
Using dm-crypt on OpenWrt

(2014-11-26 22:16:42)
Tags: it

Category: linux

Using dm-crypt on OpenWrt


1. Introduction to dm-crypt:

dm-crypt: a device-mapper crypto target

About

Device-mapper is a new infrastructure in the Linux 2.6 kernel that provides a generic way to create virtual layers of block devices that can do different things on top of real block devices like striping, concatenation, mirroring, snapshotting, etc... The device-mapper is used by the LVM2 and EVMS 2.x tools.
dm-crypt is such a device-mapper target that provides transparent encryption of block devices using the new Linux 2.6 cryptoapi. The user can basically specify one of the symmetric ciphers, a key (of any allowed size), an iv generation mode and then the user can create a new block device in /dev. Writes to this device will be encrypted and reads decrypted. You can mount your filesystem on it as usual. But without the key you can't access your data.
It does basically the same as cryptoloop only that it's a much cleaner code and better suits the need of a block device and has a more flexible configuration interface. The on-disk format is also compatible. In the future you will be able to specify other iv generation modes for enhanced security (you'll have to reencrypt your filesystem though).
 

I've set up a Wiki. There's a mailing list at dm-crypt@saout.de. If you want to subscribe, use the mailman web interface or its archive. Gmane provides a NNTP interface and also a web archive for this mailing list.

2. Configuration in OpenWrt

2.1 OpenWrt does not enable dm-crypt by default. In package/kernel/linux/modules/block.mk, change the KernelPackage/dm definition to the following (the changed lines were marked in red in the original post):

define KernelPackage/dm
  SUBMENU:=$(BLOCK_MENU)
  TITLE:=Device Mapper
  DEPENDS:=+kmod-crypto-manager
  # All the "=n" are unnecessary, they're only there
  # to stop the config from asking the question.
  # MIRROR is M because I've needed it for pvmove.
  KCONFIG:= \
        CONFIG_BLK_DEV_MD=n \
        CONFIG_DM_DEBUG=n \
        CONFIG_DM_UEVENT=n \
        CONFIG_DM_DELAY=n \
        CONFIG_DM_MULTIPATH=n \
        CONFIG_DM_ZERO=n \
        CONFIG_DM_SNAPSHOT=n \
        CONFIG_DM_LOG_USERSPACE=n \
        CONFIG_MD=y \
        CONFIG_BLK_DEV_DM \
        CONFIG_DM_CRYPT \
        CONFIG_DM_MIRROR
  FILES:=$(LINUX_DIR)/drivers/md/dm-*.ko
  AUTOLOAD:=$(call AutoLoad,30,dm-mod dm-log dm-region-hash dm-mirror dm-crypt)
endef

 

Check that crypto.mk contains the following:

define KernelPackage/crypto-xts
  TITLE:=XTS cipher CryptoAPI module
  DEPENDS:=+kmod-crypto-manager
  KCONFIG:= \
        CONFIG_CRYPTO_GF128MUL \
        CONFIG_CRYPTO_XTS
  FILES:= \
        $(LINUX_DIR)/crypto/xts.ko \
        $(LINUX_DIR)/crypto/gf128mul.ko
  AUTOLOAD:=$(call AutoLoad,09, \
        gf128mul \
        xts \
  )
  $(call AddDepends/crypto)
endef


2.2 Configuring Kernel modules in make menuconfig

Settings under Block Devices --->

< > kmod-aoe....................................... ATA over Ethernet support
< > kmod-ata-core............................ Serial and Parallel ATA support
<*> kmod-block2mtd................................ Block device MTD emulation
-*- kmod-dm.................................................... Device Mapper
< > kmod-ide-core............................. IDE (ATA/ATAPI) device support
<*> kmod-loop........................................ Loopback device support
< > kmod-md-mod...................................................... MD RAID
< > kmod-nbd.................................... Network block device support
< > kmod-scsi-cdrom....................... Kernel support for CD / DVD drives
-*- kmod-scsi-core....................................... SCSI device support
< > kmod-scsi-generic........................ Kernel support for SCSI generic

Note the entry marked in red in the original: kmod-dm, the device mapper support.

The loop module is needed so that a file can be attached to a loop device.

 

Settings under Cryptographic API modules --->

kmod-crypto-aes.............................. AES cipher CryptoAPI module
< > kmod-crypto-arc4...................... ARC4 (RC4) cipher CryptoAPI module
< > kmod-crypto-authenc...................... Combined mode wrapper for IPsec
< > kmod-crypto-cbc................... Cipher Block Chaining CryptoAPI module
-*- kmod-crypto-core.................................. Core CryptoAPI modules
< > kmod-crypto-crc32c..................................... CRC32c CRC module
< > kmod-crypto-deflate................. Deflate compression CryptoAPI module
< > kmod-crypto-des......................... DES/3DES cipher CryptoAPI module
< > kmod-crypto-ecb..................... Electronic CodeBook CryptoAPI module
< > kmod-crypto-fcrypt........................ FCRYPT cipher CryptoAPI module
-*- kmod-crypto-hash.................................. CryptoAPI hash support
< > kmod-crypto-hmac............................ HMAC digest CryptoAPI module
< > kmod-crypto-hw-geode.................... AMD Geode hardware crypto module
< > kmod-crypto-hw-hifn-795x.................... HIFN 795x crypto accelerator
< > kmod-crypto-hw-padlock..... VIA PadLock ACE with AES/SHA hw crypto module
< > kmod-crypto-hw-talitos. Freescale integrated security engine (SEC) driver
kmod-crypto-iv.......................... CryptoAPI initialization vectors
-*- kmod-crypto-manager.......................... CryptoAPI algorithm manager
< > kmod-crypto-md4.............................. MD4 digest CryptoAPI module
< > kmod-crypto-md5.............................. MD5 digest CryptoAPI module
< > kmod-crypto-michael-mic........ Michael MIC keyed digest CryptoAPI module
< > kmod-crypto-misc................................. Other CryptoAPI modules
< > kmod-crypto-null................................... Null CryptoAPI module
< > kmod-crypto-ocf.............................................. OCF modules
< > kmod-crypto-pcbc...... Propagating Cipher Block Chaining CryptoAPI module
-*- kmod-crypto-pcompress....... CryptoAPI Partial (de)compression operations
< > kmod-crypto-rng....................... CryptoAPI random number generation
< > kmod-crypto-sha1............................ SHA1 digest CryptoAPI module
< > kmod-crypto-sha256................. SHA224 SHA256 digest CryptoAPI module
< > kmod-crypto-test................................... Test CryptoAPI module
< > kmod-crypto-user........................... CryptoAPI userspace interface
< > kmod-crypto-wq............................. CryptoAPI work queue handling
kmod-crypto-xts.............................. XTS cipher CryptoAPI module
< > kmod-cryptodev..................... Driver for cryptographic acceleration

These build the encryption modules.

 

Settings under Filesystems --->: enable ext4, which we need.

 

Settings under Native Language Support --->:

-*- kmod-nls-base

<*> kmod-nls-cp437

<*> kmod-nls-utf8

 

Settings under Libraries --->

{M} libgcrypt............................................. GNU crypto library
< > libgd............................................ The GD graphics library
< > libgee.................................. GObject based collection library
{M} libgpg-error......................... GnuPG error handling helper library

 

Settings under Utilities --->

cryptsetup

losetup
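As an added example (not from the original post), a small shell check that an OpenWrt build .config contains every package section 2 enables. The package list is drawn from the menuconfig entries above and the runtime list in section 3.2; that .config records them as CONFIG_PACKAGE_<name>=y or =m is an assumption of this script.

```shell
#!/bin/sh
# Added example, not from the original post: verify that an OpenWrt .config
# enables the packages needed for dm-crypt as described in section 2.
# Assumption: .config lists packages as CONFIG_PACKAGE_<name>=y (built in)
# or =m (module). kmod-crypto-cbc is included because cbc.ko is needed at
# runtime (section 3.2) even though the menuconfig listing leaves it unset.
REQUIRED="kmod-dm kmod-loop kmod-fs-ext4
kmod-crypto-aes kmod-crypto-cbc kmod-crypto-iv kmod-crypto-xts
kmod-nls-base kmod-nls-cp437 kmod-nls-utf8
libgcrypt libgpg-error cryptsetup losetup"

# Print every required package that is not enabled in the given .config.
# Returns 0 when nothing is missing, 1 otherwise.
missing_packages() {
    _cfg=$1; _rc=0
    for _p in $REQUIRED; do
        if ! grep -q "^CONFIG_PACKAGE_${_p}=[ym]\$" "$_cfg"; then
            printf '%s\n' "$_p"; _rc=1
        fi
    done
    return $_rc
}

if [ -n "${1:-}" ]; then
    missing_packages "$1" && echo "all dm-crypt packages are enabled in $1"
fi
```

Run it as `sh check.sh /path/to/openwrt/.config`; every name it prints still has to be selected in make menuconfig.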


3. How to use it

3.1 Steps on Ubuntu

Create the encrypted partition on Ubuntu so that it can be mounted directly on the board.

We create a 300 MB file:

dd if=/dev/zero of=cryptsetup.img bs=1M count=300

 

Attach it to loop1:

losetup /dev/loop1 cryptsetup.img

 

Create the encrypted device using AES. This command prompts for a passphrase; assume it is "12345678":

cryptsetup -c aes create crfs /dev/loop1

 

If that succeeded, check that the device node exists; /dev/mapper/crfs is the device node:

ls /dev/mapper/crfs

 

Format it:

mkfs.ext4 /dev/mapper/crfs

 

Mount the partition at the chosen directory:

mount /dev/mapper/crfs /mnt/crypt_mount

 

Now it can be used:

cd /mnt/crypt_mount

mkdir test

ps > ps.txt

This creates a few test files.

 

Next we take it down again, so that cryptsetup.img can be used directly on OpenWrt:

umount /mnt/crypt_mount

cryptsetup remove crfs

losetup -d /dev/loop1

 

cryptsetup.img is now an encrypted image holding an ext4 filesystem, and it can be mounted directly on OpenWrt.


3.2 Steps on OpenWrt

The required libraries and programs are:

 

/lib/libgcrypt.so.20

/lib/libcryptsetup.so.4

/lib/libgpg-error.so.0

libcryptsetup.so.4 -> /mnt/udisk/dm/cryptsetup/usr/lib/libcryptsetup.so.4.5.0

libgcrypt.so.20 -> /mnt/udisk/dm/cryptsetup/usr/lib/libgcrypt.so.20.0.1

libgpg-error.so.0 -> /mnt/udisk/dm/cryptsetup/usr/lib/libgpg-error.so.0.10.0

 

gf128mul.ko

cbc.ko

xts.ko

 

cryptsetup

losetup

 

Once the programs and libraries above are in place, the following steps mount the partition:

 

1. Copy the cryptsetup.img generated on Ubuntu to the OpenWrt disk, then run:

 

losetup /dev/loop1 cryptsetup.img

echo 12345678 | cryptsetup -c aes create crfs /dev/loop1

mount /dev/mapper/crfs /mnt/cryptdisk

 

Done; we can now work with this partition.
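The procedure of sections 3.1 and 3.2 as one script, added here as an example and not part of the original post. Plain-mode dm-crypt writes no header to the image, so the cipher, hash and key size chosen when the image is created must be repeated exactly when it is opened on OpenWrt; the script therefore passes them explicitly instead of relying on each cryptsetup build's defaults. The parameter values, the PASSPHRASE environment variable and the default paths are assumptions of this script.

```shell
#!/bin/sh
# Added example, not from the original post: sections 3.1 and 3.2 as functions.
# Plain-mode dm-crypt stores no header, so both sides must use identical cipher,
# hash and key size; they are given explicitly instead of relying on defaults.
# The parameter values and the PASSPHRASE variable are assumptions of this script.
set -u
IMG=${IMG:-cryptsetup.img}
LOOPDEV=${LOOPDEV:-/dev/loop1}
NAME=${NAME:-crfs}
MNT=${MNT:-/mnt/crypt_mount}
SIZE_MB=${SIZE_MB:-300}

# Explicit plain-mode parameters (assumed); an image must be opened with the
# same values it was created with, or the mapping silently yields garbage.
crypt_args() { printf '%s' "-c aes-cbc-essiv:sha256 -h ripemd160 -s 256"; }

# Attach the image to the loop device and map it to /dev/mapper/$NAME.
# The passphrase comes from $PASSPHRASE, not the command line, so it
# does not show up in ps output or shell history.
open_image() {
    [ -n "${PASSPHRASE:-}" ] || { echo "PASSPHRASE is not set" >&2; return 1; }
    losetup "$LOOPDEV" "$IMG" || return 1
    printf '%s\n' "$PASSPHRASE" | cryptsetup $(crypt_args) create "$NAME" "$LOOPDEV" \
        || { losetup -d "$LOOPDEV"; return 1; }
}

# Undo open_image (and any mount) in reverse order.
close_image() {
    umount "$MNT" 2>/dev/null
    cryptsetup remove "$NAME"
    losetup -d "$LOOPDEV"
}

# Ubuntu side (3.1): create the image, open it, put ext4 on it, close it.
make_image() {
    dd if=/dev/zero of="$IMG" bs=1M count="$SIZE_MB" || return 1
    open_image || return 1
    mkfs.ext4 /dev/mapper/"$NAME" || { close_image; return 1; }
    close_image
}

# OpenWrt side (3.2): open the copied image and mount it.
mount_image() {
    open_image || return 1
    mkdir -p "$MNT"
    mount /dev/mapper/"$NAME" "$MNT" || { close_image; return 1; }
}

case "${1:-}" in
    make)  make_image ;;
    mount) mount_image ;;
    close) close_image ;;
    *)     echo "usage: $0 make|mount|close" >&2 ;;
esac
```

Run `PASSPHRASE=... sh crypt.sh make` as root on Ubuntu, copy the image over, then `PASSPHRASE=... sh crypt.sh mount` on OpenWrt and `sh crypt.sh close` when finished.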

 

Remember to set a root password and make the serial console require a login; then there will be no problems.
