To give a little bit of background, AES-XTS is a cipher mode that has been recently standardized by the IEEE P1619 working group. It is thought to be currently the most secure narrow-block cipher mode designed for disk encryption.
It is possible to install Ubuntu 8.04 on an AES-XTS-encrypted root partition. Here are the steps to do it.

Before starting the installation, obtain the kernel modules gf128mul.ko and xts.ko matching the installer's kernel version. They can be found in the kernel package which, depending on the architecture, can be downloaded from:

  http://packages.ubuntu.com/hardy/amd64/linux-image-2.6.24-16-generic/download
  http://packages.ubuntu.com/hardy/i386/linux-image-2.6.24-16-generic/download

Extract the .deb package under a temporary directory and locate the modules:

  $ dpkg -x $NAME_OF_THE_DEB_PACKAGE tmpdir
  $ find tmpdir -name gf128mul.ko -o -name xts.ko

Copy the 2 modules somewhere, on a USB drive, or on a machine that will be accessible via the network during the Ubuntu installation.

Now proceed with the installation itself:

 o Boot using the alternate ISO image (ubuntu-8.04-alternate-$ARCH.iso).

 o When asked about the partitioning options, choose to create them manually.

 o Define an *unencrypted* /boot partition (necessary so the system can at least boot)

 o Define a partition to use as a "physical volume for encryption" (this will be the root partition). You can keep the default encryption params (aes-cbc-essiv:sha256), they will be changed later. Select "Done setting up the partition".

 o Select "Configure encrypted volumes".

 o Select "Write the changes to disk and configure encrypted volumes".

 o When asked about an encryption passphrase choose anything, it will be changed later.

 o When back at the main "partition disks" screen, press ctrl-alt-f2 to switch to the 2nd console.

 o Now get your hands on the files gf128mul.ko and xts.ko that you put aside earlier. If they are on a USB drive, mount it, copy them to /tmp, and unmount the key. If they are located on a remote machine, use netcat. From the remote machine's console, run:

     $ nc -q 0 -l -p 1234 < gf128mul.ko

   This command listens on port 1234/tcp and serves the file to the first client that will establish a connection.

   Now on the machine running the Ubuntu installer, run (replace x.x.x.x with the IP of the remote machine):

     $ nc x.x.x.x 1234 > /tmp/gf128mul.ko

   Repeat the same steps to transfer xts.ko.

 o Now load the modules in this order:

     $ insmod /tmp/gf128mul.ko
     $ insmod /tmp/xts.ko

 o Remove the dm-crypt device created by the installer earlier and recreate it using AES-XTS. Example assuming /dev/sda5:

     $ dmsetup ls
     sda5_crypt (254, 0)
     $ cryptsetup remove sda5_crypt
     $ cryptsetup luksFormat -c aes-xts-plain -s 512 /dev/sda5
     $ cryptsetup luksOpen /dev/sda5 sda5_crypt

   (When using aes-xts-plain, you have to use either -s 256 or -s 512, to create respectively the two 128-bit or two 256-bit AES keys required by the XTS-PLAIN mode).

 o Then press ctrl-alt-f1 to go back to the installer screen. Select the encrypted volume. Select a file system and select the mount point "/".

 o Select "Finish partitioning and write changes to disk".

 o Proceed with the usual installation steps.

Voilà !

-marc

--
support AES-XTS mode
https://bugs.launchpad.net/bugs/244480
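
Added example, not part of the original message: two checks a careful installer could run during the procedure above, one on the modules copied with nc before insmod, one on the LUKS header after luksFormat. The function names are hypothetical, and it assumes sha256sum and awk exist in the shell used and that luksDump prints LUKS1-style "Cipher name", "Cipher mode" and "MK bits" fields; the sample header is constructed.

```shell
#!/bin/sh
# Added example: checks for two steps of the procedure above.
# Function names are hypothetical; sha256sum and awk are assumed available.

# verify_module FILE EXPECTED_SHA256
# Succeeds only if FILE matches the digest recorded on the trusted machine
# (nc gives no integrity or authenticity guarantee for the transfer).
verify_module() {
    actual=$(sha256sum "$1" 2>/dev/null | awk '{print $1}')
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# check_luks_xts: reads LUKS1 `cryptsetup luksDump` output on stdin.
# Succeeds only for cipher aes, mode xts-plain, master key of 256 or 512 bits.
check_luks_xts() {
    awk -F':[ \t]*' '
        $1 == "Cipher name" { name = $2 }
        $1 == "Cipher mode" { mode = $2 }
        $1 == "MK bits"     { bits = $2 + 0 }
        END {
            if (name != "aes" || mode != "xts-plain") {
                print "not aes-xts-plain: " name "-" mode; exit 1
            }
            if (bits != 256 && bits != 512) {
                print "bad XTS key size: " bits; exit 1
            }
            print "ok: two " (bits / 2) "-bit AES keys"
        }'
}

# Constructed sample of luksDump header fields (not captured from a real disk).
sample_luksdump() {
    cat <<'EOF'
LUKS header information for /dev/sda5

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain
Hash spec:      sha1
Payload offset: 2056
MK bits:        512
EOF
}

sample_luksdump | check_luks_xts
```

On the installer console the header check would be fed from the real device, for example cryptsetup luksDump /dev/sda5 | check_luks_xts, and the expected module digests would be computed with sha256sum on the machine where the .deb was unpacked.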