jonen/notes/notes_2004-06.twingle

<hr/>

 Debian-stable/testing and AES-loop(crypto-api) file-system encryption(kernel 2.6.x):
  - read:
     http://www.mirrors.wiretapped.net/security/cryptography/filesystems/loop-aes/loop-AES.README
     http://www.sdc.org/~leila/usb-dongle/readme.html
     http://www.kerneli.org/howto/node3.php
     http://www.linuxsecurity.com/docs/HOWTO/Encryption-HOWTO/
     http://debid.vlsm.org/share/HOWTO/Encrypted-Root-Filesystem-HOWTO
  - updated/new packages needed for 2.6:
        coreutils
        modconf
        modutils
        module-init-tools
    #: apt-get install modutils modconf module-init-tools coreutils -t testing    
  - updated/new packages needed for aes-cryptoloop:
        loop-aes-utils
        util-linux (testing)
  - new packages needed for crypto-swap script:
        sharutils (uuencode)
  - create random passphrase/seed
    #: head -c <LENGTH> /dev/urandom | uuencode -m - | head -n 2 | tail -n 1
  - create encrypted fs:
     (passphrase need min 20 characters!!)
      echo ${PASSPHRASE} | losetup -p 0 -e aes-256 ${LOOPDEV} ${DEVICE}
    - with special seed:
      echo ${PASSPHRASE} | losetup -p 0 -S ${SEED} -e aes-256 ${LOOPDEV} ${DEVICE}
  - for crypto-swap, try this script:
    #------------------------ crypto-swap begin ------------------------------------
    #!/bin/sh
    # Run this script somewhere in your startup scripts _after_ random
    # number generator has been initialized and /usr has been mounted.
    # (md5sum, uuencode, tail and head programs usually reside in /usr/bin/)

    # encrypted swap partition
    SWAPDEVICE=/dev/hda3

    # loop device name
    LOOPDEV=/dev/loop6

    MD=`dd if=${SWAPDEVICE} bs=4k count=10 2>/dev/null | md5sum`
    for X in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ; do
        dd if=/dev/zero of=${SWAPDEVICE} bs=4k count=10 conv=notrunc 2>/dev/null
        sync
    done
    UR=`dd if=/dev/urandom bs=18 count=1 2>/dev/null \
        | uuencode -m - | head -n 2 | tail -n 1`
    echo ${MD}${UR} | losetup -p 0 -e aes-256-cbc  ${LOOPDEV} ${SWAPDEVICE}
    MD=
    UR=
    dd if=/dev/zero of=${LOOPDEV} bs=4k count=10 conv=notrunc 2>/dev/null
    sync
    mkswap ${LOOPDEV}
    sync
    swapon ${LOOPDEV}
    #------------------------ crypto-swap end --------------------------------------
  
  - mounting encrypted file-systems at boot-time
   - for interactive key-passphrase, add following at /etc/fstab:
       /dev/hda6   <mount-point>   <fs-type>   defaults,loop=/dev/loop6,encryption=AES256   0   0
     
     with this method you have to enter your passphrase at boot-time (when the encrypted fs will be mounted)
    
  - with use of init script (WARNING: password/seed have to be written in PLAINTEXT!!):
   - create follwing script at '/etc/init.d/prepare-cryptofs.sh':
    #------------------------ prepare-cryptofs.sh begin ------------------------------------
    #!/bin/sh
    # encrypted partition
    DEVICE=/dev/hda3
    # loop device name
    LOOPDEV=/dev/loop3

    PASSPHRASE="<YOUR_PASSPHRASE>"    # min 20 characters
    SEED="<YOUR_SEED>"

    case "$1" in
      start)
        echo "Setting up loop devices used for crypto-fs..."
        echo ${PASSPHRASE} | losetup -p 0 -S ${SEED} -e aes-256 ${LOOPDEV} ${DEVICE}
      ;;
      stop)
        echo "Deleting loop device used for cryptofs..."
        losetup -d ${LOOPDEV}
      ;;
      *)
        echo "usage: $0 {start|stop}"
        exit 1
    esac
    exit 0
    #------------------------ prepare-cryptofs.sh end --------------------------------------


  FreeBSD(stable) - port update bugs (06.2004)
   BUG: php4 won't comile with e.g. gettext,imap,mcrypt
   FIX: Add a '-lc_r' to the libraries php is linked against.
     (from http://lists.freebsd.org/pipermail/freebsd-ports/2003-September/004231.html)
      - for php4, do:
       export LDDFLAGS='-lc_r' 
      change entries at Makefiles of following ports:
       - gettext at /Makefile:
          change
            LDFLAGS="-L${LOCALBASE}/lib"
          to
            LDFLAGS="-lc_r -L${LOCALBASE}/lib"
       - libxml2 at /Makefile:
          change
            LDFLAGS="-L${LOCALBASE}/lib"
          to
            LDFLAGS="-lc_r -L${LOCALBASE}/lib"
       - cclient at work/libc-client/Makefile:
          change 
            EXTRALDFLAGS= 
          to
            EXTRALDFLAGS=-lc_r
          
