Gentoo Forums
Laptop Security Project Help
anthrax
Tux's lil' helper


Joined: 17 Apr 2005
Posts: 105

Posted: Sun Apr 17, 2005 12:25 pm    Post subject: Laptop Security Project Help

After all my googling, and from what I see, I am not quite getting a definitive answer about a certain aspect of the encryption I shall be implementing on my laptop computer. It is a 1.2 GHz VIA C3 laptop (hardware random number generation, whoo!).

The plan is that the laptop's root partition and others will be encrypted with the twofish cipher 8) ; the kernel will reside on a USB flash drive along with the encryption keys. Using an initrd I will then supply the passphrase that decrypts the gpg key; the decrypted gpg key will supply the password to decrypt the root partition.

I have just finished the bootstrap and system with the 2005.0 livecd. After not even thinking that I could just modprobe twofish to get everything encrypted on the fly (little bit pissed off), I need to know THIS: can grub, when installed on a USB drive's MBR, be configured to boot a kernel off the USB drive's second partition and use initrds with pivot root etc. to mount the encrypted root partition on the HDD after being supplied with the passphrase through the decrypted gpg key?

Damn, I am not too good at explaining this stuff so please be nice. BTW, the partitioning is based inside one lvm2 partition (not yet encrypted in any way). Please ask me to elaborate on any part I did not explain properly. Thanks :D :D
_________________
Trust is a weakness
fredgt
Apprentice


Joined: 06 Dec 2004
Posts: 168
Location: Belgium

Posted: Sun Apr 17, 2005 2:03 pm

Grub can be installed on the MBR of a USB flash drive; the only thing is, does your laptop support booting from a USB device? Mine does, I've used it to flash my BIOS. For the rest, I understand what you're trying to do but I have no idea how you should do all that.
user
Apprentice


Joined: 08 Feb 2004
Posts: 216

Posted: Sun Apr 17, 2005 2:20 pm

A good start is http://loop-aes.sourceforge.net/

Jari Ruusu describes several scenarios for root encryption in the loop-aes readme.
I see no problem with grub and your illustration.

If you like loop-aes, then create a request at https://bugs.gentoo.org/ to include the loop-aes addon code in util-linux.
anthrax
Tux's lil' helper


Joined: 17 Apr 2005
Posts: 105

Posted: Sun Apr 17, 2005 3:20 pm

Thanks for the suggestions and clarifications so far; fredgt, thanks for clearing me up on grub a bit. Yes, I tested that my laptop could do this before even beginning my plan. One more thing though: grub can be configured to load a kernel image from a USB drive's second partition and then proceed to boot the root partition on the HDD, right? I have already found methods of dealing with the lvm2 and dm-crypt stuff so don't worry about that.

As for the comments on using loop-aes, I will not use a cipher that seems to have (from what I have read) several cryptographic weaknesses; add to that, one of my friends has found software that can decrypt it 6000 times faster than anything else available 8O . Will have to get the name. This is why I chose to use twofish (16 rounds, theoretically unbreakable).

Plus as far as I am aware the crypto-loop is NO longer maintained which is why I am using lvm2 and dm-crypt.
_________________
Trust is a weakness
kill
Apprentice


Joined: 25 Dec 2004
Posts: 179

Posted: Sun Apr 17, 2005 3:30 pm

When you get this all up and working you should write a how-to in the Documentation, Tips & Tricks forum. This is something that I'm sure a lot of people would be interested in.
anthrax
Tux's lil' helper


Joined: 17 Apr 2005
Posts: 105

Posted: Sun Apr 17, 2005 5:18 pm

Yeah, I sure will, kill. I mean, hell, for laptops this will rock! The level of security, from what I know of twofish, is maybe even beyond DoD level (16 round 256 pass is said to be theoretically unbreakable). This (from what I have researched and actually understood without needing a heatsink for my math-allergic brain) is because it works on the concept of prime numbers instead of entropy. Now if any of you have ever used Prime95 to try and generate these prime numbers to test, say, your overclocking ceiling, then you will know how long it takes to generate these numbers. Meaning that brute forcing is very difficult; before long it is just impossible, since the correct prime number must be found, thus requiring the CPU to process the whole range, and the bigger the number the longer it takes to generate. This could easily be uncrackable even with governmental resources 8) .

NOTE: My words on Twofish have a large tendency to not be completely correct; I ONLY understand the most basic concepts of it.

As far as things are going at the moment, I have got all the filesystems inside a lvm2 partition with separate logical volumes for swap (I may regret this one), root, tmp (so that nothing may be executed here) and home. The install has been done from stage one, the bootstrap and system are in, and the kernel images and friends have been copied to boot. I am now just looking at resources on the creation of an initrd to deal with the lvm2 and crypto stuff.
_________________
Trust is a weakness
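
As an added example (not written by any poster in this thread), a sketch of the initrd `linuxrc` the thread is working toward: GRUB and the kernel on the USB stick's second partition, a gpg-wrapped key piped into dm-crypt, then `pivot_root` onto the decrypted volume. All device names and paths, the `keydev=`/`keyfile=`/`cryptdev=` kernel parameters, and the use of current `cryptsetup open` syntax are assumptions.

```shell
#!/bin/sh
# Sketch of an initrd /linuxrc for the layout discussed in this thread.
# Assumed, not from the thread: all device names, paths and the keydev=,
# keyfile=, cryptdev= parameters. Matching GRUB legacy entry on the stick
# (the BIOS boot device is hd0, so its second partition is (hd0,1)):
#   root (hd0,1)
#   kernel /vmlinuz root=/dev/ram0 init=/linuxrc keydev=/dev/sda2
#   initrd /initrd.gz

# Print the value of NAME=value from a kernel command line, else DEFAULT.
cmdline_get() {  # usage: cmdline_get NAME DEFAULT "CMDLINE"
    for word in $3; do
        case "$word" in
            "$1"=*) echo "${word#*=}"; return 0 ;;
        esac
    done
    echo "$2"
}

main() {
    set -e   # any failure stops the boot instead of continuing half-unlocked
    mount -t proc proc /proc
    cmdline=$(cat /proc/cmdline)
    keydev=$(cmdline_get keydev /dev/sda2 "$cmdline")         # USB partition 2
    keyfile=$(cmdline_get keyfile /root.key.gpg "$cmdline")   # gpg-wrapped key
    cryptdev=$(cmdline_get cryptdev /dev/vg/root "$cmdline")  # encrypted LV

    modprobe twofish 2>/dev/null || true   # harmless if built into the kernel
    mount -o ro "$keydev" /usb
    lvm vgscan --mknodes                   # LVM sits below dm-crypt here
    lvm vgchange -ay

    # gpg prompts on the console; the decrypted key goes straight down the
    # pipe to cryptsetup and is never written to disk.
    gpg --quiet --decrypt "/usb$keyfile" |
        cryptsetup open --type plain --cipher twofish-cbc-essiv:sha256 \
            --hash sha256 --key-size 256 --key-file - "$cryptdev" root
    umount /usb   # the stick can be removed once the mapping exists

    # If the key was wrong the mapping is garbage, so this mount fails.
    mount -o ro /dev/mapper/root /newroot
    cd /newroot
    pivot_root . initrd   # old initrd root moves to /initrd (must exist)
    exec chroot . /sbin/init <dev/console >dev/console 2>&1
}

# Only run when installed as /linuxrc, so the file can be sourced for testing.
case "$0" in */linuxrc|linuxrc) main ;; esac
```

Because PID 1 exits on any error, a missing stick or wrong passphrase leaves the machine halted with the root volume still locked.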