Choice of encryption method
I’m running OpenWrt “Kamikaze” on my Asus WL-500 gP (266 MHz MIPS architecture with 32 MiB RAM). Since there is no WiFi support in kernel 2.6 yet, I’m stuck with kernel 2.4. To encrypt a filesystem on this setup, we need a fast and lightweight encryption method that runs on kernel 2.4.
At the moment there are three methods of encrypting a filesystem on Linux that I consider sensible: TrueCrypt, dm-crypt (with LUKS) and loop-aes.
Only loop-aes meets our demands.
Building the latest OpenWrt from SVN
Before we install loop-aes, some comments on building OpenWrt from SVN. The latest official release, OpenWrt “Kamikaze 7.09”, doesn’t include loop-aes. Fortunately, the current SVN version does include a patched loop kernel module (“kmod-loop-aes”), but no patched userland tools. So with the SVN version half the work is already done: only the userland tools remain to be patched.
Building your own OpenWrt is simple. Just create a new working directory and do a
svn co https://svn.openwrt.org/openwrt/trunk/
to download the current version.
You can configure your firmware graphically via
make menuconfig
and build your firmware via
make
That’s all. More information here: OpenWrt Buildroot
Installation of loop-aes
loop-aes requires a patched loop kernel module and patched “mount”, “umount”, “losetup”, “swapon” and “swapoff” binaries. As mentioned before, the SVN version already includes the patched kernel module (install it via the feed script in trunk/scripts).
Patching these binaries is quite easy:
- First check in trunk/package/util-linux-ng/Makefile which version of util-linux-ng is included in SVN (mine: 2.13.0.1).
- Then download the loop-aes version that corresponds to that version (mine: loop-AES-v3.2b). It includes a file named util-linux-ng-XXX.diff (mine: util-linux-ng-2.13.0.1.diff).
- Copy it to trunk/package/util-linux-ng/patches and rename it to something like 002-util-linux-ng-2.13.0.1.diff depending on how many patches there are already.
Next, edit trunk/package/util-linux-ng/Makefile and replace all occurrences of “losetup”, “mount-utils” and “swap-utils” with “aeslosetup”, “aesmount-utils”, “aesswap-utils” (not in Build/Compile of course). We want to avoid conflicts with the original packages and distinguish them better from the original packages. (In fact, it is possible to clone the whole package and build a patched and unpatched version simultaneously.)
Finally, run
make menuconfig
Our new aes crew should now appear in the selection menu. Build the firmware, flash and enjoy!
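The patching steps above can be scripted. The following is an added example, not part of the original post or of OpenWrt; it assumes the package Makefile records the version as PKG_VERSION:=... and wraps the compile step in a define Build/Compile ... endef block, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: automates the manual patching steps described above.
# Assumptions: PKG_VERSION:= line and define/endef layout in the Makefile.

# Print the util-linux-ng version recorded in the package Makefile.
pkg_version() {
    sed -n 's/^PKG_VERSION:=[[:space:]]*//p' "$1/Makefile" | head -n 1
}

# Print the next free three-digit patch prefix in patches/ (001 if empty).
# Leading zeros are stripped first so 008/009 are not parsed as octal.
next_patch_prefix() {
    last=$(ls "$1/patches" 2>/dev/null |
           sed -n 's/^0*\([0-9]\{1,3\}\)-.*/\1/p' | sort -n | tail -n 1)
    printf '%03d\n' $(( ${last:-0} + 1 ))
}

# Copy the matching loop-AES diff into patches/ under the next free number.
# $1 = package directory, $2 = unpacked loop-AES source directory.
install_diff() {
    ver=$(pkg_version "$1")
    src="$2/util-linux-ng-$ver.diff"
    if [ ! -f "$src" ]; then
        echo "loop-AES ships no diff for util-linux-ng $ver" >&2
        return 1
    fi
    mkdir -p "$1/patches"
    dest="$1/patches/$(next_patch_prefix "$1")-util-linux-ng-$ver.diff"
    cp "$src" "$dest" && echo "$dest"
}

# Rename the three packages everywhere except inside Build/Compile.
# The optional "aes" group keeps a second run from producing "aesaes...".
rename_packages() {
    sed -e '/^define Build\/Compile/,/^endef/b' \
        -e 's/\(aes\)\{0,1\}losetup/aeslosetup/g' \
        -e 's/\(aes\)\{0,1\}mount-utils/aesmount-utils/g' \
        -e 's/\(aes\)\{0,1\}swap-utils/aesswap-utils/g' \
        "$1/Makefile" > "$1/Makefile.new" &&
    mv "$1/Makefile.new" "$1/Makefile"
}

# Usage: sh patch-loop-aes.sh trunk/package/util-linux-ng /path/to/loop-AES-v3.2b
if [ "$#" -eq 2 ]; then
    install_diff "$1" "$2" && rename_packages "$1"
fi
```

Review the resulting Makefile with svn diff before building, since the rename touches every line outside Build/Compile.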
There are plenty of tutorials on how to proceed with loop-aes.
Thanks to nanl.de for showing me the loop-aes module in SVN!
Note: Alternatively, you can install a regular Kamikaze 7.09. Then you have to check out the 7.09 tagged sources and import the svn packages feed. After that, you are able to backport the packages according to this tutorial.