| View previous topic :: View next topic |
| Author |
Message |
mihochan
Apprentice
Joined: 16 Apr 2002
Posts: 296
Location: Melbourne again
|
 Posted: Thu May 01, 2003 1:41 am Post subject: |
 |
|
| Quote: |
An intruder can't get a 'copy of ls' of an encrypted system / partition / file, you misunderstand how this encryption works. Check out Chadders first post or the loopAES README file for an overview.
|
No, actually, I think that you just don't understand my point.
'ls' is a freely available program like just about every part of the core linux system. Hence, there is no motivation to encrypt these things.
All you need to encrypt are your personal files - ie data that cannot be freely downloaded from elsewhere.
The second point I made was something of a guess, but I still think that it is likely to be true. It is much easier to break encryption when you have some known piece of data encrypted to test against. By encrypting the base system, you are probably just providing a wealth of known test-cases for the would-be hacker.
Tom
_________________
In the long run we are all dead - Keynes |
|
| Back to top |
|
 |
easykill
Apprentice
Joined: 07 Dec 2002
Posts: 230
|
| Posted: Thu May 01, 2003 5:39 am Post subject: |
|
|
true, but unless the person has a supercomputer, a lot of time (or a LARGE government case against you), and a huge urge to see your email or whatever, they're not gonna be able to encrypt it.
a DES256 encryption with a random seed is NOT easy to crack, even if you do have some data to guess with.
And, if you only want to encrypt some stuff, just don't do your root partition. only do /usr/local/encrypted or something like that.
This FAQ is mainly for encrypting an entire system. The steps on encrypting a single partition are trivial and well documented in the loop-AES readme |
|
| Back to top |
|
|
chadders
Tux's lil' helper
Joined: 21 Jan 2003
Posts: 113
|
| Posted: Fri May 02, 2003 10:49 am Post subject: |
|
|
I think EVERYTHING should be encrypted. ALL THE STUFF on the disk drive, ALL THE STUFF on the network, all the stuff between the keyboard and the mouse and the computer, EVERYTHING. Well maybe not the keyboard and the mouse YET.
Some people say stuff like "if I know what some of the unencrypted stuff is then I should be able to break in easier" and thats why encrypting root is a stupid idea. I DONT THINK THAT! AND THATS WRONG!
That idea is called a "known plain text attack" and it would work if you was using a stupid encryption implementation that uses ECB (electronic code book) that uses the same key for each block. Good encryption stuff uses CBC (cipher block chaining) that changes the key a little bit for EVERY BLOCK. Thats called a IV (initial vector).
I think maybe the FBI or someone like that MAYBE could break loop-AES but I don't think anyone that might want to steal my computer files can. If I had a laptop what I would do is make EVERYTHING encrypted. If I wanted to run Windoz stuff I would put Windoz under VMware all on the loop-AES encrypted disk. Then I would put /boot on a USB dongle or a little CDROM in my pocket. Then if someone stole the laptop they would just have a laptop and not all of my files too. AND THEY WOULDNT EVEN KNOW WHAT OPERATING SYSTEM IT RUNS WHICH IS WAY COOL.
Chad  |
|
| Back to top |
|
|
es0x279e
n00b
Joined: 16 Feb 2003
Posts: 15
Location: Terminus
|
| Posted: Sun May 04, 2003 1:24 am Post subject: I cant boot with an encrypted root fs |
|
|
Hi, and congratulations for such a good thread and tip!
But i have a problem when im trying to init a new encrypted root filesystem. It happens before it ask me for the password and I have tried at least four different ways to make it go ahead :~( It seems that it couldn't find the right ram0 or ram1 device or it is wrong made, i dont know.
I have tried to make it boot w/ and w/o devfs. The first one i used in my grub.conf - ro root=/dev/ram1 - and in the build-initrd.sh i have BOOTDEV=/dev/hda6 CRYPTROOT=/dev/hda5. In the second one (w/ devfs) i have tried two ways, always keeping the grub.conf to - root=/dev/ram0 init=/linuxrc - and the USEPIVOT and USEDEVFS to 1 as i saw in the thread but changing the BOOTDEV to /dev/discs/disc0/part6 and CRYPTROOT to /dev/discs0/disc0/part5. The last way i tried is to make it as it shows the README file of loop-AES. It didn't work anyway...
