Loop-AES

Loop-AES

This is a step by step tutorial on creating an encrypted partition using Loop-AES (using AES-256). This tutorial is known to work under sarge.

Loop-AES is more secure than dm-crypt (and possibly faster), although it requires a custom kernel module and is more work to install than dm-crypt.

prepare the system

note: this is old. for post-sarge distros, there is package for the modules. for sarge, you can now do this:

  # module-assistant prepare
  # module-assistant fakesource
  # module-assistant auto-install loop-aes

Building loop-AES requires a full kernel source tree, the headers
from kernel-headers packages are not sufficient. Supposedly this could all be simplified with module-assistant, but it doesn’t seem to work with loop-aes.

Get the necessary packages (note: you do not need loop-aes-ciphers-source unless you want to use twofish, serpent or blowfish):

 # apt-get install kernel-source-2.6.8 loop-aes-source kernel-tree-2.6.8 kernel-headers-2.6.8-2-686-smp kernel-image-2.6.8-2-686-smp loop-aes-utils

Then unpack and prepare the source:

  # cd /usr/src
  # tar -xjf kernel-source-2.6.8.tar.bz2
  # tar -xjf loop-aes.tar.bz2
  # apt-get source kernel-image-2.6.8-2-686-smp
  # cd /usr/src/kernel-image-2.6.8-i386-2.6.8
  # debian/rules unpack
  # cd build-686-smp
  # ln -s /usr/src/kernel-headers--2.6.8-2-686-smp/Module.symvers .

Then build the modules:

  # apt-get install kernel-package
  # make-kpkg modules --append-to-version -2-686-smp
Then install the modules: 
  # cd ..
  # dpkg -i loop-aes-2.6.8-2-686-smp_2.2d-2+2.6.8-13_i386.deb

You might have the old linux kernel loop loaded, so before you proceed, remove the old loop module and load the new one:

  # rmmod loop
  # modprobe loop

create key file

Create 64 random encryption keys and encrypt those keys using gpg. Reading
from /dev/random may take indefinitely long if kernel’s random entropy pool
is empty. If that happens, do some other work on some other console (use
keyboard, mouse and disks). Use of gpg encrypted key file depends on
encrypted swap.

Make sure your /tmp is mounted as a memory filesystem, you dont want to be writing the loop-aes gpg key to an unencrypted disk, so get that setup before you continue.

  # apt-get install gnupg sharutils
  # head -c 2880 /dev/random | uuencode -m - | head -n 65 | tail -n 64 | gpg --symmetric -a > /tmp/keyfile.gpg

It will ask you for a passphrase. This will be the passphrase required to mount the partition.

fill partition

Fill the partition with random looking data. “dd” command may take a while
to execute if partition is large. (replace /dev/md4 with whatever partition you want to encrypt. replace /dev/loop3 with whichever loop device you wish to use).

# head -c 15 /dev/urandom | uuencode -m - | head -n 2 | tail -n 1 | losetup -p 0 -e AES256  /dev/loop3 /dev/md4
# dd if=/dev/zero of=/dev/loop3 bs=4k conv=notrunc 2>/dev/null
# losetup -d /dev/loop3

set up fstab

Add this to your /etc/fstab file:

 /dev/md4 /var/maildir reiserfs defaults,noauto,loop=/dev/loop3,encryption=AES256,gpgkey=/tmp/keyfile.gpg 0 0

create the filesystem

The “losetup -F” command asks for passphrase to unlock your key file.
Losetup -F option reads loop related options from /etc/fstab. Partition name
/dev/md4, encryption=AES256 and gpgkey=/root/keyfile.gpg come from
/etc/fstab.

# losetup -F /dev/loop3
# mkfs.reiserfs -h r5 /dev/loop3
# losetup -d /dev/loop3

mount filesystem

Now you should be able to mount the file system like this. The “mount”
command asks for passphrase to unlock your key file.

# mkdir /var/maildir
# mount /var/maildir

setup loop-aes encrypted swap

stop any running swap

# swapoff -a

configure your fstab

  /dev/hdaxxx   none   swap   sw,loop=/dev/loop6,encryption=AES256   0   0
  /dev/hdbyyy   none   swap   sw,loop=/dev/loop7,encryption=AES256   0   0

Scrub old unencrypted data from swap

# dd if=/dev/zero of=/dev/hda666 bs=64k conv=notrunc

Make new swap and enable it

# mkswap /dev/hdaxxx
# mkswap /dev/hdbyyy
# swapon -a
# rm -rf /var/log/ksymoops

how to change a loop-aes key passphrase

It doesn’t seem to be documented anywhere how you change the passphrase of a gpg multi-key loop-aes setup. I guess thats because the actual passphrase is the passphrase which unlocks the gpg key, so if you change that key you actually are changing the password. This is relatively easy to do if you just run gpg -d on the keyfile, this will give you the unencrypted 64 random encryption keys which are used to unlock the keyphrase. Once you have this, you just re-encrypt it with a new passphrase.

