How to make and burn an encrypted CD under Linux 2.6.x

Printable View

Show 40 post(s) from this thread on one page

July 3rd, 2005, 08:40 PM
Dr. Psy

How to make and burn an encrypted CD under Linux 2.6.x

You will first need to download the latest 2.6 kernel from http://www.kernel.org

Untar the new kernel and copy it to your /usr/src directory. Then cd to /usr/src. You will need to use either 'make gconfig' or 'make menuconfig' to configure the kernel.

In this tutorial, we will use menuconfig for our examples. Type in

#make menuconfig

You will have to go through and configure the kernel according to your system specifics. I can't do that for you as there are just too many variables. make sure you are familiar with your system specifics, and compile in support for the various components for your system. That is out of the scope of this tutorial, and we will only discuss configuration for encryption support in this paper.

The first thing we will want to do, is enable loopback device support. This option is located under

Device Drivers ---> Block Devices---> Loopback device support.

There are two options here. We can either compile this support directly into the kernel or compile it as a module (as will be the case for each of our options) Do whichever you feel more comfortable with. Remember that if you compile these options as modules, you will either need to edit /etc/rc.d/rc.modules to load the modules on boot or load them manually with modprobe. For loopback support, I would suggest compiling support directly into the kernel, but the choice is yours. If you want to compile loopback support directly into the kernel, then scroll down to loopback support and enter 'y'. If you want to compile it as a module, type in 'm'

Right below loopback support is the option for Cryptoloop support. I suggest compiling support for cryptoloop as a module. But again, you can you compile it directly into the kernel if you choose.

Next, we need to enable our encryption algorithms. Choose 'Exit' to revert back to the former screen and exit that screen as well to return to the original screen. scroll down to 'Cryptographic options' and press 'enter'. You will be presented with the following options

--- Cryptographic API
--- HMAC support
<M > Null algorithms
<M> MD4 digest algorithm
--- MD5 digest algorithm
--- SHA1 digest algorithm
<M> SHA256 digest algorithm
<M> SHA384 and SHA512 digest algorithms
<M> Whirlpool digest algorithms
<M> Tiger digest algorithms
-- DES and Triple DES EDE cipher algorithms
<M> Blowfish cipher algorithm
<M> Twofish cipher algorithm
<M> Serpent cipher algorithm
<M> AES cipher algorithms (i586)
<M> CAST5 (CAST-128) cipher algorithm
<M> CAST6 (CAST-256) cipher algorithm
<M> TEA and XTEA cipher algorithms
<M> ARC4 cipher algorithm
<M> Khazad cipher algorithm
<M> Anubis cipher algorithm
<M> Michael MIC keyed digest algorithm
<M> CRC32c CRC algorithm
<M> Testing module
Hardware crypto devices --->

A few of these options are already selected by default. I would suggest selecting all of the remaining options and choose to compile them as modules. You may at various times need access to any one of these algorithms, but it's rather senseless to compile all of them directly into the kernel. If there is one particular algorithm that you tend to use a lot or exclusively, then you might want to consider compiling that algorithm directly into the kernel.

This is all you really need to do for what we will discuss in this tutorial. However, there is another encryption option available to us, that would probably be a good idea to add also, This option is the md-crypt option, and will be the successor to cryptoloop. There are some good tutorials available for using this function, so before we finish up, lets go ahead and enable this option as well.

Again, choose 'exit' to return to the main screen after you have selected the options mentioned above. Once you return back to the original screen, choose

Device drivers ---> Multi-device support (RAID and LVM) --->

Compile support for Multi-device support (RAID and LVM) directly into the kernel, as well as the 'Device mapper' option below that. Also, compile support for Crypt target support as a module. This is the actual 'md-crypt' option. That's all we need to do there, and we will have md-crypt and device mapper support for later projects.

After you have finished selecting all the options you want to have in your new kernel, exit and save your work. Type in 'make modules' and 'make modules_install'. When this has finished, we will want to copy the new kernel into our 'boot' directory. First make a backup of your existing kernel, your config files and System.map files in the '/boot' directory. Then copy the new kernel over.

