UPDATE: For the extremely paranoid, cryptoloop has a minor known vulnerability: it is possible to detect the presence of a specially created file in the file system. It shouldn’t cause a problem for most people; Wikipedia explains it here. If it is a concern for you then you might want something a bit more extreme. Cryptoloop has been superseded by dm-crypt, and there is also truecrypt, which can do 3 encryption algorithms at once and also hide your real encrypted fs under a dummy one. I’ll probably write up some more about them later.
I’m doing the following under Debian Etch, but Ubuntu Feisty should work exactly the same. Other Linux distros might need the correct cryptoloop and AES encryption modules for the kernel, and ‘/dev/loop/0’ might change to ‘/dev/loop0’. The kernel modules required for encryption are included in linux-image for both Debian and Ubuntu. Etch also apparently has fairly good support for setting up encryption during the installation, but that’s not the goal of this article.
Firstly you need to create a loopback image for your file system to use. The easiest way to do this is to output random data into a file; this will take a while for larger sizes. Alternatively you could use /dev/zero, but this could theoretically be less secure.
dd if=/dev/urandom of=encrypted.img bs=1M count=100
That will make a 100MB loopback image; change the numbers to suit your desired size.
Next we want to bind our image to a loopback device:
losetup -e aes /dev/loop/0 encrypted.img
At this point you will be asked for a password; type it in. I recommend you use a longer passphrase rather than a password, like an entire sentence with mixed case and numbers/symbols. When I was following some older how-tos I was getting an “ioctl: LOOP_SET_STATUS: Invalid argument”; that was because they had “-e AES256” rather than “-e aes”. With newer versions, if you want to manually specify a key length you use the -k flag, although the default should be fine.
Another common error is “ioctl: LOOP_SET_STATUS: Invalid argument”; this is generally the result of not loading the correct modules, so run “modprobe aes loop cryptoloop” (actually cryptoloop will probably load everything required).
Now we want to make a file system on it. This works just like making one on a hard drive, except we use the loopback device. Most other howtos I’ve seen on the subject seem to use ext2; I don’t know if the added journal used in ext3 could be a security risk. On ext3 it is somewhat harder to recover deleted files, though; chances are it’s just a performance thing, and the encryption would need to be broken already for either the journal or file recovery to be a problem. Change ext3 to ext2 if you want:
mkfs.ext3 /dev/loop/0
Now we unbind the image from the interface:
losetup -d /dev/loop/0
Now for automated mounting we want to make a mount point and edit the fstab:
mkdir /mnt/encrypted
To make sure that no one can access the mount point when the filesystem isn’t mounted, we need to set the correct permissions:
chmod 700 /mnt/encrypted
The /etc/fstab entry should look like the following:
/directory/with/image/encrypted.img /mnt/encrypted ext3 defaults,noauto,loop=/dev/loop/0,encryption=aes 0 0
Now try and mount it:
mount /mnt/encrypted
This should ask you for your password. If you get the error “mount: wrong fs type, bad option, bad superblock on /dev/loop/0,” you probably mistyped your password; otherwise you broke something.
Make sure the permissions on the folder for its mounted state are correct; the following will only allow the user with your username (and root) to browse the directory:
chown -R username:username /mnt/encrypted
chmod 770 /mnt/encrypted
Remember that an encrypted system isn’t 100% secure: files can be cached in the swap drive. It is possible to encrypt swap space, but you will lose some performance. Some programs will also cache information from the encrypted folder, such as file managers that make thumbnails for text/images/videos. It is possible to encrypt an entire installation, but generally there isn’t much point, since files aren’t going to be saved in places like /usr/ and you will lose a lot of performance. It is also possible to use an encryption key file rather than a password; this allows you to keep it on a USB drive, but it’s possible the USB drive could be stolen too, or seized by the government tracking your MP3s :p I would also recommend backing up the USB key in case you lose the key but not the laptop.
If you want to increase the size of the filesystem later, you first need to add extra blocks to the file. To add 200MB to the file:
dd if=/dev/urandom bs=1M count=200 >> encrypted.img
You can then resize the partition while it is mounted (it’s probably possible, and best, to do it when it isn’t, but /dev/loop/0 with losetup wasn’t doing it for me, and increasing the size of an ext3 partition is a fairly safe operation and wasn’t throwing any warnings):
mount /mnt/encrypted
resize2fs /dev/loop/0
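As an added example (not code from the original post), here is the setup procedure above and the grow step wrapped into shell functions with the checks a practitioner would want: the fstab line is validated for noauto/loop=/encryption=aes, the unmounted mount point is checked for mode 700, and the image growth is verified by size before resize2fs. It assumes the article’s /dev/loop/0 naming and -e aes cipher name; CRYPTOLOOP_RUN is a hypothetical gate so the root-only part does not run when the file is merely sourced.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes /dev/loop/0 and
# "-e aes" exactly as the article uses them; root is needed for setup.
set -u

LOOPDEV=/dev/loop/0   # assumption: devfs-style naming from the article

# Build the /etc/fstab line: noauto so nothing mounts it without the
# passphrase prompt; loop= and encryption= let mount drive losetup.
fstab_entry() {   # $1=image path $2=mount point
    printf '%s %s ext3 defaults,noauto,loop=%s,encryption=aes 0 0\n' "$1" "$2" "$LOOPDEV"
}

# Reject an fstab line missing noauto, the loop device or the cipher:
# any of those gives a boot-time prompt/hang or a non-encrypted mount.
fstab_line_ok() {
    case "$1" in
        *noauto*loop=*encryption=aes*) return 0 ;;
    esac
    return 1
}

# The unmounted mount point must be mode 700 (chmod, not chown) so other
# users cannot read or drop files in the directory that later hides the volume.
mountpoint_mode_ok() {
    [ "$(stat -c %a "$1")" = 700 ]
}

# Append $2 MiB of random data to image $1 (the step before resize2fs).
# Succeeds only if the file actually grew by exactly that amount.
grow_image() {
    before=$(stat -c %s "$1")
    dd if=/dev/urandom bs=1M count="$2" >> "$1" 2>/dev/null || return 1
    [ "$(stat -c %s "$1")" -eq $((before + $2 * 1048576)) ]
}

# Root-only: create the image, format it through the loop device, detach,
# lock down the mount point and register the fstab entry.
setup_encrypted_image() {   # $1=image path $2=size MiB $3=mount point
    dd if=/dev/urandom of="$1" bs=1M count="$2"
    modprobe cryptoloop
    losetup -e aes "$LOOPDEV" "$1"        # prompts for the passphrase
    mkfs.ext3 "$LOOPDEV"
    losetup -d "$LOOPDEV"
    mkdir -p "$3" && chmod 700 "$3"
    fstab_entry "$1" "$3" >> /etc/fstab
}
if [ "${CRYPTOLOOP_RUN:-0}" = 1 ]; then setup_encrypted_image "$@"; fi
```

Run it as root with CRYPTOLOOP_RUN=1 ./script.sh /path/encrypted.img 100 /mnt/encrypted; after growing an image with grow_image, mount it and run resize2fs as shown above.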
You have no idea how much you helped me out.
Glad to hear it was useful
Thanks. The “ioctl: LOOP_SET_STATUS: No such file or directory” error message was driving me nuts (SUSE, Red Hat and Mandrake never gave me that one), and Google was surprisingly uncooperative regarding that error message. Thanks a lot. Nice blog, good tutorials.