The real problem is that i don't know where is problem... im not sure if it is in the build-initrd.sh script or in the grub config or if i have made wrong the loop module or if the kernel is not compiled with the options it should be made...
My partitions are:
Boot /dev/hda6 ext3
Root /dev/hda5 xfs
If anyone have any idea or suggestion please, tell me because Google is empty of inspiration, or am i?
PS: forgive my "rare" English, im from Spain and English is not my better subject :)
_________________
----------------------------------------------
Alejandro Cámara Iglesias
<Arekusu,AT,gmail,DOT,com>
---------------------------------------------- |
|
| Back to top |
|
|
chadders
Tux's lil' helper
Joined: 21 Jan 2003
Posts: 113
|
| Posted: Mon May 05, 2003 1:24 am Post subject: |
|
|
Hi,
Make sure that you have /boot mounted before you run build-initrd.sh. Here is some of my config stuff that works ok. Maybe it will help you find out whats wrong.
This is part of my build_initrd.sh:
BOOTDEV=/dev/hda6
BOOTTYPE=ext2
CRYPTROOT=/dev/hda7
ROOTTYPE=xfs
CIPHERTYPE=AES256
# optional password seed for root partition
#PSEED="-S XXXXXX"
This is part of my grub.conf:
title=launch
root (hd0,5)
kernel /bzImage ro root=/dev/ram1
initrd /initrd.gz
This is my /etc/fstab:
/dev/hda6 /boot ext2 noauto,noatime 1 1
/dev/loop5 / xfs noatime 0 0
/dev/hda5 none swap sw,loop=/dev/loop6,encryption=AES256 0 0
Chad |
|
| Back to top |
|
|
es0x279e
n00b
Joined: 16 Feb 2003
Posts: 15
Location: Terminus
|
| Posted: Mon May 05, 2003 6:20 pm Post subject: |
|
|
Hi again! And thanks for such soon answer!
sorry, but i still getting errors on boot... and im so sure im doing it as the tutorial described... It all breaks there...
hub.c: USB hub found
hub.c: 2 ports detected
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 4096 buckets, 32Kbytes
TCP: Hash tables configured (established 32768 bind 65536)
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
ds: no socket drivers loaded!
RAMDISK: Compressed image found at block 0
Freeing initrd memory: 1k freed
VFS: Mounted root (minix filesystem). < ----- ERROR !!!
loop: loaded (max 8 devices)
IT ASKS FOR PASSPHRASE RIGHT HERE
read_super_block: can't find a reiserfs filesystem on (dev 07:05, block 64, size
1024)
read_super_block: can't find a reiserfs filesystem on (dev 07:05, block 8, size
1024)
XFS mounting filesystem loop(7,5) < ---- This thing happens before the pass
VFS: Mounted root (xfs filesystem) readonly. _______ but i get and error there, couldnt
Trying to move old root to /initrd ... okay ______ find a xfs fs there...
Freeing unused kernel memory: 80k freed
I spend all my easter holyday to try to make it go... but i have no luck!! Im sure i had mounted /boot when ran build-initrd.sh and i used the same config as you less the /dev/hda7 what i have /dev/hda5 (my root) and ext2 on boot that i have ext3. The grub.conf, the /etc/fstab are almost exactly as yours... to encrypt the fs i use 'dd if=/dev/hda5 of=/dev/loop0 bs=64k conv=notrunc' and to setup the loop i use 'losetup -e AES256 -T /dev/loop0 /dev/hda5' (before the dd statement of course  ). I make my kernel to all the requirements that it needs and also, I had remaked the loop module when I finished compiling the kernel. I'm using util-linux v2.11z and loop-AES v1.7c... Im also running now knoppix v3.1 so the losetup error... well, you said that with this version of knoppix it should work, but anyway i'll try to do the losetup with the one is in my /boot, just to make tinier the circle...
