This method is designed to erase the contents of the asset before
encrypting it. If you already have data on the disk you intend to encrypt,
you should copy it somewhere else temporarily and then move it back once
the encryption is set up. It is possible to encrypt data in place, but for
now I consider such magic too advanced for this HOWTO. See loop-AES's
README
for more details if you're interested in that method.
To do the following operations you will need to be running a system
which has a loop-AES
capable kernel. If you don't have one already, I recommend using
KNOPPIX. It boots off a
CD-ROM and doesn't need to be installed, so it's very little
hassle.
For simplicity these instructions assume you'll be preparing the
keychain and the asset on the same computer, but this needn't be the
case. Adapt the instructions to whatever's convenient for you.
If you're taking the approach of encrypting only a file
instead of a disk or a partition, you may skip this section and proceed
directly to Section 2.2.
In the ideal setup you will use a bootable keychain device, such
as a USB flash drive or a business card size
CD-ROM. This is because we want to expose as little of your disk as
possible, but we're going to have to expose a minimal boot process
or the computer will never start. Since the boot process will be
necessarily unencrypted, it's better to have it away from your
computer (on your keychain). If you can't or don't want to use a
bootable keychain for some reason, then follow these instructions anyway
but instead apply them to a small boot partition on your disk instead of
the keychain.
In the following example the keychain shows up as the first SCSI
drive /dev/sda. Replace /dev/sda
with the device for your drive as appropriate.
The first step—zeroing out the keychain—is technically
unnecessary, but it will make the keychain backup smaller if you back
it up as an image as I suggest in Section 2.4.
bash# dd if=/dev/zero of=/dev/sda
Next, partition the keychain as you would any bootable
disk. See the Linux Partition
HOWTO if you need help with partitioning.
bash# cfdisk /dev/sda
Put a file system on the first partition.
bash# mkfs /dev/sda1
Mount the keychain.
bash# mkdir /tmp/keychainbash# mount /dev/sda1 /tmp/keychainbash# cd /tmp/keychain
If you use the keychain with multiple computers you may
want to build a different kernel for each one.
You probably need to build a custom kernel for your keychain so
you can ensure two things:
It has been patched correctly with loop-AES
and encryption support is turned on.
All the device drivers necessary to boot your computer and
make the asset accessible have been compiled in instead of loaded
as modules.
You can load device drivers as modules, since we're using an
initrd, but I chose to compile them into the kernel in order to keep
the boot disk as simple as possible. Feel free to do differently.
For help building a custom kernel read The Linux
Kernel HOWTO. Be sure to set CONFIG_BLK_DEV_RAM
in the kernel configuration so it can boot using an initrd.
Follow the directions that come with loop-AES to
build the new loop driver. Also follow the directions to rebuild
the util-linux
tools, some of which we'll copy to the keychain later. Your distribution may have
already built them for you (e.g., see the loop-aes-utils and loop-aes-source packages in Debian).
Once you've built the kernel, copy it to the keychain.
We boot the keychain using an initrd so we can remove it after
the boot process starts (who wants a USB flash drive hanging out of
their laptop while trying to look cool in a café?). To gain access to
the asset we create a loopback device attached to the initrd's
/dev/loop0. Putting the device file on the initrd
means the initrd will have to stay mounted while the asset is mounted (not a big deal).
We start by choosing 4MB for the size of the initial RAM disk,
all of which we won't need, but it's the conventional maximum
size (and it won't hurt) so that's one less decision to make.
Create the minimal set of devices we'll need. Note that
tty is necessary for the password prompt. This
command assumes your asset is the drive /dev/hda.
Change it as appropriate.
bash# cp -a /dev/{console,hda,loop0,loop1,tty} dev
We'll copy the six programs we'll need.
You can use which to find a program's
full pathname, e.g.:
It's possible to repeat these steps as many times as you want
to handle multiple computers using the same keychain. Each computer will
have its own key and probably its own kernel. The instructions here
assume the computer's name is laptop;
substitute the name of the computer you're working with each time
you repeat the steps.
No, stop, listen to me. Back up your data. Really. It's no fun
to have an encrypted hard disk if you can't decrypt it because of
some mistake you made. These tools are powerful magic; if you blow it
you can't just call up Computer Gurus Are Us
and expect them to get your data back for you. That's the whole
point of this exercise.
