Loopback Encrypted Filesystem HOWTO

Loopback Encrypted Filesystem HOWTO

�@�̡GRyan T. Rhea, [email protected]
Ķ�̡G�� [email protected]

v1.1, 29 November 1999 ½Ķ��G2000�~1��15��
_________________________________________________________________

��p��w�˩M�ϥΤ@�بϥΪ̥[��i�ʺA�M�L�ݱĨ��S�O�B�J�N��[
�K��ɤ��e��ɨt�ΡC�o�ؤ�ɨt�Φs��b�q�`��󤺡A��i�@��ä��
�áA�]�i�ϥη��i��|�Q��@��ɦW�٦s��A�H��ƾڸ��x�s��w
��C
_________________________________________________________________

1. �e��

2. �ɨ�

3. �K�n

4. �ԲӤ��e
_________________________________________________________________

1. �e��

�إ߳o�Ӥ�ɨt�λݭn��֪��N�X�B�s��N�X��O�M�@�ߡA�P�ɱj�P��ĳ
��H�ɦ��ҰʽL�i�ΡC �⭫�n��ƪ��s��b�[�K��ɨt�Τ��e�A��s
�@�ƥ��O�s�A �]��s��b�q��Ƴ��D��l�a��i��Ϊ��i��C

�n��إ߳o�Ӥ�ɨt�ΡA�_�X�n�׸� Linux �� 2.2.9 ��C��׸ɪ��Ӹ`
�A ��U�� [1]�ԲӤ��e �@�`��e�C

��ַ��N�X�i�q�U�C��}�U��G

[2]ftp://ftp.kerneli.org/

��󭫽s��֪��{�ǥi�d�\�� HOWTO ��A��}�p�U�G

[3]http://metalab.unc.edu/LDP/HOWTO/

�o��i��γ��A��O�ΡA��ݲŦX�U�C��G

* �b��γ��C��v��M�o��P�N�ѡC
* ��½Ķ�Υѳo��ͦ��奻�b��o�e��o�@�̪��ѭ��P�N�C
* �p�G�u��o��峡��e�A�h��b��o��奻��C�J��o��媺�ԲӤ�
�k�M�~�|�C
* �夺�Ҧ��N�X�� GNU �@�뤽�@�\�i��O�@�C�\�i��e�i�q�L�ΦW
FTP ��}�U��G

[4]ftp://prep.ai.mit.edu/pub/gnu/COPYING/

2. �ɨ�

�o��L�{�ϥΡ�/dev/loop*��]�b�h�Ʀw�˨t�Τ�* �� 0-7 �^�[�� loopback ��
�ɨt�ΡC �ĥΦP�ؤ�k�i�N Linux ��ɨt�Τ��[�K�a�s��b�D Linux ��ΰ�
�C�b�e�z LDP ��}�W�s��_�o�譱�� HOWTO�C

��ɥ[�K��k˼�h�A�]�A XOR, DES, twofish, blowfish, cast128,
serpent, MARS, RC6, DFC �M IDEA�C ��losetup��{��u�@�K�O�N�[�K��ɩM
��ɨt�ΤΨ�K�X�p�t�b�@�_�C�ھں޲z kerneli.org �M��ڥ[�K�׸ɳn��
�]international crypto patches�^�� Alexander Kjeldaas ��ͪ��ݪk�A DES
�M losetup �ثe�ä��ݮe�C �o�O�Ѥ_�o��سn��B�z parity bit ��k��P
��t�G�C�ثe Linux �t�ΨõL�� DES ��p�e�A�]�� DES �K�X��[�K�{�פ�
��Y�K�C

Twofish, blowfish, cast128 �M serpent �K�X�i��N�ϥΡA�S��\�i��
��C ��L�K�X�i�঳�@�ǳ\�i��譱��W�w�C��ǱK�X�J��@�� AES �зǡC
�̫��w��K�X�N�@��@�ɧK�O�ϥΪ��K�X�C

��ϥ� serpent �[�K�k�[�K�A�]��o�إ[�K�k�O�K�ʱj�A�B�淥�֡A�P�ɮھ�
GPL ��W�w�i�K�O��o�C �b serpent ��󤤫��X�Aserpent �n��ϥ�
Ross Anderson, Eli Biham �M Lars Knudsen �]�p�� 128-bit ��K�X�աC
�o��ϥΪ̪��O�K�n�D��ѤF�̰��O�ҡA �]��ثe��A�õL�ѽX��²��k
�C�� serpent ��Ψ䷽�N�X�i�q�U�C��}�U��G

