I'm sorry if I'm a big pain in the ass here but I really want to get
this done right. =)
I would really like to use the loop-aes way.
However I'd prefer if I could format my usb as ext2 since I'm having
such problems with vfat detecting on my kernel.
However syslinux complains about that.
Is there any alternative?
I also can't find information about setting up with grub.
in DE HOWTO this is what happens:
title desktop
root (hd0.0)
kernel /boot/vmlinuz-desktop root=/dev/ram0 init=/linuxrc desktop
How would that be handled with loop-aes way?
and what on earth shoul KBUILD_OUTPUT be set to when compiling loop.ko?
On Sun, 03 Apr 2005 19:19:05 +0300
Jari Ruusu <jariruusu@xxxxxxxxxxxxxxxxxxxxx> wrote:
> Gabriel Jägenstedt wrote:
> > I was thinking in the lines of creating one big loopback device that
> > could then be "partitioned" using the offset and size parameters.
>
> That would mean that all accesses would have to go through two loop
> devices, which causes small overhead that can be avoided using what I
> suggested.
>
> > I think it would be quite nice if there could be no visible parts
> > outside the system. I have a feeling that creating loopback devices
> > directly from the hda would expose how big they are, which is not
> > desirable.
>
> If you set up encrypted root using build-initrd.sh script from
> loop-AES package and boot from USB-stick, then your hard disk will not
> have any info where your partitions are and how big they are (Assuming
> that partition table is erased).
>
> The initrd boot from USB-stick will have plaintext info where and how
> big your root partition is. Once you have booted to encrypted root,
> then init scripts can set up the remaining encrypted "partitions"
> using losetup -o and -s options. Init script reside on encrypted root
> so those offset+size infos are not visible to attacker possessing
> "cold" disk.
>
> Extra partition-table-less encrypted "partitions" can be automatically
> set up like this in some init script that is run early in the boot
> process:
>
> losetup -p 3 -e AES256 -o @32256 -s 24643584 /dev/loop1 /dev/hda
> 3</etc/fskey1.txt losetup -p 3 -e AES256 -o @24675840 -s 5733020160
> /dev/loop2 /dev/hda 3</etc/fskey2.txt
>
> where /etc/fskey{1,2}.txt are text files containing 65 lines of random
> data, preferably readable only by root user. Since these files reside
> on encrypted root, they are always protected on "cold" disk.
>
> > losetup -e AES128 -K key.gpg -S <seed> -C 100 /dev/loop0 /dev/hda
>
> gpg does salted and iterated key setup on its own, so those -S and -C
> options are not needed here. In other words, -K option is mutually
> exclusive with -S and -C options.
>
> --
> Jari Ruusu 1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9 DB 1D EB E3 24 0E
> A9 DD
---
//gabriel - a true believer
-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
