This is an old revision of the document!
Encrypted partitions for DNS-323
It is possible to use losetup and friends to have encrypted partitions on your DNS 323. Currently, this is only possible for the 1.03, 1.05, 1.10b7 firmware, unless you fancy compiling your own kernel modules (see crosscompile). But be aware that this will have a huge impact on performance (expect to get about 10% the performance of normal disk access…)
Firmware dns323_FW_110b07_BETA.zip
Looks like works both encrypted loopback (see instructions below) and dm-crypt + device-mapper (both modules already in kernel). For work with dm-crypt you need to setup ffp, take all necessary encryption modules from page below (http://www.x-linked.de/dns323/fw105/cryptloop/modules/crypto/). Using crosscompile (you can use DNS-323 ffp to compile all) compile LVM. Unfortunatly orignal 'install' form busybox does not recognize option -D but you can use workaround (move original symlink /bin/install to /tmp/x/install), put this script into /ffp/bin:
#!/ffp/bin/perl -w $res="/tmp/x/install"; $pre=""; @AV=@ARGV; #print ">'".$AV[$#AV-2]."'\n"; if( $AV[$#AV-2] eq '-D' ){ print "Find -D\n"; $AV[$#AV-2] = ""; $srcFileName=$AV[$#AV-1]; $_=$AV[$#AV]; if(/\/([^\/]+?)$/){ #$dstPath=$`; $shortDstName=$1; $AV[$#AV-1]=$1; if( $srcFileName ne $shortDstName ){ $pre = "cp $srcFileName $shortDstName; "; }; }; map { $res .= " $_" if ($_ ne ""); } @AV; $res = $pre . $res; } else { map { $res .= " $_"; } @AV; }; `$res`; # cat install
ffp packages what you need (from: http://www.inreto.de/dns323/fun-plug/0.5/):
- e2fsprogs-1.41.0-1.tgz
- vreadline-5.2-3.tgz
- kernel-headers-2.6.9.1-2.tgz
- make-3.81-3.tgz
- binutils-2.18.50.0.1-4.tgz
- gcc-4.1-2.tgz
- perl-5.10-2.tgz
- uclibc-0.9.29-7.tgz
- wget-1.12-2.tgz
- grep-2.5.3-2.tgz
Sources from original developers sites:
- LVM2.2.02.85.tgz
- libgcrypt-1.4.6.tar.gz
- cryptsetup-1.2.0.tar.gz
- libgpg-error-1.9.tar.gz
- popt-1.16.tar.gz
Configuration hint:
./configure --build=arm-linux-uclibc --prefix=/ffp
Regarding cryptsetup looks like it is not nesessary because you can setup encrypted device using only device-mapper & dmsetup tool (see http://www.saout.de/misc/dm-crypt/)
Performance in case of dm-crypt
It is really nightmare. F.E. DNS-323 use Samsung 1,5TB drive.
dd bs=10M if=/dev/zero of=zero count=149
takes ~9min (2MB/sec) for encrypted drive and 30s for normal drive (49MB/sec)
dd bs=10M if=zero of=/dev/null count=149
takes ~8min (3MB/sec) for encrypted drive and 30s for normal drive (49MB/sec) From one point of view it is normal to see some movies and play sound from that drives
Firmware 1.05
There is no need to install a full-blown Linux distribution, just grab these files:
- losetup with encryption support in http://www.x-linked.de/dns323/fw105/cryptloop/sbin/losetup
- cryptloop.ko Kernel module in http://www.x-linked.de/dns323/fw105/cryptloop/modules/block/cryptoloop.ko
- all available encryption modules in http://www.x-linked.de/dns323/fw105/cryptloop/modules/crypto/ – choose one
insmod cryptoloop.ko insmod algorithm_of_your_choice.ko
That's all you need, now go read http://www.faqs.org/docs/Linux-HOWTO/Loopback-Encrypted-Filesystem-HOWTO.html on how to setup an encrypted disk image.
Firmware 1.03
Setting Up
Firstly, you will need to have installed debian under a chroot. Then, install the “loop-aes-utils” package on it.
Next, you need to get the missing kernel modules. These should be placed in /mnt/HD_a2/modules/`uname -a`/, eg /mnt/HD_a2/modules/2.6.12.6-arm1/
- Grab all the modules from http://dev.skcserver.de/dns323/modules_v1.03/kernel/crypto/ and place under crypto/
- Grab all the modules from http://dev.skcserver.de/dns323/modules_v1.03/kernel/lib/ (and subdirectories) and place under aa_lib/
- Grab cryptoloop.ko from http://dev.skcserver.de/dns323/modules_v1.03/kernel/drivers/block/ and place under block/
Edit your funplug script, and add in the following near the top:
# Load extra modules cd /mnt/HD_a2/modules/`uname -a`/ for i in */*.ko; do insmod $i; done
Going Forward
You're now ready to get started with losetup, see http://www.faqs.org/docs/Linux-HOWTO/Loopback-Encrypted-Filesystem-HOWTO.html
To see what crypto drivers you have, do cat /proc/crypto . Most of the crypto drivers will have a small key size than default, so you will almost certainly need to specify something small than losetup would expect, eg losetup -e twofish56 /dev/loop0 /dev/md1 rather than just -e twofish
Crypto speeds
These speeds were found by writing /dev/zero to a 10mb crypto device on the 1.03 Firmware, and reading it back again. They were run 3 times and averaged.
aes - 128 bit - 1.5 MB/s write - 2.1 MB/s read blowfish-32 - 32 bit - 2.3 MB/s write - 4.8 MB/s read blowfish-48 - 48 bit - 2.3 MB/s write - 4.8 MB/s read blowfish-448 - 448 bit - 2.2 MB/s write - 4.7 MB/s read blowfish - 128 bit - 2.2 MB/s write - 4.7 MB/s read des3_ede - 192 bit - 0.6 MB/s write - 1.3 MB/s read serpent - 128 bit - 1.9 MB/s write - 4.1 MB/s read twofish - 128 bit - 2.1 MB/s write - 4.2 MB/s read xor - 1 bit - 2.7 MB/s write - 5.5 MB/s read twofish-256 - 256 bit - 2.1 MB/s write - 4.2 MB/s read
A quick test with different hardware on 1.05 Firmware reveals a 90% performance impact compared to unencrypted disks
encryption | write speed | read speed |
---|---|---|
aes | 3.8 MB/s | 3.6 MB/s |
none | 40 MB/s | 49 MB/s |