Thats easy enough.

The hard part is to do it without writing the unencrypted encryption keys to a disk, as writing the keys to disk is what makes it a defacto insecure system. I suppose it might be argued that if you write them to an encrypted partition you might be fine, although you have to be sure that nobody has access to that filesystem while it is mounted (aka. unencrypted). So, you just need to do this by using regular ole unix pipes, and do it all in memory, right? Well…. not so simple, gpg doesn’t really let you do a simple:

gpg -d /tmp/foobar.gpg | gpg --symmetric -a -o /tmp/newfoo.gpg --

try it and you will see. The passphrase for the first decryption is somehow… lost and instead it asks you for the second right away. The reason it does this is because both gpg instances are fighting for the tty, if you use —no-tty (a gpg option) then it asks on stdin, and that gets screwed up. There is a way to do it using —passphrase-fd, but then your passphrase is in your shell history. You can of course turn that off if you manage to remember to set the right variable before executing it (in bash: typeset HISTCONTROL=ignoreboth; in zsh: setopt HIST_IGNORE_SPACE, and then prepend the command with a space). This seems ugly and prone to human error.

So how do you do it?!

Well, first make sure you have backups of your keyfile. Don’t mess with this file, you loose a lot of data if you screw up.

There are two ways, the first is to make a fifo, decrypt the keyfile into the fifo and then encrypt the data from the fifo, thats kinda ugly and requires the creation of the fifo, the two commands to decrypt and then encrypt and then you need to destroy the fifo, if you want to know how this is done you do this:

  /tmp$ mkfifo fifo
  /tmp$ cat /tmp/blubb | gpg > fifo
  gpg: CAST5 encrypted data
  gpg: encrypted with 1 passphrase
  gpg: WARNING: message was not integrity protected
  /tmp$

and in the other shell:

 /tmp$ gpg --symmetric < fifo > blubb2

Then you need to make sure you remove the fifo.

Did you notice the CAST5 encrypted data line above? This brings up an important point, since you are changing your passphrase, you should change from the CAST5 cipher. Why are you using CAST5? Do you have any idea? If you are encrypting your disks with AES, why trust your keys to a weak cipher? Is it all that weak? Well, gpg used it by default when the key was created, so isn’t that good enough? Well, gpg’s default is chosen not necessarily to be the most secure, but probably to be the most interoperable with much older version of pgp. Gross.

I’m not a big fan of the fifo method, so lets change the cipher algorithm to AES256, and do it all on the command line.

WARNING: Make sure you doing this in bash, or another shell that has a built-in “echo”, if your shell will use /bin/echo then you’ll leak the passphrases into the process table.

  /tmp$ read -p "Enter passphrase: " -s p1; echo ""; \
        read -p "Enter new passphrase: " -s p2; echo ""; \
        cat keyfile.gpg | gpg --passphrase-fd=3 3< <(echo $p1) \
        | gpg --cipher-algo AES256 --passphrase-fd=3 --symmetric \
         3< <(echo $p2) > newkeyfile.gpg

Holy crazy batman! You could put this in a script and make it ask you for the keyfile you want to change and the name of the new keyfile to write it to. Or you could just copy and paste the above and change it to what you need.

Thanks to weasel, error and dkg for invaluable advice on this.

other

Check that loop is really in multi-key mode. Losetup -a output should
include string “multi-key” indicating that loop is really in multi-key mode.
If no “multi-key” string shows up, you somehow managed to mess up gpg key
file generation part or you are trying to use old losetup/mount programs
that only understand single-key mode.

 # losetup -a

You can unmount partition like this:

 # umount /var/maildir

Unmounted filesystem can be fsck’ed like this. -F option reads loop related
options from /etc/fstab. Partition name
/dev/md4, encryption=AES256 and gpgkey=/root/keyfile.gpg come from
/etc/fstab.

# losetup -F /dev/loop3
# fsck -t ext2 -f -y /dev/loop3
# losetup -d /dev/loop3

see also

www.debian-administration.org/?article=81