Your hard disk (hda) should contain at least three partitions:
hda1: this small (~4 Mb) unencrypted partition will ask for a password in order to mount the encrypted root filesystem.
hda2: this partition will contain your encrypted root filesystem; make sure it is large enough.
hda3: this partition holds the current GNU/Linux system.
At this point, both hda1 and hda2 are unused. hda3 is where your Linux distribution is currently installed; /usr and /boot must not be separated from this partition.
There are two main projects which add strong crypto support in the kernel: CryptoAPI and loop-AES. This howto is based on loop-AES, since it has an extremely fast and highly optimized implementation of Rijndael in assembly language, and therefore provides maximum performance if you have an IA-32 (x86) CPU.
First of all, download and unpack the loop-AES package:
wget http://loop-aes.sourceforge.net/loop-AES/loop-AES-v2.0b.tar.bz2 tar -xvjf loop-AES-v2.0b.tar.bz2 |
Then you must download and patch the kernel source:
wget http://ftp.kernel.org/pub/linux/kernel/v2.4/linux-2.4.23.tar.bz2 tar -xvjf linux-2.4.23.tar.bz2 cd linux-2.4.23 patch -Np1 -i ../loop-AES-v2.0b/kernel-2.4.23.diff |
Setup the keyboard map:
dumpkeys | loadkeys -m - > drivers/char/defkeymap.c |
Next, configure your kernel; make sure the following options are set:
make menuconfig
Block devices --->
<*> Loopback device support
[*] AES encrypted loop device support (NEW)
<*> RAM disk support
(4096) Default RAM disk size (NEW)
[*] Initial RAM disk (initrd) support
File systems --->
<*> Ext3 journalling file system support
<*> Second extended fs support
(important note: do not enable /dev file system support) |
Compile the kernel and install it:
make dep bzImage make modules modules_install cp arch/i386/boot/bzImage /boot/vmlinuz-2.4.23 |
If grub is your bootloader, update /boot/grub/menu.lst or /boot/grub/grub.conf:
cat > /boot/grub/menu.lst << EOF
default 0
timeout 10
color green/black light-green/black
title Linux
root (hd0,2)
kernel /boot/vmlinuz-2.4.23 ro root=/dev/hda3 vga=4
EOF |
Otherwise, update /etc/lilo.conf and run lilo:
cat > /etc/lilo.conf << EOF
lba32
boot=/dev/hda
prompt
timeout=100
image=/boot/vmlinuz-2.4.23
label=Linux
read-only
root=/dev/hda3
vga=4
EOF
lilo |
You may now restart the system.
The losetup program, which is part of the util-linux package, must be patched and recompiled in order to add strong cryptography support. Download, unpack and patch util-linux:
wget http://ftp.cwi.nl/aeb/util-linux/util-linux-2.12.tar.gz tar -xvzf util-linux-2.12.tar.gz cd util-linux-2.12 patch -Np1 -i ../loop-AES-v2.0b/util-linux-2.12.diff |
To use passwords that are less than 20 characters, enter:
CFLAGS="-O2 -DLOOP_PASSWORD_MIN_LENGTH=8"; export CFLAGS |
If security is important, please do not enable passwords shorter than 20 characters. Security is not free, one has to 'pay' in form of long passwords.
Compile losetup and install it as root:
./configure && make lib mount cp -f mount/losetup /sbin rm -f /usr/share/man/man8/losetup.8.gz cp -f mount/losetup.8 /usr/share/man/man8 |