Guest
|
Posted: Mon Apr 29, 2002 10:27 pm Post subject: CryptoAPI - Is there a better way ? |
|
|
Hello,
I was very pleased to see that gentoo has a cryptoAPI package
in its tree. So I emerged the whole thing and it compiled wonderfully.
The Setup of the Loop-Devices (one plain HD-Partition and one
image-file) and the formatting with
xfs and ext3 went fine too. But mounting the loop-devices
failed. (block and filesystem errors).
After that I manually untarred the package and found the
configure-option --enable-iv-mode-sector, which switches the
IV-Calculation of the Loop-Device to a fixed 512 Byte Blocksize.
To make this work, the Kernel Loop Driver has to be patched too,
which I did manually using the patch in /usr/doc/cryptoapi-2.4.7.0/.
After that I recompiled all cryptoapi modules and now everything
seems to work fine. (still testing though).
My question is:
Does It have to be this way, or was my solution the silliest and most
complicated method available? How did this work for you?
Best regards
Martin |
|
|
|
zerogeny Tux's lil' helper
Joined: 17 Apr 2002 Posts: 85
|
Posted: Wed May 01, 2002 2:44 am Post subject: |
|
|
what exactly does cryptoapi do? _________________ Searched the web for zerogeny.
Results 1 - 1 of 1. Search took 0.05 seconds |
|
|
|
vicay Tux's lil' helper
Joined: 29 Apr 2002 Posts: 97 Location: Dresden, Germany
|
Posted: Wed May 01, 2002 3:02 pm Post subject: Re: CryptoAPI |
|
|
zerogeny wrote: | what exactly does cryptoapi do? |
It's a set of kernel-drivers which apply a layer of cryptographic
functions to the "normal" Loopback Block-Device Driver.
A typical use for the loopbackdevice is mounting of
imagefiles:
(First you create an image of a cd-rom or floppy)
# dd if=/dev/cdrom of=/path/to/imagefile
after that you can setup a loopbackdevice which is connected
to the imagefile
# losetup /dev/loop0 /path/to/imagefile
now you can mount the loopdevice and access it like the real
CD-ROM:
# mount -t iso9660 /dev/loop0 /path/to/mountpoint
The CryptoAPI uses block-cipher algorithms to encrypt and decrypt all
data before it is written to the loopdevice-container (or after it is read from the container).
If you want to use the API you won't take an imagefile from a real CD-ROM etc.; you have to create a container manually.
If you want a 2 GB crypto filesystem you first create a 2 GB large containerfile
# dd if=/dev/urandom of=/path/to/image bs=1024 count=2097152
now you have a 2 GB large file prefilled with quasi random values.
After that you connect the loopdevice with the imagefile
# losetup -e aes -k 256 -P sha512 /dev/loop0 /path/to/image
Password:
you will be prompted for a password. (you should never forget that password,
it will not be saved anywhere but in your head)
in the example above we will use the AES cipher with a keysize
of 256 bits. your password is hashed via sha512 algorithm.
The generated hash results in the key which is used by the
AES-Cipher.
Next you have to create a filesystem the same way you do it with
a new harddisk partition.
(mkfs.XYZ /dev/loop0)
Now you can mount the filesystem.
# mount -t XYZ /dev/loop0 /path/to/mountpoint
when you write files into /path/to/mountpoint, they will
be encrypted and stored in the corresponding imagefile.
If someone looks at the imagefile directly he sees nothing
but garbage...
If you don't want to use imagefiles, you can take whole
partitions too and attach them to a cryptoloop:
# losetup -e aes -k 256 -P sha512 /dev/loop0 /dev/hdxX
....
Best Regards
vicay |
|
|
|
manjit n00b
Joined: 18 Apr 2002 Posts: 5
|
Posted: Wed May 01, 2002 7:37 pm Post subject: |
|
|
vicay,
thanks for the easy-to-follow explanation on how CryptoAPI works! |
|
|
|
zerogeny Tux's lil' helper
Joined: 17 Apr 2002 Posts: 85
|
Posted: Thu May 02, 2002 8:27 am Post subject: |
|
|
thanks for that.
needs a patch to the gentoo-sources doesn't it?
might try a full encrypted filesystem when/if i format. |
|
|
|
vicay Tux's lil' helper
Joined: 29 Apr 2002 Posts: 97 Location: Dresden, Germany
|
Posted: Thu May 02, 2002 7:20 pm Post subject: |
|
|
zerogeny wrote: | thanks for that.
needs a patch to the gentoo-sources doesn't it?
might try a full encrypted filesystem when/if i format. |
Hello,
when I tried the cryptoAPI (look at the first post - I posted as
guest) I had to patch the kernel manually with the loop-iv-patch and did a manual
./configure of the package instead of using the ebuild, because the --enable-iv-mode-sector
switch wasn't used for the configure-script. It only worked for me that way (as stated above).
But that was one day before the whole bunch of new kernel-flavours
appeared in the portage tree - I haven't tried yet whether the new
kernelsources still need the manual patching.
I still hope that there is a better way to set up this cryptostuff.
Best regards
vicay |
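
An added example, not part of the original thread and not CryptoAPI code: a simplified Python model of why the IV granularity selected by --enable-iv-mode-sector matters, using the passphrase-to-key step described for `losetup -P sha512 -k 256` earlier in the thread. It assumes that without the option the IV is the block number in whatever block size the loop device currently uses, that the key is the leading 256 bits of the SHA-512 digest, and it substitutes a hash-based Feistel cipher for AES; all function names are hypothetical.

```python
import hashlib

SECTOR, BLK = 512, 16  # IV unit with --enable-iv-mode-sector; cipher block size

def derive_key(passphrase, bits=256):
    # Assumption: key = leading `bits` of SHA-512(passphrase), modelling "-P sha512 -k 256".
    return hashlib.sha512(passphrase).digest()[:bits // 8]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _feistel(key, block, decrypt):
    # Stand-in 16-byte block cipher (NOT AES): 4-round Feistel, SHA-256 round function.
    l, r = block[:8], block[8:]
    for rnd in (range(3, -1, -1) if decrypt else range(4)):
        f = hashlib.sha256(key + bytes([rnd]) + (l if decrypt else r)).digest()[:8]
        l, r = (_xor(r, f), l) if decrypt else (r, _xor(l, f))
    return l + r

def _cbc(key, data, iv_num, decrypt):
    # CBC over one IV unit; the IV is simply the unit's number (model assumption).
    prev, out = iv_num.to_bytes(BLK, "little"), b""
    for i in range(0, len(data), BLK):
        c = data[i:i + BLK]
        if decrypt:
            out += _xor(_feistel(key, c, True), prev)
            prev = c
        else:
            prev = _feistel(key, _xor(c, prev), False)
            out += prev
    return out

def transfer(key, data, blocksize, sector_iv, decrypt=False):
    # Process data starting at device offset 0. The IV unit is a fixed 512-byte
    # sector in sector mode, otherwise whatever block size is currently in use.
    unit = SECTOR if sector_iv else blocksize
    return b"".join(_cbc(key, data[o:o + unit], o // unit, decrypt)
                    for o in range(0, len(data), unit))

def corrupted_offsets(sector_iv, write_bs=1024, read_bs=4096):
    # Assumed scenario: written with one block size, read back with another.
    key = derive_key(b"constructed passphrase")
    plain = bytes(range(256)) * 32  # 8 KiB of constructed sample data
    ct = transfer(key, plain, write_bs, sector_iv)
    back = transfer(key, ct, read_bs, sector_iv, decrypt=True)
    return [o for o in range(0, len(plain), BLK) if back[o:o + BLK] != plain[o:o + BLK]]

if __name__ == "__main__":
    print("block-number IV :", corrupted_offsets(False))
    print("sector IV (512) :", corrupted_offsets(True))
```

In this model the block-number IV corrupts the first cipher block at every 1 KiB boundary once the block size changes, while the fixed 512-byte sector IV decrypts cleanly regardless of block size.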
|
|
|
manjit n00b
Joined: 18 Apr 2002 Posts: 5
|
Posted: Thu May 02, 2002 8:27 pm Post subject: no kernel patch needed |
|
|
Hi,
You will not need to patch the newer kernel. All I had to do was emerge cryptoapi and then load the module. Everything else magically worked. Portage is a great system! |
|
|
|
Guest
|
Posted: Sat May 04, 2002 7:56 am Post subject: |
|
|
mmm crypto...
must set it up when i have the time |
|
|
|
Guest
|
Posted: Sat May 04, 2002 8:00 am Post subject: |
|
|
do i need to format an existing partition to have it encrypted or will it allow me just to add it to the loop thang? |
|
|
|
vicay Tux's lil' helper
Joined: 29 Apr 2002 Posts: 97 Location: Dresden, Germany
|
Posted: Sat May 04, 2002 8:57 pm Post subject: |
|
|
Anonymous wrote: | do i need to format an existing partition to have it encrypted or will it allow me just to add it to the loop thang? |
Hello,
if you want to use an existing partition you don't need to format
the partition before attaching the cryptoloop device.
however, especially on new, unused partitions it seems to be a nice
idea to overwrite the whole partition with random values
before attaching the cryptoloop.
Code: |
# dd if=/dev/urandom of=/dev/hdxX
# losetup -e <cipher> -k <keysize> -P <hash> /dev/loopx /dev/hdxX
|
AFTER the attachment, you have to format the loopdevice (not the partition) with a filesystem of your choice...
Code: |
# mkfs.xfs [...options] /dev/loopx
|
Best regards
vicay |
|
|
|
zerogeny Tux's lil' helper
Joined: 17 Apr 2002 Posts: 85
|
Posted: Sun May 05, 2002 9:09 am Post subject: |
|
|
one more thing.
i read about some problems with cryptoapi, concerning file corruption...
do i have to do anything special with the current gentoo-sources?
and is linuxutils already patched?
and what 128bit cypher to use? |
|
|
|
|