
Thread: How to make and burn an encrypted CD under Linux 2.6.x

  1. #1

    How to make and burn an encrypted CD under Linux 2.6.x

    You will first need to download the latest 2.6 kernel from http://www.kernel.org

    Untar the new kernel and copy it to your /usr/src directory. Then cd to /usr/src. You will need to use either 'make gconfig' or 'make menuconfig' to configure the kernel.

    In this tutorial, we will use menuconfig for our examples. Type in

    #make menuconfig

    You will have to go through and configure the kernel according to your system specifics. I can't do that for you as there are just too many variables. Make sure you are familiar with your system specifics, and compile in support for the various components for your system. That is out of the scope of this tutorial, and we will only discuss configuration for encryption support in this paper.

    The first thing we will want to do, is enable loopback device support. This option is located under

    Device Drivers ---> Block Devices---> Loopback device support.

    There are two options here. We can either compile this support directly into the kernel or compile it as a module (as will be the case for each of our options). Do whichever you feel more comfortable with. Remember that if you compile these options as modules, you will either need to edit /etc/rc.d/rc.modules to load the modules on boot or load them manually with modprobe. For loopback support, I would suggest compiling support directly into the kernel, but the choice is yours. If you want to compile loopback support directly into the kernel, then scroll down to loopback support and enter 'y'. If you want to compile it as a module, type in 'm'.

    Right below loopback support is the option for Cryptoloop support. I suggest compiling support for cryptoloop as a module. But again, you can compile it directly into the kernel if you choose.

    Next, we need to enable our encryption algorithms. Choose 'Exit' to revert back to the former screen and exit that screen as well to return to the original screen. Scroll down to 'Cryptographic options' and press 'enter'. You will be presented with the following options:

    --- Cryptographic API
    --- HMAC support
    <M> Null algorithms
    <M> MD4 digest algorithm
    --- MD5 digest algorithm
    --- SHA1 digest algorithm
    <M> SHA256 digest algorithm
    <M> SHA384 and SHA512 digest algorithms
    <M> Whirlpool digest algorithms
    <M> Tiger digest algorithms
    --- DES and Triple DES EDE cipher algorithms
    <M> Blowfish cipher algorithm
    <M> Twofish cipher algorithm
    <M> Serpent cipher algorithm
    <M> AES cipher algorithms (i586)
    <M> CAST5 (CAST-128) cipher algorithm
    <M> CAST6 (CAST-256) cipher algorithm
    <M> TEA and XTEA cipher algorithms
    <M> ARC4 cipher algorithm
    <M> Khazad cipher algorithm
    <M> Anubis cipher algorithm
    <M> Michael MIC keyed digest algorithm
    <M> CRC32c CRC algorithm
    <M> Testing module
    Hardware crypto devices --->

    A few of these options are already selected by default. I would suggest selecting all of the remaining options and choose to compile them as modules. You may at various times need access to any one of these algorithms, but it's rather senseless to compile all of them directly into the kernel. If there is one particular algorithm that you tend to use a lot or exclusively, then you might want to consider compiling that algorithm directly into the kernel.

    This is all you really need to do for what we will discuss in this tutorial. However, there is another encryption option available to us that would probably be a good idea to add also. This option is the dm-crypt option, and will be the successor to cryptoloop. There are some good tutorials available for using this function, so before we finish up, let's go ahead and enable this option as well.

    Again, choose 'exit' to return to the main screen after you have selected the options mentioned above. Once you return back to the original screen, choose

    Device drivers ---> Multi-device support (RAID and LVM) --->

    Compile support for Multi-device support (RAID and LVM) directly into the kernel, as well as the 'Device mapper' option below that. Also, compile support for Crypt target support as a module. This is the actual 'dm-crypt' option. That's all we need to do there, and we will have dm-crypt and device mapper support for later projects.

    After you have finished selecting all the options you want to have in your new kernel, exit and save your work. Type in 'make modules' and 'make modules_install'. When this has finished, we will want to copy the new kernel into our 'boot' directory. First make a backup of your existing kernel, your config files and System.map files in the '/boot' directory. Then copy the new kernel over.

    #cp /usr/src/linux-2.6.12/arch/i386/boot/bzImage /boot/vmlinuz-2.6.12

    Then, copy over your new config file and System.map files

    #cp System.map /boot/System.map-2.6.12
    #cp .config /boot/config-2.6.12

    Next, we will make some symbolic links in the boot directory.

    #ln -s System.map-2.6.12 /boot/System.map
    #ln -s config-2.6.12 /boot/config
    #ln -s vmlinuz-2.6.12 /boot/vmlinuz

    And finally, we will edit /etc/lilo.conf to reflect the new changes. Comment out [or change] the old config section

    #image = /boot/vmlinuz-ide-2.4.29
    #root = /dev/hda3
    #label = Slackware10

    And add the new configuration

    image = /boot/vmlinuz
    root = /dev/hda3
    label = Slackware10.1

    Next, type in 'lilo' to reload the new configuration and then reboot. If everything works smoothly after a reboot, then you have done a great job! We are ready to proceed. If you have problems with anything, you will have to figure out what you forgot and go back and reconfigure the kernel again, and repeat the same process. Once you have gotten everything on your system running smoothly with the new kernel, we will move on to how we will create the encrypted ISO image that we will burn to a CD.

    To create the encrypted ISO, we first start by filling an empty ISO image with random data. Make sure that you make the image large enough to hold the contents of the documents directory you wish to encrypt.

    #dd if=/dev/urandom of=crypt.iso bs=1M count=650

    Next, set up the loop device

    #losetup -e blowfish /dev/loop1 crypt.iso

    Enter your password, again being careful in what you type, as you will not have a chance to verify the password.

    Next, we will run mkisofs through the loop device using the documents folder we wish to encrypt

    #mkisofs -r -o /dev/loop1 /documents

    Create a mountpoint for the ISO image.
    #mkdir /mnt/crypto

    And then mount the image, verifying that you have the correct password

    #mount crypt.iso /mnt/crypto -t iso9660 -o loop=/dev/loop1,encryption=blowfish

    If all has gone well, you should see your documents listed in unencrypted form in the /mnt/crypto directory

    #cd /mnt/crypto

    You are now ready to burn the ISO image to a CD. Unmount the image, unset the loop device and burn your ISO using cdrecord

    #umount /mnt/crypto
    #losetup -d /dev/loop1
    #cdrecord -v -dev=/dev/hdc -data crypt.iso

    Once you have the ISO image burned to the CD, you can then mount it and make sure that everything has gone well.

    #mount /dev/hdc /mnt/crypto -t iso9660 -o loop=/dev/loop1,encryption=blowfish

    If all has gone well, you should see the encrypted ISO image from the CD listed in unencrypted form in the /mnt/crypto directory.

    The CD will not even be mountable without the encryption passphrase. This adds even more security to your CD in addition to the fact that the documents stored on the CD are encrypted. The files stored on the CD in encrypted form will not be copyable without first being mounted, and the CD will not mount without the passphrase. This adds quite a bit of protection for your sensitive files.

    This tutorial is licensed under the GNU Free Documentation License and was extracted from my paper entitled "Encrypted partitions, filesystems, ISO images and CD's" located at Rootshell Security
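
An added example, not part of the original post: a pre-reboot check that a kernel .config has the loop, cryptoloop, Blowfish and device-mapper options the tutorial enables, and which of them were built as modules and so need modprobe or an rc.modules entry. The CONFIG_ symbols are the standard Kconfig names for those menu entries, and the sample .config is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): pre-reboot check of a kernel .config.
# The symbols are the standard Kconfig names for the menu entries the post enables.
REQUIRED_OPTS="CONFIG_BLK_DEV_LOOP CONFIG_BLK_DEV_CRYPTOLOOP CONFIG_CRYPTO_BLOWFISH
CONFIG_MD CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT"

# opt_state FILE SYMBOL -> prints y, m, or unset
opt_state() {
    val=$(sed -n "s/^$2=\([ym]\)[[:space:]]*\$/\1/p" "$1" | tail -n 1)
    echo "${val:-unset}"
}

# opts_in_state FILE STATE -> prints required symbols in that state, space separated
opts_in_state() {
    found=""
    for opt in $REQUIRED_OPTS; do
        if [ "$(opt_state "$1" "$opt")" = "$2" ]; then
            found="${found:+$found }$opt"
        fi
    done
    echo "$found"
}

# check_crypto_config FILE -> status 0 only when nothing required is unset
check_crypto_config() {
    [ -z "$(opts_in_state "$1" unset)" ]
}

# write_sample_config FILE -> constructed .config fragment; Blowfish left off on purpose
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_BLK_DEV_LOOP=y
CONFIG_BLK_DEV_CRYPTOLOOP=m
# CONFIG_CRYPTO_BLOWFISH is not set
CONFIG_MD=y
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=m
EOF
}

cfg=$(mktemp)
write_sample_config "$cfg"
if ! check_crypto_config "$cfg"; then
    echo "not enabled: $(opts_in_state "$cfg" unset)"
fi
echo "modules to modprobe or list in rc.modules: $(opts_in_state "$cfg" m)"
rm -f "$cfg"
```

Point check_crypto_config at the real .config in the kernel source directory before running 'make modules_install'; a missing Blowfish entry is what later makes 'losetup -e blowfish' fail.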

  2. #2
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Beverwijk Netherlands
    Great stuff on this tutorial, al..

    I really like your site..

    But I've noticed an error in a piece of (my own) script in http://www.rootshellsecurity.com/papers/chroot.html
    Where it says PARAS="$PARAMETERS $parameter" it should say PARAMETERS="$PARAMETERS $parameter"
    It is indeed wrong in my old tutorial but AO won't allow me to fix it (there is a note in the thread linking to an updated version)
    The fixed version of the script (and rest of the tutorial) can be found here.

    It's nice how you kept my copyright in the script..
    But replacing my CC licence (for the original tut) with a GNU one is a bit on the edge, it might be nice if you'd link to my tutorial as a source..
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  3. #3
    Hey, thanks for catching that. It's most appreciated! Although this is more of a personal matter, (I sent you a PM) since, you posted in the forum, I will also reply here.

    As you can see, the page itself was written by me, using your tut as a source. But absolutely, your tut WAS the source of the outline. I would be more than happy to post a copy of your paper, replacing the one I wrote, with full credits to you of course if you would like to submit one.

    As far as 'replacing your GPL license' with the GNU documentation License. That was not my intention. Your GPL for the script is on that page. The GNU documentation license was intended for the page in its entirety.

    But like I said, by all means! If you want full credit, I will absolutely give that to you. In fact, I would prefer that you submit your own version where I CAN give you full credit since your tut was the source of the paper.

    If all you want is just a link to your post, I can accommodate you there as well. But consider rewriting your tutorial and submitting it. Like I said, I will replace the one I wrote, with the one you wrote, and you will have full credit!

    Great tutorial BTW!

  4. #4
    Actually jinx, I just found this url in my apache log


    Stolen??? You have got to be kidding me!

    I thought you wrote a great tut, and thought it deserved to be reposted! That was intended to be something gracious in that more people would see it, as well as your credit for the script, which was posted! Not to STEAL it! I coulda swore I read a GPL there. Geezus man. Hey, if you think I stole it, you just let me know, I'll be happy to remove it!

  5. #5
    The papers listed at rootshellsecurity.com were all written by myself. I haven't 'stolen' anyone's 'tuts!' lol!

    The one exception is the paper on chrooting, which I DID by the way write! Just because I used your tut as a source (which BTW..again...did have a GPL statement) doesn't mean I 'stole' it from you! ESPECIALLY considering I reprinted credit to you!

    Why would you say I 'stole' this?

    Hell, nevermind. The paper is removed.

    If you think I 'STOLE' your paper, then I really apologize. Why? Because I do not want to 'STEAL' anyone else's work! If you knew me personally jinx, you would know that no harm was intended. I absolutely wanted you to have credit for your work, which I DID! Your Name and your GPL statement! I also gave myself credit for the paper itself because I DID write the paper! I definitely did not copy and paste your work!

    I don't know why you think that I 'STOLE' your work. But if you do, then you absolutely have my apology. As I said, the paper was taken offline.

  6. #6
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Beverwijk Netherlands
    You are right, was a blur of the moment thing..

    I've revised it

    As the message now states it's OK..

    I was (am) a bit intoxicated !

  7. #7
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Beverwijk Netherlands
    You don't have to remove the paper..

    A tiny little link is OK.. And the GNU free doc licence is compatible with the CC it is under...

    I'm sorry if you were shocked by my drunk behavior..

  8. #8

    The only thing that bothered me was that I was being made to look like a thief! And that just is not my style! But the way you are handling this since I responded makes me feel a lot better! I'm sure you can understand what I'm saying!

    In regards to reposting the paper, like I said..I would really prefer to have you submit your original paper. All the papers that have my name on them, were written solely from within my own head, no parts of which were reprinted from anyone else's work.

    You wrote a great tutorial there! And you also have the chroot shell script you wrote. I would love to have your paper posted, but I will leave it up to you if you would like to submit your original paper. That way, it's written from the source and I can give you full credit. And I won't have any papers up that have any reprinted parts!

    I appreciate the way you have handled this. Thank you.

    Thank you spyder.

  9. #9
    Senior Member
    Join Date
    Oct 2002
    More so Dr.Psy than Jinx (see the other thread this was discussed in), but you guys need to learn the powers of the edit button (again, mostly Dr. Psy).
    Space For Rent.. =]

  10. #10
    AO's MMA Fanatic! Computernerd22's Avatar
    Join Date
    Mar 2003
    Miami, FL
    Thank you for the useful information greatly appreciated. CN22
