Gentoo's Bugzilla – Attachment 15994 Details for
Bug 15178
Convert CryptoAPI forum thread into xml
The full XML of the guide.
crypto-ppc.xml (text/plain), 7.89 KB, created by
Zack Gilburd (RETIRED)
on 2003-08-12 15:01:27 UTC
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
<guide link="/doc/en/crypto-ppc.xml">
<title>Gentoo Linux CryptoAPI on PPC Guide</title>

<author title="Author">
  <mail link="doctomoe@gentoo.org">Oliver Reisch</mail>
</author>
<author title="Editor">
  <mail link="klasikahl@gentoo.org">Zack Gilburd</mail>
</author>

<abstract>
  This document will guide you through the steps necessary to attach an encrypted partition or virtual volume to a loopback device and then mount it as a normal volume in your file system.
</abstract>

<license/>

<version>0.1.0</version>
<date>12th of August 2003</date>

<chapter>
  <title>About the Technology</title>
  <section>
    <body>

    <p>
    Once CryptoAPI is implemented on your system you can encrypt parts of your system that might hold sensitive information, for instance your <path>/home</path>. The ciphers available are AES, MARS, RC6, Serpent, Twofish, 3DES, Blowfish, CAST5, GOST, IDEA and a few others. Most of them support the use of 256 bit keys.
    </p>

    </body>
  </section>
</chapter>

<chapter>
  <title>Implementation</title>
  <section>
    <title>Emerging the Kernel</title>
    <body>

    <p>
    The first step we need to take is to emerge the necessary kernel for CryptoAPI support.
    </p>

<pre caption="emerge sys-kernel/ppc-sources-crypto">
# <c>emerge rsync</c>
# <c>emerge ppc-sources-crypto</c>
# <c>USE="crypt" emerge linux-utils</c>
</pre>

    </body>
  </section>
  <section>
    <title>Configuring and Installing the Kernel</title>
    <body>

    <p>
    We will now configure the kernel to our system's needs.
    </p>

<pre caption="Configuring">
# <c>cd /usr/src/linux-ppc-crypto-2.4.20</c>
<comment>This will generate a default config which should work fine on most machines.
It also has all the ciphers enabled as modules so you can load those you need into
the kernel.</comment>
# <c>make oldconfig</c>
# <c>make menuconfig</c>
<comment>You only need to do this if you want to modify any kernel options. For the CryptoAPI
settings, I suggest you go with the default ones.</comment>
</pre>

    <p>
    We will now compile and install the kernel.
    </p>

<pre caption="Compiling and Installing">
# <c>make dep &amp;&amp; make clean vmlinux modules modules_install</c>
# <c>cp vmlinux /boot/vmlinux-2.4.20-ppc-crypto</c>
# <c>cp System.map /boot/System.map-2.4.20-ppc-crypto</c>
</pre>

    <p>
    We now need to add an entry for the kernel to <path>/etc/yaboot.conf</path> and then run <c>ybin</c>.
    </p>

    <p>
    Finally, we need to update the list of modules that will be loaded at boot.
    </p>

<pre caption="/etc/modules.d/cryptoapi">
<comment>First you need to open up the file with your editor of choice, then add the following lines.</comment>
keep
path[cciphers]=/lib/modules/`uname -r`/kernel/crypto/ciphers
keep
path[cdigests]=/lib/modules/`uname -r`/kernel/crypto/digests
keep
path[cdrivers]=/lib/modules/`uname -r`/kernel/crypto/drivers
</pre>

    <p>
    Now we will take the final steps before rebooting into the new kernel.
    </p>

<pre caption="Update modules and reboot">
# <c>modules-update</c>
# <c>reboot</c>
</pre>

    </body>
  </section>
</chapter>

<chapter>
  <title>Configuration</title>
  <section>
    <title>Creating the encrypted volume</title>
    <body>

    <p>
    Now that you have booted into the CryptoAPI-enabled kernel, we can begin creating the encrypted volume(s). As an example, we will create a 50MB volume which we will encrypt with the Serpent cipher and then mount to <path>/mnt/secret</path>.
    </p>

    <warn>
    Do not create the example volume in <path>/tmp</path> if you plan on putting data there that you need to keep.
    </warn>

<pre caption="Create the Volume">
# <c>dd if=/dev/urandom of=/tmp/secretvolume bs=1M count=50</c>
</pre>

    <p>
    This may take a while. We used urandom instead of zero to better hide the encrypted data within the volume. If we had zeroed it, it would be easy to detect where the encrypted data was located.
    </p>

    </body>
  </section>
  <section>
    <title>Mounting the Volume</title>
    <body>

    <p>
    First we need to make sure that the modules we need are loaded into the system. If you have used the default kernel configuration, all you need to do is <c>modprobe</c> the cipher you want to use (in this case: Serpent).
    </p>

<pre caption="Loading the Module">
# <c>modprobe cipher-serpent</c>
</pre>

    <p>
    We will now attach the volume to a loop device and, in the same step, set the passphrase that will be used to decrypt the information contained in the volume.
    </p>

    <impo>
    When asked for the passphrase, type it carefully because you will not be asked to verify the password by typing it again. Also, do not worry about the size of your passphrase - it is irrelevant since it will be drawn out to 256 bits.
    </impo>

<pre caption="Attaching the Volume">
# <c>losetup -e serpent -k 256 /dev/loop0 /tmp/secretvolume</c>
</pre>

    <p>
    We will now create a filesystem on the encrypted volume. You can choose almost any file system you like; for the purpose of this guide we will be using ext3.
    </p>

    <impo>
    Make sure you have support for the filesystem you plan on using either compiled into the kernel or built as a module.
    </impo>

<pre caption="Creating the Filesystem">
# <c>mkfs -t ext3 /dev/loop0</c>
</pre>

    <p>
    We can now finally mount the volume.
    </p>

<pre caption="Mounting the Volume">
<comment>Make the mount point if you have not already done so.</comment>
# <c>mkdir /mnt/secret</c>
# <c>mount -t ext3 /dev/loop0 /mnt/secret</c>
</pre>

    <p>
    You now have access to <path>/mnt/secret</path> just like you would any other directory or volume on your system. Once you have stored your sensitive data on the volume you can unmount it.
    </p>

<pre caption="Unmounting the Volume">
# <c>umount /mnt/secret</c>
# <c>losetup -d /dev/loop0</c>
</pre>

    </body>
  </section>
</chapter>

<chapter>
  <title>Tips and Tricks</title>
  <section>
    <title>Configuring for Greater Accessibility</title>
    <body>

    <p>
    You can make an entry in your fstab that will allow you to mount and unmount the volume without having to enter the <c>losetup</c> command each time.
    </p>

<pre caption="/etc/fstab">
/tmp/secretvolume /mnt/secret ext3 user,defaults,noauto,loop,encryption=serpent,keybits=256 0 0
</pre>

    <p>
    Once you have added the line, you can easily mount the volume.
    </p>

<pre caption="Mounting the Volume">
# <c>mount /mnt/secret</c>
<comment>You will now be prompted for your passphrase.</comment>
</pre>

    <p>
    Unmounting the volume also becomes easier.
    </p>

<pre caption="Unmounting the Volume">
# <c>umount /mnt/secret</c>
</pre>

    </body>
  </section>
  <section>
    <title>Scripts for Easier Mounting</title>
    <body>

    <p>
    This script will ask you for the passphrase twice and then mount the volume. That way, you will be less prone to entering a wrong passphrase. We will call the script <c>mount-secret</c>.
    </p>

<pre caption="mount-secret">
#!/bin/bash

echo "Mounting crypted volume to /mnt/secret..."

if cat /etc/mtab | grep "/mnt/secret" >/dev/null
then
  echo "Volume already mounted..."
  exit
else
  until [ "$PASS1" = "$PASS2" -a -n "$PASS1" ]; do
    # The bash read builtin has to support the -s option.
    # Don't use read without -s!!
    read -s -p "Enter Passphrase: " PASS1; echo
    read -s -p "Re-enter Passphrase: " PASS2; echo
  done

  echo "$PASS1" | mount -p 0 "/mnt/secret"

  cd /mnt/secret

fi
</pre>

    <p>
    We now need to make the script executable.
    </p>

<pre caption="chmodding the Script">
# <c>chmod +x mount-secret</c>
</pre>

    <p>
    Once we have chmodded the script, we can execute it.
    </p>

<pre caption="Executing the Script">
# <c>./mount-secret</c>
</pre>

    </body>
  </section>
</chapter>
</guide>
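A hardened variant of the guide's `mount-secret` script, added here as an example and not part of the attached guide. It matches the mount-point field of the mtab exactly, reads the passphrase with `-r` so backslashes stay literal, and reports a failed mount; the `MTAB` override, the function names and the `mount` argument are assumptions made for illustration.

```bash
#!/bin/bash
# Added example: hardened variant of the guide's mount-secret script.
MOUNT_POINT="/mnt/secret"    # mount point from the guide's fstab entry
MTAB="${MTAB:-/etc/mtab}"    # overridable path (assumption, to allow testing)

# True only when $1 is exactly the mount-point field (column 2) of a line in
# the mtab-format file $2. A plain grep for the path also matches
# /mnt/secret2 or a device path that merely contains the string.
is_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' "$2"
}

# True only when both entries are identical and non-empty.
passphrases_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

mount_secret() {
    local pass1="" pass2=""
    if is_mounted "$MOUNT_POINT" "$MTAB"; then
        echo "Volume already mounted on $MOUNT_POINT" >&2
        return 0
    fi
    until passphrases_match "$pass1" "$pass2"; do
        # -s keeps the passphrase off the screen; -r keeps backslashes literal.
        IFS= read -r -s -p "Enter Passphrase: " pass1 || return 1; echo
        IFS= read -r -s -p "Re-enter Passphrase: " pass2 || return 1; echo
    done
    # printf is a shell builtin, so the passphrase never appears in argv.
    # "-p 0" (read the passphrase from fd 0) is the option the guide uses.
    if ! printf '%s\n' "$pass1" | mount -p 0 "$MOUNT_POINT"; then
        unset pass1 pass2
        echo "mount failed; check the passphrase and the fstab entry" >&2
        return 1
    fi
    unset pass1 pass2
}

# Run only when asked to, so the functions can be sourced and tested.
if [ "${1:-}" = "mount" ]; then
    mount_secret
fi
```

Invoke it as `./mount-secret mount`; without the argument the file only defines the functions.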