Encrypted partitions for DNS-323
It is possible to use losetup and friends to have encrypted partitions on your DNS-323. Currently, this is only possible for the 1.03 and 1.05 firmware, unless you fancy compiling your own kernel modules (see crosscompile). Be aware that this will have a huge impact on performance (expect to get about 10% of the performance of normal disk access).
Firmware 1.05
There is no need to install a full-blown Linux distribution, just grab these files:
- losetup with encryption support in http://www.x-linked.de/dns323/fw105/cryptloop/sbin/losetup
- cryptoloop.ko kernel module in http://www.x-linked.de/dns323/fw105/cryptloop/modules/block/cryptoloop.ko
- all available encryption modules in http://www.x-linked.de/dns323/fw105/cryptloop/modules/crypto/ – choose one
insmod cryptoloop.ko
insmod algorithm_of_your_choice.ko
That's all you need. Now go read http://www.faqs.org/docs/Linux-HOWTO/Loopback-Encrypted-Filesystem-HOWTO.html on how to set up an encrypted disk image.
Firmware 1.03
Setting Up
Firstly, you will need to have installed Debian under a chroot. Then, install the “loop-aes-utils” package on it.
Next, you need to get the missing kernel modules. These should be placed in /mnt/HD_a2/modules/`uname -r`/, e.g. /mnt/HD_a2/modules/2.6.12.6-arm1/
- Grab all the modules from http://dev.skcserver.de/dns323/modules_v1.03/kernel/crypto/ and place under crypto/
- Grab all the modules from http://dev.skcserver.de/dns323/modules_v1.03/kernel/lib/ (and subdirectories) and place under aa_lib/
- Grab cryptoloop.ko from http://dev.skcserver.de/dns323/modules_v1.03/kernel/drivers/block/ and place under block/
Edit your funplug script, and add in the following near the top:
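# Load extra modules (uname -r gives the kernel release, e.g. 2.6.12.6-arm1)
cd /mnt/HD_a2/modules/`uname -r`/
# aa_lib/ sorts before block/ and crypto/, so the library modules load first
for i in */*.ko; do insmod "$i"; done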
Going Forward
You're now ready to get started with losetup; see http://www.faqs.org/docs/Linux-HOWTO/Loopback-Encrypted-Filesystem-HOWTO.html
To see which crypto drivers you have, run cat /proc/crypto. Most of the crypto drivers will have a smaller key size than the default, so you will almost certainly need to specify something smaller than losetup would expect, e.g. losetup -e twofish56 /dev/loop0 /dev/md1 rather than just -e twofish.
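To make the /proc/crypto check above concrete, this added example (not part of the original wiki page) parses /proc/crypto-style text and prints each cipher's accepted key-size range in bits, so a short-key variant is visible before it is passed to losetup -e. The 128-bit floor, the function names and the sample input are assumptions made for the illustration.

```shell
# Added example: summarise cipher key sizes from /proc/crypto-style text.
# Key sizes there are in bytes; MIN_BITS is an assumed floor, not from the page.
MIN_BITS=${MIN_BITS:-128}
# list_ciphers [FILE|-]: prints "name min_bits max_bits verdict" per cipher.
list_ciphers() {
    awk -v floor="$MIN_BITS" '
        function emit(   mn, mx, v) {
            if (f["type"] == "cipher") {              # skip digests, compressors
                mn = f["min keysize"] * 8; mx = f["max keysize"] * 8
                v = "ok"                              # every accepted key meets the floor
                if (mn < floor) v = "check-keysize"   # shorter keys are accepted too
                if (mx < floor) v = "weak"            # cannot reach the floor at all
                print f["name"], mn, mx, v
            }
            split("", f)                              # clear fields for the next record
        }
        /^[ \t]*$/ { emit(); next }                   # a blank line ends a record
        {
            i = index($0, ":"); if (!i) next
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            f[key] = val
        }
        END { emit() }                                # last record may lack a blank line
    ' "${1:-/proc/crypto}"
}
# Constructed, trimmed sample in the /proc/crypto layout (not from a DNS-323).
sample_proc_crypto() {
    cat <<'EOF'
name         : aes
type         : cipher
min keysize  : 16
max keysize  : 32

name         : sha1
type         : digest

name         : blowfish
type         : cipher
min keysize  : 4
max keysize  : 56

name         : des
type         : cipher
min keysize  : 8
max keysize  : 8
EOF
}
sample_proc_crypto | list_ciphers -
```

On the device itself, call list_ciphers with no argument to read the live /proc/crypto.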
Crypto speeds
These speeds were found by writing /dev/zero to a 10 MB crypto device on the 1.03 firmware, and reading it back again. They were run 3 times and averaged.
cipher | key size | write speed | read speed |
---|---|---|---|
aes | 128 bit | 1.5 MB/s | 2.1 MB/s |
blowfish-32 | 32 bit | 2.3 MB/s | 4.8 MB/s |
blowfish-48 | 48 bit | 2.3 MB/s | 4.8 MB/s |
blowfish-448 | 448 bit | 2.2 MB/s | 4.7 MB/s |
blowfish | 128 bit | 2.2 MB/s | 4.7 MB/s |
des3_ede | 192 bit | 0.6 MB/s | 1.3 MB/s |
serpent | 128 bit | 1.9 MB/s | 4.1 MB/s |
twofish | 128 bit | 2.1 MB/s | 4.2 MB/s |
xor | 1 bit | 2.7 MB/s | 5.5 MB/s |
twofish-256 | 256 bit | 2.1 MB/s | 4.2 MB/s |

A quick test with different hardware on the 1.05 firmware reveals a 90% performance impact compared to unencrypted disks:
encryption | write speed | read speed |
---|---|---|
aes | 3.8 MB/s | 3.6 MB/s |
none | 40 MB/s | 49 MB/s |