This thing happens to anyone??
_________________
----------------------------------------------
Alejandro Cámara Iglesias
<Arekusu,AT,gmail,DOT,com>
---------------------------------------------- |
|
| Back to top |
|
|
es0x279e
n00b
Joined: 16 Feb 2003
Posts: 15
Location: Terminus
|
| Posted: Mon May 05, 2003 6:53 pm Post subject: |
|
|
I have tried to losetup from the /boot, but it does nothing. It doesnt ask for the pass but it doesnt end either, so i though that could be the problem. To mend it I copy the losetup from the knoppix to the /boot, but the error still there... so, it's not problem of losetup, i think...
I will trying googling that question!
_________________
----------------------------------------------
Alejandro Cámara Iglesias
<Arekusu,AT,gmail,DOT,com>
---------------------------------------------- |
|
| Back to top |
|
|
chadders
Tux's lil' helper
Joined: 21 Jan 2003
Posts: 113
|
| Posted: Tue May 06, 2003 2:42 am Post subject: |
|
|
How are you encrypting your /root? Are you using AESPIPE? Please paste the commands that you use to encrypt it. I have had problems with aespipe and dont like it to much. I don't know if aespipe is broke or if I was doing something wrong (I don't think I was doing anything wrong because I have done this stuff lots of times before but not with aespipe). I gave up and used the v1.7b instructions.
I like the procedure in loop-AES-v1.7b lots better tha aespipe!!!
Chad  |
|
| Back to top |
|
|
splooge
l33t
Joined: 30 Aug 2002
Posts: 636
|
| Posted: Tue May 06, 2003 5:38 am Post subject: |
|
|
Chad you're really not 13 are you?
If so I never have a chance of getting another job again =)
_________________
http://get.a.clue.de |
|
| Back to top |
|
|
chadders
Tux's lil' helper
Joined: 21 Jan 2003
Posts: 113
|
| Posted: Tue May 06, 2003 10:26 am Post subject: |
|
|
I'll be 14 in exactly one week. how come everyone thinks if you aren't old that you can't do stuff? Its not very fair sometimes.
Chad  |
|
| Back to top |
|
|
es0x279e
n00b
Joined: 16 Feb 2003
Posts: 15
Location: Terminus
|
| Posted: Tue May 06, 2003 2:16 pm Post subject: |
|
|
HI again!
well, i will try to enumerate what i have done to encrypt the root fs. I supposed i had to write what i've done after booting Knoppix, so there it is:
#> mount /dev/hda6 /mnt/hda6 // my boot fs
#> vim /mnt/hda6/grub/grub.conf // my grub.conf, i changed that to make it load initrd.gz
#> umount /mnt/hda6
#> mount /dev/hda5 /mnt/hda5 // my root fs
#> vim /mnt/hda5/etc/fstab // I changed the /dev/hda5 to /dev/loop5
#> umount /mnt/hda5
#> losetup -e AES256 -T /dev/loop0 /dev/hda5
-- I entered the passphrase --
#> dd if=/dev/hda5 of=/dev/loop0 bs=64k conv=notrunc
#> reboot
Thats all i did to encrypt using losetup instead of aespipe. With aespipe i had just chaged the losetup and dd sentences to:
#> dd if=/dev/hda5 bs=64k | /mnt/aespipe -e AES256 -T -S XXXXXX -C 100 \
| dd of=/dev/hda5 bs=64k conv=notrunc
But the error was the same... So i supose it's independent of the encrypting way. Also, because i could mount the encrypted fs using losetup again in the first way (with losetup and dd)... I don't know what the hell is wrong with it... I'll try to remake the kernel and be sure the requiremend are met...
Thanks to bear my slowness!!
_________________
----------------------------------------------
Alejandro Cámara Iglesias
<Arekusu,AT,gmail,DOT,com>
---------------------------------------------- |
|
| Back to top |
|
|
es0x279e
n00b
Joined: 16 Feb 2003
Posts: 15
Location: Terminus
|
| Posted: Tue May 06, 2003 3:36 pm Post subject: |
|
|
By the way, this is part of my boot log. Its copied by hand, so it maybe have some errors...
