Linux Format forums Forum Index Linux Format forums
Help, discussion, magazine feedback and more
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

HDD encryption, expert guru help needed.

 
Post new topic   Reply to topic    Linux Format forums Forum Index -> Help!
View previous topic :: View next topic  
Author Message
complication
Guest





PostPosted: Sat Apr 23, 2005 8:43 am    Post subject: HDD encryption, expert guru help needed. Reply with quote

Alrighty, I have a lot to say, but not a great deal of time, so Im going to get right to it.
A while ago I purchased 3 external maxtor 200 gig usb2 hdd's. I have them set up in a raid array, which is encrypted on 2 levels.

This is how it works,
Each disk is individually encrypted at the io level, then the 3 disks are mapped into a raid0 partition, which is again fed through dmcrypt to produce the final partition which I can format and mount as such.

WHY ?
Because I dont trust AES, or any one cipher. AES is especially suspect, because like the now broken DES the NSA are reccomending it, and because it uses a very questionable algebra system. Clearly they want a breakable cipher, that only they can crack, no perhaps not today, but within 10 years.
Of the remaining 4 candidates I most prefer serpent. AES , anubis and twofish are my io level choices, and the final raid partition is mapped with serpent.

Does it work at an acceptable speed ?
YES.
The raid0 increases the bandwidth all things considered and the algorythms were designed with limited resources in mind. I have 600 gig, as fast (auctually faster) than any HDD. The encryption is operative as far as I can tell, and my centrino 1.6 cpu jumps when I move data on to it. It works. Well.
It should also be noted that I have a gig of ram.

Here is the script I use......

#! /bin/sh

# CYRAX-REF

devlabel add -u S:IBMMemoryKey -s /dev/key
devlabel add -u S80:uniquenumberishereMaxtorOneTouchII -s /dev/exar0
devlabel add -u S80:uniquenumberishereMaxtorOneTouchII -s /dev/exar1
devlabel add -u S80:uniquenumberishereMaxtorOneTouchII -s /dev/exar2
devlabel start

umount /mnt/key
mkfs /dev/key
mount /dev/key /mnt/key

dd if=/dev/urandom of=/mnt/key/cyrax-0 bs=1c count=32
dd if=/dev/urandom of=/mnt/key/cyrax-1 bs=1c count=40
dd if=/dev/urandom of=/mnt/key/cyrax-2 bs=1c count=32
dd if=/dev/urandom of=/mnt/key/lucifer bs=1c count=32

umount /mnt/lucifer
dmsetup remove lucifer
mdadm -S /dev/md1
rm /dev/md1
dmsetup remove cyrax-0
dmsetup remove cyrax-1
dmsetup remove cyrax-2

cryptsetup.sh -c anubis-cbc-essiv:sha256 -s 40 -d /mnt/key/cyrax-0 create cyrax-0 /dev/exar0
cryptsetup.sh -c aes-cbc-essiv:sha256 -s 32 -d /mnt/key/cyrax-1 create cyrax-1 /dev/exar1
cryptsetup.sh -c twofish-cbc-essiv:sha256 -s 32 -d /mnt/key/cyrax-2 create cyrax-2 /dev/exar2
cryptsetup.sh status cyrax-0
cryptsetup.sh status cyrax-1
cryptsetup.sh status cyrax-2
mdadm -Cv /dev/md1 --auto -l0 -n3 -c32 /dev/mapper/cyrax-0 /dev/mapper/cyrax-1 /dev/mapper/cyrax-2
cryptsetup.sh -c serpent-cbc-essiv:wp256 -s 32 -d /mnt/key/lucifer create lucifer /dev/md1
cryptsetup.sh status lucifer
mkfs.reiserfs -f -q /dev/mapper/lucifer

mount /dev/mapper/lucifer /mnt/lucifer

There are many aspects to this script, and I cannot go through everything. I recompiled my kernel too, with supporting options. I am using Slackware 10. Kernel 2.6.11.7, with grsecurity (high+PAX) and an updated vesa patch.

After this script has generated my partition I use a different script to mount it as follows...

#!/bin/sh

# CYRAX-IO

devlabel add -u S:IBMMemoryKey -s /dev/key
devlabel add -u S80:uniquenumberishereMaxtorOneTouchII -s /dev/exar0
devlabel add -u S80:uniquenumberishereMaxtorOneTouchII -s /dev/exar1
devlabel add -u S80:uniquenumberishereMaxtorOneTouchII -s /dev/exar2
devlabel start

mount /dev/key /mnt/key

cryptsetup.sh -c anubis-cbc-essiv:sha256 -s 40 -d /mnt/key/cyrax-0 create cyrax-0 /dev/exar0
cryptsetup.sh -c aes-cbc-essiv:sha256 -s 32 -d /mnt/key/cyrax-1 create cyrax-1 /dev/exar1
cryptsetup.sh -c twofish-cbc-essiv:sha256 -s 32 -d /mnt/key/cyrax-2 create cyrax-2 /dev/exar2

mdadm -A --auto /dev/md1 /dev/mapper/cyrax-0 /dev/mapper/cyrax-1 /dev/mapper/cyrax-2
cryptsetup.sh -c serpent-cbc-essiv:wp256 -s 32 -d /mnt/key/lucifer create lucifer /dev/md1

mount /dev/mapper/lucifer /mnt/lucifer


I store my keys on a usb key. Later I plan to encrypt them too, with idea over a password.

To answer a few possible questions,

Why not raid 5 ?
Because then only 2 of the disks would have to have their encryption broken. The parity would generate the third.

Why a memory key ?
Erasing data from a hard drive is practically impossible, A memory key is much more difficult for the forensic examiner, if the data has been overwritten. Furthermore I can flush it down the toilet for extra fun.

Why Why Why are you doing this ?
Cause its cool. Like James Bondish. Kinda wish I had something to hide. But hey nobody will auctually know if I do or not, so thats one step closer.


OK you have read this far, now I need your help if your an expert guru.
ReiserFS works just fine, but I was trying other filesystems to see if i could get more speed out of one. XFS crashed my system (amazing it never has happened before) and bfs(?) sucks. Thanks again SCO.

Now I am running a Thinkpad T40p.

Here is my problem. I tried jfs (IBM's contributed super file system) and boy was it fast. UNFORTUNATELY after I rebooted my system, after I formatted using jfs in the first script (the refresh) I was prompted with a bios prompt. Asking for a password. Hmmmmmmm.....

In the IBM bios, the way I have it set up, if you plug in a BOOTABLE external HDD you need to give a password over to allow the system to boot from that.

So what has happened here is that the IBM bios somehow knows there is a jfs file system in my double encrypted raid. Which is in my opinion totally impossible. When I changed file systems, nada.

So my question to anyone not crying of boredom by now is WTF ?

Once again these disk are mapped at the io level, it is NOT possible for this to happen. Consipacy theories ?

By the way nice site. It really took 2 long though.

If anyone is interested in my kernel config I might be willing to let it out... just ask.
Back to top
View previous topic :: View next topic  
Display posts from previous:   
Post new topic   Reply to topic    Linux Format forums Forum Index -> Help! All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Linux Format forums topic RSS feed 


Powered by phpBB © 2001, 2005 phpBB Group


Copyright 2011 Future Publishing, all rights reserved.


Web hosting by UKFast