Dear Sir: 1) I just downloaded/compiled/installed the 2.4.6 kernel from (http://www.kernel.org/pub/linux/kernel/v2.4/); I am standardizing on using the kernel.org kernel distributions from this day forward, no matter what distribution of Linux I use 2) I am going to grab the crypto patches from (http://www.kernel.org/pub/linux/kernel/crypto/v2.4/); and install them later tonight 3) I will download and read http://encryptionhowto.sourceforge.net/Encryption-HOWTO.html You referred to using a raw partition, perhaps I am not articulating my ideas properly, or worse not understand your response due to my own technical lack with regard to the crypto stuff (I am a "crypto" newbie, but do have 15 years of Unix Admin experience). Normally a raw partition would have a filesystem placed on it, my initial presumptions were you then place encryption on the filesystem, and I have now learned that after adding encryption a filesystem must be laid down again, thus adding a second layer of filesystem. I do not see the need for this, and have been advised that it is better to encrypt a raw partition, and then place a filesystem on top of the encrypted raw partition. Do I understand you correctly? Presuming what I understand is what you were recommending; do you see any problem with the filesystem that is going to overlay the encryption being a ReiserFS filesystem? If I understand all that you are saying with regard to the above; then I am presuming all I must do is wait for a resolution to the issues with in pursuit of patching 2.4.6, and I will be on my way. One person spoke in an email previously of using a smartcard and a pass phrase. I would like to expand on that a bit, and ask if anyone has thought of or tried using one of these USB or parallel port "eeprom" devices, which allows you to read it using a password. I have two USB ports on my laptop, and think that using two USB "keys" would be a nice way to avoid typing, and have a healthy level of security (or one USB key and one smartcard, etc.) Understanding I have not yet looked at the source to the International Patches, I wonder how difficult would it be have a "single location" to add code to pass a key read from a smart card or other device to the rest of the International Patch (or its entire API) for use whenever it needed the key. Predicated upon such a technology, we might even be able to integrate into the kernel a methodology of checking for a smart card's presence in general, thus taking an action (locking the keyboard, blanking the video display, hibernating the entire machine, etc.) upon detection that the user had removed the smart card, or USB device from the computer. Imagine, you are using the computer, your done, so you just pull your smart card or USB key out of its location, and the computer hibernates, shuts down, or just locks the keyboard and blanks the screen automatically! I am a laptop user, and currently do not have a manner to read smart cards on my laptop. Although, if I did have a manner to read smart cards on my laptop, it would be cool, since I am eventually going to get issued a smart card ID badge from the US Department of Defense ("US DOD") anyway (I am a Navy Reservist). That would make a wonderful key, as no one worldwide ought have the same information on it as me, as part of the information is medical history. I was told at one point, that the US DOD had chosen some sort of non-standard standard (it is a government standard, but not industry standard as I understand) to use with their smartcards. Is this true? Can an industry standard smartcard reader read a US DOD smartcard? Is it possible that if a US DOD smartcard was placed in an industry standard smartcard reader, that it would read the card dependably although never in an unencrypted manner, thus a user could use the encrypted data read as a key as well? Presuming for the sake of argument that I had a "SecureID" token (one with the changing numbers on it), is there a way to use it as a key for the crypto package? Very Respectfully, Stuart Blake Tener, IT3, USNR-R, N3GWG VTU 1904G (Volunteer Training Unit) stuart@xxxxxxxxxxx west coast: (310)-358-0202 P.O. Box 16043, Beverly Hills, CA 90209-2043 east coast: (215)-338-6005 P.O. Box 45859, Philadelphia, PA 19149-5859 Telecopier: (419)-715-6073 fax to email gateway via www.efax.com (it's free!) JOIN THE US NAVY RESERVE, SERVE YOUR COUNTRY, AND BENEFIT FROM IT ALL. Friday, July 06, 2001 11:30 PM -----Original Message----- From: owner-linux-crypto@xxxxxxxxxxxx [mailto:owner-linux-crypto@xxxxxxxxxxxx]On Behalf Of Adam Warner Sent: Friday, July 06, 2001 7:53 PM To: linux-crypto@xxxxxxxxxxxx Subject: Re: Crypto Choices Hi Stuart, Just joined the list so inline responding is difficult. You wrote: I have decided (for the moment) to standardize on the Mandrake 8.0 distribution of Linux for my installation. I have also read much more about the "International Patch" and its capabilities, and simply having an encrypted filesystem is not enough for me now. While that is the first and foremost issue I wish to tackle at the moment, I am interested in why some people the think the entire International Patch is garbage, and useless. I am told it does work to some extent. I reply: It is not garbage and useless. My advice would be to encrypt a separate partition. Then you don't have to worry about the underlying filesystem (because there won't be any). You wrote: In the Mandrake arena, does anyone know of a site which is keeping patches and such going for Mandrake folks? Does anyone know what Mandrakes position on supporting crypto will be in current and future releases (as Debian is rumored to be supporting crypto now). I reply: It's pretty much irrelevant. You're the one who has to patch the kernel and do whatever else in necessary as set out here: http://encryptionhowto.sourceforge.net/Encryption-HOWTO.html You may want to consider the overall security of your distribution of choice though. I trust Debian or Redhat to provide security patches in a timely manner. >I have gotten a spare HD to use as a "development" HD for this crypto project. Good. Then it will be easy to create a spare partition for testing. You wrote: I started by downloading the 2.4.5 source for Mandrake's kernel, and am going to build it once I get the crypto filesystem stuff working (rebuilding mount, umount, losetup, and loop.o currently). I reply: First mistake. You want to start with the "official" Linus kernel source available from here: http://www.kernel.org/pub/linux/kernel/v2.4/ And then patch the kernel using the patch available from here: http://www.kernel.org/pub/linux/kernel/crypto/v2.4/ See my next post. I'm sure someone will be able to help with the resulting patching failure. Regards, Adam Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/ Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/
