Gentoo Forums
HOWTO: Encrypt a filesystem in a loopback file
plbe
l33t


Joined: 01 May 2004
Posts: 661

Posted: Wed Jun 15, 2005 2:00 pm    Post subject: HOWTO: Encrypt a filesystem in a loopback file

A spin-off of the "Use new baselayout for file system encryption" thread here: https://forums.gentoo.org/viewtopic-t-298001.html

Taken from the dm_crypt wiki...

First you will need at least a 2.6.4 kernel

Enable these options:

***************************************************************
Device Drivers->Multi-device support (RAID and LVM)->

* Multiple devices driver support (RAID and LVM)
<*> Device mapper support
<*> Crypt target support

***************************************************************
Device Drivers->Block-devices->

<*> Loopback device support

***************************************************************

Cryptographic options->

<*> AES cipher algorithms

***************************************************************

Next: You have to create a loopback file (the following will create a 100 MB file at /home/sekrit):

dd if=/dev/urandom of=/home/sekrit bs=1M count=100

Set it as the loop device:

losetup /dev/loop0 /home/sekrit

****************************************************************

emerge cryptsetup
emerge popt
emerge device-mapper
emerge libgcrypt

****************************************************************

Setup the crypt device:

cryptsetup -c aes -y create sekrit /dev/loop0

Your encrypted device is available at /dev/mapper/sekrit, create a file system:

mke2fs -j /dev/mapper/sekrit

Mount it:

mount -t ext3 /dev/mapper/sekrit /mnt/sekrit

Add a line to your /etc/fstab if you like:

/dev/mapper/sekrit /mnt/sekrit ext3 noauto,noatime 0 0

You're done! You can now store your data there, and after that just...

umount /mnt/sekrit
cryptsetup remove sekrit

***If you don't call cryptsetup remove, everybody can remount it without typing the passphrase!***

To gain access to the encrypted file system again you might have to set up the loop device again (for example after a reboot):

losetup /dev/loop0 /home/sekrit

Otherwise........

cryptsetup create sekrit /dev/loop0
mount /dev/mapper/sekrit /mnt/sekrit
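
The warning in the post above about skipping `cryptsetup remove` can be checked mechanically. The script below is an added example, not part of the original post: it lists dm-crypt mappings that are still open although nothing on them is mounted. The function names and the sample data are made up for illustration; on a live system, save the output of `dmsetup ls --target crypt` to a file and pass it together with `/proc/mounts`.

```shell
#!/bin/sh
# Added example (not from the original post): list dm-crypt mappings that are
# still open although no filesystem on them is mounted. Such a mapping can be
# mounted again without the passphrase.

# stale_crypt_mappings MAPPINGS MOUNTS
#   MAPPINGS: saved output of `dmsetup ls --target crypt`
#             ("name<TAB>(major, minor)" or "name<TAB>(major:minor)")
#   MOUNTS:   a file in /proc/mounts format (device path is field 1)
stale_crypt_mappings() {
    awk '
        FILENAME == ARGV[1] { mounted[$1] = 1; next }   # first file: mounts
        $1 == "No" && $2 == "devices" { next }          # "No devices found"
        NF {
            minor = (NF > 1) ? $NF : ""
            gsub(/[^0-9:]/, "", minor)   # "0)" -> "0", "(254:0)" -> "254:0"
            sub(/.*:/, "", minor)        # keep only the minor number
            # Mounted either by mapper name or by its /dev/dm-N node?
            if (!(("/dev/mapper/" $1) in mounted) &&
                !(("/dev/dm-" minor) in mounted))
                print $1
        }
    ' "$2" "$1"
}

# demo_stale: run the check on constructed sample data.
demo_stale() {
    dir=$(mktemp -d)
    # Constructed sample: three open mappings, "sekrit" is not mounted.
    printf 'sekrit\t(254, 0)\nbackup\t(254, 1)\nmedia\t(254:2)\n' > "$dir/mappings"
    printf '%s\n' \
        '/dev/root / ext3 rw,noatime 0 0' \
        '/dev/mapper/backup /mnt/backup ext3 rw,noatime 0 0' \
        '/dev/dm-2 /mnt/media ext3 rw 0 0' > "$dir/mounts"
    stale_crypt_mappings "$dir/mappings" "$dir/mounts"
    rm -rf "$dir"
}

demo_stale   # prints: sekrit
```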
kawsper
Tux's lil' helper


Joined: 09 Nov 2004
Posts: 128
Location: Copenhagen, Denmark

Posted: Sun Jan 15, 2006 7:48 am

If you want to secure your data more, you should use /dev/random instead of /dev/urandom; it will take a longer time to get the info, but it is more secure that way.
_________________
Laptop: Zepto 2314W, Pentium M 730, 512 Mb Pc-3200
Server 1: Athlon XP 3200+ | Asus A7V880 | 768 Mb DDR Pc-3200
Server 2: Pentium III Coppermine | Unknown MB | 64 Mb
All running Gentoo

www.hyggenet.org - IRC-Network for the pleasant atmosphere.
DJ_Rubbie
n00b


Joined: 03 Jan 2004
Posts: 38
Location: /dev/null

Posted: Fri Apr 21, 2006 3:29 am

Don't need to use /dev/urandom at all, /dev/zero will do, since all it really needs is a file of some size to mount as a loop device. /dev/random will unnecessarily prolong the process (try to time the length of time it needs to generate 10 megabytes of data with /dev/random, let alone 10 kilobytes). Not to mention it's the aes cypher that does the encryption, not whatever that was in the original file.
_________________
Please direct all bug reports to /dev/null
Jake
Veteran


Joined: 31 Jul 2003
Posts: 1132

Posted: Fri Apr 21, 2006 4:01 am

The advantage of /dev/urandom is hiding used space. Encrypted data will ideally appear identical to the randomness. Besides, if you wanted to save time, you'd use the skip= option.
dogunderdog
n00b


Joined: 31 Mar 2004
Posts: 19

Posted: Fri May 05, 2006 3:35 am    Post subject: how can skip save time

Hi,
I don't understand how the skip option can save time when using dd???

cheers,
Florian
Jake
Veteran


Joined: 31 Jul 2003
Posts: 1132

Posted: Fri May 05, 2006 4:46 am    Post subject: Re: how can skip save time

dogunderdog wrote:
Hi,
I don't understand how the skip option can save time when using dd???

cheers,
Florian

Oops, I meant seek.
Code:
# dd of=testfs seek=256 count=0 bs=1M
0+0 records in
0+0 records out
0 bytes (0 B) copied, 5.6e-05 seconds, 0.0 kB/s
# ls -lh testfs
-rw-r--r-- 1 root root 256M May  4 23:41 testfs
# mkfs.reiser4 -f testfs
mkfs.reiser4 1.0.5
Copyright (C) 2001, 2002, 2003, 2004 by Hans Reiser, licensing governed by
reiser4progs/COPYING.

Block size 4096 will be used.
Linux 2.6.16.1-2 is detected.
Uuid 6cb3cbde-b153-46e5-a50c-bd1192d023eb will be used.
Reiser4 is going to be created on testfs.
(Yes/No): yes
Creating reiser4 on testfs ... done
# du -sh testfs
112K    testfs
# mount -o loop testfs /mnt/test/
# df -h | grep test
/home/tmp/testfs      244M  112K  244M   1% /mnt/test
#

Of course, if you want the best possible security, use /dev/urandom.
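
The trade-off discussed in the posts above (a sparse file made with `seek=` versus a file pre-filled from /dev/urandom) can be measured. The script below is an added example, not code from the thread: it counts the blocks of a backing file that are still all-zero after some data has been written. The function names, the 4096-byte block size and the random bytes standing in for dm-crypt ciphertext are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Compares a sparse backing file
# (dd seek=..., as shown above) with one pre-filled from /dev/urandom by
# counting blocks that are still all-zero after some data has been written.

BS=4096   # block size used throughout (assumption for this demo)

# make_backing MODE FILE BLOCKS   (MODE is "sparse" or "random")
make_backing() {
    case $1 in
        sparse) dd if=/dev/null of="$2" bs=$BS seek="$3" count=0 2>/dev/null ;;
        random) dd if=/dev/urandom of="$2" bs=$BS count="$3" 2>/dev/null ;;
        *) return 2 ;;
    esac
}

# fake_ciphertext FILE OFFSET BLOCKS
# Stand-in for data written through dm-crypt: random bytes placed in the
# middle of the file without truncating it.
fake_ciphertext() {
    dd if=/dev/urandom of="$1" bs=$BS seek="$2" count="$3" conv=notrunc 2>/dev/null
}

# zero_blocks FILE  ->  prints "<all-zero blocks>/<total blocks>"
zero_blocks() {
    total=$(( ($(wc -c < "$1") + BS - 1) / BS ))
    i=0 zero=0
    while [ "$i" -lt "$total" ]; do
        # A block is "zero" if nothing is left after deleting NUL bytes.
        left=$(dd if="$1" bs=$BS skip="$i" count=1 2>/dev/null | tr -d '\000' | wc -c)
        [ "$left" -eq 0 ] && zero=$((zero + 1))
        i=$((i + 1))
    done
    echo "$zero/$total"
}

# leak_demo MODE -> zero-block ratio after writing 3 of 16 blocks
leak_demo() {
    f=$(mktemp)
    make_backing "$1" "$f" 16 && fake_ciphertext "$f" 5 3
    zero_blocks "$f"
    rm -f "$f"
}

leak_demo sparse   # 13/16: the three written blocks stand out
leak_demo random   # 0/16: written and unwritten blocks look alike
```

The per-block loop is slow on large files; pass a bigger block size (for example 1 MiB) when auditing a real container.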
dogunderdog
n00b


Joined: 31 Mar 2004
Posts: 19

Posted: Fri May 05, 2006 5:21 pm    Post subject: Re: how can skip save time

hi,
thanks.

interestingly this does not work on a vfat partition (i.e. it doesn't save time there, unless the file already exists)

cheers,
florian