#cp /usr/src/linux-2.6.12/arch/i386/boot/bzImage /boot/vmlinuz-2.6.12

Then, copy over your new config file and System.map files

#cp System.map /boot/System.map-2.6.12
#cp .config /boot/config-2.6.12

Next, we will make some symbolic links in the boot directory.

#ln -s System.map-2.6.5 /boot/System.map
#ln -s config-2.6.5 /boot/config
#ln -s vmlinuz vmlinuz-2.6.12

And finally, we will edit /etc/lilo.conf to reflect the new changes. Comment out [or change] the old config section

#image = /boot/vmlinuz-ide-2.4.29
#root = /dev/hda3
#label = Slackware10
#read-only

And add the new configuration

image = /boot/vmlinuz
root = /dev/hda3
label = Slackware10.1
read-only

Next, type in 'lilo' to reload the new configuration and then reboot. If everything works smoothly after a reboot, then you have done a great job! We are ready to proceed. If you have problems with anything, you will have to figure out what you forgot and go back and reconfigure the kernel again, and repeat the same process. Once you have gotten everything on your system running smoothly with the new kernel, we will move on to how we will create the encrypted ISO image that we will burn to a CD.

To create the encrypted ISO, we first start by filling an emtpty ISO image with random data. Make sure that you make the image large enough to hold the contents of the documents directory you wish to encrypt.

#dd if=/dev/urandom of=crypt.iso bs=1M count=650

next, setup the loop device

#losetup -e blowfish /dev/loop1 crypt.iso

Enter your password, again being careful in what you type, as you will not have a chance to verify the password.

Next, we will run mkisofs through the loop device using the documents folder we wish to encrypt

#mkisofs -r -o /dev/loop1 /documents

create a mountpoint for the ISO image.
#mkdir /mnt/crypto

And then mount the image, verifying that you have the correct password

#mount crypt.iso /mnt/crypto -t iso9660 -o loop=/dev/loop1,encryption=blowfish
password:

If all has gone well, you should see your documents listed in unencrypted form in the /mnt/crypto directory

#cd /mnt/crypto
#ls
Doc1
Doc2
etc

You are now ready to burn the ISO image to a CD. Unmount the image, unset the loop device and burn your ISO using cdrecord

#umount /mnt/crypto
#losetup -d /dev/loop1
#cdrecord -v -dev=/dev/hdc -data crypt.iso

Once you have the ISO image burned to the CD, you can then mount it and make sure that everything has gone well.

#mount /dev/hdc /mnt/crypto -t iso9660 -o loop=/dev/loop1,encryption=blowfish
password:

If all has gone well, you should see the encrypted ISO image from the CD listed in unencrypted form in the /mnt/crypto directory.

The CD will not even be mountable without the encryption passphrase. This adds even more security to your CD in addition to the fact that the documents stored on the CD are encrypted. The files stored on the CD in encrypted form will not be copyable without first being mounted, and the CD will not mount without the passphrase. This adds quite a bit of protection for your sensitive files.

This tutorial is licensed under the GNU Free Documentation License and was extracted from my paper entitled "Encrypted partitions, filesystems, ISO images and CD's" located at Rootshell Security
July 3rd, 2005, 11:58 PM
the_JinX

Great stuff on this tutorial, al..

I realy like your site..

But I've noticed an error in a piece of (my own) script in http://www.rootshellsecurity.com/papers/chroot.html
Where it says PARAS="$PARAMETERS $parameter" it should say PARAMETERS="$PARAMETERS $parameter"
It is indeed wrong in my old tutorial but AO won't allow me to fix it (there is a note in the thread linking to an updated version)
The fixed version of the script (and rest of the tutorial) can be found here.

