Re: Partitions on loopback

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Gabriel Jägenstedt wrote:
> I was thinking in the lines of creating one big loopback device that
> could then be "partitioned" using the offset and size parameters.

That would mean that all accesses would have to go through two loop devices,
which causes small overhead that can be avoided using what I suggested.

> I think it would be quite nice if there could be no visible parts
> outside the system. I have a feeling that creating loopback devices
> directly from the hda would expose how big they are, which is not
> desirable.

If you set up encrypted root using build-initrd.sh script from loop-AES
package and boot from USB-stick, then your hard disk will not have any info
where your partitions are and how big they are (Assuming that partition
table is erased).

The initrd boot from USB-stick will have plaintext info where and how big
your root partition is. Once you have booted to encrypted root, then init
scripts can set up the remaining encrypted "partitions" using losetup -o and
-s options. Init script reside on encrypted root so those offset+size infos
are not visible to attacker possessing "cold" disk.

Extra partition-table-less encrypted "partitions" can be automatically set
up like this in some init script that is run early in the boot process:

losetup -p 3 -e AES256 -o @32256    -s 24643584   /dev/loop1 /dev/hda 3</etc/fskey1.txt
losetup -p 3 -e AES256 -o @24675840 -s 5733020160 /dev/loop2 /dev/hda 3</etc/fskey2.txt

where /etc/fskey{1,2}.txt are text files containing 65 lines of random data,
preferably readable only by root user. Since these files reside on encrypted
root, they are always protected on "cold" disk.

> losetup -e AES128 -K key.gpg -S <seed> -C 100 /dev/loop0 /dev/hda

gpg does salted and iterated key setup on its own, so those -S and -C
options are not needed here. In other words, -K option is mutually exclusive
with -S and -C options.

-- 
Jari Ruusu  1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9  DB 1D EB E3 24 0E A9 DD

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
[Index of Archives]     [Kernel]     [Linux Crypto]     [Gnu Crypto]     [Gnu Classpath]     [Netfilter]     [Bugtraq]
  Powered by Linux