Antti Koskimäki wrote:
> Simple question: How do I guarantee that not a single bit of my
> essential data is written non-crypted on my Linux (laptop-)box ?
>
> Swap is trivial - it just has to be encrypted :) and Jari has provided
> good-looking boot-scripts for that. Is loop-AES currently the only one
> managing swap ?
>
> Then root-filesystem.
>
> If I want simply the root-filesystem encrypted, what are my options ?
>
> Another solution that comes into my mind is mounting root etc. read-only. The
> problem arises with logging, i.e. /var. If I need it encrypted it seems to
> me that problem is quite analog to encrypting the whole root-filesystem.
> On the other hand I could use RAM-disk to avoid boot-time problems but
> then I have to use RAM-disk all the way, am I right ?
>
> For performance reasons I would prefer the read-only-like solutions.

Encrypting root partition requires a small unencrypted /boot partition.
Everything else (root, swap and other partitions) can be encrypted. Kernels
and tools required to boot kernels reside in the /boot partition.

To encrypt root partition, I have attached a shell script that builds a small
"initrd" ram-disk that works with 2.2 and 2.4 kernels. To use it, do
something like this:

1)  Backup all important data before experimenting.

2)  Recompile kernel. These are required:

        CONFIG_BLK_DEV_RAM=y
        CONFIG_BLK_DEV_RAM_SIZE=4096
        CONFIG_BLK_DEV_INITRD=y
        CONFIG_MINIX_FS=y

        cd /usr/src/linux-2.4.10-ac4
        make distclean
        cp ../somewhere/.config .config
        make config
        make dep && make clean && make bzlilo
        make modules && make modules_install

3)  Compile loop-AES loop.o module

        cd ../loop-AES-v1.4e
        make LINUX_SOURCE=/usr/src/linux-2.4.10-ac4

4)  Copy kernel specific loop.o to /boot

        cp -p /lib/modules/2.4.10-ac4/block/loop.o /boot/loop-2.4.10-ac4.o

    Note: you need to have a kernel version specific loop.o module in /boot
    directory for every kernel you intend to use.

5)  Edit build-initrd.sh to match your setup. At least set BOOTDEV, BOOTTYPE
    and CRYPTROOT variables to correct values.

6)  Edit /etc/lilo.conf (or whatever) and set these:

        root=/dev/ram1
        initrd=/boot/initrd.gz

7)  Build a new /boot/initrd.gz and run lilo (or whatever)

        ./build-initrd.sh
        lilo

    Note: /boot/initrd.gz is supposed to be small (1.6 KB on my systems).
    All other utilities (loop-KERNELRELEASE.o module, insmod, losetup and
    possibly glibc) are copied to /boot directory. Glibc is not copied if
    both insmod and losetup are statically linked.

8)  Reboot system from rescue floppy / cdrom / other partition on your
    system, so that the partition you are about to encrypt is _not_ mounted.

    Note: you must use loop-AES' loop.o module and loop-AES modified losetup
    program for this.

        insmod loop
        losetup -e AES128 /dev/loop5 /dev/hda2
        dd if=/dev/hda2 of=/dev/loop5 bs=8192 conv=notrunc
        sync
        mount -t ext2 /dev/loop5 /mnt

9)  Edit root partition entry in /mnt/etc/fstab file. Replace old /dev/hda2
    with /dev/loop5 (or whatever you are using).

10) Clean up and reboot

        umount /mnt
        losetup -d /dev/loop5
        sync
        shutdown -r now

Regards,
Jari Ruusu <jari.ruusu@xxxxxxxxxx>

Attachment:
build-initrd.sh
Description: Bourne shell script
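A post-conversion check for the procedure in the message above, as an added example that is not part of Jari Ruusu's message or of build-initrd.sh: it lists fstab entries still backed by a raw block device other than /boot, and confirms that lilo.conf carries the two settings from step 6. The function names, the sample files and the use of /dev/loop6 for swap are constructed assumptions, and any /dev/loopN entry is assumed to be a loop-AES mapping.

```shell
#!/bin/sh
# Added example (not from build-initrd.sh): audit fstab and lilo.conf after conversion.
# Assumption: every encrypted volume is mounted through /dev/loopN, as in step 9.

# plaintext_mounts FSTAB: print "device mountpoint" for each entry backed by a
# raw block device other than the deliberately unencrypted /boot partition.
plaintext_mounts() {
    awk '
        NF == 0 || $1 ~ /^#/       { next }  # blank lines and comments
        $1 !~ /^\/dev\//           { next }  # proc and friends: no backing disk
        $1 ~ /^\/dev\/loop[0-9]+$/ { next }  # loop device (assumed loop-AES)
        $2 == "/boot"              { next }  # kernel, initrd.gz and loop-*.o live here
        { print $1, $2 }
    ' "$1"
}

# lilo_boots_initrd LILOCONF: succeed only if both settings from step 6 are present.
lilo_boots_initrd() {
    grep -Eq '^[[:space:]]*root[[:space:]]*=[[:space:]]*/dev/ram1[[:space:]]*$' "$1" &&
    grep -Eq '^[[:space:]]*initrd[[:space:]]*=[[:space:]]*/boot/initrd\.gz[[:space:]]*$' "$1"
}

# make_samples DIR: write constructed sample files (not taken from a real system).
make_samples() {
    cat > "$1/fstab.before" <<'EOF'
# device     mountpoint  type  options   dump pass
/dev/hda1    /boot       ext2  defaults  0 2
/dev/hda2    /           ext2  defaults  0 1
/dev/hda3    none        swap  sw        0 0
none         /proc       proc  defaults  0 0
EOF
    # "after" state: root on /dev/loop5 (step 9), swap on /dev/loop6 (assumed)
    sed -e 's|^/dev/hda2 |/dev/loop5 |' -e 's|^/dev/hda3 |/dev/loop6 |' \
        "$1/fstab.before" > "$1/fstab.after"
    printf 'image=/boot/vmlinuz\n  root=/dev/ram1\n  initrd=/boot/initrd.gz\n' \
        > "$1/lilo.conf"
}

demo() {
    d=$(mktemp -d) && make_samples "$d"
    echo "plaintext before conversion:"; plaintext_mounts "$d/fstab.before"
    echo "plaintext after conversion:";  plaintext_mounts "$d/fstab.after"
    lilo_boots_initrd "$d/lilo.conf" && echo "lilo.conf: root=/dev/ram1 and initrd set"
    rm -rf "$d"
}
demo
```

On a real system, point `plaintext_mounts` at /etc/fstab and `lilo_boots_initrd` at /etc/lilo.conf; removable-media entries such as floppy or CD-ROM devices are reported too, since they are raw block devices.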