It's nice how you kept my copyright in the script..
But replacing my CC licence (for the origiona tut) with a GNU one is a bit on the edge, it might be nice if you'd link to my tutorial as a source..
July 4th, 2005, 01:06 AM
Dr. Psy

Hey, thanks for catching that. It's most appreciated! Although this is more of a personal matter, (I sent you a PM) since, you posted in the forum, I will also reply here.

As you can see, the page itself was written by me, using your tut as a source. But absolutely, your tut WAS the source of the outline. I would be more than happy to post a copy of your paper, replacing the one I wrote, with full credits to you of course if you would like to submit one.

As far as 'replacing your GPL license' with the GNU documentation License. That was not my intention. Your GPL for the script is on that page. The GNU documentation license was intended for the page in it's entirety.

But like I said, by all means! If you want full credit, I will absolutely give that to you. In fact, I would prefer that you submit your own version where I CAN give you full credit since your tut was the source of the paper.

If all you want is just a link to your post, I can accomodate you there as well. But consider rewriting your tutorial and submitting it. Like I said, I will replace the one I wrote, with the one you wrote, and you will have full credit!

Great tutorial BTW!
July 4th, 2005, 01:16 AM
Dr. Psy

Actually jinx, I just found this url in my apache log

http://www.stumbleupon.com/url/www.r...rs/chroot.html

Stolen??? You have got to be kidding me!

I thought you wrote a great tut, and thought it deserved to be reposted! That was intended to be something gracious in that more people would see it, as well your credit for the script. was posted! not to STEAL it! I coulda swore I read a GPL there. Geezus man. Hey, if you think I stole it, you just let me know, I'll be happy to remove it!
July 4th, 2005, 01:20 AM
Dr. Psy

The papers listed at rootshellsecurity.com were all written by myself. I haven't 'stolen' anyones 'tuts!' lol!

The one exception is the paper on chrooting, which I DID by the way write! Just because I used your tut as a source (which BTW..again...did have a GPL statement) doesnt mean I 'stole' it from you! ESPECIALLY considering I reprinted credit to you!

Why would you say I 'stole' this?

Hell, nevermind. The paper is removed.

If you think I 'STOLE' your paper, then I really apologize. Why? because I do not want to 'STEAL' anyone elses work! If you knew me peronally jinx, you would know that no harm was intended. I absolutely wanted you to have credit for your work, which I DID! Your Name and your GPL stateent! I also gave myself credit for the paper itself becasue I DID write the paper! I definately did not copy and paste your work!

I don't know why you think that I 'STOLE' your work. But if you do, then you absolutely have my apology. As I said, the paper was taken offline.
July 4th, 2005, 01:29 AM
the_JinX

You are right, was a blur of the moment thing..

I've revised it :)

As the message now states it's OK..

I was (am) a bit intoxicated !
July 4th, 2005, 01:31 AM
the_JinX

You don't have to remove the paper..

A tiny little link is OK.. And the GNU free doc licence is compattible with the CC It is under...

I'm sorry if you were shocked by my drunk behavior..
July 4th, 2005, 01:55 AM
Dr. Psy

jinx,

The only thing that bothered me was that I was being made to look like a thief! And that just is not my style! But the way you are handling this since I responded makes me feel a lot better! I'm sure you can understand what I'm saying!

In regards to reposting the paper, like I said..I would really prefer to have you submit your original paper. All the papers that have my name on them, were written solely from within my own head, no parts of which were reprinted from anyone elses work.

You wrote a great tutorial there! And you also have the chroot shell script you wrote. I would love to have your paper posted, but I will leave it up to you if you would like to submit your original paper. That way, it's written from the source and I can give you full credit. And I wont have any papers up that have any reprinted parts!

I appreciate the way you have handled this. Thank you.

Thank you spyder.
July 4th, 2005, 01:59 AM
Spyder32

Moreso Dr.Psy then Jinx (see the other thread this was discussed in), but you guys need to learn the powers of the edit button (again, mostly Dr. Psy). :D
July 4th, 2005, 02:39 AM
Computernerd22

Thank you for the useful information greatly appreciated. CN22

Show 40 post(s) from this thread on one page