2. Procedure

2.1. Prepare the Keychain

If you're taking the approach of encrypting only a file instead of a disk or a partition, you may skip this section and proceed directly to Section 2.2.

In the ideal setup you will use a bootable keychain device, such as a USB flash drive or a business card size CD-ROM. This is because we want to expose as little of your disk as possible, but we're going to have to expose a minimal boot process or the computer will never start. Since the boot process will be necessarily unencrypted, it's better to have it away from your computer (on your keychain). If you can't or don't want to use a bootable keychain for some reason, then follow these instructions anyway but instead apply them to a small boot partition on your disk instead of the keychain.

In the following example the keychain shows up as the first SCSI drive /dev/sda. Replace /dev/sda with the device for your drive as appropriate.

The first step—zeroing out the keychain—is technically unnecessary, but it will make the keychain backup smaller if you back it up as an image as I suggest in Section 2.4.

bash# dd if=/dev/zero of=/dev/sda

Next, partition the keychain as you would any bootable disk. See the Linux Partition HOWTO if you need help with partitioning.

bash# cfdisk /dev/sda

Put a file system on the first partition.

bash# mkfs /dev/sda1

Mount the keychain.

bash# mkdir /tmp/keychain bash# mount /dev/sda1 /tmp/keychain bash# cd /tmp/keychain

2.1.1. Build the Kernel

If you use the keychain with multiple computers you may want to build a different kernel for each one.

You probably need to build a custom kernel for your keychain so you can ensure two things:

• It has been patched correctly with loop-AES and encryption support is turned on.

• All the device drivers necessary to boot your computer and make the asset accessible have been compiled in instead of loaded as modules.

You can load device drivers as modules, since we're using an initrd, but I chose to compile them into the kernel in order to keep the boot disk as simple as possible. Feel free to do differently.

For help building a custom kernel read The Linux Kernel HOWTO. Be sure to set CONFIG_BLK_DEV_RAM in the kernel configuration so it can boot using an initrd.

Follow the directions that come with loop-AES to build the new loop driver. Also follow the directions to rebuild the util-linux tools, some of which we'll copy to the keychain later. Your distribution may have already built them for you (e.g., see the loop-aes-utils and loop-aes-source packages in Debian).

Once you've built the kernel, copy it to the keychain.

bash# mkdir boot bash# cp arch/i386/boot/bzImage boot/vmlinuz-laptop

Install GRUB or your favorite boot loader.

bash# grub-install --root-directory=. /dev/sda

Here is a sample menu.lst for GRUB. It has entries for two computers named laptop and desktop.

It is required to pass the name of the key (I suggest you name it after the computer) as the first parameter to linuxrc.

Example 1. /tmp/keychain/boot/grub/menu.lst

title laptop root (hd0,0) kernel /boot/vmlinuz-laptop root=/dev/ram0 init=/linuxrc laptop initrd /boot/initrd title desktop root (hd0,0) kernel /boot/vmlinuz-desktop root=/dev/ram0 init=/linuxrc desktop initrd /boot/initrd.old

2.1.2. Make the initrd

We boot the keychain using an initrd so we can remove it after the boot process starts (who wants a USB flash drive hanging out of their laptop while trying to look cool in a café?). To gain access to the asset we create a loopback device attached to the initrd's /dev/loop0. Putting the device file on the initrd means the initrd will have to stay mounted while the asset is mounted (not a big deal).

To learn all about making initial RAM disks you're welcome to read The Linux Bootdisk HOWTO and Linux's Documentation/initrd.txt, or don't bother and just follow along.

We start by choosing 4MB for the size of the initial RAM disk, all of which we won't need, but it's the conventional maximum size (and it won't hurt) so that's one less decision to make.

bash# head -c 4m /dev/zero > boot/initrd bash# mke2fs -F -m0 -b 1024 boot/initrd

Mount the initrd so we can work on it.

bash# mkdir /tmp/initrd bash# mount -o loop=/dev/loop3 boot/initrd /tmp/initrd bash# cd /tmp/initrd

Create the minimal directory structure we'll need.

bash# mkdir -p {bin,dev,lib,mnt/{keys,new-root},usr/sbin,sbin}

Create the minimal set of devices we'll need. Note that tty is necessary for the password prompt. This command assumes your asset is the drive /dev/hda. Change it as appropriate.

bash# cp -a /dev/{console,hda,loop0,loop1,tty} dev

We'll copy the six programs we'll need.

