Tuxtendo Security HOWTO on Linux CFS & Encrypted swap
http://www.tuxtendo.nl/
info@tuxtendo.nl

-----------------------------
--> Intro
-----------------------------

Well, first of all, why would you want CFS & encrypted swap?

Imagine some day your box being cracked by Evil Hacker X. He could read all your personal stuff with a single keystroke. Besides that, why would you need encrypted swap? Well, just to enlighten some people: strings /dev/hda* (your swap device) makes good reading for a rainy and stormy day... I even saw my SSH public keys flying by.

Also imagine one day you're Evil Hacker X, and the feds come to your house and put that AK47 up ya ass, that's not nice. They take all your computers with them and then they research them for exploits, rootlists and so on... and they find that stuff right there, unencrypted in your swap and/or hard drive.

So that's why we want ENCRYPTED SWAP & file systems. OpenBSD even has it by default! (You can control that function in OpenBSD with sysctl -w, correct me if I'm wrong.)

-------------------------------
--> Preparations
-------------------------------

Linux kernel 2.4.18:
    http://www.nl.kernel.org/pub/linux/kernel/v2.4/linux-2.4.18.tar.bz2

Linux 2.4.18 encryption patch:
    http://www.nl.kernel.org/pub/linux/kernel/crypto/v2.4/testing/patch-int-2.4.18.2.gz

Linux 2.4.18 loop-hvr patch:
    http://www.nl.kernel.org/pub/linux/kernel/crypto/v2.4/testing/loop-hvr-2.4.18.0.patch

util-linux-2.11o:
    http://www.nl.kernel.org/pub/linux/utils/util-linux/util-linux-2.11o.tar.gz

util-linux-2.11o patch:
    http://www.nl.kernel.org/pub/linux/kernel/people/hvr/util-linux-cryptoapi/util-linux-2.11o.patch.gz

First of all we extract each package in its own dir (we use /root/crypt-inst) and extract the Linux kernel etc. in /usr/src/.

--> Kernel compile

root@blitzkrieg:/usr/src/linux# pwd
/usr/src/linux
root@blitzkrieg:/usr/src/linux#
root@blitzkrieg:/usr/src/linux# wget http://www.nl.kernel.org/pub/linux/kernel/crypto/v2.4/testing/patch-int-2.4.18.2.gz
--14:18:20--  http://www.nl.kernel.org/pub/linux/kernel/crypto/v2.4/testing/patch-int-2.4.18.2.gz
           => `patch-int-2.4.18.2.gz'
Connecting to wwwproxy.xs4all.nl:8080... connected!
Proxy request sent, awaiting response... 200 OK
Length: 105,658 [text/plain]

    0K .......... .......... .......... .......... ..........  48% @  35.64 KB/s
   50K .......... .......... .......... .......... ..........  96% @  77.64 KB/s
  100K ...                                                     100% @  90.90 KB/s

14:18:22 (49.51 KB/s) - `patch-int-2.4.18.2.gz' saved [105658/105658]

root@blitzkrieg:/usr/src/linux# gunzip -d patch-int-2.4.18.2.gz
root@blitzkrieg:/usr/src/linux# patch -p1 < patch-int-2.4.18.2
<bla bla patching stuff>
root@blitzkrieg:/usr/src/linux# wget http://www.nl.kernel.org/pub/linux/kernel/crypto/v2.4/testing/loop-hvr-2.4.18.0.patch
--14:19:13--  http://www.nl.kernel.org/pub/linux/kernel/crypto/v2.4/testing/loop-hvr-2.4.18.0.patch
           => `loop-hvr-2.4.18.0.patch'
Connecting to wwwproxy.xs4all.nl:8080... connected!
Proxy request sent, awaiting response... 200 OK
Length: 4,909 [text/plain]

    0K ....                                                    100% @  72.64 KB/s

14:19:13 (71.55 KB/s) - `loop-hvr-2.4.18.0.patch' saved [4909/4909]

root@blitzkrieg:/usr/src/linux# patch -p1 < loop-hvr-2.4.18.0.patch
patching file drivers/block/loop.c
patching file include/linux/loop.h
root@blitzkrieg:/usr/src/linux#

OK, that's all! Your kernel is now crypto enabled! :) -- err, -NOT-. First of all, of course, you need to configure it ;)

root@blitzkrieg:/usr/src/linux# make menuconfig
<bla bla>

Configure your kernel like you are used to.
When configuring look for:

    Block devices --->
        <*> Loopback device support

    Cryptography support (CryptoAPI) --->
        <*> CryptoAPI support (NEW)    -> also select <*> for all sub-options
        <*> Crypto Ciphers             -> also select <*> for all sub-options
        <*> Digest Algorithms          -> also select <*> for all sub-options
        <*> Crypto Devices             -> also select <*> for all sub-options

e.g.:

    <*> Crypto Devices
        <*> Loop Crypto support
    ------
    <*> Crypto Ciphers
        --- 128 bit blocksize
        <*> AES (aka Rijndael) cipher (NEW)

And so on... I suggest that you turn on all crypto options. After that: make dep; make bzImage; make modules and so on... Reboot and you're all set!

root@blitzkrieg:/usr/src/linux# uname -a
Linux blitzkrieg 2.4.18-Crypto #1 Wed May 1 00:32:44 EDT 2002 i686 unknown

-----------------------------------
--> Util Linux
-----------------------------------

We extract util-linux etc.:

--14:31:03--  http://www.nl.kernel.org/pub/linux/utils/util-linux/util-linux-2.11o.tar.gz
           => `util-linux-2.11o.tar.gz'
Connecting to wwwproxy.xs4all.nl:8080... connected!
Proxy request sent, awaiting response... 200 OK
Length: 1,490,079 [application/x-tar]

root@blitzkrieg:~/crypt-in# tar -zxvf util-linux-2.11o.tar.gz
root@blitzkrieg:~/crypt-in/util-linux-2.11o# wget http://www.nl.kernel.org/pub/linux/kernel/people/hvr/util-linux-cryptoapi/util-linux-2.11o.patch.gz
root@blitzkrieg:~/crypt-in/util-linux-2.11o# gunzip -d util-linux-2.11o.patch.gz
root@blitzkrieg:~/crypt-in/util-linux-2.11o# patch -p0 < util-linux-2.11o.patch
<bla bla bla patching...>
root@blitzkrieg:~/crypt-in/util-linux-2.11o# ./configure; make; make install

Now everything is set! We will first create encrypted swap.

--------------------------------------
--> Encrypted swap partitions
--------------------------------------

OK, this is tricky.
First of all disable your swap:

root@blitzkrieg:~# swapoff -a
root@blitzkrieg:~#

Then you edit /etc/fstab:

/dev/hda2   swap   swap   defaults   0 0

Change it to:

/dev/loop0  swap   swap   defaults   0 0

After that, execute these commands:

/bin/dd if=/dev/urandom bs=1 count=16 | \
    /sbin/losetup -e twofish -k 128 -p 0 /dev/loop0 /dev/hda2
/sbin/mkswap /dev/loop0
/sbin/swapon -a

(dd feeds 16 random bytes, i.e. the 128-bit key, to losetup on stdin; -p 0 tells losetup to read the key from file descriptor 0.)

And then your swap partition is encrypted! But only for this runtime... so put this in /etc/rc.d/rc.sysinit:

-- CUT HERE --
# Now turn on swap in case we swap to files.
# Use your own swap partition here (the example above used /dev/hda2).
/bin/dd if=/dev/urandom bs=1 count=16 | \
    /sbin/losetup -e twofish -k 128 -p 0 /dev/loop0 /dev/hda6 1>/dev/null 2>/dev/null
/sbin/mkswap /dev/loop0 1>/dev/null 2>/dev/null
/sbin/swapon -a
action $"Enabling encrypted swap space: " /bin/true
-- CUT HERE --

After that reboot, and from now on your swap partitions are encrypted. Because the key comes fresh from /dev/urandom on every boot and is never stored anywhere, whatever was in swap before a reboot can't be read back afterwards either.

-------------------------------------
--> Encrypted file systems
-------------------------------------

Encrypted folders / file systems are not very different.

First of all become a "simple" user, then execute the following, where bs = block size (1024k = 1 MB) and count = how many blocks (count=10), so it creates a 10 MB "disk":

rayden@blitzkrieg:~$ dd if=/dev/urandom of=~/.crypto bs=1024k count=10

After that become root and execute:

root@blitzkrieg:/home/rayden# losetup -e blowfish /dev/loop1 /home/rayden/.crypto
Available keysizes (bits):  128  160  192  256
Keysize: 256
Password:
root@blitzkrieg:/home/rayden#

ALWAYS use loop1!! Because loop0 is already in use by the swap. When creating multiple swaps / folders, number them like /dev/loop0, /dev/loop1, ...

After that we put a file system on our encrypted container:

root@blitzkrieg:/home/rayden# mke2fs /dev/loop1

Then we create the mount point for it:

rayden@blitzkrieg:~$ mkdir ~/crypto

After that we are going to mount it (notice the dot: the container is ~/.crypto, the mount point is ~/crypto):
root@blitzkrieg:/home/rayden# mount -t ext2 /dev/loop1 /home/rayden/crypto
root@blitzkrieg:/home/rayden#

If all worked well, you now have a file system that resides encrypted in the file ~/.crypto and is mounted on ~/crypto.

When you are done, set permissions right (chmod etc.), unmount the file system and detach the loop device (loop1, not loop0, which is still your swap!):

root@blitzkrieg:/home/rayden# umount /dev/loop1
root@blitzkrieg:/home/rayden# losetup -d /dev/loop1

After that put in /etc/fstab (all on one line):

/home/rayden/.crypto  /home/rayden/crypto  ext2  defaults,noauto,loop,encryption=blowfish,user  0 0

so you can always mount the file system from the command line. If everything worked well you can now mount it as the user:

rayden@blitzkrieg:~$ mount /home/rayden/crypto
Available keysizes (bits):  128  160  192  256
Keysize: 256
Password:
rayden@blitzkrieg:~$

--------------------------
--> Final
--------------------------

Hey, so that's about it! Now you have encrypted file systems + swap, which should make it much harder for the feds or the hacker to find out about your data ;) But it improves privacy in general too.

Don't forget to umount and losetup -d /dev/loop* every time when you have finished working!

Well, that's all for now. Check out http://www.tuxtendo.nl/ for the latest updates etc. Flames / comments etc. can be sent to info@tuxtendo.nl
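The swap and file system sections above tell you what to set up, but not how to confirm it after the reboot. The script below is an added example and not part of this HOWTO: it audits the result by checking that every active swap area in /proc/swaps is a loop device rather than the raw partition, that no fstab swap entry would let swapon -a bring the raw partition back, and that the fstab entry for the encrypted folder carries the loop, encryption= and noauto options and points at a backing file that only its owner can read. It cannot tell whether a loop device actually has a cipher attached (that needs losetup on the live box), only that swap does not go straight to the partition. Function names and the /proc/swaps and fstab lines it checks are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Tuxtendo HOWTO: audit the encrypted swap and
# encrypted file system setup. It only reads /proc/swaps-style and fstab-style
# files and looks at the backing file's permissions, so it runs without the
# crypto patches. The sample inputs written by write_samples are constructed.

# --- encrypted swap: every active swap area must be a loop device -----------

# Print the device of each active swap area in a /proc/swaps-style file $1.
active_swaps() {
    awk 'NR > 1 { print $1 }' "$1"     # line 1 is the column header
}

# Print active swap areas that are raw partitions, not /dev/loopN; return 1 if any.
unencrypted_swaps() {
    found=0
    for dev in $(active_swaps "$1"); do
        case "$dev" in
            /dev/loop*) ;;
            *) echo "$dev"; found=1 ;;
        esac
    done
    return $found
}

# Print fstab ($1) swap entries that "swapon -a" would enable on a raw
# partition; return 1 if any.
fstab_raw_swaps() {
    awk '$1 !~ /^#/ && $3 == "swap" && $1 !~ /^\/dev\/loop/ { print $1; bad = 1 }
         END { exit (bad ? 1 : 0) }' "$1"
}

# --- encrypted file system: check the fstab entry and its backing file -------

# Return 0 when comma-separated option list $1 contains option $2 (or $2=value).
has_option() {
    old_ifs=$IFS; IFS=,
    for opt in $1; do
        if [ "$opt" = "$2" ] || [ "${opt%%=*}" = "$2" ]; then IFS=$old_ifs; return 0; fi
    done
    IFS=$old_ifs; return 1
}

# Return 0 when regular file $1 has no group/other permission bits (mode 0600 or stricter).
backing_file_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Check the fstab ($1) entry for mount point $2; print each problem, return 1 if any.
check_crypto_entry() {
    line=$(awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $1, $4; exit }' "$1")
    [ -n "$line" ] || { echo "$2: no fstab entry"; return 1; }
    dev=${line%% *}; opts=${line#* }; rc=0
    has_option "$opts" loop       || { echo "$2: missing 'loop', $dev would not be attached to a loop device"; rc=1; }
    has_option "$opts" encryption || { echo "$2: missing 'encryption=', the loop device would carry no cipher"; rc=1; }
    has_option "$opts" noauto     || { echo "$2: missing 'noauto', boot would stop at the passphrase prompt"; rc=1; }
    backing_file_private "$dev"   || { echo "$dev: missing or readable by group/other, chmod 600 it"; rc=1; }
    return $rc
}

# --- constructed sample inputs (not captured from a real box) ----------------

write_samples() {   # $1 = directory to fill
    d=$1
    printf '%s\n' 'Filename   Type       Size    Used  Priority' \
                  '/dev/loop0 partition  265032  0     -1'        > "$d/swaps.good"
    printf '%s\n' 'Filename   Type       Size    Used  Priority' \
                  '/dev/hda2  partition  265032  0     -1'        > "$d/swaps.bad"
    printf '%s\n' '/dev/hda2  swap  swap  defaults  0 0'         > "$d/fstab.raw"   # raw swap still in fstab
    : > "$d/.crypto";     chmod 600 "$d/.crypto"       # backing file as the HOWTO creates it
    : > "$d/.crypto-bad"; chmod 644 "$d/.crypto-bad"   # world-readable backing file
    cat > "$d/fstab" <<EOF
# swap goes through the loop device set up in rc.sysinit
/dev/loop0       swap            swap  defaults                                       0 0
$d/.crypto       $d/crypto       ext2  defaults,noauto,loop,encryption=blowfish,user  0 0
$d/.crypto-bad   $d/crypto-bad   ext2  defaults,loop,user                             0 0
EOF
}

# --- run the audit -----------------------------------------------------------

audit() {   # $1 = /proc/swaps-style file, $2 = fstab, $3 = mount point; return 1 on any finding
    rc=0
    unencrypted_swaps "$1"       || { echo "swap on a raw partition (listed above)"; rc=1; }
    fstab_raw_swaps "$2"         || { echo "fstab would re-enable raw swap (listed above)"; rc=1; }
    check_crypto_entry "$2" "$3" || rc=1
    return $rc
}

tmp=$(mktemp -d); write_samples "$tmp"
audit "$tmp/swaps.good" "$tmp/fstab" "$tmp/crypto"     && echo "OK: set up as in the HOWTO"
audit "$tmp/swaps.bad"  "$tmp/fstab" "$tmp/crypto-bad" || echo "FAIL: see findings above"
rm -rf "$tmp"
```

On a real box you would call audit with /proc/swaps, /etc/fstab and your mount point instead of the sample files; the ls/cut permission check is deliberately plain POSIX so it works with the 2002-era util-linux this HOWTO builds.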