Encryption HOWTO for Linux Systems
Copyright (C)1999 Marc Mutz.
This document is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This document is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You can get a copy of the GNU GPL at http://www.gnu.org/copyleft/gpl.html.
In this section I will briefly remind you of basic rules that must be taken care of if you want to use strong encryption, as all of the presented packages in this document support (or even require) it.
I will not start the old and ever-returning discussion about using encryption to ensure privacy. But I want to make clear that not everyone who uses encryption has something (criminal) to hide. Everyone has hidden "secret" letters in his life, including those to whom the use of strong encryption seems to imply criminal deeds. The media have pushed the picture of the bad Internet full of organized crime and pornography quite a bit into the brains of all of us, and politicians are happy to find support for banning strong crypto in the name of Justice. But it is important to remember that not everyone using strong crypto is a member of organized crime circles and that the right to protect one's privacy (once?) was a human right.
Now, as the above discussion has produced some strange regulations concerning the use of strong encryption, it cannot be over-emphasized how important it is to know the law in your own country. One place to look is the alt.security.* and alt.privacy.* newsgroups.
This document will (eventually, more or less extensively) describe all major development activities around the Linux(tm) operating system that provide encryption features to the kernel.
These efforts are currently being collected by Alexander Kjeldaas (astor@fast.no) in the so-called International Kernel Patch (see below). If some packages described here are currently not included in this patch, I will state that clearly at the beginning of the section that discusses them.
This document will not speak about other security-related issues. See the excellent Security HOWTO for that.
As everyone can clearly see, this document is still in an evolutionary process of extension, and probably ever will be, keeping track of new versions and approaches to encryption for Linux.
However, the documentation on the loopback device encryption is mostly complete. Waiting for the network section to grow to the same level would greatly increase the time needed for the first release to publicly appear, leaving the documentation on disk encryption complete but unread by those for whom this document is written: the users.
I therefore decided to publish version 0.1.0 on my web page and submit it to the Linux HOWTO maintainer, Tim Bynum, letting him decide if he will include versions below 1.0.0 in the HOWTO index.
FreeS/WAN 1.0 does not work properly (i.e. stably) on 2.2 kernels. It is also by far the most complex package to be described here, so please be patient with me on this one. FreeS/WAN 1.1 has been out for a few weeks now, but I have not had the time to look at it. Nevertheless, rumors about it are good, and 1.2 is to come out "between Thanksgiving and Christmas" (1999, that is).
Any feedback and contribution is hereby strongly encouraged. Finalizing this document will be much work and I am currently in the process of preparing myself for writing my diploma thesis in mathematical physics, which will take a year or so to complete, hence I cannot spare that much time. Also, I have currently no home network to play with, so testing the network encryption approaches has to be done in the university, which slows things down.
If you contact me concerning this document, please include the string "[Encryption-HOWTO]" in the subject of the message. My E-Mail address can be found at the beginning of this document.
This is version 0.1.0 of the Linux Encryption HOWTO, which brings the disk encryption part to a publishable form, relying on work done by Doobee R. Tzeck (drt@ailis.de) for almost everything that does not have to do with loop device encryption. The planned roadmap for future milestone versions looks like this:
Version 0.2.0 will eventually bring the network section to a state similar to the disk section, with a detailed description of CIPE and short summaries of the other approaches. Target date is late Dec 1999.
Version 0.3.0 should include a thorough description of FreeS/WAN, with v1.0.0 unifying the overall structure and presenting a more or less complete overview of encryption for 2.2 kernels. Target date for 1.0.0 is approximately mid-2000.
Quickly following that will be v1.1.0, which will bring the whole document up to kernel v2.4.
You can always find the latest version of this document at its homepage at http://marc.mutz.com/Encryption-HOWTO/.