
Linux CFS and encrypted swap HOWTO

Tuxtendo Security
HOWTO on Linux CFS & Encrypted swap
http://www.tuxtendo.nl/
info@tuxtendo.nl
----------------------------

-----------------------------
--> Intro
-----------------------------

Well, first of all: why would you want CFS & encrypted swap?
Imagine some day your box being cracked by Evil Hacker X..

He could read all your personal stuff with a single keystroke.
Besides that, why would you need encrypted swap? Well, just to enlighten some people: run strings /dev/hda* (your swap device).
It makes good reading for a rainy & stormy day... I even saw my SSH public keys flying by.

Also imagine one day you're Evil Hacker X, and the feds come to your house and put that AK47 up ya ass; that's not nice.
They take all your computers with them and then they research them for exploits, rootlists and so on.. and they find that stuff right there, unencrypted in your swap and/or harddrive.

So that's why we want ENCRYPTED SWAP & filesystems. OpenBSD even has it by default! (you can control that function in OpenBSD with sysctl -w, correct me if I'm wrong)

-------------------------------
--> Preparations
-------------------------------
Linux kernel 2.4.18: 
http://www.nl.kernel.org/pub/linux/kernel/v2.4/linux-2.4.18.tar.bz2

Linux 2.4.18 Encryption patch: http://www.nl.kernel.org/pub/linux/kernel/crypto/v2.4/testing/patch-int-2.4.18.2.gz

Linux 2.4.18 loop-hvr patch:
http://www.nl.kernel.org/pub/linux/kernel/crypto/v2.4/testing/loop-hvr-2.4.18.0.patch

util-linux-2.11o:
http://www.nl.kernel.org/pub/linux/utils/util-linux/util-linux-2.11o.tar.gz

util-linux2.11o patch:
http://www.nl.kernel.org/pub/linux/kernel/people/hvr/util-linux-cryptoapi/util-linux-2.11o.patch.gz

First of all we extract each package into its own dir (we use /root/crypt-inst)
and extract the Linux kernel to /usr/src/.

--> Kernel compile

root@blitzkrieg:/usr/src/linux# pwd
/usr/src/linux
root@blitzkrieg:/usr/src/linux#
root@blitzkrieg:/usr/src/linux# wget http://www.nl.kernel.org/pub/linux/kernel/crypto/v2.4/testing/patch-int-2.4.18.2.gz
--14:18:20--  http://www.nl.kernel.org/pub/linux/kernel/crypto/v2.4/testing/patch-int-2.4.18.2.gz
           => `patch-int-2.4.18.2.gz'
Connecting to wwwproxy.xs4all.nl:8080... connected!
Proxy request sent, awaiting response... 200 OK
Length: 105,658 [text/plain]

    0K .......... .......... .......... .......... .......... 48% @  35.64 KB/s
   50K .......... .......... .......... .......... .......... 96% @  77.64 KB/s
  100K ...                                                   100% @  90.90 KB/s

14:18:22 (49.51 KB/s) - `patch-int-2.4.18.2.gz' saved [105658/105658]

root@blitzkrieg:/usr/src/linux# gunzip -d patch-int-2.4.18.2.gz
root@blitzkrieg:/usr/src/linux# patch -p1 < patch-int-2.4.18.2
<bla bla> patching stuff>

root@blitzkrieg:/usr/src/linux# wget http://www.nl.kernel.org/pub/linux/kernel/crypto/v2.4/testing/loop-hvr-2.4.18.0.patch
--14:19:13--  http://www.nl.kernel.org/pub/linux/kernel/crypto/v2.4/testing/loop-hvr-2.4.18.0.patch
           => `loop-hvr-2.4.18.0.patch'
Connecting to wwwproxy.xs4all.nl:8080... connected!
Proxy request sent, awaiting response... 200 OK
Length: 4,909 [text/plain]

    0K ....                                                  100% @  72.64 KB/s

14:19:13 (71.55 KB/s) - `loop-hvr-2.4.18.0.patch' saved [4909/4909]

root@blitzkrieg:/usr/src/linux# patch -p1 < loop-hvr-2.4.18.0.patch
patching file drivers/block/loop.c
patching file include/linux/loop.h
root@blitzkrieg:/usr/src/linux#

Ok, that's all! Your kernel is now crypto enabled! :)

-- err, -NOT-. First of all, of course, you need to configure it ;)

root@blitzkrieg:/usr/src/linux# make menuconfig
<bla bla>

Configure your kernel like you are used to.

When configuring look for:

  Block devices  --->
    <*> Loopback device support

  Cryptography support (CryptoAPI)  --->
    <*> CryptoAPI support (NEW)      -> also enable all sub-options
    <*> Crypto Ciphers               -> also enable all sub-options
    <*> Digest Algorithms            -> also enable all sub-options
    <*> Crypto Devices               -> also enable all sub-options

e.g.:

  <*> Crypto Devices
  <*>  Loop Crypto support
------
  <*> Crypto Ciphers
  --- 128 bit blocksize
  <*>  AES (aka Rijndael) cipher (NEW)

And so on...

We suggest that you turn on all crypto options..

After that:
make dep; make bzImage; make modules and so on...

Reboot and you're all set!

root@blitzkrieg:/usr/src/linux# uname -a
Linux blitzkrieg 2.4.18-Crypto #1 Wed May 1 00:32:44 EDT 2002 i686 unknown

-----------------------------------
--> Util Linux
-----------------------------------

We fetch and extract util-linux:
--14:31:03--  http://www.nl.kernel.org/pub/linux/utils/util-linux/util-linux-2.11o.tar.gz
           => `util-linux-2.11o.tar.gz'
Connecting to wwwproxy.xs4all.nl:8080... connected!
Proxy request sent, awaiting response... 200 OK
Length: 1,490,079 [application/x-tar]

root@blitzkrieg:~/crypt-in# tar -zxvf util-linux-2.11o.tar.gz
root@blitzkrieg:~/crypt-in/util-linux-2.11o# wget http://www.nl.kernel.org/pub/linux/kernel/people/hvr/util-linux-cryptoapi/util-linux-2.11o.patch.gz

root@blitzkrieg:~/crypt-in/util-linux-2.11o# gunzip -d util-linux-2.11o.patch.gz
root@blitzkrieg:~/crypt-in/util-linux-2.11o# patch -p0 < util-linux-2.11o.patch
< bla bla bla patching..)
root@blitzkrieg:~/crypt-in/util-linux-2.11o# ./configure; make; make install

Now everything is set! First we will create encrypted swap..

--------------------------------------
--> Encrypted swap partitions 
--------------------------------------
Ok, this is tricky..

First of all disable your swap:
root@blitzkrieg:~# swapoff -a
root@blitzkrieg:~#

Then you edit /etc/fstab:

/dev/hda2              swap                    swap    defaults        0 0

Change it to:
/dev/loop0              swap                    swap    defaults        0 0

After that, execute these commands:

/bin/dd if=/dev/urandom bs=1 count=16 | \
    /sbin/losetup -e twofish -k 128 -p 0 /dev/loop0 /dev/hda2
/sbin/mkswap /dev/loop0
/sbin/swapon -a

And then your swap partition is encrypted!

But only for this session: the key is 16 random bytes from /dev/urandom that are never stored anywhere, so after a reboot the old swap contents are unreadable and the loop device has to be set up and mkswap'ed again. To do that on every boot, put this in /etc/rc.d/rc.sysinit:

-- CUT HERE --
# Now turn on swap in case we swap to files.
# Fresh random 128-bit key each boot; /dev/hda2 is the same partition that
# /etc/fstab refers to via /dev/loop0.
/bin/dd if=/dev/urandom bs=1 count=16 | \
    /sbin/losetup -e twofish -k 128 -p 0 /dev/loop0 /dev/hda2 1>/dev/null 2>/dev/null
# The key is new, so the swap signature must be written again every boot.
/sbin/mkswap /dev/loop0 1>/dev/null 2>/dev/null
/sbin/swapon -a
action $"Enabling encrypted swap space: " /bin/true
-- CUT HERE --

After that reboot, and from now on your swap partitions are encrypted..
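A checked version of the swap setup, added here as an example; it is not from the original HOWTO or Tuxtendo. It assumes the cryptoapi-patched losetup with the -e/-k/-p options used above, a 2.4 kernel, /dev/hda2 as the swap partition and /dev/loop0 as the swap device in /etc/fstab, as on this page; the function and variable names are my own. Unlike the rc.sysinit snippet, it refuses to run against a missing device, an active swap or a loop device that is already bound, and it reports failures instead of sending them to /dev/null.

```sh
#!/bin/sh
# Added example (not part of the Tuxtendo HOWTO): encrypted swap setup with
# checks. Assumes the cryptoapi-patched losetup (-e CIPHER -k BITS -p FD).

SWAPDEV=${SWAPDEV:-/dev/hda2}     # raw partition, same as in the HOWTO
LOOPDEV=${LOOPDEV:-/dev/loop0}    # loop device listed as swap in /etc/fstab
CIPHER=${CIPHER:-twofish}
KEYBITS=${KEYBITS:-128}

# key_bytes BITS -> number of random bytes to feed losetup for a BITS-bit key.
# Rejects sizes that are not a whole number of bytes (128 -> 16, 256 -> 32).
key_bytes() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ $(( $1 % 8 )) -eq 0 ] || return 1
    echo $(( $1 / 8 ))
}

# loop_in_use DEV -> 0 if DEV already has a file or partition bound to it
# (querying an unbound device makes the patched losetup exit non-zero).
loop_in_use() {
    losetup "$1" >/dev/null 2>&1
}

# swap_active DEV -> 0 if DEV is currently listed in /proc/swaps.
swap_active() {
    [ -r /proc/swaps ] && grep -q "^$1 " /proc/swaps
}

# setup_encrypted_swap LOOPDEV SWAPDEV
# Same pipeline as the HOWTO, but every step is checked, and nothing is run
# against a device that is missing, still swapping or already bound.
setup_encrypted_swap() {
    loop=$1; part=$2
    nbytes=$(key_bytes "$KEYBITS") || { echo "bad key size: $KEYBITS" >&2; return 1; }
    [ -b "$part" ] || { echo "$part: not a block device" >&2; return 1; }
    [ -b "$loop" ] || { echo "$loop: not a block device" >&2; return 1; }
    if swap_active "$part" || swap_active "$loop"; then
        echo "swap still active; run swapoff first" >&2; return 1
    fi
    if loop_in_use "$loop"; then
        echo "$loop already bound; pick a free loop device" >&2; return 1
    fi
    # A fresh random key per boot that is never written anywhere, which is
    # exactly why mkswap has to run again on every boot.
    dd if=/dev/urandom bs=1 count="$nbytes" 2>/dev/null \
        | losetup -e "$CIPHER" -k "$KEYBITS" -p 0 "$loop" "$part" || return 1
    mkswap "$loop" >/dev/null || { losetup -d "$loop"; return 1; }
    # Enable this device explicitly rather than swapon -a, so a stray plain
    # swap line in fstab is never activated by this script.
    swapon "$loop" || { losetup -d "$loop"; return 1; }
    swap_active "$loop"
}

# Usage (as root, after swapoff -a, or from rc.sysinit):
#   setup_encrypted_swap "$LOOPDEV" "$SWAPDEV"
```

The final swap_active call is the check that should be in the init script: it only returns success once /proc/swaps actually shows the loop device, so a failed losetup can no longer pass silently.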

-------------------------------------
--> Encrypted file systems
-------------------------------------

Encrypted folders / file systems are not very different..

First of all become a "simple" (non-root) user..

Then execute the following, where bs is the block size (1024k = 1 MB) and count is how many of those blocks to write (count=10), so this creates a 10 MB container file:

rayden@blitzkrieg:~$ dd if=/dev/urandom of=~/.crypto bs=1024k count=10

After that become root and execute:

root@blitzkrieg:/home/rayden# losetup -e blowfish /dev/loop1 /home/rayden/.crypto
Available keysizes (bits): 128 160 192 256
Keysize: 256
Password:
root@blitzkrieg:/home/rayden#

ALWAYS use loop1 here, because loop0 is already in use by the swap. When creating multiple encrypted swaps / folders, use one loop device per container: /dev/loop0, /dev/loop1, and so on.

After that we create a filesystem on our encrypted loop device:
root@blitzkrieg:/home/rayden# mke2fs /dev/loop1

Then we create the mount point for it.
rayden@blitzkrieg:~$ mkdir ~/crypto

After that we mount it (notice the dot: ~/.crypto is the container file, ~/crypto is the mount point):

root@blitzkrieg:/home/rayden# mount -t ext2 /dev/loop1 /home/rayden/crypto
root@blitzkrieg:/home/rayden#

If all worked well, you now have a filesystem that resides encrypted in the file ~/.crypto and is mounted on ~/crypto.

When you are done, set the permissions right (chmod etc), unmount the filesystem and detach the loop device (loop1, not loop0, which is still your swap):
root@blitzkrieg:/home/rayden# umount /dev/loop1
root@blitzkrieg:/home/rayden# losetup -d /dev/loop1

After that put in /etc/fstab:
/home/rayden/.crypto  /home/rayden/crypto  ext2  \
      defaults,noauto,loop,encryption=blowfish,user  0   0

so you can always mount the file system from the command line as that user.

If everything worked well you can now mount the file system:

rayden@blitzkrieg:~$ mount /home/rayden/crypto
Available keysizes (bits): 128 160 192 256
Keysize: 256
Password:
rayden@blitzkrieg:~$
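Helpers for the container workflow above, added here as an example; they are not part of the original HOWTO. They assume the cryptoapi-patched mount/losetup and the fstab entry shown on this page (container ~/.crypto, mount point ~/crypto, /dev/loop1); the function names are my own. They add the three checks that bite people with this setup: dd must not overwrite an existing container (that destroys its contents), the fstab line must have an absolute container path plus the loop and encryption= options, and no loop device may stay bound once you walk away.

```sh
#!/bin/sh
# Added example (not part of the Tuxtendo HOWTO): helpers for the per-user
# encrypted container. Assumes the cryptoapi-patched mount and losetup.

# container_create FILE MEGABYTES
# Same dd call as the HOWTO (bs=1024k, so count is the size in MB), but it
# refuses to clobber an existing container and creates the file mode 0600.
container_create() {
    file=$1; mb=$2
    case "$mb" in
        ''|*[!0-9]*|0) echo "size must be a positive MB count" >&2; return 1 ;;
    esac
    if [ -e "$file" ]; then
        echo "$file exists; refusing to overwrite a container" >&2
        return 1
    fi
    ( umask 077; dd if=/dev/urandom of="$file" bs=1024k count="$mb" 2>/dev/null )
}

# fstab_entry_ok LINE
# Checks a one-line fstab entry for an encrypted loop mount: absolute
# container path, absolute mount point, and loop + encryption= among the
# options. Runs in a subshell so set -f and set -- do not leak out.
fstab_entry_ok() (
    set -f                      # no globbing while the line is split
    set -- $1
    [ $# -ge 4 ] || return 1
    case "$1" in /*) ;; *) return 1 ;; esac
    case "$2" in /*) ;; *) return 1 ;; esac
    case ",$4," in *,loop,*) ;; *) return 1 ;; esac
    case ",$4," in *,encryption=*) ;; *) return 1 ;; esac
    return 0
)

# container_close MOUNTPOINT [LOOPDEV]
# The two steps the HOWTO says never to forget: unmount, then detach the
# loop device so the key is no longer held in the kernel. Each step is
# skipped when there is nothing to do, so the function is safe to re-run.
container_close() {
    mnt=$1; loop=$2
    if grep -q " $mnt " /proc/mounts 2>/dev/null; then
        umount "$mnt" || return 1
    fi
    if [ -n "$loop" ] && losetup "$loop" >/dev/null 2>&1; then
        losetup -d "$loop" || return 1
    fi
    return 0
}

# leftover_loops: print every loop device that still has something bound,
# so a forgotten losetup -d shows up before you leave the box.
leftover_loops() {
    for d in /dev/loop[0-9]*; do
        [ -b "$d" ] || continue
        losetup "$d" >/dev/null 2>&1 && echo "$d"
    done
    return 0
}

# Usage:
#   container_create "$HOME/.crypto" 10        # as the user
#   fstab_entry_ok "/home/rayden/.crypto /home/rayden/crypto ext2 defaults,noauto,loop,encryption=blowfish,user 0 0"
#   container_close "$HOME/crypto" /dev/loop1  # when done
#   leftover_loops                             # should print nothing
```

fstab_entry_ok takes the entry as a single line; if you keep the backslash-continued form from the HOWTO, join it before checking. leftover_loops is the quick check to run before logging out: an empty result means every container's key is out of the kernel.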

-------------------------- 
--> Final 
--------------------------

Hey, so that's about it! Now you have encrypted filesystems + swap, which should make it harder for the feds or the hacker to find out about your data ;)

But it improves privacy in general too..

Don't forget to umount and losetup -d /dev/loop* every time you've finished working!

Well, that's all for now, check out http://www.tuxtendo.nl/ for the latest updates etc

Flames / comments etc can be sent to info@tuxtendo.nl
