Next
Previous
Contents
There are many steps involved in the process. I will provide
Details
for these steps in the next section. I thought
it would
be nice to provide a summary first to provide reference (if you
are experienced with unix/linux you probably don't need the
details anyway). Here they are summarized as follows:
- Download the newest international crypto patch (I used
'patch-int-2.2.10.4' at the time this document was written) from:
http://ftp.kerneli.org/pub/kerneli/
- Patch the kernel
- Run 'config' (or 'menuconfig' or 'xconfig') to configure
your
'MakeFile' for the new kernel. The options to enable encryption
are
scattered. First of all, before you will see any other options
you must
enable 'Prompt for development and/or incomplete code/drivers'
under 'Code
Maturity level options'. Under 'Crypto options' enable 'crypto
ciphers' and
'serpent'. Once again, this document assumes you are using
serpent, but try
whatever you want. Remember that DES is known to be incompatible
as of
2.2.10.4 - it may never be supported at all. There are several
important options to select under 'Block Devices'. These include
'Loopback
device support', 'Use relative block numbers as basis for
transfer functions
(RECOMMENDED)', and 'General encryption support'. DO NOT select
'cast 128' or
'twofish' encryption here. Also note that you don't need any of
the crypto
options under the various network categories. I will not go any
further into
configuration of the kernel, it is out of the scope of this
document and can
be found at the LDP site.
- Compile the new kernel.
- Edit '/etc/lilo.conf' to add the new kernel image. Run
'lilo -v' to
add the kernel to the boot loader.
- Download the source for the newest 'util-linux' (I used
'util-linux-2.9v') package from:
ftp://ftp.kernel.org/pub/linux/utils/util-linux/
- Extract the 'util-linux' source.
- Apply the corresponding patch found in your
'/usr/src/linux/Documentation/crypto/' directory.
- CAREFULLY read the 'INSTALL' file! This package
contains the
sources for many system dependent files (important tools such as
'login', 'passwd', and 'init'). If you don't carefully edit the
MCONFIG
file before compiling these sources have a boot disk and/or
shotgun ready
because your system will be quite confused. Basically you want
to set almost
all of the 'HAVE_*' fields equal to yes so that the important
authentication
tools are not compiled and written over. The tools you do want
rebuilt
are 'mount' and 'losetup' to accommodate the new encryption
schemes. I
suggest that you refer to the
Details
section below
for this step.
- Compile and install the 'util-linux' source
- Reboot the machine with the new kernel.
- Edit '/etc/fstab', adding an entry for your mount point
as follows:
/dev/loop0 /mnt/crypt ext2 user,noauto,rw,loop 0 0
- Create the directory that will hold your filesystem, as
in
'/mnt/crypt' above.
- As the user, create your encrypted file as follows:
dd if=/dev/urandom of=/etc/cryptfile bs=1M count=10
- Run losetup as follows:
losetup -e serpent /dev/loop0 /etc/cryptfile
You only have one chance to enter the password, be careful. If
you want to
double-check your password, you can use the command:
losetup -d /dev/loop0
This will deactivate your loop device. Next you will run losetup
again to
test your password, as follows:
losetup -e serpent /dev/loop0 /etc/cryptfile
- Make your ext2 filesystem as follows:
mkfs -t ext2 /dev/loop0
- Now you can mount the encrypted filesystem with:
mount -t ext2 /dev/loop0 /mnt/crypt
- When your done, you want to unmount and protect your
filesystem as
follows:
umount /dev/loop0
losetup -d /dev/loop0
Next
Previous
Contents
Hosting by: Hurra Communications Ltd.
Generated: 2007-01-26 17:58:03