# CryptoAPI - Is there a better way ?

## Guest

Hello,

I was very pleased to see that gentoo has a cryptoAPI package in its tree. So I emerged the whole thing and it compiled wonderfully.

The setup of the loop devices (one plain HD partition and one image file) and the formatting with xfs and ext3 went fine too. But mounting the loop devices failed (block and filesystem errors).

After that I manually untarred the package and found the configure option --enable-iv-mode-sector, which switches the IV calculation of the loop device to a fixed 512 byte block size.

To make this work, the kernel loop driver has to be patched too, which I did manually using the patch in /usr/doc/cryptoapi-2.4.7.0/.

After that I recompiled all cryptoapi modules and now everything seems to work fine (still testing though).

My question is:

Does it have to be this way, or was my solution the silliest and most complicated method available? How did this work for you?

Best regards

Martin

----------

## zerogeny

what exactly does cryptoapi do?

----------

## vicay

 *zerogeny wrote:*   

> what exactly does cryptoapi do?

 

It's a set of kernel drivers which apply a layer of cryptographic functions to the "normal" loopback block device driver.

A typical use for the loopback device is mounting of image files. First you create an image of a CD-ROM or floppy:

```
# dd if=/dev/cdrom of=/path/to/imagefile
```

After that you can set up a loopback device which is connected to the image file:

```
# losetup /dev/loop0 /path/to/imagefile
```

Now you can mount the loop device and access it like the real CD-ROM:

```
# mount -t iso9660 /dev/loop0 /path/to/mountpoint
```

The CryptoAPI uses block cipher algorithms to encrypt all data before it is written to the loop device container (and to decrypt it after it is read from the container). If you want to use the API you won't take an image file from a real CD-ROM etc.; you have to create a container manually. If you want a 2 GB crypto filesystem you first create a 2 GB large container file:

```
# dd if=/dev/urandom of=/path/to/image bs=1024 count=2097152
```

Now you have a 2 GB large file prefilled with quasi-random values. After that you connect the loop device with the image file:

```
# losetup -e aes -k 256 -P sha512 /dev/loop0 /path/to/image
Password:
```

You will be prompted for a password. (You should never forget that password, it will not be saved anywhere but in your head.)

In the example above we will use the AES cipher with a key size of 256 bits. Your password is hashed via the sha512 algorithm. The generated hash results in the key which is used by the AES cipher.

Next you have to create a filesystem the same way you do it with a new hard disk partition:

```
# mkfs.XYZ /dev/loop0
```

Now you can mount the filesystem:

```
# mount -t XYZ /dev/loop0 /path/to/mountpoint
```

When you write files into /path/to/mountpoint, they will be encrypted and stored in the corresponding image file. If someone looks at the image file directly he sees nothing but garbage...

If you don't want to use image files, you can take whole partitions too and attach them to a cryptoloop:

```
# losetup -e aes -k 256 -P sha512 /dev/loop0 /dev/hdxX
```

....

Best Regards 

vicay

----------

## manjit

vicay,

thanks for the easy-to-follow explanation on how CryptoAPI works!

----------

## zerogeny

thanks for that.

needs a patch to the gentoo-sources, doesn't it?

might try a full encrypted filesystem when/if i format.

----------

## vicay

 *zerogeny wrote:*   

> thanks for that.
> 
> needs a patch to the gentoo-sources, doesn't it?
> 
> might try a full encrypted filesystem when/if i format.

 

Hello,

when I tried the cryptoAPI (look at the first post - I posted as guest) I had to patch the kernel manually with the loop-iv-patch and did a manual ./configure of the package instead of using the ebuild, because the --enable-iv-mode-sector switch wasn't used for the configure script. It only worked for me that way (as stated above).

But that was one day before the whole bunch of new kernel flavours appeared in the portage tree - I haven't tried yet whether the new kernel sources still need the manual patching.

I still hope that there is a better way to set up this crypto stuff.

Best regards 

vicay

----------

## manjit

Hi,

You will not need to patch the newer kernel.  All I had to do was emerge cryptoapi and then load the module.  Everything else magically worked.  Portage is a great system!

----------

## Guest

mmm crypto...

must set it up when i have the time

----------

## Guest

do i need to format an existing partition to have it encrypted, or will it allow me just to add it to the loop thang?

----------

## vicay

 *Anonymous wrote:*   

> do i need to format an existing partition to have it encrypted, or will it allow me just to add it to the loop thang?

 

Hello,

if you want to use an existing partition you don't need to format the partition before attaching the cryptoloop device.

However, especially on new, unused partitions it seems to be a nice idea to overwrite the whole partition with random values before attaching the cryptoloop:

```
# dd if=/dev/urandom of=/dev/hdxX
# losetup -e <cipher> -k <keysize> -P <hash> /dev/loopx /dev/hdxX
```

AFTER the attachment, you have to format the loop device (not the partition) with a filesystem of your choice...

```
# mkfs.xfs [...options] /dev/loopx
```

Best regards

vicay
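The setup sequence vicay describes in his two posts above (random prefill, `losetup -e`, then mkfs and mount on the loop device rather than the backing partition) as one script. This is an added example, not code from the thread or from the cryptoapi package: the loop device, mountpoint and filesystem names are placeholders, the cipher/keysize/hash defaults are the `-e aes -k 256 -P sha512` values quoted in the thread, and the commands that need root and a cryptoloop-capable kernel (`losetup -e`, mkfs, mount) are only echoed unless `DRY_RUN=0`, so the script can be read and exercised without either. The prefill uses 4 KiB reads from /dev/urandom because large single reads from it can come back short on some kernels, which would leave the container smaller than requested.

```shell
#!/bin/sh
# Added example (not from the thread): wraps the cryptoloop setup steps
# for an image-file container or a whole partition. Privileged commands
# are echoed instead of executed while DRY_RUN=1 (the default).

DRY_RUN="${DRY_RUN:-1}"

# run_priv CMD... : execute, or in dry-run mode just print, a command
# that needs root and a kernel with the cryptoloop modules loaded.
run_priv() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '[dry-run] %s\n' "$*"
    else
        "$@"
    fi
}

# container_bytes SIZE_MIB : size in bytes of a SIZE_MIB MiB container.
container_bytes() {
    echo $(( $1 * 1024 * 1024 ))
}

# container_create PATH SIZE_MIB : create PATH and prefill it from
# /dev/urandom so an observer cannot tell used blocks from unused ones.
# Refuses to overwrite an existing file so a live container is not
# destroyed by a typo. 4096-byte reads from urandom are never short,
# so the file ends up exactly SIZE_MIB * 256 blocks long. The file is
# created with mode 0600 (umask 077) to keep the ciphertext private.
container_create() {
    path="$1"; size_mib="$2"
    if [ -e "$path" ]; then
        echo "refusing to overwrite existing $path" >&2
        return 1
    fi
    ( umask 077 && dd if=/dev/urandom of="$path" bs=4096 \
        count=$(( size_mib * 256 )) 2>/dev/null )
}

# cryptoloop_attach LOOPDEV BACKING [CIPHER KEYBITS HASH] : attach the
# container or partition to a cryptoloop. losetup -e will ask for the
# passphrase interactively; it is hashed with HASH to form the cipher key.
# A partition that is currently mounted is refused: attaching it would
# sit a cipher layer under a live filesystem.
cryptoloop_attach() {
    loopdev="$1"; backing="$2"
    cipher="${3:-aes}"; keybits="${4:-256}"; hash="${5:-sha512}"
    if [ -b "$backing" ] && grep -q "^$backing " /proc/mounts 2>/dev/null; then
        echo "$backing is mounted; unmount it first" >&2
        return 1
    fi
    run_priv losetup -e "$cipher" -k "$keybits" -P "$hash" "$loopdev" "$backing"
}

# cryptoloop_format_mount LOOPDEV FSTYPE MOUNTPOINT : the filesystem is
# created on the loop device, never on the backing file or partition;
# writing mkfs to the partition directly would bypass the cipher.
cryptoloop_format_mount() {
    loopdev="$1"; fstype="$2"; mnt="$3"
    run_priv "mkfs.$fstype" "$loopdev" && run_priv mount -t "$fstype" "$loopdev" "$mnt"
}
```

Typical use, after sourcing the script as root with `DRY_RUN=0`: `container_create /path/to/image 2048`, then `cryptoloop_attach /dev/loop0 /path/to/image`, then `cryptoloop_format_mount /dev/loop0 xfs /path/to/mountpoint`. For a partition, skip `container_create` and run `dd if=/dev/urandom of=/dev/hdxX` by hand first, since the script deliberately never writes to a block device on its own.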

----------

## zerogeny

one more thing.

i read about some problems with cryptoapi concerning file corruption...

do i have to do anything special with the current gentoo-sources?

and is linuxutils already patched?

and what 128bit cipher to use?

----------

