This method is designed to erase the contents of the asset before encrypting it. If you already have data on the disk you intend to encrypt, you should copy it somewhere else temporarily and then move it back once the encryption is set up. It is possible to encrypt data in place, but for now I consider such magic too advanced for this HOWTO. See loop-AES's README for more details if you're interested in that method.
To do the following operations you will need to be running a system which has a loop-AES capable kernel. If you don't have one already, I recommend using KNOPPIX. It boots off a CD-ROM and doesn't need to be installed, so it's very little hassle.
For simplicity these instructions assume you'll be preparing the keychain and the asset on the same computer, but this needn't be the case. Adapt the instructions to whatever's convenient for you.
If you're taking the approach of encrypting only a file instead of a disk or a partition, you may skip this section and proceed directly to Section 2.2.
In the ideal setup you will use a bootable keychain device, such as a USB flash drive or a business card size CD-ROM. This is because we want to expose as little of your disk as possible, but we're going to have to expose a minimal boot process or the computer will never start. Since the boot process will be necessarily unencrypted, it's better to have it away from your computer (on your keychain). If you can't or don't want to use a bootable keychain for some reason, then follow these instructions anyway but instead apply them to a small boot partition on your disk instead of the keychain.
In the following example the keychain shows up as the first SCSI drive /dev/sda. Replace /dev/sda with the device for your drive as appropriate.
The first step—zeroing out the keychain—is technically unnecessary, but it will make the keychain backup smaller if you back it up as an image as I suggest in Section 2.4.
bash# dd if=/dev/zero of=/dev/sda
Next, partition the keychain as you would any bootable disk. See the Linux Partition HOWTO if you need help with partitioning.
bash# cfdisk /dev/sda
Put a file system on the first partition.
bash# mkfs /dev/sda1
Mount the keychain.
bash# mkdir /tmp/keychain bash# mount /dev/sda1 /tmp/keychain bash# cd /tmp/keychain
If you use the keychain with multiple computers you may want to build a different kernel for each one.
You probably need to build a custom kernel for your keychain so you can ensure two things:
It has been patched correctly with loop-AES and encryption support is turned on.
All the device drivers necessary to boot your computer and make the asset accessible have been compiled in instead of loaded as modules.
You can load device drivers as modules, since we're using an initrd, but I chose to compile them into the kernel in order to keep the boot disk as simple as possible. Feel free to do differently.
For help building a custom kernel read The Linux Kernel HOWTO. Be sure to set CONFIG_BLK_DEV_RAM in the kernel configuration so it can boot using an initrd.
Follow the directions that come with loop-AES to build the new loop driver. Also follow the directions to rebuild the util-linux tools, some of which we'll copy to the keychain later. Your distribution may have already built them for you (e.g., see the loop-aes-utils and loop-aes-source packages in Debian).
Once you've built the kernel, copy it to the keychain.
bash# mkdir boot bash# cp arch/i386/boot/bzImage boot/vmlinuz-laptop
Install GRUB or your favorite boot loader.
bash# grub-install --root-directory=. /dev/sda
Here is a sample menu.lst for GRUB. It has entries for two computers named laptop and desktop.
It is required to pass the name of the key (I suggest you name it after the computer) as the first parameter to linuxrc. |
We boot the keychain using an initrd so we can remove it after the boot process starts (who wants a USB flash drive hanging out of their laptop while trying to look cool in a caf�?). To gain access to the asset we create a loopback device attached to the initrd's /dev/loop0. Putting the device file on the initrd means the initrd will have to stay mounted while the asset is mounted (not a big deal).
To learn all about making initial RAM disks you're welcome to read The Linux Bootdisk HOWTO and Linux's Documentation/initrd.txt, or don't bother and just follow along.
We start by choosing 4MB for the size of the initial RAM disk, all of which we won't need, but it's the conventional maximum size (and it won't hurt) so that's one less decision to make.
bash# head -c 4m /dev/zero > boot/initrd bash# mke2fs -F -m0 -b 1024 boot/initrd
Mount the initrd so we can work on it.
bash# mkdir /tmp/initrd bash# mount -o loop=/dev/loop3 boot/initrd /tmp/initrd bash# cd /tmp/initrd
Create the minimal directory structure we'll need.
bash# mkdir -p {bin,dev,lib,mnt/{keys,new-root},usr/sbin,sbin}
Create the minimal set of devices we'll need. Note that tty is necessary for the password prompt. This command assumes your asset is the drive /dev/hda. Change it as appropriate.
bash# cp -a /dev/{console,hda,loop0,loop1,tty} dev
We'll copy the six programs we'll need.