You can use which to find a program's full pathname, e.g.: bash# which mount /bin/mount

Copy the programs:

bash# cp /bin/{mount,sh,umount} bin bash# cp /sbin/{losetup,pivot_root} sbin bash# cp /usr/sbin/chroot usr/sbin

Use ldd to find out which shared libraries are used by each program:

bash# ldd /bin/{mount,sh,umount} /sbin/{losetup,pivot_root} /usr/sbin/chroot /bin/mount: libc.so.6 => /lib/libc.so.6 (0x40023000) /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000) /bin/sh: libncurses.so.5 => /lib/libncurses.so.5 (0x40020000) libdl.so.2 => /lib/libdl.so.2 (0x4005c000) libc.so.6 => /lib/libc.so.6 (0x4005f000) /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000) /bin/umount: libc.so.6 => /lib/libc.so.6 (0x40023000) /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000) /sbin/losetup: libc.so.6 => /lib/libc.so.6 (0x40023000) /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000) /sbin/pivot_root: libc.so.6 => /lib/libc.so.6 (0x40023000) /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000) /usr/sbin/chroot: libc.so.6 => /lib/libc.so.6 (0x40023000) /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

Copy the libraries. On my system I copied these libraries (yours may be different):

bash# cp /lib/{ld-linux.so.2,libc.so.6,libdl.so.2,libncurses.so.5} lib

2.2. Prepare the Asset

It's possible to repeat these steps as many times as you want to handle multiple computers using the same keychain. Each computer will have its own key and probably its own kernel. The instructions here assume the computer's name is laptop; substitute the name of the computer you're working with each time you repeat the steps.

First, back up your data. See the Linux Complete Backup and Recovery HOWTO.

No, stop, listen to me. Back up your data. Really. It's no fun to have an encrypted hard disk if you can't decrypt it because of some mistake you made. These tools are powerful magic; if you blow it you can't just call up Computer Gurus Are Us and expect them to get your data back for you. That's the whole point of this exercise.

If you are encrypting your whole disk (recommended), replace /dev/hda with the device for your disk.

bash# ln -s /dev/hda /tmp/asset

If you are encrypting a partition (multiboot case), replace /dev/hda3 with the device for your partition.

bash# ln -s /dev/hda3 /tmp/asset

If you are encrypting a file only, replace ~/encrypted with the name of the file and create a link named /tmp/keychain that points to where you decide to store your key file (an already prepared removable medium, e.g., /mnt/cf).

bash# ln -s ~/encrypted /tmp/asset bash# ln -s /mnt/cf /tmp/keychain

Initialize the asset with random data. This will make it less obvious to the attacker which parts are free space.

bash# shred -n 1 -v /tmp/asset

Here we create an encrypted file system to hold the keys. More encryption, you say? Yes, in case your keychain is stolen (see Table 1), you don't want your keys to be exposed. I chose one megabyte as the size of the file system because it's a round number. There's no way we're going to need that much space for keys so feel free to chose a smaller size if you like (each key file will be 61 bytes long).

Again, initialize with random data.

bash# cd /tmp/initrd bash# head -c 1m /dev/urandom > keys

To make the passphrase resistant to dictionary attacks we'll generate a seed. Whenever you see the symbol <seed> be sure to replace it with the one you generated. The following command will display a random seed on the screen.

bash# head -c 15 /dev/random | uuencode -m - | head -2 | tail -1

Set up the loopback device using the seed. This is where you choose your passphrase, which must be at least 20 characters in length. Choose one with care that you know you won't forget. You may want to use the Diceware method for choosing a secure passphrase.

bash# losetup -e AES128 -C 100 -S <seed> -T /dev/loop1 keys

Format and mount the keys file system (the decrypt.sh script assumes you use the ext2 file system here).

bash# mke2fs /dev/loop1 bash# mkdir /tmp/keys bash# mount /dev/loop1 /tmp/keys

Now for the actual asset key, 45 bytes as random as your computer can make them. Try a dictionary attack against that, attacker! Ha! We name the key after the computer with which it will be used (laptop). Substitute the name of your computer instead.

bash# head -c 45 /dev/random | uuencode -m - | head -2 | tail -1 > /tmp/keys/laptop

Set up a loopback device with the key for encrypted access to the asset.

bash# losetup -e AES128 -p 0 /dev/loop0 /tmp/asset < /tmp/keys/laptop

Unmount the keys file system.

bash# umount /tmp/keys bash# losetup -d /dev/loop1

2.3. Scripts

We have enough information to create the decryption script. Change the variables at the beginning to reflect your setup (including the seed you generated earlier).

