1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
|
Written by Jari Ruusu <jariruusu@users.sourceforge.net>, May 24 2015
Copyright 2002-2015 by Jari Ruusu.
Redistribution of this file is permitted under the GNU Public License.
Table of Contents
~~~~~~~~~~~~~~~~~
1. General information
2. How to compile aespipe program
3. Examples
3.1. Example 1 - Encrypted archive with seeded and iterated key setup
3.2. Example 2 - Encrypted archive with gpg-encrypted key file
3.3. Example 3 - Encrypted CD-ROM
3.4. Example 4 - Adding encryption to existing file system
4. Files
5. Credits
1. General information
~~~~~~~~~~~~~~~~~~~~~~
aespipe program is AES encrypting or decrypting pipe. It reads from standard
input and writes to standard output. It can be used to create and restore
encrypted tar or cpio archives. It can be used to encrypt and decrypt
loop-AES compatible encrypted disk images.
Latest version of this package can be found at:
http://loop-aes.sourceforge.net/
http://sourceforge.net/projects/loop-aes/files/aespipe/
2. How to compile aespipe program
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To compile, test and install, run:
./configure
make
make tests
make install
Possible options for ./configure script:
--disable-asm Disable assembler code for x86/amd64/padlock/intelaes
--enable-asm=x86 Always use optimized assembler code for x86
--enable-asm=amd64 Always use optimized assembler code for amd64
--enable-padlock Add support for VIA padlock hardware AES
--disable-padlock Remove support for VIA padlock hardware AES
--enable-intelaes Add support for Intel hardware AES
--disable-intelaes Remove support for Intel hardware AES
Fastest code for 32 bit x86 (i386, IA-32 & clones):
./configure --enable-asm=x86 --enable-padlock --enable-intelaes
Fastest code for 64 bit amd64 (AMD64, x86-64, EM64T, Intel64):
./configure --enable-asm=amd64 --enable-padlock --enable-intelaes
When using GNU tool chain (C compiler, assembler, linker)
x86/amd64/padlock/intelaes are automatically detected by ./configure script
and need not be specified. Assembler code for x86/amd64/padlock/intelaes
require GNU tool chain to compile correctly. If ./configure script
incorrectly detects the tool chain in use, then --disable-asm option may be
needed to successfully compile aespipe. --enable-padlock and
--enable-intelaes options can be used in situations where build host
computer doesn't have padlock/intelaes hardware, but intended target
computer does. padlock/intelaes code always include run time fall back to
slower software implementation in case the padlock/intelaes hardware isn't
found.
If you want to use special compiler and/or linker flags, ./configure script
understands exported CFLAGS= and LDFLAGS= environment variables.
Above installs aespipe program to /usr/local/bin/ directory and man page to
/usr/local/man/man1/ directory. If you want aespipe program installed in
/usr/bin/ and man page installed in /usr/share/man/man1/, add
"--bindir=/usr/bin" and "--mandir=/usr/share/man" parameters to ./configure
script.
3. Examples
~~~~~~~~~~~
Many of following examples depend on gpg-encrypted key files. gpg appears to
prevent its own keys from being leaked to swap, but does not appear to
prevent data handled by it from being leaked to swap. In gpg-encrypted key
file cases, the data handled by gpg are aespipe encryption keys, and they
may leak to swap. Therefore, use of gpg-encrypted key file depends on
encrypted swap.
3.1. Example 1 - Encrypted archive with seeded and iterated key setup
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A random password seed and password iteration count are used to slow down
dictionary attacks. Edit bz2aespipe script to suit your needs, and copy it
to someplace in your path, /usr/local/bin/ for example.
Write files to bzip2 compressed, encrypted tar archive:
tar cvf archive.aes --use-compress-program=bz2aespipe files...
Restore files from bzip2 compressed, encrypted tar archive:
tar xvpf archive.aes --use-compress-program=bz2aespipe
3.2. Example 2 - Encrypted archive with gpg-encrypted key file
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Create 65 random encryption keys and encrypt those keys using gpg. Reading
from /dev/random may take indefinitely long if kernel's random entropy pool
is empty. If that happens, do some other work on some other console (use
keyboard, mouse and disks). Use of gpg-encrypted key file depends on
encrypted swap.
head -c 3705 /dev/random | uuencode -m - | head -n 66 | tail -n 65 \
| gpg --symmetric -a >mykey1.gpg
Write files to bzip2 compressed, encrypted tar archive. aespipe asks for
passphrase to decrypt the key file.
tar cvf - files... | bzip2 | aespipe -w 10 -K mykey1.gpg >archive.aes
Restore files from bzip2 compressed, encrypted tar archive. aespipe asks for
passphrase to decrypt the key file.
aespipe -d -K mykey1.gpg <archive.aes | bzip2 -d -q | tar xvpf -
3.3. Example 3 - Encrypted CD-ROM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Create 65 random encryption keys and encrypt those keys using gpg. Reading
from /dev/random may take indefinitely long if kernel's random entropy pool
is empty. If that happens, do some other work on some other console (use
keyboard, mouse and disks). Use of gpg encrypted key file depends on
encrypted swap.
gpg encrypted key file is recorded to first 8192 bytes of the CD-ROM. Key
file does not use all of 8192 bytes so remaining part of the 8192 bytes is
padded with newlines.
