Gentoo Linux CryptoAPI on PPC Guide
Oliver Reisch
Zack Gilburd

This document will guide you through the steps necessary to attach an encrypted partition or virtual volume to a loopback device and then mount it as a normal volume into your file system.

Version 0.1.0, 12th of August 2003

About the Technology

Once CryptoAPI is available on your system you can encrypt the parts of it that hold sensitive information, for instance your /home. The ciphers available are AES, MARS, RC6, Serpent, Twofish, 3DES, Blowfish, CAST5, GOST, IDEA and a few others. Most of them support 256-bit keys.

Implementation
Emerging the Kernel

The first step we need to take is to emerge the necessary kernel for CryptoAPI support.

# emerge rsync
# emerge ppc-sources-crypto
# USE="crypt" emerge linux-utils
Configuring and Installing the Kernel

We will now configure the kernel to our system's needs.

# cd /usr/src/linux-ppc-crypto-2.4.20
(This will generate a default config which should work fine on most machines. It also has all the ciphers enabled as modules, so you can load the ones you need into the kernel.)
# make oldconfig
(You only need to do this if you want to modify any kernel options; for the CryptoAPI settings I suggest you go with the default ones.)
# make menuconfig

We will now compile and install the kernel.

# make dep && make clean vmlinux modules modules_install
# cp vmlinux /boot/vmlinux-2.4.20-ppc-crypto
# cp System.map /boot/System.map-2.4.20-ppc-crypto

We now need to add an entry for the new kernel to /etc/yaboot.conf and then run ybin so that it becomes bootable.

Finally, we need to update the list of modules that will be loaded at boot.

First open the modules configuration file (under /etc/modules.d/; modules-update assembles these files into /etc/modules.conf) with your editor of choice and add the following lines. The keep keyword tells modprobe to retain its default module search paths in addition to the ones added here.
keep
path[cciphers]=/lib/modules/`uname -r`/kernel/crypto/ciphers
keep
path[cdigests]=/lib/modules/`uname -r`/kernel/crypto/digests
keep
path[cdrivers]=/lib/modules/`uname -r`/kernel/crypto/drivers

Now we will take the final steps before rebooting into the new kernel.

# modules-update
# reboot
Configuration
Creating the encrypted volume

Now that you have booted into the CryptoAPI-enabled kernel, we can begin creating the encrypted volume(s). As an example, we will create a 50MB volume which we will encrypt with the Serpent cipher and then mount at /mnt/secret.

Do not create the example volume in /tmp if you plan on putting data there that you need to keep.
# dd if=/dev/urandom of=/tmp/secretvolume bs=1M count=50

This may take a while. We used /dev/urandom instead of /dev/zero so that the encrypted data is indistinguishable from the unused remainder of the volume. Had we zeroed it, it would be easy to detect where the encrypted data was located and how much of it there is.
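To see why the container is filled from /dev/urandom rather than /dev/zero, the following added example (it is not part of the original guide) measures how much of a file is non-zero and where the first non-zero byte sits. It builds two small constructed containers, one zeroed and one random, writes a stand-in block of "ciphertext" into both, and reports both measurements; the file and function names are this example's own.

```shell
#!/bin/sh
# Added example: on a zero-filled container, the count of non-NUL bytes and
# the offset of the first one reveal how much ciphertext was written and
# where. On a urandom-filled container essentially every byte is non-zero
# before and after use, so the same measurements reveal nothing.
set -e

# nonzero_bytes FILE: number of bytes in FILE that are not \000.
nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# first_nonzero_offset FILE: 0-based offset of the first non-NUL byte, or -1.
# od prints one hex byte per field; tr/grep turn that into one byte per line.
first_nonzero_offset() {
    od -An -v -tx1 "$1" | tr -s ' ' '\n' | grep -v '^$' | awk '
        $1 != "00" { print NR - 1; found = 1; exit }
        END { if (!found) print -1 }'
}

# make_demo: constructed demo data. Two 8 KiB containers, "zeroed" (from
# /dev/zero) and "random" (from /dev/urandom), each with 2 KiB of stand-in
# "ciphertext" (the byte 'c') written at offset 4 KiB. Prints the directory.
make_demo() {
    dir=$(mktemp -d)
    dd if=/dev/zero    of="$dir/zeroed" bs=1024 count=8 2>/dev/null
    dd if=/dev/urandom of="$dir/random" bs=1024 count=8 2>/dev/null
    for f in zeroed random; do
        dd if=/dev/zero bs=1024 count=2 2>/dev/null | tr '\000' 'c' \
            | dd of="$dir/$f" bs=1024 seek=4 conv=notrunc 2>/dev/null
    done
    echo "$dir"
}

# report: run both measurements on the demo containers and clean up.
report() {
    dir=$(make_demo)
    for f in zeroed random; do
        printf '%-7s non-zero bytes: %5s  first non-zero at: %s\n' \
            "$f" "$(nonzero_bytes "$dir/$f")" "$(first_nonzero_offset "$dir/$f")"
    done
    rm -rf "$dir"
}

report
```

For the zeroed container the report shows 2048 non-zero bytes starting at offset 4096, which is exactly the size and position of the data written; for the random one it shows roughly all 8192 bytes non-zero from (almost) offset 0, both before and after the write. The od-based offset scan is fine for a demonstration but slow on a 50MB volume; the non-zero count alone is enough to make the point.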

Mounting the Volume

First we need to make sure that the modules we need are loaded into the system. If you have used the default kernel configuration, all you need to do is modprobe the cipher you want to use (in this case: Serpent).

# modprobe cipher-serpent

We will now attach the volume to a loop device and set the passphrase that will be used to decrypt the information contained in the volume.

When asked for the passphrase, type it carefully because you will not be asked to verify it by typing it again. Also, do not worry about fitting your passphrase to a particular size: whatever its length, it is hashed down to the 256-bit key. (Hashing adds no entropy, so a longer passphrase still makes for a stronger key.)
# losetup -e serpent -k 256 /dev/loop0 /tmp/secretvolume

We will now create a filesystem on the encrypted volume. You can choose almost any filesystem you like; for the purpose of this guide we will be using ext3.

Make sure you have support for the filesystem you plan on using either compiled into the kernel or made as a module.
# mkfs -t ext3 /dev/loop0

We can now finally mount the volume.

Make the mount point if you have not already done so.
# mkdir /mnt/secret
# mount -t ext3 /dev/loop0 /mnt/secret

You now have access to /mnt/secret just like you would any other directory or volume on your system. Once you have stored your sensitive data on the volume you can unmount it.

# umount /mnt/secret
# losetup -d /dev/loop0
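The steps above (create, attach, mkfs, mount, umount, detach) are easy to run in the wrong order or against the wrong device. The following added wrapper script is not part of the original guide; it uses the guide's own paths and names (/tmp/secretvolume, /dev/loop0, /mnt/secret, serpent, 256) and adds the checks a careless run would skip: it refuses to overwrite an existing volume, confirms the cipher module is loaded, refuses to attach to a loop device that is already in use, and detaches the loop device again if the mount fails. The function names and the argument convention of the two helpers are this example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): lifecycle wrapper for the
# encrypted loopback volume with the safety checks described above.
set -eu

VOLUME=/tmp/secretvolume
LOOPDEV=/dev/loop0
MNT=/mnt/secret
CIPHER=serpent
KEYBITS=256

# is_mounted MTAB MOUNTPOINT: true when MOUNTPOINT appears as a mount point
# in the mtab-format file MTAB (normally /etc/mtab). Comparing the second
# field avoids the substring match of 'grep /mnt/secret /etc/mtab', which
# would also match /mnt/secret2.
is_mounted() {
    awk -v mp="$2" '$2 == mp { found = 1 } END { exit !found }' "$1"
}

# cipher_loaded NAME MODULES: true when module NAME is listed in the
# /proc/modules-format file MODULES. Hyphen and underscore are treated alike
# because the module file is cipher-serpent.o while the kernel may report
# the loaded name with either (assumption made for portability).
cipher_loaded() {
    want=$(printf '%s' "$1" | tr '-' '_')
    awk -v want="$want" '
        { n = $1; gsub("-", "_", n); if (n == want) f = 1 }
        END { exit !f }' "$2"
}

# loop_free DEV: true when nothing is attached to DEV. 'losetup DEV' prints
# the attached file and exits 0, or exits non-zero when the device is free.
loop_free() {
    ! losetup "$1" >/dev/null 2>&1
}

create() {   # create [MB]: fill a new container from /dev/urandom
    if [ -e "$VOLUME" ]; then
        echo "refusing to overwrite existing $VOLUME" >&2
        exit 1
    fi
    dd if=/dev/urandom of="$VOLUME" bs=1M count="${1:-50}"
}

attach() {   # load the cipher if needed, then losetup (prompts for passphrase)
    if ! cipher_loaded "cipher-$CIPHER" /proc/modules; then
        modprobe "cipher-$CIPHER"
    fi
    if ! loop_free "$LOOPDEV"; then
        echo "$LOOPDEV is already in use" >&2
        exit 1
    fi
    losetup -e "$CIPHER" -k "$KEYBITS" "$LOOPDEV" "$VOLUME"
}

mkfs_vol() { # only on a freshly created volume: destroys any existing data
    attach
    mkfs -t ext3 "$LOOPDEV"
    losetup -d "$LOOPDEV"
}

mount_vol() {
    if is_mounted /etc/mtab "$MNT"; then
        echo "$MNT is already mounted" >&2
        exit 1
    fi
    mkdir -p "$MNT"
    attach
    # If the mount fails (wrong passphrase gives an unreadable filesystem),
    # release the loop device instead of leaving it attached.
    mount -t ext3 "$LOOPDEV" "$MNT" || { losetup -d "$LOOPDEV"; exit 1; }
}

umount_vol() {
    umount "$MNT"
    losetup -d "$LOOPDEV"
}

case "${1:-}" in
    create) create "${2:-50}" ;;
    mkfs)   mkfs_vol ;;
    mount)  mount_vol ;;
    umount) umount_vol ;;
    '')     ;;   # no subcommand: only define the functions
    *)      echo "usage: $0 create [MB] | mkfs | mount | umount" >&2; exit 1 ;;
esac
```

Run it as root in the order ./secret-volume create, ./secret-volume mkfs, then ./secret-volume mount and ./secret-volume umount for everyday use; the two helpers take the file to inspect as an argument so they can be exercised against a copy of /etc/mtab or /proc/modules without root.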
Tips and Tricks
Configuring for Greater Accessibility

You can make an entry in /etc/fstab that will allow you to mount and unmount the volume without having to enter the losetup command each time.

/tmp/secretvolume     /mnt/secret  ext3  user,defaults,noauto,loop,encryption=serpent,keybits=256   0 0

Once you have added the line, you can easily mount the volume.

# mount /mnt/secret
You will now be prompted for your passphrase.

Unmounting the volume also becomes easier.

# umount /mnt/secret
Scripts for Easier Mounting

This script will ask you for the passphrase twice and then mount the volume. That way, you will be less prone to entering a wrong passphrase. We will call the script mount-secret.

#!/bin/bash

echo "Mounting crypted volume to /mnt/secret..."

if grep -q "/mnt/secret" /etc/mtab
then
        echo "Volume already mounted..."
        exit 0
else
        # Ask twice and loop until both entries match and are non-empty.
        until [ "$PASS1" = "$PASS2" -a -n "$PASS1" ]; do
                # The bash read builtin has to support the -s option, which
                # keeps the passphrase from being echoed. Don't use read without -s!
                read -s -p "Enter Passphrase: " PASS1; echo
                read -s -p "Re-enter Passphrase: " PASS2; echo
        done

        # -p 0 makes mount read the passphrase from file descriptor 0 (stdin)
        # instead of prompting on the terminal.
        echo "$PASS1" | mount -p 0 "/mnt/secret" || exit 1

        cd /mnt/secret
fi

We now need to make the script executable.

# chmod +x mount-secret

Once we have chmodded the script, we can execute it.

# ./mount-secret