Install report & encryption

pinotj at club-internet.fr pinotj at club-internet.fr
Sat Feb 5 17:50:39 PST 2005


Hi,

First, I would like to thanks people here because you're really doing a good job.

I did install the #135 revision with uClibc last week-end.
I got the uname segfault bug so I did a copy of the toolchain's one.

I heavily patched the kernel, using most of the -ac11 patch in addition to the patches of the book (and an other one I will talk about later).

Everything runned well except the checkfs startup script that kept on stopping the boot process, complaining about FS error even if actually, there was no problem. Could come from my custom kernel, though. I solved the problem by disabling the checkfs script.

Wanting to compile GnuPG, I got a lot of errors I'm dealing with now.

About the current revision, I would like to suggest using this:
http://www.kernel.org/pub/linux/utils/util-linux/util-linux-2.12q.tar.bz2
for the util-linux package. The one in packages.txt gives 404.


About encryption:
~~~~~~~~~~~~~~~~~

I wanted to enable encryption on my hlfs system. Aim was to provide native swap encryption and possibility to encrypt the root partition.

There is several ways to do this on Linux, mostly cryptoloop, dm-crypt, loop-AES and StegFS.

StegFS is a special encrypted file system. It sounds really great but I have no experience about it and is still under development.

Cryptoloop was removed from the kernel because of a security flaw in the design. He gave possibility to mount a device by loopback, encrypted way. It was replaced by...

dm-crypt, a device mapper created to replace cryptoloop. Unfortunately, you can find on the web that dm-crypt is not flawless and have the same problem of cryptoloop. So it's available natively in the kernel but considering what I read here and there I suggest strongly not to use it.

So there is loop-AES. I know it quite well because I did some system with it (LFS or custom floppy distro). It is stable and modular. I used it with the hlfs system.

You can find loop-AES here:
http://sourceforge.net/projects/loop-aes/
I did an untar copy on my blog if you want to check the files quickly:
http://ngc891.blogdns.net/kernel/loop-AES-v3.0b/ 

Encrypted swap
~~~~~~~~~~~~~~

First you need to apply the util-linux-2.12p.diff patch to util-linux-2.12q during chapter 6. It applies flawless.

In chapter 7, change the fstab line about swap from :
/dev/hdb2  swap  swap  pri=1  0  0
to:
/dev/hdb2  swap  swap  sw,loop=/dev/loop7,encryption=AES128,pri=1
(you can choose encryption=AES256 if you're really paranoid)

You can issue:
 # dd if=/dev/zero of=/dev/hdb2 bs=64k conv=notrunc
 # mkswap /dev/hdb2
To be sure your swap file will not leak old data if any.

Then, you need to remove drivers/block/loop.c and include/linux/loop.h from the kernel source tree during chapter 7 and then apply kernel-2.6.10.diff patch.
When configuring kernel, choose loop-AES option under the block section.

That's all. After reboot, you'll be using encrypted swap.

Encrypted root partition
~~~~~~~~~~~~~~~~~~~~~~~~

You need third part software to do this (including a patched GnuPG) so I think it belongs mostly to bhlfs.
The most important thing is to know that it requires an unencrypted /boot partition. It could be nice to warn about sparing a /boot partition at the beginning of the book for people that plan to encrypt /

Hope it's useful,

Regards,

-- 
Jerome Pinot
http://ngc891.blogdns.net/ 




More information about the hlfs-dev mailing list