The contents of this website are Copyright (c)2004 by Brian Manning <brian at antlinux dot com>. Please do not reuse any of the content on this website without permission from the author.
FIXME add a header to this page for navigation
I've been working with a VIA EPIA board with Padlock support. The loop-aes kernel module has support for Padlock, so I decided to give it a spin. Go to the ViaPadlock page for more dirt. See also the LVMEncryption page for an example of using LVM with loop-aes.
This is Debian specific.
Get the Debian packages needed for compiling loop-aes
apt-get install loop-aes-utils aespipe loop-aes-ciphers-source loop-aes-source curl libterm-size-perl libterm-readkey-perl libmail-sendmail-perl libcompress-zlib-perl dialog
Get fresh loop-aes if you want the latest and greatest
wget http://loop-aes.sourceforge.net/loop-AES-latest.tar.bz2
bonnie++ is a good tool for beating up on disks
apt-get install bonnie++
Unpack the packages you just downloaded
cd /usr/src tar -jxvf loop-aes-ciphers.tar.bz2 tar -jxvf loop-aes.tar.bz2 tar -jxvf loop-AES-latest.tar.bz2
Move the debian tree from the existing (old) loop-aes source tree to the new one
mv loop-aes/debian/ loop-AES-v3.1c/ rm -rf loop-aes/ mv loop-AES-v3.1c/ loop-aes
Fiddle with the debian package files
cd loop-aes/debian vi changelog vi control
Add AES keyscrubbing and VIA Padlock (if you are using a board with a VIA processor with Padlock) to the rules file in the debian directory you just created above. Existing line in the rules file:
make LINUX_SOURCE=$(KSRC) USE_KBUILD=$(USE_KBUILD) RUNDM=n MODINST=n
New line:
make LINUX_SOURCE=$(KSRC) USE_KBUILD=$(USE_KBUILD) [backslash]
RUNDM=n MODINST=nmake KEYSCRUB=y PADLOCK=y
Fiddle with your kernel source
cd /usr/src/linux make menuconfig
Build it
time make-kpkg --bzimage --revision 200X.XXX.X kernel_image time make-kpkg modules_image
If you have the Debian control files set up correctly in the loop-aes source, everything should build and package cleanly.
If the automated build doesn't work, try this in the loop-aes source directory:
make LINUX_SOURCE=/usr/src/linux KEYSCRUB=y PADLOCK=y EXTRA_CIPHERS=y
Add the modules needed to boot the machine to your /etc/mkinitrd/modules file, and then run:
time mkinitrd -o /boot/initrd.img-<kernel version> <kernel version>
Hint: use the output of lsmod to take a gander at what modules are needed. When you run the mkinitrd command, any modules that are missing from your list will be pointed out to you so that you can fix it in the kernel source and recompile/reinstall the kernel binary packages.
make O=../2.6.26.5-viac7/ oldconfig
make O=../2.6.26.5-viac7/ bzImage
make O=../2.6.26.5-viac7/ modules
sudo make O=../2.6.26.5-viac7/ modules_install
cd into it
make O=../2.6.26.5-viac7/ LINUX_SOURCE=../2.6.26.5-viac7/ KEYSCRUB=y PADLOCK=y EXTRA_CIPHERS=y MODINST=n
kernel/drivers/block directory and rename as appropriate
System.map file to the /lib/modules/$KERNEL_VER directory
vmlinuz kernel file to the /lib/modules/$KERNEL_VER directory
cd /lib/modules/$KERNEL_VER
sudo /sbin/depmod -F System.map-$KERNEL_VER $KERNEL_VER
./configure --prefix=/usr/local/stow/aespipe-2.3b make sudo make install cd /usr/local/stow stow aespipe-2.3b
For each user that will access the filesystem, create a new GnuPG key for that user if that user doesn't already have one.
gpg --gen-key
Please select what kind of key you want:
(1) DSA and Elgamal (default)
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Please specify how long the key should be valid.
0 = key does not expire
Key is valid for? (0)
Export that key to a file:
gpg --export 0xABCD1234 > filename.key
Import the key into your keyring
gpg --import filename.key
Create a new set of filesystem encryption keys. You will create this set of encryption keys as one file, then encrypt with root's GPG key. The creation of the filesystem encryption keys will take a while, as the command blocks when /dev/random runs out of random data
head -c 2880 /dev/random | uuencode -m - | head -n 65 | tail -n 64 | gpg -e -a -r 0xABCD1234 > /root/.gnupg/masterkey-secret.gpg
Use the filesystem key created above to setup a loopback device with the raw partition, then create the filesystem on the loopback device.
losetup -e AES128 -K /root/.gnupg/masterkey-secret.gpg /dev/loop? /dev/hdXX mkreiserfs /dev/loop? losetup -d /dev/loop? mkdir /mount/point
Add the new filesystem to /etc/fstab
/dev/hdaXX /mount/point defaults,user,noauto,encryption=AES128, loop=/dev/loop0,gpgkey=/etc/signed-filesystem-key.gpg 0 0
Create a new file that contains the file system key signed with all of the signatures of the users who are permitted to mount that filesystem.
gpg --decrypt < /root/.gnupg/masterkey-secret.gpg | gpg -e -a --always-trust -r 0xABCD1234 -r 0x4321DCBA -r 0x9876FEDC > /etc/signed-filesystem-key.gpg
addgroup --gid 65530 somegrp adduser --uid 65330 --gid 65530 --home /opt/someuser someuser
Create a new set of filesystem encryption keys. You will create this set of encryption keys as one file, then encrypt with root's GPG key. The creation of the filesystem encryption keys will take a while, as the command blocks when /dev/random runs out of random data
head -c 2925 /dev/random | uuencode -m - | head -n 66 | tail -n 65 | gpg --symmetric -a >/mnt/usbstick/keyfile.gpg
Add the new filesystem to /etc/fstab
/dev/hdaXX /mount/point defaults,noauto,encryption=AES128, loop=/dev/loop?,gpgkey=/mnt/usbstick/keyfile.gpg 0 0
Use the filesystem key created above to setup a loopback device with the raw partition, then create the filesystem on the loopback device.
losetup -F /dev/loop? mkreiserfs /dev/loop? losetup -d /dev/loop? mkdir /mount/point
Mount the new filesystem
mount /mount/point
Check that loop is really in multi-key-v3 mode. Losetup -a output should include string "multi-key-v3" indicating that loop is really in multi-key-v3 mode. If no "multi-key-v3" string shows up, you somehow managed to mess up gpg key file generation part or you are trying to use old losetup/mount programs that only understand single-key or multi-key-v2 modes.
losetup -a