[5]http://www.cl.cam.ac.uk/~rja14/serpent.html

�o��󰲳]�ϥΪ̱N�K�X��s�J��֡C��L�A�K�X�]�i�@��Ҳսs�J�A ��b
�Ӥ�󤤨å��o�ؤ�k�[�H�Q�סC��L��k�]˼²��A�u�ݽs��
��/etc/conf.module��; �Ա��e��쪺��s�褺�֪� HOWTO ��C

3. �K�n

�o��L�{�A�γ\�h�B�J�C�b�U�` [6]�ԲӤ��e ��o�ǨB�J��Բӻ��C ��
�o�ǨB�J�@�X�K�n��]�\�O��D�N�A�]�� Unix �M Linux ��]�\��
�n�ԲӨB�J�C �o�ǨB�J�p�U�G

1. �U��̷s��ڥ[�K�׸ɳn�� (�s�g��ɪ��̷s��
��patch-int-2.2.10.4��)�G

[7]http://ftp.kerneli.org/pub/kerneli/
2. �׸ɤ��
3. �B�� 'config' (�� 'menuconfig' �� 'xconfig')�A��s��ֳ]�m
'MakeFile'�C �]�w�[�K��U�ӿﶵ�ä��b�@�_�C��A�n�]�w��ﶵ
��o�� 'Code Maturity level options' ��U�� 'Prompt for
development and/or incomplete code/drivers'�C�b 'Crypto options' ��
�U�� 'crypto ciphers' �M 'serpent' �ⶵ�C�b��A��]�ϥ�
serpent �[�K�A��L�]�i�եΨ�L��[�K��k�C �b��ݫ��X�ADES ��
2.2.10.4 ��ٻP�t�Τ��ݮe - ��p��Ӥ]��|�ݮe�C�b 'Block
Devices' �U��L�ӭ��n�ﶵ��ݿ�w�C�o�]�A 'Loopback device
support', 'Use relative block numbers as basis for transfer
functions (RECOMMENDED)' �M 'General encryption support' ��U��C��
�B��n�� 'cast 128' �� 'twofish' �[�K�C��~�b�U�غ��]��ݿ��
��[�K�ﶵ�C ��֪��]�m��k��i�Ѿ\ LDP ��A��b��B�A��
�حz�C
4. �s��s��
5. �s�� '/etc/lilo.conf'�A�H�K�b�]�m��ɤ��W�[�s��֡C�B�� 'lilo -v'
�N��֥[�� boot loader ��C
6. �q�U�C��}�U��̷s�� 'util-linux' ��N�X (��B�ϥ�
'util-linux-2.9v' ��)�G

[8]ftp://ftp.kernel.org/pub/linux/utils/util-linux/
7. �� 'util-linux' ��N�X�C
8. �Q�Φb '/usr/src/linux/Documentation/crypto/' �ؿ��׸ɳn��
�C
9. �J�Ӿ\Ū 'INSTALL'�C�o�M�n�󤺦��\�h�P�t�Φ��ɪ��N�X �]��n
��u��p'login', 'passwd'�M'init'��^�C�p�G�b�s��o�Ƿ��N�X��e ��
�J�Ӧa�s�� MCONFIG�A�̦n��Y�H�ɦ��Ұʤ��i�ΡA�]��t��H�ɳ��|��
�C �򥻤W�A�N�Ҧ� 'HAVE_*' ��]��yes��A�ϩҦ��n��t�γn�󳣤�
�|�Q��C �ݭn��ت��u��O 'mount' �M 'losetup'�A�H�A�X�s��[�K��
�n�C �Ӹ`��ѬݤU�� [9]�ԲӤ��e �C
10. �s��M�w�� 'util-linux'�C
11. �ηs��֭��s�Ұʹq��C
12. �s�� '/etc/fstab'�A�W�[�[��I�A�B�J�p�U�G
______________________________________________________________

/dev/loop0 /mnt/crypt ext2 user,noauto,rw,loop 0 0
______________________________________________________________

13. �p�W�� '/mnt/crypt' ��覡�A�إ߯ব�s��ɨt�Ϊ��ؿ��C
14. �@��ϥΪ̡A��s�[�K��ɦp�U�G

dd if=/dev/urandom of=/etc/cryptfile bs=1M count=10

15. �B�� losetup �p�U�G

losetup -e serpent /dev/loop0 /etc/cryptfile

�`�N�G�]�w�ϥαK�X��|�u��@��C�i�ΤU�C��O�d�֨ϥαK�X�G

losetup -d /dev/loop0

�o��O�|�� loop device ��@�ΡC�H��A�Ұ� losetup �N�i��ըϥ�
�K�X�A��k�p�U�G

losetup -e serpent /dev/loop0 /etc/cryptfile

16. �]�w ext2 ��ɨt�Φp�U�G

mkfs -t ext2 /dev/loop0 100000

17. ��ɴN�i�[��[�K��ɨt�ΡG

mount -t ext2 /dev/loop0 /mnt/crypt

18. ��[�K��A�i��M�O�@��ɨt�Φp�U�G

umount /dev/loop0
losetup -d /dev/loop0'

