Swap encryption and GnuPG

pinotj at club-internet.fr
Sat Feb 19 07:29:30 PST 2005

Well, it seems the encrypted swap hint is actually quite complete.
I checked the source and all the new versions of loop_AES (> 3.0a) use, by default, multi-key encryption. There is no need for special boot scripts anymore and GnuPG is not required for this.

Anyway, I did build GnuPG on the HLFS by:

 # Apply the loop-AES patch to the GnuPG 1.4.0 tree
 patch -Np1 -i ../gnupg-1.4.0-loop_AES-3.0b.patch &&
 # Build position-independent executables (no trailing space after the backslash)
 sed -e 's/^CFLAGS .*$/& -pie -fpie/g' \
  -i `find . -name Makefile.in` &&
 # Use frandom instead of urandom as the random device in configure
 sed -e 's|/dev/urandom|/dev/frandom|g' -i configure &&
 ./configure --prefix=/usr --enable-static-rnd=linux \
  --disable-nls &&
 make && make install

The question is 'what random device to use'?
First, I thought about using frandom instead of urandom to be sure to always have enough data, but it seems not perfect for crypto and is not recommended.
What do you think?

Do people think about adding GnuPG in the book?
If not, I will add all this to the eswap-hint.txt.

PS: encrypting /tmp could be really nice too but needs, like root encryption, special partitioning before the build. Annoying.

Jerome Pinot
