> > It's easier to install Ubuntu in the normal way and then encrypt
> > the devices with aespipe,....

> That's the way I do it and for which I need statically linked gpg and
> aespipe.

Just boot from a live-cd with aespipe to encrypt your root device. I think
this is easier than the steps described in the README of loop-AES.

> Kubuntu 7.04 and 7.10 don't have usbcore, usbstorage or vfat built-in.
> So a kernel recompile is needed. Since I am not familiar with
> debian/ubuntu scripts it would be fine to understand your steps
> towards full disk-encryption a little better. Especially how to build
> an initial ramdisk for booting from usb memory without
> build-initrd.sh would be nice to learn.

No, recompiling is necessary because the loop-aes package doesn't provide
multi-key mode. But perhaps this has changed with 7.10. I could boot from a
usb-stick without touching the kernel in ubuntu 7.04 and earlier.

Below you can see my scripts for initramfs-tools. See "man initramfs-tools"
for further explanations,...

First I wrote a script called 'crypt'. It contains all commands to set up my
encrypted disks (including root) and all necessary passphrases in cleartext
(I like to have only one passphrase for all encrypted devices,....):

----------
echo "passwortxxxxxxxxxxxxxxxxxxxx" | losetup -p 0 ..... /dev/loop0 /dev/hdaY

# or multi-key mode:
echo -e -n "passskddddddddddddsfaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\nadsfffffffffffffff[....]" | losetup -p 0 ..... /dev/loop1 /dev/hdaX

# temporary keys for swap and temp (fresh random key on every boot,
# so the old contents of swap and /tmp are unrecoverable):
TEMP=$(gpg --gen-random 1 42 | openssl enc -base64)
KEY=$(echo "$TEMP""YuKq9YvT1ckVOQAQ/nOTm4EyPpYRKLYsJKLh7/BWb2AB+oLkzqC/cUwc" | \
      hashalot sha512 -n 63 | openssl enc -base64 | tr -d "\n")
echo "$KEY" | losetup -p 0 ..... /dev/loop2 /dev/hda88
mkfs.xfs /dev/loop2

TEMP=$(gpg --gen-random 1 42 | openssl enc -base64)
KEY=$(echo "$TEMP""Ou/miNXJ3yjuj3HnAaaoTVcgd1jNkWbRGUjnS0hERymoQoYfWikLpwun" | \
      hashalot sha512 -n 63 | openssl enc -base64 | tr -d "\n")
echo "$KEY" | losetup -p 0 ..... /dev/loop3 /dev/hda999
mkswap /dev/loop3
----------

If I executed this script from the live-cd, all devices would be accessible
according to my /etc/fstab (but not mounted of course):

------------
....
/dev/loop0  /      ext3  defaults,errors=remount-ro  0  1
/dev/loop1  /home  ext3  defaults                    0  2
/dev/loop2  /tmp   xfs   defaults                    0  0
/dev/loop3  none   swap  sw                          0  0
.....
------------

Then I encrypt this script with gpg:

gpg -c --cipher-algo AES256 --s2k-mode 3 --s2k-cipher-algo AES256 \
    --s2k-digest-algo SHA512 --s2k-count 65011712 --force-mdc \
    --digest-algo SHA512 crypt

The name of the encrypted file is '/home/crypt/crypt.gpg'

/etc/initramfs-tools/modules:
-----------
loop
# loop_blowfish
# loop_serpent
# loop_twofish
# perhaps you have to add other modules here
# it depends on your hardware and kernel....
-----------

/etc/initramfs-tools/hooks/loopcrypt (this file is used when an initramfs
image is created):

-------------
#!/bin/bash

# initramfs-tools calls every hook once with "prereqs" and expects only the
# list of hooks to run first on stdout; answer that call and exit.
PREREQ=""
prereqs()
{
    echo "$PREREQ"
}

case "$1" in
prereqs)
    prereqs
    exit 0
    ;;
esac

. /usr/share/initramfs-tools/hook-functions

mkdir -p ${DESTDIR}/boot
mkdir -p ${DESTDIR}/sbin
mkdir -p ${DESTDIR}/usr/bin
mkdir -p ${DESTDIR}/bin
mkdir -p ${DESTDIR}/gnupg
mkdir -p ${DESTDIR}/.gnupg

cp -p /home/crypt/crypt.gpg ${DESTDIR}/boot                 # my encrypted script
cp -p /usr/share/gnupg/options.skel ${DESTDIR}/gnupg
cp -p /usr/share/gnupg/options.skel ${DESTDIR}/.gnupg/gpg.conf

# you don't need to care about "statically linking"
# copy_exec will detect which libraries are necessary and copy
# them to your initrd,....
copy_exec /bin/bash /bin
copy_exec /sbin/mkfs.xfs /sbin
copy_exec /sbin/losetup /sbin
copy_exec /sbin/mkswap /sbin
copy_exec /usr/bin/gpg /usr/bin
copy_exec /usr/bin/tr /usr/bin
copy_exec /usr/bin/openssl /usr/bin
copy_exec /usr/sbin/hashalot /usr/bin
----------------

The following script will be executed at each boot-process, before the
root-partition is mounted.

/etc/initramfs-tools/scripts/local-top/loopcrypt:
---------------
#!/bin/bash

HD='/dev/hda'               # the disk with the encrypted partitions
# if you have more than one disk with encrypted partitions,
# you need to modify the first while-loop
CRYPTFILE='/boot/crypt.gpg'
PREREQ="udev"
PASS=""
PLAIN=""
TEST=1

prereqs()
{
    echo "$PREREQ"
}

case "$1" in
prereqs)
    prereqs
    exit 0
    ;;
esac

echo "Waiting ..."
# wait up to 1800 * 0.1 s for the device node of the disk to appear
slumber=1800
while [ ${slumber} -gt 0 -a ! -e "$HD" ]; do
    /bin/sleep 0.1
    slumber=$(( ${slumber} - 1 ))
done

# ask for the passphrase until gpg produces a plausible script;
# the passphrase is handed to gpg on fd 8 so it never appears on a
# command line. A wrong passphrase leaves PLAIN empty.
while [ 0 != $TEST ] ; do
    echo "password:"
    read -s PASS
    PLAIN=$(gpg --decrypt --no-tty --quiet --no-verbose \
                --passphrase-fd 8 8<<<"$PASS" "$CRYPTFILE")
    if [ ${#PLAIN} -ge 30 ]; then
        TEST=0
    else
        echo "try it again..."
    fi
done

# run the decrypted 'crypt' script inside this shell, one line per command,
# with newline as the only field separator while it runs
oldIFS="$IFS"
IFS=$'\n'
eval "$PLAIN"
IFS="$oldIFS"

# overwrite the secrets held in shell variables
PASS=""
PLAIN=""
TEST=1
---------------

You can build a new initrd with 'update-initramfs -u'.

Creation of the usb-stick (/dev/sdg). The commands will destroy all data on
the stick!

$ dd if=/dev/zero of=/dev/sdg bs=8192 count=22
$ mkdosfs /dev/sdg
$ syslinux /dev/sdg
$ mount /dev/sdg /mnt/stick
$ cp /boot/initrd.your.version /mnt/stick/initrd
$ cp /boot/vmlinuz-your.version /mnt/stick/vmlinuz
$ cp /path/to/syslinux.cfg /mnt/stick/syslinux.cfg
$ sync

syslinux.cfg:
---
default vmlinuz
append initrd=initrd root=/dev/loopX
---

/dev/loopX must be your root-partition according to /etc/fstab!

The size of your initrd.img doesn't matter as long as your usb-stick and RAM
are large enough,...

cu,
Rudi

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
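The post's 'crypt' script generates a throw-away key for swap and /tmp on every boot and elides the 64-line key block it feeds to losetup in multi-key mode. The script below is an added example, not part of Rudi's message or of loop-AES: it produces the same kind of input for "losetup -p 0" (one single-line key, or a whole multi-key block) using only coreutils (head, base64, wc, grep) in place of gpg --gen-random, hashalot and openssl. The constant appended before hashing in the post is dropped here and the random bytes are used directly. The 65-key count for loop-AES multi-key-v3 (64 for multi-key-v2), the 20-character minimum passphrase length and the device names in the comments are assumptions made for this example.

```shell
#!/bin/bash
# Added example (not from the post): random loop-AES keys for "losetup -p 0".

# One key: N random bytes from /dev/urandom, base64-encoded into a single
# line. 64 bytes give 88 base64 characters, well above loop-AES's 20-character
# minimum passphrase length (assumed here).
gen_loop_key() {
    local nbytes=${1:-64}
    head -c "$nbytes" /dev/urandom | base64 | tr -d '\n'
}

# A multi-key block: one key per line, 65 lines for multi-key-v3
# (64 would select multi-key-v2). Count is an assumption, see lead-in.
gen_multikey_block() {
    local n=${1:-65} i=0
    while [ "$i" -lt "$n" ]; do
        gen_loop_key 64
        printf '\n'
        i=$((i + 1))
    done
}

# Sanity check a single key before handing it to losetup: at least
# 20 characters and no embedded newline (a newline would turn a
# single-key passphrase into a short multi-key block).
key_ok() {
    local k="$1"
    [ "${#k}" -ge 20 ] || return 1
    [ "$(printf '%s' "$k" | wc -l)" -eq 0 ] || return 1
    return 0
}

# Count the non-empty lines of a key block read from stdin.
count_keys() {
    grep -c .
}

# Usage as in the post's 'crypt' script (device names are examples only;
# losetup is not run here):
#   gen_loop_key 64 | losetup -p 0 -e AES256 /dev/loop3 /dev/hda999 && mkswap /dev/loop3
#   gen_multikey_block > /root/home.keys   # then encrypt the file with gpg -c
```

Keys made this way are never written to disk unless you redirect them to a file, which matches how the post treats the swap and /tmp keys: they live only in the shell that runs losetup and are gone at the next boot.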