            
<hr/>
$Id: notes_2004-06.twingle,v 1.3 2004/06/10 19:13:40 jonen Exp $
  
1	<hr/>
2
3	Debian-stable/testing and AES-loop(crypto-api) file-system encryption(kernel 2.6.x):
4	- read:
5	http://www.mirrors.wiretapped.net/security/cryptography/filesystems/loop-aes/loop-AES.README
6	http://www.sdc.org/~leila/usb-dongle/readme.html
7	http://www.kerneli.org/howto/node3.php
8	http://www.linuxsecurity.com/docs/HOWTO/Encryption-HOWTO/
9	http://debid.vlsm.org/share/HOWTO/Encrypted-Root-Filesystem-HOWTO
10	- updated/new packages needed for 2.6:
11	coreutils
12	modconf
13	modutils
14	module-init-tools
15	#: apt-get install modutils modconf module-init-tools coreutils -t testing
16	- updated/new packages needed for aes-cryptoloop:
17	loop-aes-utils
18	util-linux (testing)
19	- new packages needed for crypto-swap script:
20	sharutils (uuencode)
21	- create random passphrase/seed
22	#: head -c <LENGTH> /dev/urandom \| uuencode -m - \| head -n 2 \| tail -n 1
23	- create encrypted fs:
24	(passphrase need min 20 characters!!)
25	echo ${PASSPHRASE} \| losetup -p 0 -e aes-256 ${LOOPDEV} ${DEVICE}
26	- with special seed:
27	echo ${PASSPHRASE} \| losetup -p 0 -S ${SEED} -e aes-256 ${LOOPDEV} ${DEVICE}
28	- for crypto-swap, try this script:
29	#------------------------ crypto-swap begin ------------------------------------
30	#!/bin/sh
31	# Run this script somewhere in your startup scripts _after_ random
32	# number generator has been initialized and /usr has been mounted.
33	# (md5sum, uuencode, tail and head programs usually reside in /usr/bin/)
34
35	# encrypted swap partition
36	SWAPDEVICE=/dev/hda3
37
38	# loop device name
39	LOOPDEV=/dev/loop6
40
41	MD=`dd if=${SWAPDEVICE} bs=4k count=10 2>/dev/null \| md5sum`
42	for X in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ; do
43	dd if=/dev/zero of=${SWAPDEVICE} bs=4k count=10 conv=notrunc 2>/dev/null
44	sync
45	done
46	UR=`dd if=/dev/urandom bs=18 count=1 2>/dev/null \
47	\| uuencode -m - \| head -n 2 \| tail -n 1`
48	echo ${MD}${UR} \| losetup -p 0 -e aes-256-cbc ${LOOPDEV} ${SWAPDEVICE}
49	MD=
50	UR=
51	dd if=/dev/zero of=${LOOPDEV} bs=4k count=10 conv=notrunc 2>/dev/null
52	sync
53	mkswap ${LOOPDEV}
54	sync
55	swapon ${LOOPDEV}
56	#------------------------ crypto-swap end --------------------------------------
57
58	- mounting encrypted file-systems at boot-time
59	- for interactive key-passphrase, add following at /etc/fstab:
60	/dev/hda6 <mount-point> <fs-type> defaults,loop=/dev/loop6,encryption=AES256 0 0
61
62	with this method you have to enter your passphrase at boot-time (when the encrypted fs will be mounted)
63
64	- with use of init script (WARNING: password/seed have to be written in PLAINTEXT!!):
65	- create follwing script at '/etc/init.d/prepare-cryptofs.sh':
66	#------------------------ prepare-cryptofs.sh begin ------------------------------------
67	#!/bin/sh
68	# encrypted partition
69	DEVICE=/dev/hda3
70	# loop device name
71	LOOPDEV=/dev/loop3
72
73	PASSPHRASE="<YOUR_PASSPHRASE>" # min 20 characters
74	SEED="<YOUR_SEED>"
75
76	case "$1" in
77	start)
78	echo "Setting up loop devices used for crypto-fs..."
79	echo ${PASSPHRASE} \| losetup -p 0 -S ${SEED} -e aes-256 ${LOOPDEV} ${DEVICE}
80	;;
81	stop)
82	echo "Deleting loop device used for cryptofs..."
83	losetup -d ${LOOPDEV}
84	;;
85	*)
86	echo "usage: $0 {start\|stop}"
87	exit 1
88	esac
89	exit 0
90	#------------------------ prepare-cryptofs.sh end --------------------------------------
91
92
93
94	FreeBSD(stable) - port update bugs (06.2004)
95	BUG: php4 won't comile with e.g. gettext,imap,mcrypt
96	FIX: Add a '-lc_r' to the libraries php is linked against.
97	(from http://lists.freebsd.org/pipermail/freebsd-ports/2003-September/004231.html)
98	- for php4, do:
99	export LDDFLAGS='-lc_r'
100	change entries at Makefiles of following ports:
101	- gettext at /Makefile:
102	change
103	LDFLAGS="-L${LOCALBASE}/lib"
104	to
105	LDFLAGS="-lc_r -L${LOCALBASE}/lib"
106	- libxml2 at /Makefile:
107	change
108	LDFLAGS="-L${LOCALBASE}/lib"
109	to
110	LDFLAGS="-lc_r -L${LOCALBASE}/lib"
111	- cclient at work/libc-client/Makefile:
112	change
113	EXTRALDFLAGS=
114	to
115	EXTRALDFLAGS=-lc_r
116
117
118
119	<hr/>
120	$Id: notes_2004-06.twingle,v 1.3 2004/06/10 19:13:40 jonen Exp $
121
MailToCvsAdmin">MailToCvsAdmin	ViewVC Help
Powered by ViewVC 1.1.26