Easy storage encryption for unix


This project is dead. It is dead because lack of time to maintain it, and because I don't like the way I was coding before... Maybe later I'll try to rewrite it from scratch, but it is not probable. Sorry.

What is cryptoboot?

It is set of tools for disk encryption on Unix. It is especially suited to encrypt root partition, so _everything_ (except kernel and cryptoboot inself) is encrypted.
Cryptoboot does its job using external "drivers" for actual crypto work. Currently it supports loop-AES by Jari Ruusu on Linux, but I hope future versions will support Linux dm_crypt, NetBSD's cgd, FreeBSD's geom, OpenBSD's encrypted vnd and maybe Linux cryptoloop and ppdd. The architecture is extendable (xml configuration file), so maybe some day there will show support for Windows CompuSec (to access Windows drives from Unix).

Features include:

  1. key hierarchy
  2. easy administration - one can easily encrypt/decrypt devices and menage users using simple CLI interface (fdisk like, but with readline bells and whistles)
  3. standards:

Initial encryption of devices is performed using kernel driver, not userland tool. It is faster in runtime, but your kernel needs to support that particular crypto driver.
This process is very similiar to:

# dd if=/dev/hda1 of=/dev/loop0

although it is better at error handling. I use cryptoboot on my own machine, so I needed fault-awardness. For example bad-sectors are skipped, as opposed to simple dd method, where entire process stops.


You can see cryptoboot in action here.


You can download cryptoboot source tarball from sourceforge project page. There you can also get example boot-partition files with cryptoboot, libraries, tools and kernel - ready to copy on your boot partition. But remember to use _your_ kernel and read README. And think twice, because encrypted device is sensitive stuff...


You will find my email address at: