Your hard disk (hda) should contain at least three partitions:
hda1: this small unencrypted partition will ask for a password in order to mount the encrypted root filesystem.
hda2: this partition will contain your encrypted root filesystem; make sure it is large enough.
hda3: this partition holds the current GNU/Linux system.
At this point, both hda1 and hda2 are unused. hda3 is where your Linux distribution is currently installed; /usr and /boot must not be separated from this partition.
Here's an example of what your partition layout might look like:
# fdisk -l /dev/hda Disk /dev/hda: 255 heads, 63 sectors, 2432 cylinders Units = cylinders of 16065 * 512 bytes Device Boot Start End Blocks Id System /dev/hda1 1 1 8001 83 Linux /dev/hda2 2 263 2104515 83 Linux /dev/hda3 264 525 2104515 83 Linux /dev/hda4 526 2047 12225465 83 Linux
If you use Debian, the following packages are mandatory:
apt-get install gcc make libncurses5-dev patch bzip2 wget
To make copy & paste easier, you should also install:
apt-get install lynx gpm
There are two main projects which add loopback encryption support in the kernel: cryptoloop and loop-AES. This howto is based on loop-AES, since it features an extremely fast and highly optimized implementation of Rijndael in assembly language, and therefore provides maximum performance if you have an IA-32 (x86) CPU. Besides, there are some security concerns about cryptoloop.
First of all, download and unpack the loop-AES package:
cd /usr/src wget http://loop-aes.sourceforge.net/loop-AES/loop-AES-v3.0b.tar.bz2 tar -xvjf loop-AES-v3.0b.tar.bz2
Then you must download and patch the kernel source:
wget http://ftp.kernel.org/pub/linux/kernel/v2.4/linux-2.4.29.tar.bz2 tar -xvjf linux-2.4.29.tar.bz2 cd linux-2.4.29 rm include/linux/loop.h drivers/block/loop.c patch -Np1 -i ../loop-AES-v3.0b/kernel-2.4.28.diff
Setup the keyboard map:
dumpkeys | loadkeys -m - > drivers/char/defkeymap.c
Next, configure your kernel; make sure the following options are set:
make menuconfig Block devices ---> <*> Loopback device support [*] AES encrypted loop device support (NEW) <*> RAM disk support (4096) Default RAM disk size (NEW) [*] Initial RAM disk (initrd) support File systems ---> <*> Ext3 journalling file system support <*> Second extended fs support (important note: do not enable /dev file system support)
Compile the kernel and install it:
make dep bzImage make modules modules_install cp arch/i386/boot/bzImage /boot/vmlinuz
If grub is your bootloader, update /boot/grub/menu.lst or /boot/grub/grub.conf:
cat > /boot/grub/menu.lst << EOF default 0 timeout 10 color green/black light-green/black title Linux root (hd0,2) kernel /boot/vmlinuz ro root=/dev/hda3 EOF
Otherwise, update /etc/lilo.conf and run lilo:
cat > /etc/lilo.conf << EOF lba32 boot=/dev/hda prompt timeout=60 image=/boot/vmlinuz label=Linux read-only root=/dev/hda3 EOF lilo
You may now restart the system.
Proceed as described in the previous section, using loop-aes' kernel-2.6.10.diff patch instead, and make sure cryptoloop support is not activated. Note that modules support require that you have the module-init-tools package installed.
The losetup program, which is part of the util-linux package, must be patched and recompiled in order to add strong cryptography support. Download, unpack and patch util-linux:
cd /usr/src wget http://ftp.kernel.org/pub/linux/utils/util-linux/util-linux-2.12p.tar.bz2 tar -xvjf util-linux-2.12p.tar.bz2 cd util-linux-2.12p patch -Np1 -i ../loop-AES-v3.0b/util-linux-2.12p.diff
To use passwords that are less than 20 characters, enter:
CFLAGS="-O2 -DLOOP_PASSWORD_MIN_LENGTH=8"; export CFLAGS
Security is certainly your major concern. For this reason, please do not enable passwords shorter than 20 characters. Data privacy is not free, one has to 'pay' in form of long passwords.
Compile losetup and install it as root:
./configure && make lib mount mv -f /sbin/losetup /sbin/losetup~ rm -f /usr/share/man/man8/losetup.8* cd mount gzip losetup.8 cp losetup /sbin cp losetup.8.gz /usr/share/man/man8/ chattr +i /sbin/losetup