4. �ԲӤ��e

��֭׸ɳn��G

�i�q��2.2.x��ֶ}�l�׸ɤ��֡C��2.2.x��ֽs�g��׸ɳn��
��a��{�ǡ]bugfixes�^�C �s�\�ೣ�|�[�J Linux ��2.3.x��}�o��֡C
�׸ɤ��֪��k�O��o�Ҧ��׸ɳn��A �M��H�U�C��O�׸ɡG

cd /usr/src
gzip -cd patchXX.gz patch -p0

��_ xx �U��׸ɡA�q��ǧC�� xx ��V�̦��׸ɡC

��ַ��N�X��q�{�ؿ��O '/usr/src/linux'�C�p��N�X�b��L�ؿ��A�i�q
'/usr/src/linux' �إߤ@�ӲŸ��s��]symbolic link�^�C

�� 'util-linux' ��s��]�w 'MCONFIG'�G

�H�U�O�s�� 'util-linux' �ɭק� 'MCONFIG' �ɪ��e�C�H�ۨt�Ϊ��
�P�A�ק�覡�ä��ۦP�A ��B�򥻤W�H RedHat 5.2 ��ǡC��䤧�B�O��n
�л\��n��t�Τu��A�� p'login'�B'getty'��'passwd' ��C�H�U�C�X�@�ǭ�
�n��]�w�G
______________________________________________________________

CPU=$(shell uname -m sed s/I.86/intel/)

LOCALEDIR=/usr/share/locale

HAVE_PAM=no

HAVE_SHADOW=yes

HAVE_PASSWD=yes

REQUIRE_PASSWORD=yes

ONLY_LISTED_SHELLS=yes

HAVE_SYSVINIT=yes

HAVE_SYSVINIT_UTILS=yes

HAVE_GETTY=yes

USE_TTY_GROUP=yes

HAVE_RESET=yes

HAVE_SLN=yes

CC=gcc
______________________________________________________________

��ĳ�G

�q'dev/loop0' �� '/dev/loop7'�A�o 8 �� loopback devices ��i�Τ_��B�C
�Q�Υؿ��W�٤��㲴��ؿ��@��[��I�C��b home �ؿ��إߤ@��v��
700 ��[�K�ؿ��C �]�Τ��㲴��ؿ��s��[�K��ɡC��b '/etc' ��ϥ�
'sysfile' �� 'config.data' �o��W�١C �@��o��W�٪��ؿ��Τ�ɳ��Ө�
�H�`�N�C

�U�C Perl �}��i�Τ_�[��M��ɨt�ΡC�N��ۤJ�t�ΡA�令�i�B��
�]chmod u+x�^�A �M��s��b��|�ؿ��C
______________________________________________________________

#!/usr/bin/perl -w
#
#minimal utility to setup loopback encryption filesystem
#Copyright 1999 by Ryan T. Rhea
`losetup -e serpent /dev/loop0 /etc/cryptfile`;
`mount /mnt/crypt`;
______________________________________________________________

�N�W�z�}��٬� 'loop'�A�N�i�Τ@�ӫ��O�]'loop'�^�M�K�X�]�w loopback �[�K
��ɨt�ΡC
______________________________________________________________

#!/usr/bin/perl -w
#
#minimal utility to deactivate loopback encryption filesystem
#Copyright 1999 by Ryan T. Rhea
`umount /mount/crypt`;
`losetup -d /dev/loop0`;
______________________________________________________________

�N�o�Ӹ}��٬� 'unloop'�A�H��u�n��J 'unloop' �N�i�ߧY��o�Ӥ�ɨt��
��B�@�C

References

1. file://localhost/tmp/zh-sgmltools.26907/Loopback-Encrypted-Filesystem-HOWTO.txt.html#%B8%D4%B2%D3%A4%BA%AEe
2. ftp://ftp.kerneli.org/
3. http://metalab.unc.edu/LDP/HOWTO/
4. ftp://prep.ai.mit.edu/pub/gnu/COPYING/
5. http://www.cl.cam.ac.uk/~rja14/serpent.html
6. file://localhost/tmp/zh-sgmltools.26907/Loopback-Encrypted-Filesystem-HOWTO.txt.html#%B8%D4%B2%D3%A4%BA%AEe
7. http://ftp.kerneli.org/pub/kerneli/
8. ftp://ftp.kernel.org/pub/linux/utils/util-linux/
9. file://localhost/tmp/zh-sgmltools.26907/Loopback-Encrypted-Filesystem-HOWTO.txt.html#%B8%D4%B2%D3%A4%BA%AEe