Loopback Encrypted Filesystem HOWTO

Author: Ryan T. Rhea, zzrhear@pobox.winthrop.edu
Translator: tchao@worldnet.att.net
v1.1, 29 November 1999
Translation date: 15 January 2000
_________________________________________________________________

This document explains how to set up and use a filesystem that, once mounted by a user, dynamically and transparently encrypts the contents of its files without any special steps on the user's part. The filesystem lives in an ordinary file, which can be hidden or given an inconspicuous name that is likely to be overlooked, giving a high level of security for stored data.
_________________________________________________________________

1. Preface
2. Introduction
3. Summary
4. Details
_________________________________________________________________

1. Preface

Building this filesystem requires the kernel source code, the ability to compile code, and patience; having a boot disk within reach at all times is strongly recommended. Back up important data before committing it to an encrypted filesystem for long-term storage, because any data kept on a computer can be damaged beyond recovery.

At minimum, completing this setup requires patching the Linux 2.2.9 kernel. The patching procedure is described in the Details section [1]. The kernel source can be downloaded from:

   [2]ftp://ftp.kerneli.org/

The procedure for rebuilding the kernel is covered by the Kernel HOWTO at:

   [3]http://metalab.unc.edu/LDP/HOWTO/

This document may be reproduced in whole or in part, free of charge, under the following conditions:

 * the copyright notice and this permission notice must be included in full in any complete or partial copy;
 * any translation or derivative text of this document must have the author's written approval before distribution;
 * if only part of this document is distributed, the distributed text must include instructions for obtaining the complete version;
 * all source code in this document is covered by the GNU General Public License, which is available by anonymous FTP from:

   [4]ftp://prep.ai.mit.edu/pub/gnu/COPYING/

2. Introduction
This procedure uses "/dev/loop*" (where * is 0-7 on most installations) to mount a loopback filesystem. The same method can be used to store a Linux filesystem, unencrypted, on a non-Linux partition; the LDP site mentioned above has a HOWTO on that subject.

There are many ways to encrypt a file, including XOR, DES, twofish, blowfish, cast128, serpent, MARS, RC6, DFC and IDEA. The job of the "losetup" program is to associate the encrypted file, the filesystem and its password with one another. According to Alexander Kjeldaas, who maintains kerneli.org and the international crypto patches, DES and losetup are currently not compatible, because the two handle parity bits differently. There are presently no plans for Linux to support DES, since the DES cipher is not considered strong enough.

Twofish, blowfish, cast128 and serpent may be used freely, with no licensing restrictions. Other ciphers may carry licensing conditions. Some of the ciphers are candidates for the AES standard; the cipher finally selected will be free for use worldwide.

This document uses serpent, because it is strong, very fast, and freely distributable under the GPL. The serpent documentation states that serpent is a 128-bit block cipher designed by Ross Anderson, Eli Biham and Lars Knudsen. It offers the highest assurance for the user's confidentiality needs, since to date no simple way of breaking it is known. The serpent documentation and source code can be downloaded from:

   [5]http://www.cl.cam.ac.uk/~rja14/serpent.html

This document assumes that the user compiles the cipher directly into the kernel. The cipher can also be built as a module, but that approach is not discussed here. It is simple enough, though: only "/etc/conf.modules" needs editing; see the Kernel HOWTO mentioned above for details.

3. Summary

This procedure involves many steps, which are explained in detail in the Details section [6]. Summarizing the steps first seems a good idea, since Unix and Linux experts may not need the detailed version. The steps are:

 1. Download the latest international crypto patch (the newest version at the time of writing is "patch-int-2.2.10.4"):

    [7]http://ftp.kerneli.org/pub/kerneli/

 2. Patch the kernel.
 3. Run 'config' (or 'menuconfig' or 'xconfig') to configure the 'MakeFile' for the new kernel. The encryption options are not all gathered in one place. First, before any of them can be set, 'Prompt for development and/or incomplete code/drivers' under 'Code Maturity level options' must be enabled. Under 'Crypto options' enable both 'crypto ciphers' and 'serpent'. Serpent is again assumed here, but other ciphers can be tried. It must be pointed out that DES is still incompatible with the system as of 2.2.10.4, and presumably will remain so. Under 'Block Devices' several important options must be selected: 'Loopback device support', 'Use relative block numbers as basis for transfer functions (RECOMMENDED)' and 'General encryption support'. Do not select 'cast 128' or 'twofish' encryption here. Also, do not select any encryption options under the various networking sections. Kernel configuration in general is covered by the LDP documents and is not repeated here.

 4. Compile the new kernel.

 5. Edit '/etc/lilo.conf' to add the new kernel to the configuration file. Run 'lilo -v' to add the kernel to the boot loader.

 6. Download the latest 'util-linux' source code ('util-linux-2.9v' is used here) from:

    [8]ftp://ftp.kernel.org/pub/linux/utils/util-linux/

 7. Unpack the 'util-linux' source.

 8. Apply the appropriate patch from the '/usr/src/linux/Documentation/crypto/' directory.

 9. Read 'INSTALL' carefully. This package contains the source of many system-critical programs (important tools such as 'login', 'passwd' and 'init'). If you do not edit MCONFIG carefully before compiling them, it is best to have a boot disk within reach, because the system can break at any point. Basically, set every 'HAVE_*' to "yes" so that none of the important system programs is replaced. The tools that must be rebuilt are 'mount' and 'losetup', so that they support the new encryption. See the Details section [9] for specifics.

10. Compile and install 'util-linux'.

11. Reboot the computer with the new kernel.

12. Edit '/etc/fstab' to add the mount point, as follows:
    ______________________________________________________________

    /dev/loop0 /mnt/crypt ext2 user,noauto,rw,loop 0 0
    ______________________________________________________________

13. Create the directory that will hold the filesystem, '/mnt/crypt' as above.

14. As a user, create the file that will hold the encrypted filesystem, as follows:

    dd if=/dev/urandom of=/etc/cryptfile bs=1M count=10
15. Run losetup as follows:

    losetup -e serpent /dev/loop0 /etc/cryptfile

    Note: you get only one chance to set the password. The password can be checked with the following command:

    losetup -d /dev/loop0

    This command deactivates the loop device. Then run losetup again to test the password, as follows:

    losetup -e serpent /dev/loop0 /etc/cryptfile

16. Create the ext2 filesystem as follows:

    mkfs -t ext2 /dev/loop0 100000

17. The encrypted filesystem can now be mounted:

    mount -t ext2 /dev/loop0 /mnt/crypt

18. When you have finished working with it, unmount and secure the filesystem as follows:

    umount /dev/loop0
    losetup -d /dev/loop0

4. Details

Kernel patches:

Patching can start from a "2.2.x" kernel. The patches written for the "2.2.x" kernels all carry bugfixes; new features go into the Linux "2.3.x" development kernels. To patch the kernel, first obtain all the patches, then apply them with the following commands:

    cd /usr/src
    gzip -cd patchXX.gz | patch -p0

Repeat this for every patch version xx, applying them in order from the lowest xx to the highest. The default directory for the kernel source is '/usr/src/linux'. If the source lives in another directory, create a symbolic link to it from '/usr/src/linux'.

Setting 'MCONFIG' for compiling 'util-linux':

Below is part of the 'MCONFIG' file as modified for compiling 'util-linux'. The changes are not exactly the same on every system version; what follows is based on RedHat 5.2. The crucial point is not to overwrite important system tools such as 'login', 'getty' or 'passwd'. Some of the important settings are listed below:
______________________________________________________________

CPU=$(shell uname -m | sed s/I.86/intel/)
LOCALEDIR=/usr/share/locale
HAVE_PAM=no
HAVE_SHADOW=yes
HAVE_PASSWD=yes
REQUIRE_PASSWORD=yes
ONLY_LISTED_SHELLS=yes
HAVE_SYSVINIT=yes
HAVE_SYSVINIT_UTILS=yes
HAVE_GETTY=yes
USE_TTY_GROUP=yes
HAVE_RESET=yes
HAVE_SLN=yes
CC=gcc
______________________________________________________________

Suggestions:

Any of the 8 loopback devices, '/dev/loop0' through '/dev/loop7', can be used here. Use a directory with an inconspicuous name as the mount point; a directory with mode 700 inside your home directory is a good choice for the encrypted mount. Likewise keep the encrypted file somewhere inconspicuous; a name such as 'sysfile' or 'config.data' under '/etc' will do, since directories and files with such names rarely attract attention.

The following Perl scripts can be used to mount and unmount the filesystem. Copy them onto the system, make them executable ('chmod u+x'), and put them in a directory on your path.
______________________________________________________________

#!/usr/bin/perl -w
#
# minimal utility to setup loopback encryption filesystem
# Copyright 1999 by Ryan T. Rhea

# attach the encrypted file to the loop device (losetup prompts for the password)
`losetup -e serpent /dev/loop0 /etc/cryptfile`;
# mount it via the /etc/fstab entry for /mnt/crypt
`mount /mnt/crypt`;
______________________________________________________________

Call the script above 'loop'; a single command ('loop') plus the password then sets up the loopback encrypted filesystem.
______________________________________________________________

#!/usr/bin/perl -w
#
# minimal utility to deactivate loopback encryption filesystem
# Copyright 1999 by Ryan T. Rhea

# unmount the mount point from /etc/fstab, then release the loop device
`umount /mnt/crypt`;
`losetup -d /dev/loop0`;
______________________________________________________________

Call this script 'unloop'; from then on, typing 'unloop' immediately stops the filesystem.

References

 1. Section 4, Details (this document)
 2. ftp://ftp.kerneli.org/
 3. http://metalab.unc.edu/LDP/HOWTO/
 4. ftp://prep.ai.mit.edu/pub/gnu/COPYING/
 5. http://www.cl.cam.ac.uk/~rja14/serpent.html
 6. Section 4, Details (this document)
 7. http://ftp.kerneli.org/pub/kerneli/
 8. ftp://ftp.kernel.org/pub/linux/utils/util-linux/
 9. Section 4, Details (this document)
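The mount and unmount sequence above (summary steps 15 to 18 and the 'loop'/'unloop' scripts) runs each command without checking its result, so a mistyped password leaves a wrongly keyed loop device attached, and a failed unmount still detaches the device underneath the mount. The script below is an added example, not part of the HOWTO or of util-linux: it uses the HOWTO's device, file, cipher and mount point, and assumes that 'losetup <device>' exits non-zero when nothing is attached, as documented for util-linux's losetup.

```shell
#!/bin/sh
# cryptloop: bring the HOWTO's encrypted loopback filesystem up or down.
# Added example, not part of the HOWTO. Assumes the layout used above:
# /etc/cryptfile on /dev/loop0, serpent cipher, mounted at /mnt/crypt.
set -u
LOOPDEV=${LOOPDEV:-/dev/loop0}
CRYPTFILE=${CRYPTFILE:-/etc/cryptfile}
MNT=${MNT:-/mnt/crypt}
CIPHER=${CIPHER:-serpent}

# True when something is already attached: 'losetup <device>' exits 0 and
# prints the association only if the device is in use (assumed behaviour).
loop_attached() {
    losetup "$LOOPDEV" >/dev/null 2>&1
}

# Attach, then mount. A mistyped password does not make losetup fail; it
# just yields an unreadable device, so the mount is where the error shows.
# In that case detach again so a wrongly keyed device is not left attached.
loop_up() {
    if loop_attached; then
        echo "$LOOPDEV already in use; refusing to reuse it" >&2
        return 1
    fi
    losetup -e "$CIPHER" "$LOOPDEV" "$CRYPTFILE" || return 1
    if ! mount -t ext2 "$LOOPDEV" "$MNT"; then
        echo "mount failed (wrong password?); detaching $LOOPDEV" >&2
        losetup -d "$LOOPDEV"
        return 1
    fi
}

# Unmount first, then detach. If umount fails (files still open), keep the
# device attached so the mount is never torn down from underneath users.
loop_down() {
    if ! umount "$MNT"; then
        echo "umount $MNT failed; leaving $LOOPDEV attached" >&2
        return 1
    fi
    losetup -d "$LOOPDEV"
}

case "${1:-}" in
    up) loop_up ;;
    down) loop_down ;;
    "") ;;                      # no argument: only define the functions
    *) echo "usage: $0 up|down" >&2; exit 2 ;;
esac
```

Install it as 'cryptloop' on your path and use 'cryptloop up' and 'cryptloop down' in place of 'loop' and 'unloop'; the exit status tells you whether the device is really attached and mounted.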