If you're encrypting the whole disk or a partition, set ROOT_OFFSET to the size you got from mkswap. Put the script in /tmp/initrd and name it decrypt.sh.

If you're encrypting only a file then this script can live anywhere. In this case be sure to set ROOT_OFFSET to zero and set MOUNT to a convenient mount point (probably not /mnt/new-root).

#!/bin/sh

SEED=<seed>
ASSET=/dev/hda
ROOT_OFFSET=<root offset>
ROOT_TYPE=ext3
MOUNT=/mnt/new-root
KEY="$1"

# Ask for a passphrase to open the keys (this prevents exposure of the keys in
# case the owner loses the keychain).  Give the user three tries to get the
# passphrase right.
for ((FAILED=1, TRY=1; ($FAILED != 0) && (TRY <= 3); TRY++))
do
        mount -n -t ext2 -o loop=/dev/loop1,encryption=AES128,itercountk=100,pseed=$SEED keys /mnt/keys
        FAILED=$?
done
                                                                                
if [ $FAILED -ne 0 ]; then
        echo "Sorry, you get only three attempts to guess the password."
        exit 1
fi

# Use the key to decrypt the asset.
losetup -e AES128 -p 0 /dev/loop0 $ASSET < "/mnt/keys/$KEY"
 
# Close the keys.
umount -n /mnt/keys
losetup -d /dev/loop1
 
# Set up the root "partition" device.
losetup -o $ROOT_OFFSET /dev/loop1 /dev/loop0
 
# Mount the root file system (read-only, so it can be checked with fsck).
mount -n -r -t $ROOT_TYPE /dev/loop1 $MOUNT

Make the script executable.

bash# chmod +x decrypt.sh

If you're encrypting only a file, skip to Section 2.4. Otherwise, save the following boot script as linuxrc and place it in /tmp/initrd.

#!/bin/sh

# Decrypt the asset
source decrypt.sh "$1"

# Pivot to the asset's root file system.
cd $MOUNT
/sbin/pivot_root . initrd

# Pass control to init.
shift 1
exec chroot . /sbin/init $* <dev/console >dev/console 2>&1

Make the script executable.

bash# chmod +x linuxrc

Okay, the keychain and asset are now ready. Unmount everything.

bash# umount /tmp/{initrd,keychain}

You now have an empty, encrypted file system. Hurray!

2.4. Testing and Backup

Test your system by booting the keychain or executing the decrypt.sh script as appropriate (give it the name of the key you want to use as a parameter). After booting there may be a complaint about a nonexistent /sbin/init but that's okay for now.

Check to make sure your root file system mounted successfully. When you're confident everything is working, back up your keychain. In fact, make lots of backups. You might ask, "But isn't it insecure to have a copy of my keychain somewhere?" The answer is yes, it is, but not as insecure as losing your only keychain, if you define security as also meaning "securing access to my data".

Because my keychain is small I decided to back up the whole image so it's easy to restore:

bash# bzip2 -c /dev/sda > keychain.img.bz2

If you're encrypting only a file, you can pat yourself on your back at this point because you've finished.

2.5. Rescue Disk

Rescue disks are useful when a system isn't behaving properly and/or refuses to boot. Check to make sure your rescue disk has loop-AES support in its kernel and has the correctly patched util-linux tools such as losetup and mount, otherwise it will be worthless with your newly encrypted asset. In the future, all rescue disks will include this support because it will come standard with the 2.6 kernel. In the meantime, KNOPPIX (for example) already has all the necessary support and can be used as a rescue disk.

After booting an appropriate rescue disk, mount your keychain and execute the decrypt.sh script.

bash# mkdir /tmp/{keychain,initrd} bash# mount /dev/sda1 /tmp/keychain bash# mount -o loop=/dev/loop3 /tmp/keychain/boot/initrd /tmp/initrd bash# pushd /tmp/initrd bash# ./decrypt.sh laptop bash# popd bash# umount /tmp/{initrd,keychain}

You can now access your asset through the mount point you specified in decrypt.sh.

2.6. Installing Linux

Your final task is to install Linux to your new encrypted file system. As you do this make sure the entries in your /etc/fstab for the root and swap look like those below:

# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>               <dump>  <pass>
/dev/loop0      none            swap    sw                      0       0
/dev/loop1      /               ext3    errors=remount-ro       0       1

If you already have an installation elsewhere, read the Hard Disk Upgrade Mini How-To to learn how to copy it over.

The procedure for a fresh installation of Linux is different for each distribution. Please send me instructions for distributions not listed below and I will include them here.