You can use which to find a program's full pathname, e.g.:
|
Copy the programs:
bash# cp /bin/{mount,sh,umount} bin bash# cp /sbin/{losetup,pivot_root} sbin bash# cp /usr/sbin/chroot usr/sbin
Use ldd to find out which shared libraries are used by each program:
bash# ldd /bin/{mount,sh,umount} /sbin/{losetup,pivot_root} /usr/sbin/chroot /bin/mount: libc.so.6 => /lib/libc.so.6 (0x40023000) /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000) /bin/sh: libncurses.so.5 => /lib/libncurses.so.5 (0x40020000) libdl.so.2 => /lib/libdl.so.2 (0x4005c000) libc.so.6 => /lib/libc.so.6 (0x4005f000) /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000) /bin/umount: libc.so.6 => /lib/libc.so.6 (0x40023000) /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000) /sbin/losetup: libc.so.6 => /lib/libc.so.6 (0x40023000) /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000) /sbin/pivot_root: libc.so.6 => /lib/libc.so.6 (0x40023000) /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000) /usr/sbin/chroot: libc.so.6 => /lib/libc.so.6 (0x40023000) /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
Copy the libraries. On my system I copied these libraries (yours may be different):
bash# cp /lib/{ld-linux.so.2,libc.so.6,libdl.so.2,libncurses.so.5} lib
It's possible to repeat these steps as many times as you want to handle multiple computers using the same keychain. Each computer will have its own key and probably its own kernel. The instructions here assume the computer's name is laptop; substitute the name of the computer you're working with each time you repeat the steps.
First, back up your data. See the Linux Complete Backup and Recovery HOWTO.
No, stop, listen to me. Back up your data. Really. It's no fun to have an encrypted hard disk if you can't decrypt it because of some mistake you made. These tools are powerful magic; if you blow it you can't just call up Computer Gurus Are Us and expect them to get your data back for you. That's the whole point of this exercise.
If you are encrypting your whole disk (recommended), replace /dev/hda with the device for your disk.
bash# ln -s /dev/hda /tmp/asset
If you are encrypting a partition (multiboot case), replace /dev/hda3 with the device for your partition.
bash# ln -s /dev/hda3 /tmp/asset
If you are encrypting a file only, replace ~/encrypted with the name of the file and create a link named /tmp/keychain that points to where you decide to store your key file (an already prepared removable medium, e.g., /mnt/cf).
bash# ln -s ~/encrypted /tmp/asset bash# ln -s /mnt/cf /tmp/keychain
Initialize the asset with random data. This will make it less obvious to the attacker which parts are free space.
bash# shred -n 1 -v /tmp/asset
Here we create an encrypted file system to hold the keys. More encryption, you say? Yes, in case your keychain is stolen (see Table 1), you don't want your keys to be exposed. I chose one megabyte as the size of the file system because it's a round number. There's no way we're going to need that much space for keys so feel free to chose a smaller size if you like (each key file will be 61 bytes long).
Again, initialize with random data.
bash# cd /tmp/initrd bash# head -c 1m /dev/urandom > keys
To make the passphrase resistant to dictionary attacks we'll generate a seed. Whenever you see the symbol <seed> be sure to replace it with the one you generated. The following command will display a random seed on the screen.
bash# head -c 15 /dev/random | uuencode -m - | head -2 | tail -1
Set up the loopback device using the seed. This is where you choose your passphrase, which must be at least 20 characters in length. Choose one with care that you know you won't forget. You may want to use the Diceware method for choosing a secure passphrase.
bash# losetup -e AES128 -C 100 -S <seed> -T /dev/loop1 keys
Format and mount the keys file system (the decrypt.sh script assumes you use the ext2 file system here).
bash# mke2fs /dev/loop1 bash# mkdir /tmp/keys bash# mount /dev/loop1 /tmp/keys
Now for the actual asset key, 45 bytes as random as your computer can make them. Try a dictionary attack against that, attacker! Ha! We name the key after the computer with which it will be used (laptop). Substitute the name of your computer instead.
bash# head -c 45 /dev/random | uuencode -m - | head -2 | tail -1 > /tmp/keys/laptop
Set up a loopback device with the key for encrypted access to the asset.
bash# losetup -e AES128 -p 0 /dev/loop0 /tmp/asset < /tmp/keys/laptop
Unmount the keys file system.
bash# umount /tmp/keys bash# losetup -d /dev/loop1
Skip this section if you're encrypting only a file.
