The CryptoAPI is a kernel-space instruction set which can be used to encrypt nearly any arbitrary piece of data that the kernel manages. It's primarily used to encrypt filesystems and network connections, but through the use of an encrypting loopback device it realistically be used to encrypt anything that can be used with pipes (thus, nearly everything under Linux).
First, you must identify what version your Kernel is. You will also need the source for your kernel. You need to be sure that the source you are using is the source for the kernel you are running. If you are using something like Red Hat then you undoubtedly are running some custom patched kernel and will not be able to just download from the kernel archives what you need (for this reason, I personally just recommend recompiling your entire kernel).
After you identify your kernel version and have the source, you can obtain the CryptoAPI pacthes from here:
Once you've obtained the CryptoAPI source, you should unpack into someplace. For the sake of this document, let's assume you'll unpack it in /usr/src/cryptoapi.
$ cd /usr/src/cryptoapi
$ tar xvzf cryptoapi-0.1.0.tar.gz
Before we can compile any of the ciphers we need to patch our loop driver to support the encryption hooks. There are currently two loop patches distributed with the CryptoAPI. There is the loopiv patch, which includes minimal support needed for the CryptoAPI. And there is also the loop-jari patch which is distributed with loop-AES (which we will look at shortly), it includes support needed for CryptoAPI plus some additional bug fixes. We will be taking the minimalist approach and only worry about one patch, loop-iv(Initialization Vector), which provides the support for what we need. To do this go to the top level directory of the CryptoAPI sources and use the makefile to do the following:
$ make patchkernel KDIR=<kernel source dir> LOOP=iv
After this, you will have to recompile your loop driver (which is what grants us the loopback interface). This may be a bit of a chore if you are only recompiling segments of your kernel.
If you did everything right you should see a few lines go by saying that patches were applied successfully. Now we are ready to compile the cipher modules and install them into your system. We can compile the modules for all the ciphers and the cryptographic loopback plugin and install them without recompiling our kernel with the magic of kernel modules. To compile the modules you simply type:
$ make modules KDIR=<kernel source dir>
Then the CryptoAPI modules will begin to build. After which we need to install the modules in the appropriate kernel modules directory so that the kernel can load them. There is an autoinstall script which puts the modules in the appropriate directory, execute it with:
$ make install_modules
There is one more piece of software (non-kernel) that needs to be compiled before we can use the loopback encryption support. The losetup program, which is a part of the util-linux package, needs a patch to tell the kernel what cipher and key to use for your encrypted devices. There are different solutions for this depending on what Linux distribution you are using. If you are running Debian then the losetup patch is already included in the utillinux package on your system. There are patched rpms available for Redhat systems as well as patches for the source tarball at: http://www.kerneli.org/cryptoapi. SUSE and a few others include this in their base distribution (but not installed by default, so you may have to hunt for them).
Once you have installed a CryptoAPI enabled loop device, you can now use it to encrypt just about anything that can go through the lookback interface. For more information on using it, I would recommend taking a look around the CryptoAPI site: http://www.kerneli.org
But, by way of a very quick example, let's take a look at how we would go about encrypting a file system. Suppose you want to encrypt the partition containing your home directories, /dev/hda7. This means that every piece of information that gets written to that partition will be encrypted: plain text, binary files and even filesystem metadata (things like inode information, file and directory names and so on).
The traditional way to mount such a filesystem, either at boot time, or later on, is with the mount command:
$ mount -t ext2 /dev/hda7 /home
In order to encrypt and mount this filesystem we must have the cryptoloop module loaded into memory:
$ modprobe cryptoloop
Next we need to create the random data file before we actually write data to the system. We can do this using the dd command we've covered before:
This will create a 50 megabyte file named "cryptofile'' in Sam's home directory. Unfortunately this is not a fast procedure and will take good amount of time depending on the speed of your system.
Next, we must load whatever cipher we are using:
$ modprobe cipher-something
And finally, we use losetup to mount this random file like a regular filesystem:
where cipher is the cipher we specified above. You will now be prompted for a password (or a pass-phrase, i.e. longer password, depending upon the algorythm). After this, you can treat this /dev/loop0 like any other partition. You can mkfs it, mount it, and populate it.
The one thing to keep in mind is that, when done, you will need to delink the /dev/loop0 device from the crypted file:
