Next Previous Contents

3. Summary

There are many steps involved in the process. I will provide Details for these steps in the next section. I thought it would be nice to provide a summary first to provide reference (if you are experienced with unix/linux you probably don't need the details anyway). Here they are summarized as follows:

  1. Download the newest international crypto patch (I used 'patch-int-2.2.10.4' at the time this document was written) from:

    http://ftp.kerneli.org/pub/kerneli/

  2. Patch the kernel

  3. Run 'config' (or 'menuconfig' or 'xconfig') to configure your 'MakeFile' for the new kernel. The options to enable encryption are scattered. First of all, before you will see any other options you must enable 'Prompt for development and/or incomplete code/drivers' under 'Code Maturity level options'. Under 'Crypto options' enable 'crypto ciphers' and 'serpent'. Once again, this document assumes you are using serpent, but try whatever you want. Remember that DES is known to be incompatible as of 2.2.10.4 - it may never be supported at all. There are several important options to select under 'Block Devices'. These include 'Loopback device support', 'Use relative block numbers as basis for transfer functions (RECOMMENDED)', and 'General encryption support'. DO NOT select 'cast 128' or 'twofish' encryption here. Also note that you don't need any of the crypto options under the various network categories. I will not go any further into configuration of the kernel, it is out of the scope of this document and can be found at the LDP site.

  4. Compile the new kernel.

  5. Edit '/etc/lilo.conf' to add the new kernel image. Run 'lilo -v' to add the kernel to the boot loader.

  6. Download the source for the newest 'util-linux' (I used 'util-linux-2.9v') package from:

    ftp://ftp.kernel.org/pub/linux/utils/util-linux/

  7. Extract the 'util-linux' source.

  8. Apply the corresponding patch found in your '/usr/src/linux/Documentation/crypto/' directory.

  9. CAREFULLY read the 'INSTALL' file! This package contains the sources for many system dependent files (important tools such as 'login', 'passwd', and 'init'). If you don't carefully edit the MCONFIG file before compiling these sources have a boot disk and/or shotgun ready because your system will be quite confused. Basically you want to set almost all of the 'HAVE_*' fields equal to yes so that the important authentication tools are not compiled and written over. The tools you do want rebuilt are 'mount' and 'losetup' to accommodate the new encryption schemes. I suggest that you refer to the Details section below for this step.

  10. Compile and install the 'util-linux' source

  11. Reboot the machine with the new kernel.

  12. Edit '/etc/fstab', adding an entry for your mount point as follows:


    
    /dev/loop0  /mnt/crypt  ext2  user,noauto,rw,loop 0 0
    

  13. Create the directory that will hold your filesystem, as in '/mnt/crypt' above.

  14. As the user, create your encrypted file as follows:

    
    dd if=/dev/urandom of=/etc/cryptfile bs=1M count=10
    

  15. Run losetup as follows:

    
    losetup -e serpent /dev/loop0 /etc/cryptfile
    

    You only have one chance to enter the password, be careful. If you want to double-check your password, you can use the command:

    
    losetup -d /dev/loop0
    

    This will deactivate your loop device. Next you will run losetup again to test your password, as follows:

    
    losetup -e serpent /dev/loop0 /etc/cryptfile
    

  16. Make your ext2 filesystem as follows:

    
    mkfs -t ext2 /dev/loop0
    

  17. Now you can mount the encrypted filesystem with:

    
    mount -t ext2 /dev/loop0 /mnt/crypt
    

  18. When your done, you want to unmount and protect your filesystem as follows:

    
    umount /dev/loop0
    losetup -d /dev/loop0
    


Next Previous Contents