• Home
  • History
  • Annotate
Name Date Size #Lines LOC

..03-May-2022-

ChangeLogH A D10-Sep-20174.9 KiB11091

Makefile.inH A D23-Feb-20116.9 KiB133116

READMEH A D10-Sep-201712.4 KiB315227

aes-GPL.diffH A D07-Aug-20041.8 KiB4538

aes-amd64.SH A D06-Nov-200827.5 KiB898714

aes-intel32.SH A D27-Mar-201015.8 KiB656572

aes-intel64.SH A D27-Mar-201016 KiB650566

aes-x86.SH A D06-Nov-200825.8 KiB928742

aes.cH A D02-May-201553.5 KiB1,4811,162

aes.hH A D12-Jun-20044.2 KiB11142

aespipe.1H A D23-Feb-20117 KiB141133

aespipe.cH A D10-Sep-201748.9 KiB1,5061,272

bz2aespipeH A D08-Sep-20031.9 KiB5640

configureH A D10-Sep-2017191.2 KiB6,8895,793

configure.acH A D10-Sep-20178.1 KiB265243

gpgkey1.ascH A D07-Oct-2003325 108

gpgkey2.ascH A D07-Oct-20034.2 KiB7270

gpgkey3.ascH A D17-Nov-20044.2 KiB7169

md5-2x-amd64.SH A D11-Apr-20109.6 KiB224178

md5-amd64.SH A D06-Nov-20085.8 KiB205166

md5-x86.SH A D06-Nov-20085.7 KiB212176

md5.cH A D01-Oct-20034.7 KiB10783

md5.hH A D11-Apr-2010540 1914

rmd160.cH A D20-Dec-200217.4 KiB533343

rmd160.hH A D20-Dec-2002146 105

sha512.cH A D16-Apr-200113.5 KiB433362

sha512.hH A D16-Apr-20011.6 KiB4624

README

1Written by Jari Ruusu <jariruusu@users.sourceforge.net>, September 10 2017
2
3Copyright 2002-2017 by Jari Ruusu.
4Redistribution of this file is permitted under the GNU Public License.
5
6
7Table of Contents
8~~~~~~~~~~~~~~~~~
91.    General information
102.    How to compile aespipe program
113.    Examples
123.1.  Example 1 - Encrypted archive with seeded and iterated key setup
133.2.  Example 2 - Encrypted archive with gpg-encrypted key file
143.3.  Example 3 - Encrypted CD-ROM
153.4.  Example 4 - Adding encryption to existing file system
164.    Files
175.    Credits
18
19
201. General information
21~~~~~~~~~~~~~~~~~~~~~~
22aespipe program is AES encrypting or decrypting pipe. It reads from standard
23input and writes to standard output. It can be used to create and restore
24encrypted tar or cpio archives. It can be used to encrypt and decrypt
25loop-AES compatible encrypted disk images.
26
27Latest version of this package can be found at:
28
29    http://loop-aes.sourceforge.net/
30    http://sourceforge.net/projects/loop-aes/files/aespipe/
31
32
332. How to compile aespipe program
34~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
35To compile, test and install, run:
36
37    ./configure
38    make
39    make tests
40    make install
41
42Possible options for ./configure script:
43
44--disable-asm       Disable assembler code for x86/amd64/padlock/intelaes
45--enable-asm=x86    Always use optimized assembler code for x86
46--enable-asm=amd64  Always use optimized assembler code for amd64
47--enable-padlock    Add support for VIA padlock hardware AES
48--disable-padlock   Remove support for VIA padlock hardware AES
49--enable-intelaes   Add support for Intel hardware AES
50--disable-intelaes  Remove support for Intel hardware AES
51
52Fastest code for 32 bit x86 (i386, IA-32 & clones):
53
54    ./configure --enable-asm=x86 --enable-padlock --enable-intelaes
55
56Fastest code for 64 bit amd64 (AMD64, x86-64, EM64T, Intel64):
57
58    ./configure --enable-asm=amd64 --enable-padlock --enable-intelaes
59
60When using GNU tool chain (C compiler, assembler, linker)
61x86/amd64/padlock/intelaes are automatically detected by ./configure script
62and need not be specified. Assembler code for x86/amd64/padlock/intelaes
63require GNU tool chain to compile correctly. If ./configure script
64incorrectly detects the tool chain in use, then --disable-asm option may be
65needed to successfully compile aespipe. --enable-padlock and
66--enable-intelaes options can be used in situations where build host
67computer doesn't have padlock/intelaes hardware, but intended target
68computer does. padlock/intelaes code always include run time fall back to
69slower software implementation in case the padlock/intelaes hardware isn't
70found.
71
72If you want to use special compiler and/or linker flags, ./configure script
73understands exported CFLAGS= and LDFLAGS= environment variables. In cases
74where compiler/linker produces position independent executable (PIE) by
75default and you want to use assembler optimized code, the PIE thingy needs
76to be disabled like this:
77
78    CFLAGS="-O2 -Wall -fno-pie" LDFLAGS="-no-pie" ./configure
79
80Above installs aespipe program to /usr/local/bin/ directory and man page to
81/usr/local/man/man1/ directory. If you want aespipe program installed in
82/usr/bin/ and man page installed in /usr/share/man/man1/, add
83"--bindir=/usr/bin" and "--mandir=/usr/share/man" parameters to ./configure
84script.
85
86When aespipe uses gpg version 2 to decrypt public-key encrypted key file,
87gpg needs special bug workaround. gpg version 1 does not need that
88workaround, and that workaround is not compatible with gpg version 1.