If you are encrypting your whole disk (recommended), replace
/dev/hda with the device for your disk.
bash# ln -s /dev/hda /tmp/asset
If you are encrypting a partition (multiboot case), replace
/dev/hda3 with the device for your partition.
bash# ln -s /dev/hda3 /tmp/asset
If you are encrypting a file only, replace ~/encrypted
with the name of the file and create a link named /tmp/keychain
that points to where you decide to store your key file (an already
prepared removable medium, e.g., /mnt/cf).
Initialize the asset with random data. This will make it less
obvious to the attacker which parts are free space.
bash# shred -n 1 -v /tmp/asset
Here we create an encrypted file system to hold the keys. More
encryption, you say? Yes, in case your keychain is stolen (see Table 1), you don't want your keys to be exposed. I
chose one megabyte as the size of the file system because it's a
round number. There's no way we're going to need that much space
for keys so feel free to chose a smaller size if you like (each key file
will be 61 bytes long).
Again, initialize with random data.
bash# cd /tmp/initrdbash# head -c 1m /dev/urandom > keys
To make the passphrase resistant to dictionary attacks we'll
generate a seed. Whenever you see the symbol <seed>
be sure to replace it with the one you generated. The following command
will display a random seed on the screen.
bash# head -c 15 /dev/random | uuencode -m - | head -2 | tail -1
Set up the loopback device using the seed. This is where you
choose your passphrase, which must be at least 20 characters in length. Choose one with care that you know you won't forget. You may want to use the Diceware method for choosing a secure passphrase.
Format and mount the keys file system (the decrypt.sh script assumes you use the ext2
file system here).
bash# mke2fs /dev/loop1bash# mkdir /tmp/keysbash# mount /dev/loop1 /tmp/keys
Now for the actual asset key, 45 bytes as random as your computer
can make them. Try a dictionary attack against that, attacker! Ha! We
name the key after the computer with which it will be used (laptop). Substitute the name of your
computer instead.
bash# head -c 45 /dev/random | uuencode -m - | head -2 | tail -1 > /tmp/keys/laptop
Set up a loopback device with the key for encrypted access to the
asset.
If you're encrypting only a file, format it with a file
system like this and skip to Section 2.3.
bash# mkfs /dev/loop0
We'll create the root "partition" after the swap
space. I put the word 'partition' in quotes because it's
not a real partition. We're faking it using the offset argument of
losetup.
Notice how mkswap told us the actual size of
the swapspace, which is not necessarily the size requested. Use the
actual size (which was 2147471360 in the above example) when
specifying the offset to begin the root file system.
If the asset is the whole disk or the last partition on the
disk, then we needn't worry about specifying a size for the file
system. If this applies to you, do the following and skip to Section 2.2.2.1.
bash# mkfs /dev/loop1
Since the asset isn't the last partition on the disk, we
must give mkfs a size limitation or it will write
all over whatever partitions are between this one and the end of the
disk. I repeat, if you don't give mkfs
the correct size parameter here, you may lose data.
mkfs is actually just a front end, so to be as
careful as possible we'll choose an actual file system maker, in
this case mke2fs.
It's possible to limit the size of the file system by
specifying its size in blocks, but mke2fs chooses
the block size based on the size of the file system. A classic
Catch-22! We can ask it to do a dry run on the rest of the disk (more
than we want) to see what block size it would chose.
bash# mke2fs -n -j /dev/loop1mke2fs 1.34-WIP (21-May-2003)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
9781248 inodes, 19544448 blocks
977222 blocks (5.00%) reserved for the super user
First data block=0
597 block groups
32768 blocks per group, 32768 fragments per group
16384 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424
In this case it chose 4096. Whatever it chooses is probably
close enough for our file system. Calculate the correct size in
blocks.
file system size = (size of partition − size of swap space) ÷
block size
Suppose the size of the partition is 10GB and the size of the
swap is 2GB. The correct size for mke2fs is (10 −
2) × 230 ÷ 4096 = 2097152. Don't get this wrong! Make backups!
Measure twice, cut once!
We have enough information to create the decryption script. Change
the variables at the beginning to reflect your setup (including the seed
you generated earlier).
If you're encrypting the whole disk or a partition, set
ROOT_OFFSET to the size you got from
mkswap. Put the script in /tmp/initrd
and name it decrypt.sh.
