Mr. Ruusu:

I am curious if you think it would be possible to modify lilo, in order to allow for even the kernel to be encrypted for boot?

As well, I think all of this is going to be moot soon, as ReiserFS (which I personally use as my filesystem, even for root partitions), will have an encryption API for it by SEP 2002. Thus, at some point, filesystem encryption will be indigenous to the ReiserFS, and would only become requisite of a developer writing an implementation of an algorithm following their API structure.

I would wonder how you would feel about modifying your code to work with ReiserFS once the API is properly documented?

Very Respectfully,

Stuart Blake Tener, IT3, USNR-R, N3GWG
Beverly Hills, California
VTU 1904G (Volunteer Training Unit)
stuart@xxxxxxxxxxx
west coast: (310)-358-0202 P.O. Box 16043, Beverly Hills, CA 90209-2043
east coast: (215)-338-6005 P.O. Box 45859, Philadelphia, PA 19149-5859
Telecopier: (419)-715-6073 fax to email gateway via www.efax.com (it's free!)

JOIN THE US NAVY RESERVE, SERVE YOUR COUNTRY, AND BENEFIT FROM IT ALL.

Friday, October 05, 2001 11:51 AM

-----Original Message-----
From: owner-linux-crypto@xxxxxxxxxxxx [mailto:owner-linux-crypto@xxxxxxxxxxxx]On Behalf Of Jari Ruusu
Sent: Friday, October 05, 2001 11:50 AM
To: Antti Koskimäki
Cc: linux-crypto@xxxxxxxxxxxx
Subject: Re: encrypting the whole disk / all the data

Antti Koskimäki wrote:
> Simple question: How do I guarantee that not a single bit of my
> essential data is written non-crypted on my Linux (laptop-)box ?
>
> Swap is trivial - it just has to be encrypted :) and Jari has provided
> good-looking boot-scripts for that. Is loop-AES currently the only one
> managing swap ?
>
> Then root-filesystem.
>
> If I want simply the root-filesystem encrypted, what are my options ?
>
> Another solution that comes into my mind is mounting root etc. read-only. The
> problem arises with logging, i.e. /var.
> If I need it encrypted it seems to
> me that problem is quite analog to encrypting the whole root-filesystem.
> On the other hand I could use RAM-disk to avoid boot-time problems but
> then I have to use RAM-disk all the way, am I right ?
>
> For performance reasons I would prefer the read-only-like solutions.

Encrypting root partition requires a small unencrypted /boot partition. Everything else (root, swap and other partitions) can be encrypted. Kernels and tools required to boot kernels reside in the /boot partition.

To encrypt root partition, I have attached a shell script that builds a small "initrd" ram-disk that works with 2.2 and 2.4 kernels. To use it, do something like this:

1) Backup all important data before experimenting.

2) Recompile kernel. These are required:

    CONFIG_BLK_DEV_RAM=y
    CONFIG_BLK_DEV_RAM_SIZE=4096
    CONFIG_BLK_DEV_INITRD=y
    CONFIG_MINIX_FS=y

    cd /usr/src/linux-2.4.10-ac4
    make distclean
    cp ../somewhere/.config .config
    make config
    make dep && make clean && make bzlilo
    make modules && make modules_install

3) Compile loop-AES loop.o module

    cd ../loop-AES-v1.4e
    make LINUX_SOURCE=/usr/src/linux-2.4.10-ac4

4) Copy kernel specific loop.o to /boot

    cp -p /lib/modules/2.4.10-ac4/block/loop.o /boot/loop-2.4.10-ac4.o

   Note: you need to have a kernel version specific loop.o module in /boot directory for every kernel you intend to use.

5) Edit build-initrd.sh to match your setup. At least set BOOTDEV, BOOTTYPE and CRYPTROOT variables to correct values.

6) Edit /etc/lilo.conf (or whatever) and set these:

    root=/dev/ram1
    initrd=/boot/initrd.gz

7) Build a new /boot/initrd.gz and run lilo (or whatever)

    ./build-initrd.sh
    lilo

   Note: /boot/initrd.gz is supposed to be small (1.6 KB on my systems). All other utilities (loop-KERNELRELEASE.o module, insmod, losetup and possibly glibc) are copied to /boot directory. Glibc is not copied if both insmod and losetup are statically linked.

8) Reboot system from rescue floppy / cdrom / other partition on your system, so that the partition you are about to encrypt is _not_ mounted. Note: you must use loop-AES' loop.o module and loop-AES modified losetup program for this.

    insmod loop
    losetup -e AES128 /dev/loop5 /dev/hda2
    dd if=/dev/hda2 of=/dev/loop5 bs=8192 conv=notrunc
    sync
    mount -t ext2 /dev/loop5 /mnt

9) Edit root partition entry in /mnt/etc/fstab file. Replace old /dev/hda2 with /dev/loop5 (or whatever you are using).

10) Clean up and reboot

    umount /mnt
    losetup -d /dev/loop5
    sync
    shutdown -r now

Regards,
Jari Ruusu <jari.ruusu@xxxxxxxxxx>

Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
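
A pre-flight check for the procedure in Jari Ruusu's message, as an added example that is not part of either message or of loop-AES: it verifies the settings from steps 2, 4, 6, 7 and 9 before the final reboot, because a missed one can leave the system unbootable. The function names are hypothetical and the demo files are constructed; the device names and kernel release are the ones used in the message.

```shell
# Added example (not from the messages): function names are hypothetical.
# Step 2: the four kernel options, with the values listed in the message.
check_kconfig() {
    rc=0
    for opt in CONFIG_BLK_DEV_RAM=y CONFIG_BLK_DEV_RAM_SIZE=4096 \
               CONFIG_BLK_DEV_INITRD=y CONFIG_MINIX_FS=y; do
        grep -qxF "$opt" "$1" || { echo "kernel config lacks $opt" >&2; rc=1; }
    done
    return $rc
}

# Step 6: lilo.conf must boot via the ram-disk; comments and spaces ignored.
check_lilo() {
    rc=0
    for want in root=/dev/ram1 initrd=/boot/initrd.gz; do
        sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | grep -qxF "$want" ||
            { echo "lilo.conf lacks $want" >&2; rc=1; }
    done
    return $rc
}

# Steps 4 and 7: /boot needs initrd.gz and a loop module for this kernel.
check_boot_files() {
    rc=0
    for f in "$1/initrd.gz" "$1/loop-$2.o"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; rc=1; }
    done
    return $rc
}

# Step 9: the fstab entry mounted on / must name the loop device.
check_fstab() {
    dev=$(awk '$1 !~ /^#/ && $2 == "/" { print $1; exit }' "$1")
    [ "$dev" = "$2" ] || { echo "fstab root is '$dev', expected $2" >&2; return 1; }
}

# Demo on constructed sample files; the fstab still names the old device.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' CONFIG_BLK_DEV_RAM=y CONFIG_BLK_DEV_RAM_SIZE=4096 \
        CONFIG_BLK_DEV_INITRD=y CONFIG_MINIX_FS=y > "$d/.config"
    printf 'root = /dev/ram1\ninitrd=/boot/initrd.gz\n' > "$d/lilo.conf"
    echo x > "$d/initrd.gz"; echo x > "$d/loop-2.4.10-ac4.o"
    printf '/dev/hda2 / ext2 defaults 1 1\n' > "$d/fstab"
    check_kconfig "$d/.config" && check_lilo "$d/lilo.conf" &&
        check_boot_files "$d" 2.4.10-ac4 && ! check_fstab "$d/fstab" /dev/loop5
    rc=$?; rm -rf "$d"; return $rc
}
demo
```

When booted from the rescue media of step 8, point check_fstab at /mnt/etc/fstab and check_boot_files at wherever the /boot partition is mounted.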