1 2 3

Compile and install kernel:

  1. Download Linux 3.6.2 from
  2. Unpack the kernel source to /usr/src/linux-3.6.2.
  3. Apply the TRESOR patch by running /usr/src/> patch --directory /usr/src/linux-3.6.2 -p1 < tresor-patch-3.6.2
  4. Run make menuconfig inside the Linux source directory to configure the kernel to your needs. Don't forget to enable TRESOR (Cryptographic API -> AES cipher algorithms (TRESOR)). Once you enable TRESOR, you can choose between two key setting options: via a boot prompt (suggested for laptops and desktop PCs) or via sysfs (suggested for remotely maintained servers). The default option is the boot prompt.
  5. The following holds for Debian based distributions:
    • /usr/src/linux-3.6.2> make-kpkg kernel_image --initrd --revision tresor1
    • /usr/src/> dpkg -i linux-image-3.6.2-tresor1.deb
    • /usr/src/> update-initramfs -c -k 3.6.2

Start system:

  1. Reboot your system and choose the recently installed TRESOR kernel from grub.
  2. If you have activated the TRESOR prompt in your kernel config (enabled by default), you next see a password prompt displaying "Enter password".
  3. Choose a secure password of 8 to 53 characters (special characters are allowed). If you already set your initial password, make sure you have entered the correct password. To this end, a hash of the key helps you to verify the password is correct.
  4. After you entered a password, you must enter 4096 arbitray characters to overwrite the terminal buffer in order to remove the password from RAM. Otherwise the key is not in RAM, but the password may reside in RAM for a while. (We are sorry for this annoying procedure and plan more comfortable improvements in future releases.)
  5. If you do not set the TRESOR key via a boot prompt, but activated the sysfs interface in your kernel config (disabled by default), please refer to our userland tool tresor_sysfs.c how to set the key securely from userland.
  6. Once the system is up and running, you can give ACPI suspend a try: echo mem > /sys/power/state. Upon wakeup you get a password prompt similar to the boot prompt if you configured the kernel accordingly.
    • Warning: Do not suspend your machine if you use sysfs to enter your key without unmounting encrypted partitions, because this may destroy your encrypted filesystems.
    • Note: Depending on your graphics adapter, Linux fails to re-initialize video without returning to X. As the TRESOR password prompt is displayed in console mode, you may have to enter your password "blind".

Set up an encrypted partition:

  1. If your kernel is compiled with LKM support, ensure the module dm_mod is loaded (modprobe dm_mod).
  2. You must have a free partition to encrypt. For testing purpose, you can use an empty USB stick or a container file (see below). Next we assume this partition is /dev/sdb1. Encrypt the partition by: cryptsetup create tresor /dev/sdb1 --cipher tresor --key-size 128, where key-size can be 128, 192, or 256 on 64-bit AES-NI processors. The passphrase can be an arbitrary string -- it is just used to derive the Crypto-API dummy key, which has no effect in practice.
  3. Next make a filesystem on the recently encrypted partition by mkfs.ext2 /dev/mapper/tresor to setup EXT2, for example.
  4. Last, you can mount your filesystem by mount /dev/mapper/tresor /media/tresor/. Every read and write operation to /mount/tresor/ is encrypted by TRESOR now. Of course, if you want to employ TRESOR seriously, you should encrypt directories like /home/, for example.
  5. Once you are done, you can umount the encrypted partition by umount /media/tresor/ and, if you don't need the crypto device anymore, remove it by cryptsetup remove tresor.

Set up an encrypted container:

  1. Run dd if=/dev/zero bs=1M count=1024 of=container to set up an 1G container file.
  2. Attach the container to a loop device by losetup /dev/loop0 container.
  3. Follow the instructions from Set up a TRESOR encrypted partition using /dev/loop0 as your device.
  4. Once you are done and the container is unmounted, you can run losetup -d /dev/loop0 to detach the container from its loop device.