89configure script detects the need for this gpg bug workaround at configure
90time. If you change installed gpg version from 1 to 2, or from 2 to 1, then
91aespipe needs to be configured and compiled again to enable/disable the
92workaround.
93
94
953. Examples
96~~~~~~~~~~~
97Many of following examples depend on gpg-encrypted key files. gpg appears to
98prevent its own keys from being leaked to swap, but does not appear to
99prevent data handled by it from being leaked to swap. In gpg-encrypted key
100file cases, the data handled by gpg are aespipe encryption keys, and they
101may leak to swap. Therefore, use of gpg-encrypted key file depends on
102encrypted swap.
103
104
1053.1. Example 1 - Encrypted archive with seeded and iterated key setup
106~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
107A random password seed and password iteration count are used to slow down
108dictionary attacks. Edit bz2aespipe script to suit your needs, and copy it
109to someplace in your path, /usr/local/bin/ for example.
110
111Write files to bzip2 compressed, encrypted tar archive:
112
113    tar cvf archive.aes --use-compress-program=bz2aespipe files...
114
115Restore files from bzip2 compressed, encrypted tar archive:
116
117    tar xvpf archive.aes --use-compress-program=bz2aespipe
118
119
1203.2. Example 2 - Encrypted archive with gpg-encrypted key file
121~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
122Create 65 random encryption keys and encrypt those keys using gpg. Reading
123from /dev/random may take indefinitely long if kernel's random entropy pool
124is empty. If that happens, do some other work on some other console (use
125keyboard, mouse and disks). Use of gpg-encrypted key file depends on
126encrypted swap.
127
128    head -c 3705 /dev/random | uuencode -m - | head -n 66 | tail -n 65 \
129        | gpg --symmetric -a >mykey1.gpg
130
131Write files to bzip2 compressed, encrypted tar archive. aespipe asks for
132passphrase to decrypt the key file.
133
134    tar cvf - files... | bzip2 | aespipe -w 10 -K mykey1.gpg >archive.aes
135
136Restore files from bzip2 compressed, encrypted tar archive. aespipe asks for
137passphrase to decrypt the key file.
138
139    aespipe -d -K mykey1.gpg <archive.aes | bzip2 -d -q | tar xvpf -
140
141
1423.3. Example 3 - Encrypted CD-ROM
143~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
144Create 65 random encryption keys and encrypt those keys using gpg. Reading
145from /dev/random may take indefinitely long if kernel's random entropy pool
146is empty. If that happens, do some other work on some other console (use
147keyboard, mouse and disks). Use of gpg encrypted key file depends on
148encrypted swap.
149
150gpg encrypted key file is recorded to first 8192 bytes of the CD-ROM. Key
151file does not use all of 8192 bytes so remaining part of the 8192 bytes is
152padded with newlines.
153
154    yes "" | dd of=image.iso bs=512 count=16
155    head -c 3705 /dev/random | uuencode -m - | head -n 66 | tail -n 65 \
156        | gpg --symmetric -a | dd of=image.iso conv=notrunc
157
158Create encrypted ISO9660 CD-ROM image that can be mounted using Linux
159loop-AES crypto package version 3.0a or later:
160
161    mkisofs -quiet -r directory-tree | aespipe -K image.iso -O 16 >>image.iso
162
163This image file can then be mounted under Linux like this:
164
165    mount -t iso9660 image.iso /cdrom -o loop=/dev/loop0,encryption=AES128,gpgkey=image.iso,offset=8192
166
167Or, after writing image.iso to CD-ROM, like this:
168
169    mount -t iso9660 /dev/cdrom /cdrom -o loop=/dev/loop0,encryption=AES128,gpgkey=/dev/cdrom,offset=8192
170
171Or, if this line is added to /etc/fstab file:
172
173 /dev/cdrom /cryptcd iso9660 defaults,noauto,loop=/dev/loop0,encryption=AES128,gpgkey=/dev/cdrom,offset=8192 0 0
174
175Then encrypted CD-ROMs can be mounted and unmounted like this:
176
177    mkdir /cryptcd
178    mount /cryptcd
179    umount /cryptcd
180
181In above mount cases the mounted device name must be identical to gpgkey=
182definition and offset= must be specified. That condition is special cased
183inside mount and losetup programs to prevent gpg from reading all of cdrom
184contents when gpg is decrypting the key file.
185
186If you ever need to extract unencrypted image of encrypted CD-ROM, you can
187do that like this:
188
189    dd if=/dev/cdrom bs=8192 count=1 of=key.gpg
190    dd if=/dev/cdrom bs=8192 skip=1 | aespipe -d -K key.gpg -O 16 >clear.iso
191
192Latter of above dd commands may cause some kernel error messages when dd
193command attempts to read past end of CD-ROM device.
194
195
1963.4. Example 4 - Adding encryption to existing file system
197~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
198Create 65 random encryption keys and encrypt those keys using gpg. Reading
199from /dev/random may take indefinitely long if kernel's random entropy pool
