This document should help you set up an encrypted file system on Redhat 9 (Shrike) systems using CryptoAPI. Everything you need is on your RH9 CDs, on the ftp.redhat.com FTP server, or available from this site. If you know your root password and know how to enter commands in a Linux shell, all requirements are fulfilled.

An encrypted file system lets you store information so that other people can read the data only when they know the pass-phrase (something like a password, but usually longer and therefore harder to guess). Of course, as long as the encrypted file system is “opened by you”, anyone logged in locally may also access the data (according to the file permissions).

Today there are more or less two approaches to installing an encrypted file system under Linux: either with CryptoAPI or with loop-AES. CryptoAPI is more flexible since it can be used for other tasks and not only for encrypting file systems. If you want to use CryptoAPI for more, start with the CryptoAPI home page at http://www.kerneli.org/cryptoapi. If you don’t run Redhat 9, this URL is also your starting point, since you have to download the latest source tarball, patch your kernel sources and build the required binaries yourself. Good luck.

On Redhat 9 it is much simpler since the basic modules of CryptoAPI are already included in the kernel. Unfortunately, no cipher modules are included except for cipher-aes and cipher-identity. Fortunately, we need only cipher-aes. But while the kernel is ready for CryptoAPI, the required tools like losetup are not. For whatever reason Redhat didn’t include the required patches for those tools, so we must do it ourselves.

Building updated RPMs for RH9

Redhat is built up using packages called RPMs. It would be possible to copy patched binaries over the existing ones but this approach is not very clean from my point of view. The following steps will take the original sources of the required tools, patch them, build the new binaries and also build new binary RPMs which are then used to update the system.

From your RH9 CDs you need only the ‘util-linux-2.11y-9.src.rpm’ source RPM. If you don’t have the CDs at hand, log in to ftp://ftp.redhat.com/pub/redhat/linux/9/en/os/i386/SRPMS/ and get the package there. If you want to take a look inside the source RPM, you may do so with the following command: rpm2cpio util-linux-2.11y-9.src.rpm | cpio -dimv. If you don’t care about the package contents, you can skip this step.

Besides the original package you need two patches:

The following commands will patch the tool sources and build new RPMs. The commands shown expect the source RPM as well as the patches in the /storage/downloads/cryptoapi directory. You have probably stored them somewhere else, so use your download path when entering the commands.

The first command will install the source RPM. Please note that the source RPM will not be displayed in the RPM list when entering ‘rpm -qa’. The sources will be installed in /usr/src/redhat.

[root@diablo]# rpm -i util-linux-2.11y-9.src.rpm

Next we copy the two patch files to their target locations and apply the ‘spec-patch’ (the other one will be applied when building the new RPMs).

[root@diablo]# cd /usr/src/redhat/SOURCES
[root@diablo]# cp /storage/downloads/cryptoapi/util-linux-2.11r-cryptoapi-81574.patch .
[root@diablo]# cd ../SPECS
[root@diablo]# patch util-linux.spec < /storage/downloads/cryptoapi/util-linux.spec.patch
[root@diablo]# cd ..

Now we rebuild the sources. The following command will apply all required patches (included in the source RPM as well as our second one), compile the sources and build the updated binary RPMs.

[root@diablo]# rpmbuild -ba SPECS/util-linux.spec
[root@diablo]# cd RPMS/i386
[root@diablo]# ls -l
total 2828
drwxr-xr-x    2 root     root         4096 Jun  8 14:05 .
drwxr-xr-x    8 root     root         4096 May 28 08:29 ..
-rw-r--r--    1 root     root        39989 Jun  8 14:05 losetup-2.11y-10.i386.rpm
-rw-r--r--    1 root     root       119404 Jun  8 14:05 mount-2.11y-10.i386.rpm
-rw-r--r--    1 root     root      1367925 Jun  8 14:05 util-linux-2.11y-10.i386.rpm
-rw-r--r--    1 root     root      1342689 Jun  8 14:05 util-linux-debuginfo-2.11y-10.i386.rpm

Time to install the new ‘CryptoAPI-ready’ tool set:

[root@diablo]# rpm -qa | egrep "(losetup|mount|util-linux)"
losetup-2.11y-9
mount-2.11y-9
util-linux-2.11y-9
[root@diablo]# rpm -Uhv losetup-2.11y-10.i386.rpm
Preparing...                ########################################### [100%]
   1:losetup                ########################################### [100%]
[root@diablo]# rpm -Uhv mount-2.11y-10.i386.rpm
Preparing...                ########################################### [100%]
   1:mount                  ########################################### [100%]
[root@diablo]# rpm -Uhv util-linux-2.11y-10.i386.rpm
Preparing...                ########################################### [100%]
   1:util-linux             ########################################### [100%]
[root@diablo]# rpm -qa | egrep "(losetup|mount|util-linux)"
mount-2.11y-10
losetup-2.11y-10
util-linux-2.11y-10

If no errors occurred up to now – welcome. You can now set up your encrypted file system. First we run a short test to see whether everything works. Enter the following commands and compare the output – it should be roughly the same.

# export LANG=C
# modprobe cryptoloop
# modprobe cipher-aes
# lsmod | egrep "(crypto|cipher)"
cipher-aes             23508   0  (unused)
cryptoloop              2716   0  (unused)
cryptoapi               7084   5  [cipher-aes cryptoloop]
loop                   12152   0  [cryptoloop]
# dd if=/dev/urandom of=/root/cryptotemp bs=1M count=20
# losetup -e aes -k 256 /dev/loop0 /root/cryptotemp
# mke2fs -j /dev/loop0
# mkdir -p /mnt/crypto
# mount /dev/loop0 /mnt/crypto
# ls /mnt/crypto
lost+found
# umount /mnt/crypto
# losetup -d /dev/loop0

Setting up the “production file system”

Everything all right? Hopefully. Now we set up our “production file system”. Two scripts for mounting and unmounting the file system are provided as well. In the following example the RAID device “/dev/md1” is used. You may also use any free partition such as ‘/dev/hda?’ or ‘/dev/sda?’, or a flat file like ‘/crypted/filesystem.aes’ or similar.

First, we should fill the target device with random data. That way, somebody who tries to find out what is going on by looking at a dump of the file system can’t see right from the start where valid data is and where not. Attention: the following command destroys all data on the device!

# dd if=/dev/urandom of=/dev/md1

Next we create the file system on the encrypted device and create the target mount point (change myuser:mygroup to your user name and group name). Think about your encryption password FIRST and make sure you remember it for as long as the data is needed; the losetup command will ask for it. The bad thing: if you lose your password you’ll also lose your data. The good thing: that is more or less what you want (no access to the data without the password).

# losetup -e aes -k 256 /dev/loop0 /dev/md1
# mke2fs -j /dev/loop0
# losetup -d /dev/loop0
# mkdir -p /home/crypted
# chown myuser:mygroup /home/crypted

Mounting and unmounting is done easily using two scripts. The following script should be saved in /usr/local/bin/mount-crypted:

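#!/bin/bash

# Find the device currently mounted on /home/crypted (empty if none).
cryptdev=`df -k | grep "/home/crypted$" | awk '{ print $1 }'`
if test "$cryptdev" == "/dev/loop0"; then
  echo "/home/crypted already mounted (using $cryptdev)."
  exit
fi

# Load the loop encryption and AES cipher modules.
modprobe cryptoloop
modprobe cipher-aes
# Attach the encrypted device; losetup asks for the password here.
losetup -e aes -k 256 /dev/loop0 /dev/md1
mount /dev/loop0 /home/crypted > /dev/null 2>&1

# With a wrong password no valid file system is found, so lost+found
# is missing: clean up and report the failure.
if test ! -d /home/crypted/lost+found; then
  umount /home/crypted > /dev/null 2>&1
  losetup -d /dev/loop0
  echo "Invalid password, /home/crypted not mounted."
fi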

The second script should be saved in /usr/local/bin/umount-crypted:

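#!/bin/bash

# Find the device currently mounted on /home/crypted (empty if none).
cryptdev=`df -k | grep "/home/crypted$" | awk '{ print $1 }'`
if test "$cryptdev" == ""; then
  echo "/home/crypted not mounted."
  exit
fi

# Unmount first, then detach the loop device so the key is dropped.
umount /home/crypted
losetup -d "$cryptdev"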
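
The mount-crypted script detects a wrong password only after mounting, by looking for lost+found, which stops working if that directory is ever removed. The following added example (not part of the original guide) checks the ext2/ext3 superblock magic on the attached loop device before mounting instead. The function names and the attach_and_mount wrapper are assumptions for illustration, and the sample image is constructed so the check can be tried without root.

```bash
#!/bin/bash
# Added example: password sanity check for a cryptoloop device.
# ext2/ext3 keep their superblock at byte offset 1024; the 16-bit magic
# 0xEF53 sits 56 bytes into it, stored little-endian (bytes 53 ef).
EXT_MAGIC_OFFSET=1080

# Print the two bytes at the magic offset as lowercase hex, e.g. "53ef".
# Prints nothing if the device or file is too short.
read_magic() {
  dd if="$1" bs=1 skip="$EXT_MAGIC_OFFSET" count=2 2>/dev/null \
    | od -An -tx1 | tr -d ' \n'
}

# Succeed only if $1 (loop device or plain image) shows an ext2/ext3
# superblock, i.e. the data decrypted to a real file system.
has_ext_magic() {
  [ "$(read_magic "$1")" = "53ef" ]
}

# Constructed sample input: a zero-filled image of $2 KiB, with the magic
# written in when $3 is "valid". It stands in for /dev/loop0.
make_sample() {
  dd if=/dev/zero of="$1" bs=1024 count="$2" 2>/dev/null
  if [ "$3" = "valid" ]; then
    printf '\123\357' \
      | dd of="$1" bs=1 seek="$EXT_MAGIC_OFFSET" conv=notrunc 2>/dev/null
  fi
}

# Hypothetical wrapper showing where the check fits in mount-crypted:
# attach, verify, then mount; detach again when the magic is missing.
# usage: attach_and_mount /dev/md1 /dev/loop0 /home/crypted
attach_and_mount() {
  losetup -e aes -k 256 "$2" "$1" || return 1
  if ! has_ext_magic "$2"; then
    losetup -d "$2"
    echo "Invalid password, $3 not mounted." >&2
    return 1
  fi
  mount "$2" "$3"
}
```

Data decrypted with a wrong key matches the two magic bytes by chance about once in 65536 tries; mount then still refuses the device, so the check is an early filter and not a replacement for mount's own validation.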

Finally, some notes about backup. You should either back up your data to a device you then put in a safe place, or copy the data to an encrypted flat file and save that. Anyway, data you want to hide from foreign eyes is usually data you would not want to be without. So back it up and take care that the backup data can’t be read by others.

If this guide was helpful for you, please let me know. If you find something wrong in this guide, please let me know, too.

Download patched binaries

If you run into trouble while compiling the patched sources or if you want to save the time doing that, you may download the patched binaries directly from this site using the following links. Please note that the ‘util-linux-debuginfo-2.11y-10.i386.rpm’ RPM is not required to get the CryptoAPI up and running.
