filesystem v2 
February 27, 2006, at 12:47 AM by 172.27.1.94 -
Changed lines 25-26 from:
 apt-get install loop-aes-utils aespipe  loop-aes-ciphers-source  loop-aes-source curl libterm-size-perl libterm-readkey-perl \
to:
 apt-get install loop-aes-utils aespipe  loop-aes-ciphers-source
 loop-aes-source curl libterm-size-perl libterm-readkey-perl
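Review bot: the original line ended in a backslash continuation and the rewrapped version drops it, so unless the wiki joins the lines the second line ("loop-aes-source curl ...") is executed as a command of its own; keep a trailing backslash on the first line. Also check that the continuation line carrying the remaining packages from the February 24 list (libmail-sendmail-perl, libcompress-zlib-perl, dialog) still follows.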
Changed lines 47-48 from:
to:
 vi /usr/src/modules/loop-aes/loop.c-2.6.patched
 static int max_loop = 255;
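Review bot: the snippet shows the line `static int max_loop = 255;` but not whether 255 is the stock value or the value to set, nor why it is being changed; give the before and after values and the reason (the number of loop devices needed).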
February 27, 2006, at 12:23 AM by 172.27.1.94 -
Changed lines 60-61 from:
 <*> Device Drivers -> Memory Technology Devices -> Self-contained MTD device drivers -> MTD emulation using block device
to:
 <*> Device Drivers -> Memory Technology Devices -> Self-contained MTD device drivers 
 -> MTD emulation using block device
February 27, 2006, at 12:23 AM by 172.27.1.94 -
Added lines 46-48:

Change max_loop in the loop-aes source tree

Added lines 58-62:

Make sure you have MTD drivers and the JFFS2? filesystem turned on if you are going to store keys on a flash drive

 <*> Device Drivers -> Memory Technology Devices -> Memory Technology Device (MTD) support
 <*> Device Drivers -> Memory Technology Devices -> Self-contained MTD device drivers -> MTD emulation using block device
 <*> Filesystems -> Miscellanious Filesystems -> Journalling Flash Filesystem v2 
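Review bot: "Miscellanious" is misspelled (Miscellaneous) in the menuconfig path. Also say whether `<*>` (built-in) rather than `<M>` is deliberate for all three options, since the rest of the page relies on modules listed in /etc/mkinitrd/modules; and "JFFS2?" carries a stray wiki-link question mark.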
Added lines 78-88:
 Please select what kind of key you want:
   (1) DSA and Elgamal (default)

 DSA keypair will have 1024 bits.
 ELG-E keys may be between 1024 and 4096 bits long.
 What keysize do you want? (2048) 

 Please specify how long the key should be valid.
         0 = key does not expire
 Key is valid for? (0) 
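Review bot: the transcript records the gpg --gen-key prompts but not the answers chosen; note the key type, size and expiry actually used (the defaults shown are DSA and Elgamal, 2048, no expiry) so readers end up with keys consistent with the -r key IDs used later on the page.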
February 26, 2006, at 11:32 PM by 172.27.1.94 -
Changed lines 68-69 from:
 gnupg --gen-key
to:
 gpg --gen-key
Changed lines 72-73 from:
 gnupg --export 0xABCD1234 > filename.key
to:
 gpg --export 0xABCD1234 > filename.key
Changed lines 76-77 from:
 gnupg --import filename.key
to:
 gpg --import filename.key
February 25, 2006, at 01:06 AM by 172.27.1.83 -
Changed lines 55-64 from:
to:

Build it

 time make-kpkg --bzimage --revision 200X.XXX.X kernel_image
 time make-kpkg modules_image

If you have the Debian control files set up correctly in the loop-aes source, everything should build and package cleanly. Add the modules needed to boot the machine to your /etc/mkinitrd/modules file, and then run:

 time mkinitrd -o /boot/initrd.img-<kernel version> <kernel version>

Hint: use the output of lsmod to take a gander at what modules are needed. When you run the mkinitrd command, any modules that are missing from your list will be pointed out to you so that you can fix it in the kernel source and recompile/reinstall the kernel binary packages.
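Review bot: the lsmod hint only lists modules loaded on the currently running kernel, so the loop-aes module built here will not appear in that output unless it is already loaded; name it explicitly in the "modules needed to boot" sentence rather than relying on lsmod alone. The <kernel version> placeholder should also be tied to the --revision value given to make-kpkg above.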

February 24, 2006, at 07:23 PM by brian -
Added line 36:
 cd /usr/src
Added line 55:
February 24, 2006, at 07:22 PM by brian -
Deleted lines 36-37:

bonnie++ is a good tool for beating up on disks

 apt-get install bonnie++
February 24, 2006, at 07:21 PM by brian -
Added lines 21-55:

Build a kernel with Loop-AES support

This is Debian specific.

Get the Debian packages needed for compiling loop-aes

 apt-get install loop-aes-utils aespipe  loop-aes-ciphers-source  loop-aes-source curl libterm-size-perl libterm-readkey-perl  libmail-sendmail-perl libcompress-zlib-perl dialog

Get fresh loop-aes if you want the latest and greatest

 wget http://loop-aes.sourceforge.net/loop-AES-latest.tar.bz2

bonnie++ is a good tool for beating up on disks

 apt-get install bonnie++

Unpack the packages you just downloaded

 tar -jxvf loop-aes-ciphers.tar.bz2

bonnie++ is a good tool for beating up on disks

 apt-get install bonnie++
 tar -jxvf loop-aes.tar.bz2
 tar -jxvf loop-AES-latest.tar.bz2

Move the debian tree from the existing (old) loop-aes source tree to the new one

 mv loop-aes/debian/ loop-AES-v3.1c/
 rm -rf loop-aes/
 mv loop-AES-v3.1c/ loop-aes

Fiddle with the debian package files

 cd loop-aes/debian
 vi changelog
 vi control

Fiddle with your kernel source

 cd /usr/src/linux
 make menuconfig
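Review bot: the "bonnie++ is a good tool" paragraph and its apt-get line appear twice, the second copy splitting the "Unpack the packages" commands in the middle (removed in the 07:22 PM revision). The tar and mv steps also assume the current directory holds the tarballs dropped by the -source packages; the 07:23 PM revision adds `cd /usr/src`, which belongs before the first tar command. The directory name loop-AES-v3.1c/ is version-specific while the download is loop-AES-latest.tar.bz2, so note that the unpacked name will vary.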
September 06, 2005, at 10:19 PM by 172.27.1.83 -
Added line 6:
  • loop-aes README
Changed lines 18-20 from:

CryptoLoop Example

Create a new GnuPG? key:

to:

loop-aes Example

  • loop-aes README

Prepare your personal keys

For each user that will access the filesystem, create a new GnuPG key for that user if that user doesn't already have one.

Added lines 26-34:

Export that key to a file:

 gnupg --export 0xABCD1234 > filename.key

Import the key into your keyring

 gnupg --import filename.key

Prepare the filesystem key
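Review bot: the command is `gpg`, not `gnupg` (corrected in the February 26, 2006 revision). Say which account runs each step: "Export that key" is done by each user, while "Import the key into your keyring" presumably means root's keyring, since root later encrypts the filesystem key to those IDs.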

Changed lines 37-40 from:
 head -c 2880 /dev/random | uuencode -m - | head -n 65 | tail -n 64  | gpg -e -a -r 0x4FA2582C > /root/.gnupg/masterkey-secret.gpg
to:
 head -c 2880 /dev/random | uuencode -m - | head -n 65 | 
 tail -n 64 | gpg -e -a -r 0xABCD1234 >
 /root/.gnupg/masterkey-secret.gpg
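Review bot: the wrapped pipeline ends its second line with `>` and puts the output filename on the next line; a line ending in a redirection operator is a syntax error, so keep the redirection and its target together or end each wrapped line with a backslash. The trailing `|` on the first line is fine as a continuation.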
Changed line 43 from:
 losetup -e AES128? -K /root/.gnupg/masterkey-secret.gpg /dev/loop? /dev/hdXX
to:
 losetup -e AES128 -K /root/.gnupg/masterkey-secret.gpg /dev/loop? /dev/hdXX
Changed line 51 from:
 defaults,user,noauto,encryption=AES128?,
to:
 defaults,user,noauto,encryption=AES128,
Changed line 58 from:
 -r 0x4FA2582C -r 0xA20FE45E -r 0x6A935339 >
to:
 -r 0xABCD1234 -r 0x4321DCBA -r 0x9876FEDC >
September 06, 2005, at 08:19 PM by 172.27.1.83 -
Added lines 48-50:

Add a New User for emergency administration

 addgroup --gid 65530 somegrp
 adduser --uid 65330 --gid 65530 --home /opt/someuser someuser
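Review bot: --uid 65330 and --gid 65530 differ by a transposed digit; confirm which is intended, since the intent appears to be matching IDs, and say why such high IDs are chosen for the emergency account.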
August 14, 2005, at 11:18 PM by 172.27.1.83 -
Changed line 9 from:
  • CryptoLoop HOWTO - for 2.6 series kernels
to:
  • CryptoLoop HOWTO - for 2.6 series kernels. See example below
Changed lines 15-47 from:
  • Google search for Linux NFS Encrypted Filesystems
to:
  • Google search for Linux NFS Encrypted Filesystems

CryptoLoop Example

Create a new GnuPG? key:

 gnupg --gen-key

Create a new set of filesystem encryption keys. You will create this set of encryption keys as one file, then encrypt with root's GPG key. The creation of the filesystem encryption keys will take a while, as the command blocks when /dev/random runs out of random data

 head -c 2880 /dev/random | uuencode -m - | head -n 65 | tail -n 64  | gpg -e -a -r 0x4FA2582C > /root/.gnupg/masterkey-secret.gpg

Use the filesystem key created above to setup a loopback device with the raw partition, then create the filesystem on the loopback device.

 losetup -e AES128? -K /root/.gnupg/masterkey-secret.gpg /dev/loop? /dev/hdXX
 mkreiserfs /dev/loop?
 losetup -d /dev/loop?
 mkdir /mount/point

Add the new filesystem to /etc/fstab

 /dev/hdaXX /mount/point
 defaults,user,noauto,encryption=AES128,
 loop=/dev/loop0,gpgkey=/etc/signed-filesystem-key.gpg 0 0

Create a new file that contains the file system key signed with all of the signatures of the users who are permitted to mount that filesystem.

 gpg --decrypt < /root/.gnupg/masterkey-secret.gpg
 | gpg -e -a --always-trust 
 -r 0x4FA2582C -r 0xA20FE45E -r 0x6A935339 >
 /etc/signed-filesystem-key.gpg
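Review bot: the final file is encrypted to the three recipients (`gpg -e -r ...`), not signed, so "signed with all of the signatures of the users" and the filename signed-filesystem-key.gpg are misleading; describe it as the key file encrypted to the permitted users. The same wrapping problems recur: the gpg pipeline starts a line with `|` and ends one with `>`, and the fstab entry spans three lines. `AES128?` in the losetup line is a stray wiki-link mark (fixed in the September 06 revision), and `gnupg --gen-key` should be `gpg --gen-key`.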
April 05, 2005, at 08:49 PM by brian -
Added lines 1-15:

The contents of this website are Copyright (c)2004 by Brian Manning <brian at antlinux dot com>. Please do not reuse any of the content on this website without permission from the author.

  • Encrypting Filesystems ( pingu.salk.edu mirror copies )
    • Filesystem HOWTO
    • Network Filesystems Page
    • Loopback Encrypted Filesystem HOWTO - (obsoleted by the Disk Encryption HOWTO)
    • Loopback Root Filesystem HOWTO
    • Disk Encryption HOWTO
    • CryptoLoop HOWTO - for 2.6 series kernels
    • Encrypted Root Filesystem HOWTO
    • Comparison of Linux Encrypted Filesystems
    • Cryptographic Filesystem Article on Linux Journal
    • EncFS - Encrypted filesystem for Linux, using the FUSE (Filesystem in Userspace) libraries
    • LinuxSecurity article on cryptographic filesystems
    • Google search for Linux NFS Encrypted Filesystems
Page last modified on September 30, 2008, at 06:23 PM