...
ds: no socket devices loaded!
RAMDISK: Compressed image found at block 0
Freeing initrd memory: 1k freed
cramfs: wrong magic
FAT: Bogus logical sector size 0
FAT: Bogus logical sector size 0
read_super_block: can't find a reiserfs filesystem on (dev 01:00, block 64, size 1024)
read_super_block: can't find a reiserfs filesystem on (dev 01:00, block 8, size 1024)
XFS: Bad magic number
XFS: SB validate failed
Kernel Panic: VFS: Unable to mount root fs on 01:01
-- END --
any ideas?
_________________
----------------------------------------------
Alejandro Cámara Iglesias
<Arekusu,AT,gmail,DOT,com>
---------------------------------------------- |
|
| Back to top |
|
|
easykill
Apprentice
Joined: 07 Dec 2002
Posts: 230
|
| Posted: Tue May 06, 2003 3:52 pm Post subject: |
|
|
| you do have minix filesystem support configured into your kernel, not as a module? |
|
| Back to top |
|
|
es0x279e
n00b
Joined: 16 Feb 2003
Posts: 15
Location: Terminus
|
| Posted: Tue May 06, 2003 4:50 pm Post subject: |
|
|
I thought it was the problem and i checked it again. I checked my personal kernel config and the .config file is in /usr/src/linux... It was included not as module. I remade the kernel to short the circle, but it still not going. I have just finished trying to make initrd with /dev/ide/host0/bus0/target0/lun0/part5 instead od /dev/hda5 and /{bla}../part6 instead of /dev/hda6 but still wrong... The fact is that i think minix support is what is wrong... Could it be beacuse im using xfs sources? Im running out of ideas...
_________________
----------------------------------------------
Alejandro Cámara Iglesias
<Arekusu,AT,gmail,DOT,com>
---------------------------------------------- |
|
| Back to top |
|
|
es0x279e
n00b
Joined: 16 Feb 2003
Posts: 15
Location: Terminus
|
| Posted: Tue May 06, 2003 5:51 pm Post subject: |
|
|
well, it seems it worked, at least it ask me for the pass! After six or so days... I have just recompiled my kernel with other options... ill explain that: i compiled w/o ROM fs support, w/o JFS support and i have changed the NLS default charset from iso8859-15 to iso8859-1. So now, i don't know what was wrong with the last kernel... Now, it can't mount the root fs, but, for now, i have fresh air to carry on trying things... I think the problem is the seed, that i didn't put in build-initrd.sh.
Thanks Chadders ans Easykill!!
_________________
----------------------------------------------
Alejandro Cámara Iglesias
<Arekusu,AT,gmail,DOT,com>
---------------------------------------------- |
|
| Back to top |
|
|
tuXXer
Tux's lil' helper
Joined: 23 Apr 2003
Posts: 83
|
| Posted: Wed May 07, 2003 11:30 am Post subject: A stupid question |
|
|
Am I right? Your method results not in data loss? The other documentations (e.g. loop-aes) says that creating an encrypted partition lead to fully data loss...
Btw. not the age is important, only the skill and the ability for abstaction counts. |
|
| Back to top |
|
|
es0x279e
n00b
Joined: 16 Feb 2003
Posts: 15
Location: Terminus
|
| Posted: Wed May 07, 2003 2:02 pm Post subject: |
|
|
Refered to my own experience: Im running exactly the same system that i run last week. The only difference is that before was unencrypted and now it is encrypted... The only data i have lost it the boot partition that i have encrypted thinking it was the swap (imagine the mess up ), but it was for my fault...
Im not sure if i answered your question...  well, ill keep going investigating...