yes "" | dd of=image.iso bs=512 count=16
head -c 3705 /dev/random | uuencode -m - | head -n 66 | tail -n 65 \
| gpg --symmetric -a | dd of=image.iso conv=notrunc
Create encrypted ISO9660 CD-ROM image that can be mounted using Linux
loop-AES crypto package version 3.0a or later:
mkisofs -quiet -r directory-tree | aespipe -K image.iso -O 16 >>image.iso
This image file can then be mounted under Linux like this:
mount -t iso9660 image.iso /cdrom -o loop=/dev/loop0,encryption=AES128,gpgkey=image.iso,offset=8192
Or, after writing image.iso to CD-ROM, like this:
mount -t iso9660 /dev/cdrom /cdrom -o loop=/dev/loop0,encryption=AES128,gpgkey=/dev/cdrom,offset=8192
Or, if this line is added to /etc/fstab file:
/dev/cdrom /cryptcd iso9660 defaults,noauto,loop=/dev/loop0,encryption=AES128,gpgkey=/dev/cdrom,offset=8192 0 0
Then encrypted CD-ROMs can be mounted and unmounted like this:
mkdir /cryptcd
mount /cryptcd
umount /cryptcd
In above mount cases the mounted device name must be identical to gpgkey=
definition and offset= must be specified. That condition is special cased
inside mount and losetup programs to prevent gpg from reading all of cdrom
contents when gpg is decrypting the key file.
If you ever need to extract unencrypted image of encrypted CD-ROM, you can
do that like this:
dd if=/dev/cdrom bs=8192 count=1 of=key.gpg
dd if=/dev/cdrom bs=8192 skip=1 | aespipe -d -K key.gpg -O 16 >clear.iso
Latter of above dd commands may cause some kernel error messages when dd
command attempts to read past end of CD-ROM device.
3.4. Example 4 - Adding encryption to existing file system
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Create 65 random encryption keys and encrypt those keys using gpg. Reading
from /dev/random may take indefinitely long if kernel's random entropy pool
is empty. If that happens, do some other work on some other console (use
keyboard, mouse and disks). Use of gpg-encrypted key file depends on
encrypted swap.
umask 077
head -c 3705 /dev/random | uuencode -m - | head -n 66 | tail -n 65 \
| gpg --symmetric -a >/etc/fskey1.gpg
Add loop-AES (v3.0a or later) compatible encryption to 1.44 MB floppy disk:
dd if=/dev/fd0 bs=64k | aespipe -K /etc/fskey1.gpg | dd of=/dev/fd0 bs=64k conv=notrunc
Encrypted floppy can be mounted and unmounted under Linux like this:
mount -t ext2 /dev/fd0 /floppy -o loop=/dev/loop1,encryption=AES128,gpgkey=/etc/fskey1.gpg
umount /floppy
Remove encryption from loop-AES encrypted 1.44 MB floppy disk:
dd if=/dev/fd0 bs=64k | aespipe -d -K /etc/fskey1.gpg | dd of=/dev/fd0 bs=64k conv=notrunc
4. Files
~~~~~~~~
ChangeLog History of changes and public releases.
Makefile.in Source for generated Makefile. configure script reads this
and creates Makefile.
README This README file.
aes-GPL.diff A patch for aes-amd64.S and aes-x86.S files that updates
licenses to be fully GPL compatible. aes-amd64.S and
aes-x86.S files are derived from Brian Gladman's December
2001 published version that had no mention of GPL, but both
Brian Gladman and Jari Ruusu permit this license change.
aes-amd64.S Optimized assembler implementation of AES cipher for AMD64
and compatible processors.
aes-intel*.S Optimized assembler implementation of AES cipher using Intel
hardware AES instructions for x86 processors in 32 bit or 64
bit mode.
aes-x86.S Optimized assembler implementation of AES cipher for x86
processors.
aes.[ch] AES encryption functions, portable and usable in Linux
kernel and in user space, as well as in other operating
systems.
aespipe.1 Man page for aespipe.
aespipe.c Main aespipe source that calls cipher and hash functions in
aes.c/aes-*.S md5.c/md5-*.S sha512.c rmd160.c files.
bz2aespipe Example script to be used as GNU tar 'compress' program.
This script both compresses and encrypts the archive. Edit
default options in the script and install it somewhere in
your path, /usr/local/bin/ for example.
configure Script to create Makefile.
configure.ac Source for configure script.
gpgkey[123].asc gpg encrypted key files that are used by Makefile when "make
tests" command is run. These key files are encrypted with
symmetric cipher using 12345678901234567890 password.
md5-2x-amd64.S Optimized assembler implementation of MD5 transform function
for AMD64 and compatible processors. Does two transforms
simultaneously.
md5-amd64.S Optimized assembler implementation of MD5 transform function
for AMD64 and compatible processors.
md5-x86.S Optimized assembler implementation of MD5 transform function
for x86 processors.
md5.[ch] MD5 transform function implementation that is used to
compute IVs. This source code was copied from Linux kernel
CryptoAPI implementation.
rmd160.[ch] Implementation of RIPE-MD160. This source code was copied
from GnuPG.
sha512.[ch] Implementation of SHA-256, SHA-384, and SHA-512.
5. Credits
~~~~~~~~~~
This package uses AES cipher sources that were originally written by
Dr Brian Gladman:
// Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK.
// All rights reserved.
//
// TERMS
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted subject to the following conditions:
//
// 1. Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
//
// 2. Redistributions in binary form must reproduce the above copyright
// notice, this list of conditions and the following disclaimer in the
// documentation and/or other materials provided with the distribution.
//
// 3. The copyright holder's name must not be used to endorse or promote
// any products derived from this software without his specific prior
// written permission.
//
// This software is provided 'as is' with no express or implied warranties
// of correctness or fitness for purpose.
|