If you're encrypting only a file then this script can live
anywhere. In this case be sure to set ROOT_OFFSET to
zero and set MOUNT to a convenient mount point
(probably not /mnt/new-root).
Figure 1. /tmp/initrd/decrypt.sh
#!/bin/sh
SEED=<seed>
ASSET=/dev/hda
ROOT_OFFSET=<root offset>
ROOT_TYPE=ext3
MOUNT=/mnt/new-root
KEY="$1"
# Ask for a passphrase to open the keys (this prevents exposure of the keys in
# case the owner loses the keychain). Give the user three tries to get the
# passphrase right.
for ((FAILED=1, TRY=1; ($FAILED != 0) && (TRY <= 3); TRY++))
do
mount -n -t ext2 -o loop=/dev/loop1,encryption=AES128,itercountk=100,pseed=$SEED keys /mnt/keys
FAILED=$?
done
if [ $FAILED -ne 0 ]; then
echo "Sorry, you get only three attempts to guess the password."
exit 1
fi
# Use the key to decrypt the asset.
losetup -e AES128 -p 0 /dev/loop0 $ASSET < "/mnt/keys/$KEY"
# Close the keys.
umount -n /mnt/keys
losetup -d /dev/loop1
# Set up the root "partition" device.
losetup -o $ROOT_OFFSET /dev/loop1 /dev/loop0
# Mount the root file system (read-only, so it can be checked with fsck).
mount -n -r -t $ROOT_TYPE /dev/loop1 $MOUNT
Make the script executable.
bash# chmod +x decrypt.sh
If you're encrypting only a file, skip to Section 2.4. Otherwise, save the following boot
script as linuxrc and place it in
/tmp/initrd.
Figure 2. /tmp/initrd/linuxrc
#!/bin/sh
# Decrypt the asset
source decrypt.sh "$1"
# Pivot to the asset's root file system.
cd $MOUNT
/sbin/pivot_root . initrd
# Pass control to init.
shift 1
exec chroot . /sbin/init $* <dev/console >dev/console 2>&1
Make the script executable.
bash# chmod +x linuxrc
Okay, the keychain and asset are now ready. Unmount everything.
bash# umount /tmp/{initrd,keychain}
You now have an empty, encrypted file system. Hurray!
Test your system by booting the keychain or executing the decrypt.sh script as appropriate (give it the name of the
key you want to use as a parameter). After booting there may be a
complaint about a nonexistent /sbin/init but
that's okay for now.
Check to make sure your root file system mounted successfully.
When you're confident everything is working, back up your keychain.
In fact, make lots of backups. You might ask, "But isn't it
insecure to have a copy of my keychain somewhere?" The answer is
yes, it is, but not as insecure as losing your only keychain, if you
define security as also meaning "securing access to my data".
Because my keychain is small I decided to back up the whole image
so it's easy to restore:
bash# bzip2 -c /dev/sda > keychain.img.bz2
If you're encrypting only a file, you can pat yourself on your
back at this point because you've finished.
Rescue disks are useful when a system isn't behaving properly
and/or refuses to boot. Check to make sure your rescue disk has loop-AES support
in its kernel and has the correctly patched util-linux
tools such as losetup and mount,
otherwise it will be worthless with your newly encrypted asset. In the
future, all rescue disks will include this support because it will come
standard with the 2.6 kernel. In the meantime, KNOPPIX (for example) already has
all the necessary support and can be used as a rescue disk.
After booting an appropriate rescue disk, mount your keychain and
execute the decrypt.sh script.
bash# mkdir /tmp/{keychain,initrd}bash# mount /dev/sda1 /tmp/keychainbash# mount -o loop=/dev/loop3 /tmp/keychain/boot/initrd /tmp/initrdbash# pushd /tmp/initrdbash# ./decrypt.sh laptopbash# popdbash# umount /tmp/{initrd,keychain}
You can now access your asset through the mount point you
specified in decrypt.sh.
Your final task is to install Linux to your new encrypted file system. As you do this make sure the entries in your /etc/fstab for the root and swap look like those below:
The procedure for a fresh installation of Linux is different for
each distribution. Please send me
instructions for distributions not listed below and I will include them here.
Once your system is up and running, consider configuring it to log out automatically after a period of inactivity. This will lessen (but not eliminate) the risk of exposing your asset if the laptop is stolen while on (see Table 1).
