Changes between Version 81 and Version 82 of doc/OperationalSecurity


Ignore:
Timestamp:
Mar 5, 2018, 1:04:40 PM (7 months ago)
Author:
cypherpunks
Comment:

remove old loopaes linux 2.4 information, note about linux 2.6 also being EOL

Legend:

Unmodified
Added
Removed
Modified
  • doc/OperationalSecurity

    v81 v82  
    1111'''Linux'''
    1212
    13 '''2.6+ kernels'''
     13~~'''2.6+ kernels''' ~~
     14
     15Note: The instructions below reference Linux 2.6. As of March 2018, you the minimum version of Linux which still receives security updates is 3.2 and the current version is 4.15. These instructions may or may not still apply to present day Debian systems. Please do not run a Tor relay on Linux 2.6 or any other EOL'd kernel!
     16
     17FIXME: could someone confirm that these instructions are still correct?
    1418
    1519On Debian, running at least a 2.6.4 kernel, you can encrypt swap using the [https://packages.debian.org/search?keywords=cryptsetup cryptsetup] package.
     
    4650}}}
    4751
    48 '''2.4 kernels'''
    49 
    50 For 2.4 kernels you either need the [http://loop-aes.sourceforge.net/ loop-AES] or the [http://www.kernel.org/pub/linux/kernel/crypto/v2.4/testing/ Cryptoloop] patch. A forward port of the Cryptoloop patch is available [http://www.northernsecurity.net/download/patch-cryptoloop-jari-2.4.27.0 here].
    51 
    52 When compiling the kernel for cryptoloop include CONFIG_BLK_DEV_CRYPTOLOOP=y and the ciphers you want to support. For loop-aes only CONFIG_BLK_DEV_LOOP=y is necessary once the kernel has been patched.
    53 
    54 Loop-AES on systems with VIA Padlock can use the hardware AES acceleration by building with the following arguments:
    55 
    56 {{{
    57 make PADLOCK=y KEYSCRUB=y
    58 }}}
    59 Sample script to encrypt swap and /tmp. It encrypts /dev/hda2 (swap) and /dev/hda5 (/tmp) with AES. If you want a more complex setup (random ciphers etc) check out [http://www.northernsecurity.net/download/encswap.tar.gz EncSwap].
    60 
    61 {{{
    62 #!/bin/sh
    63 pw(){
    64          dd if=/dev/urandom bs=1 count=256 2> /dev/null \
    65                   | head -n 2 | tail -n 1 | tr [+/=] 0-9
    66 }
    67 
    68 echo -n "Building encrypted swap-device... "
    69 swapoff /dev/loop1
    70 losetup -d /dev/loop1
    71 
    72 pw | losetup -e aes -k 256 -p 0 /dev/loop1 /dev/hda2
    73 mkswap /dev/loop1
    74 swapon -p 1 /dev/loop1
    75 
    76 echo -n "Building encrypted /tmp ... "
    77 umount /dev/loop3
    78 losetup -d /dev/loop3
    79 
    80 pw | losetup -e aes -k 256 -p 0 /dev/loop3 /dev/hda5
    81 mkfs -t ext2 /dev/loop3
    82 mount -o nosuid,nodev -t ext2 /dev/loop3 /tmp
    83 chmod 1777 /tmp
    84 }}}
    85 More details: [http://www.tldp.org/HOWTO/Cryptoloop-HOWTO/ Cryptoloop-HOWTO]
    86 
    87 After you compiled support for [http://www.saout.de/misc/dm-crypt/ DM-CRYPT] (Under Device Drivers---> Multi-Device Support (RAID and LVM)---> CONFIG_BLK_DEV_DM=y CONFIG_DM_CRYPT=y) and the ciphers you want to support add the following to /etc/crypttab
    88 
    89 {{{
    90 # <target device> <source device> <key file> <options>
    91 swap                    /dev/hda2 /dev/urandom swap
    92 tmp                     /dev/hda5 /dev/urandom tmp
    93 }}}
    94 where /dec/hda2 is your swap-device and /dev/hda5 is /tmp.
    95 
    96 Your fstab should look like this:
    97 
    98 {{{
    99 /dev/mapper/tmp /tmp            ext2    defaults        0       2
    100 /dev/mapper/swap none           swap    sw              0       0
    101 }}}
    102 Note ext2 on /tmp.
    103 
    104 Reboot. You should see something like
    105 
    106 {{{
    107 Adding 104412k swap on /dev/mapper/swap.  Priority:1 extents:1
    108 }}}
    109 /proc/swaps should include
    110 
    111 {{{
    112 /dev/mapper/swap                        partition       104412  0       1
    113 }}}
    114 Verify with `dmsetup table --showkeys`
    115 
    116 {{{
    117 tmp: 0 979902 crypt aes-cbc-plain 9840530abe44eb49826aaaaaaaa4809e688a01f6a1c1cebc6caaaa6b2a4ad97d4 0 3:5 0
    118 swap: 0 1959930 crypt aes-cbc-plain 3c2bbd7e5e500bca957a8dcb88754aaaaaa34986541aeaaafe3daa1542c3389e9 0 3:2 0
    119 }}}
    12052'''FreeBSD'''
    12153