It's critical to give mkswap a size parameter here because we're not handing it a dedicated partition. Choose whatever size you want; I chose 2GB.
bash# mkswap /dev/loop0 $((2*1024*1024)) mkswap: warning: truncating swap area to 2097144kB Setting up swapspace version 1, size = 2147471360 bytes
If you're encrypting only a file, format it with a file system like this and skip to Section 2.3.
bash# mkfs /dev/loop0
We'll create the root "partition" after the swap space. I put the word 'partition' in quotes because it's not a real partition. We're faking it using the offset argument of losetup.
Notice how mkswap told us the actual size of the swapspace, which is not necessarily the size requested. Use the actual size (which was 2147471360 in the above example) when specifying the offset to begin the root file system.
bash# losetup -o <root offset> /dev/loop1 /dev/loop0
If the asset is the whole disk or the last partition on the disk, then we needn't worry about specifying a size for the file system. If this applies to you, do the following and skip to Section 2.2.2.1.
bash# mkfs /dev/loop1
Since the asset isn't the last partition on the disk, we must give mkfs a size limitation or it will write all over whatever partitions are between this one and the end of the disk. I repeat, if you don't give mkfs the correct size parameter here, you may lose data. mkfs is actually just a front end, so to be as careful as possible we'll choose an actual file system maker, in this case mke2fs.
It's possible to limit the size of the file system by specifying its size in blocks, but mke2fs chooses the block size based on the size of the file system. A classic Catch-22! We can ask it to do a dry run on the rest of the disk (more than we want) to see what block size it would chose.
bash# mke2fs -n -j /dev/loop1 mke2fs 1.34-WIP (21-May-2003) Filesystem label= OS type: Linux Block size=4096 (log=2) Fragment size=4096 (log=2) 9781248 inodes, 19544448 blocks 977222 blocks (5.00%) reserved for the super user First data block=0 597 block groups 32768 blocks per group, 32768 fragments per group 16384 inodes per group Superblock backups stored on blocks: 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 4096000, 7962624, 11239424
In this case it chose 4096. Whatever it chooses is probably close enough for our file system. Calculate the correct size in blocks.
file system size = (size of partition − size of swap space) � block size
Suppose the size of the partition is 10GB and the size of the swap is 2GB. The correct size for mke2fs is (10 − 2) � 230 � 4096 = 2097152. Don't get this wrong! Make backups! Measure twice, cut once!
bash# mke2fs -j /dev/loop1 2097152
Mount the new root file system and create the initrd mount point. This is necessary for the linuxrc script's call to pivot_root.
bash# mount /dev/loop1 mnt/new-root bash# mkdir mnt/new-root/initrd bash# umount mnt/new-root
We have enough information to create the decryption script. Change the variables at the beginning to reflect your setup (including the seed you generated earlier).
If you're encrypting the whole disk or a partition, set ROOT_OFFSET to the size you got from mkswap. Put the script in /tmp/initrd and name it decrypt.sh.
If you're encrypting only a file then this script can live anywhere. In this case be sure to set ROOT_OFFSET to zero and set MOUNT to a convenient mount point (probably not /mnt/new-root).
