Gentoo Wiki

SECURITY_Encrypting_Root_Filesystem_with_loop-AES

This article is part of the Security series.
Warning: This page is currently in development and is far from complete.

Disclaimer

THIS ARTICLE IS PROVIDED 'AS IS' WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT WILL ANY OF THE AUTHORS OF THIS ARTICLE BE LIABLE FOR ANY DAMAGES CAUSED BY FOLLOWING, OR THE INABILITY TO FOLLOW, PROCEDURES DESCRIBED IN THIS ARTICLE.

Process Overview

All procedures described here can be divided into seven simple steps:

  1. Backup and Verify your System
  2. Configure and Compile Utilities
  3. Configure and Re-compile your Kernel
  4. Create a Live CD
  5. Safely Delete Unencrypted Data
  6. Create Encrypted Root Partition
  7. Restore Data From Backup

Introduction

Why use encryption at all?

People against the use of cryptography might argue that "if you're innocent, you have nothing to hide." In a utopian society that would be true; unfortunately, the world is not black and white, and there is a lot of grey in between.

Quote: Cardinal Richelieu

If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged.

I prefer it to dm-crypt because it is faster?? and I like encryption applications that target some particular method, not all of them. In general, what you choose is a matter of taste.

What is loop-AES?

A loop driver is a kind of driver that stands between an application that uses a device and the device (or file) itself. Loop-AES is a kernel driver that adds functionality to /dev/loopX devices by replacing the original loop driver. This makes it possible to use AES encryption.

Modes of operation

Loop-AES is a kernel driver that must be available at boot time. There are two ways of getting the loop-AES code to work with the kernel: you can compile it either as a standalone kernel module or directly into the kernel.

If you decide to use the kernel module, you will need an initramfs, because the driver must be available at boot time. The advantage of this method is that you don't need to recompile the kernel every time a new version comes out; you only need to update the initramfs.

If you decide to build the loop-AES code directly into the kernel, you will have to apply a patch against the mainline kernel and recompile the whole kernel every time loop-AES releases a new version or a new kernel becomes available. The advantage of this method is that you don't need an initramfs.

Use of journaling file systems with loop-AES

As noted above, a loop device stands between an application and a device (or a file).

When a loop device stands between an application and a file, it is called a file-backed loop device. See the example below.

filesystemA -> loop -> filesystemB -> device
Example: an ISO image located on filesystem B that, when mounted,
         provides filesystem A through the functionality of a loop device

Otherwise it is called a device-backed loop device.

filesystemC -> loop -> device
Example: a notebook's hard drive that has a physical partition which,
         when mounted through loop-AES and decrypted, provides filesystem C

===============================================================
=                      disc / partition                       =
===============================================================
             ^                                ^
             |                                |
        normal mount                  mount via loop-aes
             |                                |
==============================   ==============================
=      host filesystem       =   =     loop-aes filesystem    =
==============================   ==============================
= can use every supported    =   = can use every supported    =
= filesystem, including      =   = filesystem, including      =
= journaling file systems    =   = journaling file systems    =
= (ext2,ext3,xfs,nfs,smb...) =   = (ext2,ext3,xfs,nfs,smb...) =
==============================   ==============================
             ^
             |
   mount via loop-aes
             |
==============================
=     loop-aes filesystem    =
==============================
= don't use journaling file  =
= systems!                   =
= (ext2,nfs,smb...)          =
==============================

Loop-AES explicitly prohibits the use of journaling on file-backed loop devices; in this example, on filesystem B. The virtual memory subsystem writes pages to disk in any order it wishes, which breaks journaling. If you still want filesystem B to be journaling, mount filesystem A read-only.

Appendix A: Errors you might run into

ioctl: LOOP_SET_STATUS: Invalid argument,
       requested cipher or key length (128 bits) not supported by kernel

Either your kernel was not compiled with the AES cipher and you need to recompile it, or you didn't "modprobe" the necessary module. You may want to enable automatic kernel module loading.

ioctl: LOOP_MULTI_KEY_SETUP: Invalid argument

It is likely that:

localhost loop-AES-v3.1f # modprobe loop
FATAL: Error inserting loop (/lib/modules/2.6.x.y/block/loop.ko): Invalid module format
localhost loop-AES-v3.1f # dmesg | tail -1
loop: exports duplicate symbol loop_register_transfer (owned by kernel)

The old loop driver from the kernel is still loaded. If it was compiled as a module, use "rmmod" to unload it. Otherwise set CONFIG_BLK_DEV_LOOP=n, recompile your kernel and reboot.

Appendix B: Notes on dm-crypt and cryptloop security

Please consider the following: at the beginning of 2004 it became known that Markku-Juhani O. Saarinen, working for the Helsinki University of Technology, had published a scientific paper called "Linux for the Information Smuggler" describing a watermark attack on encrypted files.

Quote: http://www.uwsg.iu.edu/hypermail/linux/kernel/0402.2/1137.html

This attack makes it possible to detect presence of specially crafted watermarked files, such as, unreleased Hollywood movies, cruise missile service manuals, and other content that you did not create yourself. Watermarked files contain special bit patterns that can be detected without decryption.

At that time dm-crypt and cryptloop were vulnerable, as was loop-AES in single-key mode. However, loop-AES already had multi-key mode by then.

Quote: http://www.shimari.com/dm-crypt-on-raid/

If you are running a kernel older than 2.6.12 then loop-AES is still your only viable option. If you want a securely encrypted system with a 2.2 or 2.4 kernel your only option is to abandon your package manager and install and maintain the loop-AES utilities by hand.

Various sources report different kernel versions from which dm-crypt became secure. I believe that security for this package starts somewhere in between 2.6.10 and 2.6.12.

About

Written by Denis Scherbakov for Gentoo Wiki project.

Raw Notes for further editing

CFLAGS="-O2" LDFLAGS="-static -s" ./configure
make
make tests

umask 077
head -c 2925 /dev/random | uuencode -m - | head -n 66 | tail -n 65 | gpg --symmetric -a > /boot/rootkey.gpg

The "uuencode" program is part of app-arch/sharutils.

Add --cipher-algo AES256 --s2k-count 8388608 to the gpg command line:

head -c 2925 /dev/random | uuencode -m - | head -n 66 | tail -n 65 | gpg --cipher-algo AES256 --s2k-count 8388608 --symmetric -a > /boot/rootkey.gpg

This must be run exactly as shown, so that no part of the unencrypted key is saved to the disk.

env CFLAGS="-O2" CXXFLAGS="-O2" LDFLAGS="-static -s" ../configure --disable-largefile --disable-card-support --disable-agent-support --disable-keyserver-helpers --disable-photo-viewers --disable-twofish --disable-blowfish --disable-cast5 --disable-idea --without-zlib --without-bzip2 --disable-asm --disable-rsa

Decryption can be tested with /path/to/gpg /boot/rootkey.gpg
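
The key-generation pipeline above keeps 65 base64 lines (2925 bytes = 65 x 45, and each 45 bytes encode to 60 characters). The following check of a decrypted key stream is an added example, not part of the original notes or of loop-AES; the names check_keyfile and make_sample_keys are hypothetical, and the sample keys are constructed and not secret.

```shell
#!/bin/sh
# Added example, not from the original page. Validates the layout of a
# decrypted loop-AES key file read from stdin, so no cleartext reaches the disk.
# Assumption taken from the pipeline above: 2925 random bytes = 65 * 45 bytes,
# and every 45 bytes encode to one 60-character base64 line without padding.

EXPECTED_LINES=65   # lines kept by "head -n 66 | tail -n 65"
EXPECTED_WIDTH=60   # base64 characters per line

# check_keyfile (hypothetical helper): returns 0 if stdin matches the layout.
# It reports counts and line numbers only and never echoes key material.
check_keyfile() {
    awk -v want="$EXPECTED_LINES" -v width="$EXPECTED_WIDTH" '
        {
            if (length($0) != width)       { bad_len++;  if (!first) first = NR }
            if ($0 !~ "^[A-Za-z0-9+/]+$")  { bad_char++; if (!first) first = NR }
            if (seen[$0]++)                { dup++ }
        }
        END {
            ok = 1
            if (NR != want) { printf "expected %d lines, found %d\n", want, NR; ok = 0 }
            if (bad_len)    { printf "%d line(s) not %d characters long\n", bad_len, width; ok = 0 }
            if (bad_char)   { printf "%d line(s) contain non-base64 characters\n", bad_char; ok = 0 }
            if (dup)        { printf "%d duplicated line(s)\n", dup; ok = 0 }
            if (first)      { printf "first malformed line: %d\n", first }
            if (ok)         { print "key file layout OK" }
            exit !ok
        }'
}

# make_sample_keys: constructed, non-secret sample input for a dry run.
# The first two characters encode the line number, so all 65 lines differ.
make_sample_keys() {
    awk 'BEGIN {
        a = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
        for (i = 0; i < 65; i++) {
            line = substr(a, i % 64 + 1, 1) substr(a, int(i / 64) + 1, 1)
            for (j = 2; j < 60; j++) line = line substr(a, (i + j) % 64 + 1, 1)
            print line
        }
    }'
}

make_sample_keys | check_keyfile   # dry run on the constructed sample
```

For a real key file, pipe the output of gpg --decrypt into check_keyfile instead of the sample. A leftover uuencode header line or a line count other than 65 shows up as a failed check.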

wipe free space on / and /boot for security

swapoff -a

edit fstab: /dev/hda666 none swap sw,loop=/dev/loop6,encryption=AES128 0 0

shred --verbose -z /dev/hda666

losetup -e AES128 -K /path/to/key.gpg /dev/loop0 /dev/hda666

mkswap /dev/loop0

??? swapon -a

rm -rf /var/log/ksymoops

gpp location cppsource: /lib location

tar cpsf - -P --numeric-owner / | bzip2 -cz9 > archive.tar.bz2

tar cpsf - -P --numeric-owner / | gzip -c9 > archive.tar.gz

tar cpf - --numeric-owner -C /mnt/gentoo ./ | bzip2 -cz9 | aespipe -e AES256 -K /path/to/key-for-backup.gpg > /backup/file.crypt

tar cpf - --numeric-owner -C /mnt/gentoo ./ | gzip -c9 | aespipe -e AES256 -K /path/to/key-for-backup.gpg > /backup/file.crypt

bzip2 -cd < archive.tar.bz2 | tar df - -P

gzip -cd < archive.tar.gz | tar df - -P

aespipe -d -e AES256 -K /path/to/key-for-backup.gpg < /backup/file.crypt | bzip2 -cd | tar df - -C /mnt/gentoo

aespipe -d -e AES256 -K /path/to/key-for-backup.gpg < /backup/file.crypt | gzip -cd | tar df - -C /mnt/gentoo

AES with S-Boxes is vulnerable to a timing attack. With known plaintext and ciphertext it is possible to guess the key by analyzing the time it took to encrypt a given block. E.g. if your key begins with 1A, it would take a different time to encrypt than if it began with A1, and so on. http://cr.yp.to/antiforgery/cachetiming-20050414.pdf

- VIA Padlock is AES encryption in hardware

- Close Ctrl+Alt+Backspace and Ctrl+Alt+Fn,Ctrl+C

Retrieved from "http://www.gentoo-wiki.info/SECURITY_Encrypting_Root_Filesystem_with_loop-AES"

Last modified: Thu, 04 Sep 2008 22:50:00 +0000