200is empty. If that happens, do some other work on some other console (use
201keyboard, mouse and disks). Use of gpg-encrypted key file depends on
202encrypted swap.
203
204    umask 077
205    head -c 3705 /dev/random | uuencode -m - | head -n 66 | tail -n 65 \
206        | gpg --symmetric -a >/etc/fskey1.gpg
207
208Add loop-AES (v3.0a or later) compatible encryption to 1.44 MB floppy disk:
209
210    dd if=/dev/fd0 bs=64k | aespipe -K /etc/fskey1.gpg | dd of=/dev/fd0 bs=64k conv=notrunc
211
212Encrypted floppy can be mounted and unmounted under Linux like this:
213
214    mount -t ext2 /dev/fd0 /floppy -o loop=/dev/loop1,encryption=AES128,gpgkey=/etc/fskey1.gpg
215    umount /floppy
216
217Remove encryption from loop-AES encrypted 1.44 MB floppy disk:
218
219    dd if=/dev/fd0 bs=64k | aespipe -d -K /etc/fskey1.gpg | dd of=/dev/fd0 bs=64k conv=notrunc
220
221
2224. Files
223~~~~~~~~
224ChangeLog       History of changes and public releases.
225
226Makefile.in     Source for generated Makefile. configure script reads this
227                and creates Makefile.
228
229README          This README file.
230
231aes-GPL.diff    A patch for aes-amd64.S and aes-x86.S files that updates
232                licenses to be fully GPL compatible. aes-amd64.S and
233                aes-x86.S files are derived from Brian Gladman's December
234                2001 published version that had no mention of GPL, but both
235                Brian Gladman and Jari Ruusu permit this license change.
236
237aes-amd64.S     Optimized assembler implementation of AES cipher for AMD64
238                and compatible processors.
239
240aes-intel*.S    Optimized assembler implementation of AES cipher using Intel
241                hardware AES instructions for x86 processors in 32 bit or 64
242                bit mode.
243
244aes-x86.S       Optimized assembler implementation of AES cipher for x86
245                processors.
246
247aes.[ch]        AES encryption functions, portable and usable in Linux
248                kernel and in user space, as well as in other operating
249                systems.
250
251aespipe.1       Man page for aespipe.
252
253aespipe.c       Main aespipe source that calls cipher and hash functions in
254                aes.c/aes-*.S md5.c/md5-*.S sha512.c rmd160.c files.
255
256bz2aespipe      Example script to be used as GNU tar 'compress' program.
257                This script both compresses and encrypts the archive. Edit
258                default options in the script and install it somewhere in
259                your path, /usr/local/bin/ for example.
260
261configure       Script to create Makefile.
262
263configure.ac    Source for configure script.
264
265gpgkey[123].asc gpg encrypted key files that are used by Makefile when "make
266                tests" command is run. These key files are encrypted with
267                symmetric cipher using 12345678901234567890 password.
268
269md5-2x-amd64.S  Optimized assembler implementation of MD5 transform function
270                for AMD64 and compatible processors. Does two transforms
271                simultaneously.
272
273md5-amd64.S     Optimized assembler implementation of MD5 transform function
274                for AMD64 and compatible processors.
275
276md5-x86.S       Optimized assembler implementation of MD5 transform function
277                for x86 processors.
278
279md5.[ch]        MD5 transform function implementation that is used to
280                compute IVs. This source code was copied from Linux kernel
281                CryptoAPI implementation.
282
283rmd160.[ch]     Implementation of RIPE-MD160. This source code was copied
284                from GnuPG.
285
286sha512.[ch]     Implementation of SHA-256, SHA-384, and SHA-512.
287
288
2895. Credits
290~~~~~~~~~~
291This package uses AES cipher sources that were originally written by
292Dr Brian Gladman:
293
294// Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK.
295// All rights reserved.
296//
297// TERMS
298//
299//  Redistribution and use in source and binary forms, with or without
300//  modification, are permitted subject to the following conditions:
301//
302//  1. Redistributions of source code must retain the above copyright
303//     notice, this list of conditions and the following disclaimer.
304//
305//  2. Redistributions in binary form must reproduce the above copyright
306//     notice, this list of conditions and the following disclaimer in the
307//     documentation and/or other materials provided with the distribution.
308//
309//  3. The copyright holder's name must not be used to endorse or promote
310//     any products derived from this software without his specific prior
311//     written permission.
312//
313//  This software is provided 'as is' with no express or implied warranties
314//  of correctness or fitness for purpose.
315