Figure 1. /tmp/initrd/decrypt.sh
#!/bin/sh SEED=<seed> ASSET=/dev/hda ROOT_OFFSET=<root offset> ROOT_TYPE=ext3 MOUNT=/mnt/new-root KEY="$1" # Ask for a passphrase to open the keys (this prevents exposure of the keys in # case the owner loses the keychain). Give the user three tries to get the # passphrase right. for ((FAILED=1, TRY=1; ($FAILED != 0) && (TRY <= 3); TRY++)) do mount -n -t ext2 -o loop=/dev/loop1,encryption=AES128,itercountk=100,pseed=$SEED keys /mnt/keys FAILED=$? done if [ $FAILED -ne 0 ]; then echo "Sorry, you get only three attempts to guess the password." exit 1 fi # Use the key to decrypt the asset. losetup -e AES128 -p 0 /dev/loop0 $ASSET < "/mnt/keys/$KEY" # Close the keys. umount -n /mnt/keys losetup -d /dev/loop1 # Set up the root "partition" device. losetup -o $ROOT_OFFSET /dev/loop1 /dev/loop0 # Mount the root file system (read-only, so it can be checked with fsck). mount -n -r -t $ROOT_TYPE /dev/loop1 $MOUNT |
Make the script executable.
bash# chmod +x decrypt.sh
If you're encrypting only a file, skip to Section 2.4. Otherwise, save the following boot script as linuxrc and place it in /tmp/initrd.
Figure 2. /tmp/initrd/linuxrc
#!/bin/sh # Decrypt the asset source decrypt.sh "$1" # Pivot to the asset's root file system. cd $MOUNT /sbin/pivot_root . initrd # Pass control to init. shift 1 exec chroot . /sbin/init $* <dev/console >dev/console 2>&1 |
Make the script executable.
bash# chmod +x linuxrc
Okay, the keychain and asset are now ready. Unmount everything.
bash# umount /tmp/{initrd,keychain}
You now have an empty, encrypted file system. Hurray!
Test your system by booting the keychain or executing the decrypt.sh script as appropriate (give it the name of the key you want to use as a parameter). After booting there may be a complaint about a nonexistent /sbin/init but that's okay for now.
Check to make sure your root file system mounted successfully. When you're confident everything is working, back up your keychain. In fact, make lots of backups. You might ask, "But isn't it insecure to have a copy of my keychain somewhere?" The answer is yes, it is, but not as insecure as losing your only keychain, if you define security as also meaning "securing access to my data".
Because my keychain is small I decided to back up the whole image so it's easy to restore:
bash# bzip2 -c /dev/sda > keychain.img.bz2
If you're encrypting only a file, you can pat yourself on your back at this point because you've finished.
Rescue disks are useful when a system isn't behaving properly and/or refuses to boot. Check to make sure your rescue disk has loop-AES support in its kernel and has the correctly patched util-linux tools such as losetup and mount, otherwise it will be worthless with your newly encrypted asset. In the future, all rescue disks will include this support because it will come standard with the 2.6 kernel. In the meantime, KNOPPIX (for example) already has all the necessary support and can be used as a rescue disk.
After booting an appropriate rescue disk, mount your keychain and execute the decrypt.sh script.
bash# mkdir /tmp/{keychain,initrd} bash# mount /dev/sda1 /tmp/keychain bash# mount -o loop=/dev/loop3 /tmp/keychain/boot/initrd /tmp/initrd bash# pushd /tmp/initrd bash# ./decrypt.sh laptop bash# popd bash# umount /tmp/{initrd,keychain}
You can now access your asset through the mount point you specified in decrypt.sh.
Your final task is to install Linux to your new encrypted file system. As you do this make sure the entries in your /etc/fstab for the root and swap look like those below:
# /etc/fstab: static file system information. # # <file system> <mount point> <type> <options> <dump> <pass> /dev/loop0 none swap sw 0 0 /dev/loop1 / ext3 errors=remount-ro 0 1 |
If you already have an installation elsewhere, read the Hard Disk Upgrade Mini How-To to learn how to copy it over.
The procedure for a fresh installation of Linux is different for each distribution. Please send me instructions for distributions not listed below and I will include them here.
Boot from a rescue disk by following the instructions in Section 2.5.
Install using the method 3.7 Installing Debian GNU/Linux from a Unix/Linux System.
Boot from a rescue disk (Gentoo's Live CD 1.4 won't work) by following the instructions in Section 2.5.
Activate the swap partition if you created one.
bash# swapon /dev/loop0
Point /mnt/gentoo to the root file system.
bash# ln -s new-root /mnt/gentoo
Skip to Chapter 8. Stage tarballs and chroot in the Gentoo Linux 1.4 Installation Instructions.
Once your system is up and running, consider configuring it to log out automatically after a period of inactivity. This will lessen (but not eliminate) the risk of exposing your asset if the laptop is stolen while on (see Table 1).