July 3rd, 2005, 08:40 PM
How to make and burn an encrypted CD under Linux 2.6.x
You will first need to download the latest 2.6 kernel from http://www.kernel.org
Untar the new kernel and copy it to your /usr/src directory. Then cd to /usr/src. You will need to use either 'make gconfig' or 'make menuconfig' to configure the kernel.
In this tutorial, we will use menuconfig for our examples. Type in
You will have to go through and configure the kernel according to your system specifics. I can't do that for you as there are just too many variables. make sure you are familiar with your system specifics, and compile in support for the various components for your system. That is out of the scope of this tutorial, and we will only discuss configuration for encryption support in this paper.
The first thing we will want to do, is enable loopback device support. This option is located under
Device Drivers ---> Block Devices---> Loopback device support.
There are two options here. We can either compile this support directly into the kernel or compile it as a module (as will be the case for each of our options) Do whichever you feel more comfortable with. Remember that if you compile these options as modules, you will either need to edit /etc/rc.d/rc.modules to load the modules on boot or load them manually with modprobe. For loopback support, I would suggest compiling support directly into the kernel, but the choice is yours. If you want to compile loopback support directly into the kernel, then scroll down to loopback support and enter 'y'. If you want to compile it as a module, type in 'm'
Right below loopback support is the option for Cryptoloop support. I suggest compiling support for cryptoloop as a module. But again, you can you compile it directly into the kernel if you choose.
Next, we need to enable our encryption algorithms. Choose 'Exit' to revert back to the former screen and exit that screen as well to return to the original screen. scroll down to 'Cryptographic options' and press 'enter'. You will be presented with the following options
--- Cryptographic API
--- HMAC support
<M > Null algorithms
<M> MD4 digest algorithm
--- MD5 digest algorithm
--- SHA1 digest algorithm
<M> SHA256 digest algorithm
<M> SHA384 and SHA512 digest algorithms
<M> Whirlpool digest algorithms
<M> Tiger digest algorithms
-- DES and Triple DES EDE cipher algorithms
<M> Blowfish cipher algorithm
<M> Twofish cipher algorithm
<M> Serpent cipher algorithm
<M> AES cipher algorithms (i586)
<M> CAST5 (CAST-128) cipher algorithm
<M> CAST6 (CAST-256) cipher algorithm
<M> TEA and XTEA cipher algorithms
<M> ARC4 cipher algorithm
<M> Khazad cipher algorithm
<M> Anubis cipher algorithm
<M> Michael MIC keyed digest algorithm
<M> CRC32c CRC algorithm
<M> Testing module
Hardware crypto devices --->
A few of these options are already selected by default. I would suggest selecting all of the remaining options and choose to compile them as modules. You may at various times need access to any one of these algorithms, but it's rather senseless to compile all of them directly into the kernel. If there is one particular algorithm that you tend to use a lot or exclusively, then you might want to consider compiling that algorithm directly into the kernel.
This is all you really need to do for what we will discuss in this tutorial. However, there is another encryption option available to us, that would probably be a good idea to add also, This option is the md-crypt option, and will be the successor to cryptoloop. There are some good tutorials available for using this function, so before we finish up, lets go ahead and enable this option as well.
Again, choose 'exit' to return to the main screen after you have selected the options mentioned above. Once you return back to the original screen, choose
Device drivers ---> Multi-device support (RAID and LVM) --->
Compile support for Multi-device support (RAID and LVM) directly into the kernel, as well as the 'Device mapper' option below that. Also, compile support for Crypt target support as a module. This is the actual 'md-crypt' option. That's all we need to do there, and we will have md-crypt and device mapper support for later projects.
After you have finished selecting all the options you want to have in your new kernel, exit and save your work. Type in 'make modules' and 'make modules_install'. When this has finished, we will want to copy the new kernel into our 'boot' directory. First make a backup of your existing kernel, your config files and System.map files in the '/boot' directory. Then copy the new kernel over.
#cp /usr/src/linux-2.6.12/arch/i386/boot/bzImage /boot/vmlinuz-2.6.12
Then, copy over your new config file and System.map files
#cp System.map /boot/System.map-2.6.12
#cp .config /boot/config-2.6.12
Next, we will make some symbolic links in the boot directory.
#ln -s System.map-2.6.5 /boot/System.map
#ln -s config-2.6.5 /boot/config
#ln -s vmlinuz vmlinuz-2.6.12
And finally, we will edit /etc/lilo.conf to reflect the new changes. Comment out [or change] the old config section
#image = /boot/vmlinuz-ide-2.4.29
#root = /dev/hda3
#label = Slackware10
And add the new configuration
image = /boot/vmlinuz
root = /dev/hda3
label = Slackware10.1
Next, type in 'lilo' to reload the new configuration and then reboot. If everything works smoothly after a reboot, then you have done a great job! We are ready to proceed. If you have problems with anything, you will have to figure out what you forgot and go back and reconfigure the kernel again, and repeat the same process. Once you have gotten everything on your system running smoothly with the new kernel, we will move on to how we will create the encrypted ISO image that we will burn to a CD.
To create the encrypted ISO, we first start by filling an emtpty ISO image with random data. Make sure that you make the image large enough to hold the contents of the documents directory you wish to encrypt.
#dd if=/dev/urandom of=crypt.iso bs=1M count=650
next, setup the loop device
#losetup -e blowfish /dev/loop1 crypt.iso
Enter your password, again being careful in what you type, as you will not have a chance to verify the password.
Next, we will run mkisofs through the loop device using the documents folder we wish to encrypt
#mkisofs -r -o /dev/loop1 /documents
create a mountpoint for the ISO image.
And then mount the image, verifying that you have the correct password
#mount crypt.iso /mnt/crypto -t iso9660 -o loop=/dev/loop1,encryption=blowfish
If all has gone well, you should see your documents listed in unencrypted form in the /mnt/crypto directory
You are now ready to burn the ISO image to a CD. Unmount the image, unset the loop device and burn your ISO using cdrecord
#losetup -d /dev/loop1
#cdrecord -v -dev=/dev/hdc -data crypt.iso
Once you have the ISO image burned to the CD, you can then mount it and make sure that everything has gone well.
#mount /dev/hdc /mnt/crypto -t iso9660 -o loop=/dev/loop1,encryption=blowfish
If all has gone well, you should see the encrypted ISO image from the CD listed in unencrypted form in the /mnt/crypto directory.
The CD will not even be mountable without the encryption passphrase. This adds even more security to your CD in addition to the fact that the documents stored on the CD are encrypted. The files stored on the CD in encrypted form will not be copyable without first being mounted, and the CD will not mount without the passphrase. This adds quite a bit of protection for your sensitive files.
This tutorial is licensed under the GNU Free Documentation License and was extracted from my paper entitled "Encrypted partitions, filesystems, ISO images and CD's" located at Rootshell Security