_________________
----------------------------------------------
Alejandro Cámara Iglesias
<Arekusu,AT,gmail,DOT,com>
---------------------------------------------- |
|
| Back to top |
|
|
easykill
Apprentice
Joined: 07 Dec 2002
Posts: 230
|
| Posted: Wed May 07, 2003 4:12 pm Post subject: Re: A stupid question |
|
|
| tuXXer wrote: | Am I right? Your method results not in data loss? The other documentations (e.g. loop-aes) says that creating an encrypted partition lead to fully data loss...
Btw. not the age is important, only the skill and the ability for abstaction counts. |
I have encrypted 3 partitions and had no data loss. There is a possibility for data loss if you screw something up, or have a power failure while doing the dd, but other than that, there should be no data loss. |
|
| Back to top |
|
|
repugnant
Tux's lil' helper
Joined: 16 Apr 2003
Posts: 86
|
| Posted: Wed May 07, 2003 5:26 pm Post subject: |
|
|
| To ask a dumb question, what is to prevent someone using a knoppix disk to put a different kernel in /boot? Did I miss something? |
|
| Back to top |
|
|
es0x279e
n00b
Joined: 16 Feb 2003
Posts: 15
Location: Terminus
|
| Posted: Wed May 07, 2003 7:03 pm Post subject: |
|
|
Im not sure if this is the answer of your question... anyway, you can't change your kernel version since the loop-kernel-v.v.v-rc.o on /boot was made for the especific kernel you had then. So if you chage the kernel version that module won't work. And it makes everything to go, so without it you wont boot your system... it's not a good idea to change the kenel version when in knoppix... But as i said before, im not sure if I answered right to your question (remember Im spanish! )
Cheers!
_________________
----------------------------------------------
Alejandro Cámara Iglesias
<Arekusu,AT,gmail,DOT,com>
---------------------------------------------- |
|
| Back to top |
|
|
repugnant
Tux's lil' helper
Joined: 16 Apr 2003
Posts: 86
|
| Posted: Wed May 07, 2003 8:09 pm Post subject: |
|
|
| Thanks for the reply. But if an evil-doer watches your boot sequence, can't they figure out that a) what version of the linux you have and b) that you're using loop-aes? And so they go and build a loop-aes-enabled kernel and put it in boot. The new malicious kernel maybe can do keystroke logging or something. I don't know |
|
| Back to top |
|
|
chadders
Tux's lil' helper
Joined: 21 Jan 2003
Posts: 113
|
| Posted: Wed May 07, 2003 11:15 pm Post subject: |
|
|
Not if the whole /boot partition is on a USB dongle or on a cdrom in my pocket!
Chad |
|
| Back to top |
|
|
watersb
Apprentice
Joined: 04 Sep 2002
Posts: 297
Location: take a left turn in Tesuque
|
| Posted: Tue May 20, 2003 2:24 pm Post subject: |
|
|
Chadders, this is a GREAT how-to! I am VERY pleased to see people excited about this!
EDIT [2003-May-24]: The technique described here uses the built-in cryptoapi, not loop-AES. CryptoAPI is undergoing active development churn in the development kernels, so if you're using a 2.5 kernel you will probably want to IGNORE this post. Eventually, cryptoloop will work with the overall kernel crypto, so that there will be a single implementation of each cipher for all kernel functions: IPSec as well as disk encryption. But loop-AES is working better at the moment...
I am trying the loop-AES technique with the optional ciphers, against a 2.5.69-mm8 kernel. So far I have been able to get losetup to work just fine manually, so the loop-AES technique similar to Chadders' original post might actually work with 2.5. I will post an update when I know more.
To summarize: The loop-AES technique discussed on this thread seems to work for both 2.4 and 2.5, while the technique in this post may not work as well. I leave it here for informational purposes.
The stuff in this quote is the original post, and should probably not be used (use loop-AES instead):
| Quote: |
Folks, I have been running an encrypted-EVERYTHING (root and swap) laptop for 10+ months now with NO problems since I got it to work.
This technique is rather out-dated, and does not incorporate the great suggestions seen so far on this thread, but I wanted post it here for those that are interested, and I will update this technique and report back... The advantage IMHO is that we use twofish rather than AES...
