LinuxQuestions.org
Old 02-03-2004, 11:42 AM   #1
Slacker0815
Member
 
Registered: Jan 2004
Location: Germany
Distribution: Slack, Slack, Slack
Posts: 45

Rep: Reputation: 15
Crypto problems


Hi,

I'm trying to set up a crypto file system using cryptoloop/losetup on Slack 9.1, Kernel 2.6.1.

1.) How do you do the "losetup"? I mean, how do you set the keysize? I found three different ways in tutorials:

losetup -e aes -k 256 /dev/loop0 /dev/sda1
This doesn't work for me at all. Says -k is an unknown option

losetup -e aes-256 /dev/loop0 /dev/sda1
Doesn't work either

losetup -e aes /dev/loop0 /dev/sda1
This seems to work, but it doesn't ask me for a keysize.

So how can I set the keysize?

And more important, if I install aes or twofish, /proc/crypto says that min_keysize is 16 and max_keysize is 32?!?! Shouldn't that be something like 256 or 512?


2.) The entry in /etc/fstab

Is it

/dev/loop0 /mnt/crypt ext3 user,noauto,rw,loop 0 0
or
/dev/sda1 /mnt/crypt ext3 noauto,encryption=aes-256 0 0
|
|__> this is what makes me think: /dev/sda1 or /dev/loop0


Any help is appreciated, I'm close to giving up...
 
Old 02-03-2004, 11:52 AM   #2
cjcuk
Member
 
Registered: Dec 2003
Distribution: Openwall, ~LFS
Posts: 128

Rep: Reputation: 15
Re: Crypto problems

Sorry, I cannot help you with the rest, but here is a guess for this part...

Quote:
Originally posted by Slacker0815
And more important, if I install aes or twofish, /proc/crypto says that min_keysize is 16 and max_keysize is 32?!?! Shouldn't that be something like 256 or 512?
16 bytes == 128 bits and 32 bytes == 256 bits. AES is normally run as 128-bit, 196-bit or 256-bit.
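
As an added example (not part of either post), the shell helper below reads /proc/crypto-style text and converts the reported key sizes from bytes to bits, matching the conversion in the reply above. The function names and the sample listing are constructed for illustration; real kernels print the fields as "min keysize" and "max keysize", and the parser accepts the underscore spelling as well.

```shell
# Added example, not from the thread: report /proc/crypto key sizes in bits.
# The kernel lists keysize in BYTES; names like "aes256" refer to BITS.

# crypto_keysizes [FILE]: print "<name> <min_bits> <max_bits>" for every
# algorithm in FILE (default /proc/crypto) that declares key sizes.
crypto_keysizes() {
    awk -F': *' '
        function emit() {
            if (name != "" && min != "" && max != "")
                printf "%s %d %d\n", name, min * 8, max * 8
            name = min = max = ""
        }
        # Normalise the key: trim padding, accept "min_keysize" spelling too.
        { key = $1; sub(/[ \t]+$/, "", key); gsub(/_/, " ", key) }
        key == "name"        { emit(); name = $2 }
        key == "min keysize" { min = $2 }
        key == "max keysize" { max = $2 }
        END { emit() }
    ' "${1:-/proc/crypto}"
}

# supports_keybits NAME BITS [FILE]: succeed if BITS is inside the reported
# range. Range check only; a cipher may accept just some sizes in that range.
supports_keybits() {
    crypto_keysizes "${3:-/proc/crypto}" | awk -v n="$1" -v b="$2" '
        $1 == n && b >= $2 && b <= $3 { ok = 1 }
        END { exit !ok }'
}

# Constructed sample in the /proc/crypto layout (not captured from a real host).
sample_proc_crypto() {
    cat <<'EOF'
name         : aes
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32

name         : sha256
type         : digest
blocksize    : 64
digestsize   : 32
EOF
}

tmp=$(mktemp) && sample_proc_crypto > "$tmp"
crypto_keysizes "$tmp"
supports_keybits aes 256 "$tmp" && echo "aes accepts a 256-bit key"
rm -f "$tmp"
```

On a live system, call `crypto_keysizes` with no argument to read /proc/crypto directly.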
 
Old 02-03-2004, 12:44 PM   #3
Slacker0815
Member
 
Registered: Jan 2004
Location: Germany
Distribution: Slack, Slack, Slack
Posts: 45

Original Poster
Rep: Reputation: 15

That explains the keysize, thanks

Still wondering how to set it. When I do "losetup -e aes /dev/loop0 /dev/sda1" it just asks me for a password and that's it. So if aes is normally run as 128 bit, I guess that is being used. But if I want to use higher bitrates, say 256, how would I do that?

Regards, Slacker0815
 
Old 02-04-2004, 11:06 AM   #4
qwijibow
Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
losetup -e aes256 /dev/loop /dev/sda1



or you can just

mount -o loop,encryption=aes256 /dev/sda1

that will do the losetup for you.
(provided your version of mount supports it, I had to patch util-linux)
 
Old 02-04-2004, 01:47 PM   #5
Slacker0815
Member
 
Registered: Jan 2004
Location: Germany
Distribution: Slack, Slack, Slack
Posts: 45

Original Poster
Rep: Reputation: 15
Hi qwijibow, thanks for your answer. Did you do that with 2.4 or 2.6? There seem to be some differences (not to forget the differences between cryptoapi, loop-aes and patchint). I guess you're using loop-aes?

And can you tell me which patch you had to apply (a URL would be nice)?

Regards, Slacker0815
 
Old 02-05-2004, 07:07 AM   #6
qwijibow
Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
URL.... lol.... I don't have a URL. But if you give me your email, I could email the source to you?

I used the patch....
loop-AES-v2.0e.tar.bz2

to patch my kernel (2.4.24)
(if you are using 2.6, you do not need that patch, as I'm sure you know)

ALSO, that bz2 patch file contains a patch for the
mount version 2.12
losetup version 2.12
umount version 2.12

that you need to apply to the util-linux source package.
then ./configure
make
but do not make install...
just manually copy the umount, mount and losetup binaries into your /sbin and /bin directories

for some reason, the patched mount tool refuses to work unless you are root, so keep the originals.
 
Old 02-06-2004, 05:06 AM   #7
di11rod
Member
 
Registered: Jan 2004
Location: Austin, TEXAS
Distribution: CentOS 6.5
Posts: 207

Rep: Reputation: 32
this sounds cool

Do any of you have any pointers to online tutorials that describe how to set up your own encrypted filesystem? Sounds cool.

Appreciatively,

di11rod
 
Old 02-06-2004, 09:38 AM   #8
Slacker0815
Member
 
Registered: Jan 2004
Location: Germany
Distribution: Slack, Slack, Slack
Posts: 45

Original Poster
Rep: Reputation: 15
First, thanks to qwijibow, still don't know what I'll do now, but anyway


Hi di11rod, actually there are quite a few, I found around 10-15. The problem is that they all deal with different kernel versions, for each kernel (<2.4.22, >=2.4.22, 2.6x) you need different patches. Some tutorials don't even mention which kernel they are talking about and once you think you understand which patches you need, you find out that your kernel already supports that and you're again confused. There are also different methods, basically loop-aes and cryptoloop/cryptoapi.

http://symlink.dk/linux/cryptofs.php
http://www.tldp.org/HOWTO/Cryptoloop-HOWTO/index.html
http://loop-aes.sourceforge.net/ (view the README) and http://sourceforge.net/projects/loop-aes/
http://encryptionhowto.sourceforge.n...ion-HOWTO.html

These are the links I found right at the moment, I'm working under two different systems at the moment and don't find the other ones now, but that should get you started.

One particular thing that I still don't understand although reading and trying for more than two weeks is on which kernel you need to patch util-linux, or do you have to do that for all kernels?

I tried crypto api so far, but I kinda gave up and will probably TRY to setup loop-aes.

Good luck, if you find something interesting/good tutorial/information, please post it here

Last edited by Slacker0815; 02-06-2004 at 12:28 PM.
 
Old 02-06-2004, 11:10 AM   #9
qwijibow
Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
loop-aes worked easy... cryptoAPI was confusing !

it's quite easy actually.... u need....

loop-aes patch tar.gz
kernel source.
util-linux source.

use the patches inside loop-aes to patch the kernel source (kernel 2.4 only, 2.6 is done for u)
then patch util-linux (latest version)

cd into the patched util-linux source directory
./configure
make

backup your mount binaries
mv /bin/mount /bin/old-mount
same with umount

then copy the new compiled mount and umount binaries into /bin/

now for your kernel...
cd into kernel source (patched if it's 2.4 only !)
make xconfig
load the config file from /boot/config-XXXXXXX
and in the block devices section, say YES to compile loop-aes.
now
make dep (kernel 2.4 only)
make bzImage
make modules
make modules_install
make install

now add the lines
alias mount='old-mount'
alias umount='old-umount'

to your home directory's .bash_profile file.
This will make normal users use normal mount, and bootup and root use the new mount.

now reboot your system.

now let's say u want an encrypted home directory.

cd /home
dd if=/dev/urandom of=/home/username.img bs=1M count=1024 (makes a 1024 meg home directory)

now make an encrypted loop.
losetup -e aes256 /dev/loop3 /home/username.img
[password]

now format the system
mkfs.ext3 /dev/loop3

now kill the loop
losetup -d /dev/loop3

now mount with
mount -o loop,encryption=aes256 /home/username.img /home/username

NOW... use passwd command to change your main linux login password to match
the password of the encryption.

install the program pam_mount
configure it following the read me.

and when you login, it will automatically mount the home directory.

the encryption is totally transparent.

and if any1 steals your pc / laptop, they can't read your files...
even better, if the police swarm your house for stealing mp3's
they will never find the evidence to prosecute
lol.
 
Old 02-06-2004, 11:27 AM   #10
Slacker0815
Member
 
Registered: Jan 2004
Location: Germany
Distribution: Slack, Slack, Slack
Posts: 45

Original Poster
Rep: Reputation: 15
Wow, will try that tomorrow. Have to get drunk now....
 
Old 02-09-2004, 12:24 AM   #11
di11rod
Member
 
Registered: Jan 2004
Location: Austin, TEXAS
Distribution: CentOS 6.5
Posts: 207

Rep: Reputation: 32
thanks a lot

Hey,

I really appreciate these pointers. Especially the step-by-step from qwijibow!

That seems pretty damn doable for my skill level.

Appreciatively,

di11rod
 
  