I use an initrd RAMDISK with the MINIX filesystem, just enough to run a little boot-script - this initial ramdisk is only about 300K because I created it with uClinux, a linux library usually used for embedded systems.
So far, my technique requires kernel 2.4, but I am trying to get this to work with 2.5.
Please see my instructions (posted this past January) at
https://forums.gentoo.org/viewtopic.php?t=15425#171782
You can get the minix initrd here:
http://www.aoc.nrao.edu/~bwaters/projects/gentoo/tiny-linux.gz
You will probably need to edit the initrc script that is on this tiny-linux image to point to your root partition; the image as downloaded will try to mount /dev/hda4 as the encrypted root using twofish.
1) Download the tiny-linux image
2) gunzip tiny-linux.gz
3) mkdir my-tiny-linux
4) mount -o loop tiny-linux my-tiny-linux
5) nano -w my-tiny-linux/initrc
(edit the line containing the losetup command to fit your circumstances)
6) umount my-tiny-linux
7) gzip tiny-linux
8) mount /boot
9) mkdir /boot/ramdisks
10) cp tiny-linux.gz !$
|
The swap-encryption script on this post will still work:
Here is how to ensure that your swap partition is encrypted:
Add this script at /usr/local/sbin/crypto-swap:
| Code: |
#!/bin/sh
# Run this script somewhere in your startup scripts _after_ random
# number generator has been initialized and /usr has been mounted.
# (md5sum, uuencode, tail and head programs usually reside in /usr/bin/)
# encrypted swap partition
SWAPDEVICE=/dev/hda5
# loop device name
LOOPDEV=/dev/loop6
MD=`dd if=${SWAPDEVICE} bs=4k count=10 2>/dev/null | md5sum`
for X in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ; do
dd if=/dev/zero of=${SWAPDEVICE} bs=4k count=10 conv=notrunc 2>/dev/null
sync
done
UR=`dd if=/dev/urandom bs=18 count=1 2>/dev/null \
| uuencode -m - | head -2 | tail -1`
echo ${MD}${UR} | losetup -p 0 -e twofish -k 256 ${LOOPDEV} ${SWAPDEVICE}
MD=
UR=
dd if=/dev/zero of=${LOOPDEV} bs=4k count=10 conv=notrunc 2>/dev/null
sync
mkswap ${LOOPDEV}
sync
swapon ${LOOPDEV}
|
You will need to edit the value of the SWAPDEVICE to point to your swap partition. Be very careful -- this script will DESTROY the data on the partition that you point it to if you do not want to use it for swap!
Test this script by running it as a root user. Then to use this encrypted swap automatically, edit the init script at /etc/init.d/localmount:
| Code: |
REPLACE THESE LINES AT THE BOTTOM:
#swap on loopback devices, and other weirdnesses
ebegin "Activating (possibly) more swap"
/sbin/swapon -a &>/dev/null
eend 0
WITH THIS:
#swap on loopback devices, and other weirdnesses
ebegin "Activating (possibly) more swap"
/usr/local/crypto-loop
eend 0
|
Chadders, I will create a bootable CD-ROM and let you know.
Last edited by watersb on Sat May 24, 2003 5:54 pm; edited 2 times in total |
|
| Back to top |
|
|
Aonoa
Guru
Joined: 23 May 2002
Posts: 589
|
| Posted: Wed May 21, 2003 4:02 pm Post subject: |
|
|
Very nice documentation you made here Chadders, I used it and successfully made my system encrypted (root + swap).
Thank you for posting it.
What I also did, was make a bootable 8cm cd-rw to use as boot media instead of a partition on my hd. It works great.
I made a grub boot floppy and used it to make a boot.img file to use with cdrecord to burn the cd with the contents of my /boot partition.
Call me paranoid, but this was just fun to accomplish |
|
| Back to top |
|
|
xi
n00b
Joined: 26 Jan 2003
Posts: 37
|
| Posted: Wed May 21, 2003 7:19 pm Post subject: |
|
|
| is it possible to use encrypted swap (cryptoloop or loop-aes) with swsusp (suspend to disk) ? |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Documentation, Tips & Tricks
