UPDATE: For the extremely paranoid, cryptoloop has a minor known vulnerability: it is possible to detect the presence of a specially created file in the file system. It shouldn’t cause a problem for most people; Wikipedia explains it here. If it is a concern for you then you might want something a bit more extreme. Cryptoloop has been superseded by dm-crypt, and there is also TrueCrypt, which can run three encryption algorithms at once and can also hide your real encrypted filesystem under a dummy one. I’ll probably write up some more about them later.
I’m doing the following under Debian Etch, but Ubuntu Feisty should work exactly the same. Other Linux distros might need the correct cryptoloop and AES encryption modules for the kernel, and ‘/dev/loop0’ might change to ‘/dev/loop/0’. The kernel modules required for encryption are included in linux-image for both Debian and Ubuntu. As of Etch, Debian also has fairly good support for setting up encryption during the installation, but that’s not the goal of this article.
Firstly you need to create a loopback image for your filesystem to use. The easiest way to do this is to write random data into a file; this will take a while for larger sizes. Alternatively you could use /dev/zero, but this could theoretically be less secure (anyone looking at the image can then tell which parts of it have been written to).
dd if=/dev/urandom of=encrypted.img bs=1M count=100
That will make a 100 MB loopback image; change the numbers to suit your desired size.
Next we want to bind our image to a loopback device:
losetup -e aes /dev/loop0 encrypted.img
At this point you will be asked for a password; type it in. I recommend you use a longer passphrase rather than a password, like an entire sentence with mixed case and numbers/symbols. When I was following some older how-tos I was getting an “ioctl: LOOP_SET_STATUS: Invalid argument”; that was because they had “-e AES256” rather than “-e aes”. With newer versions, if you want to manually specify a key length you use the -k flag, although the default should be fine.
Another common error is “ioctl: LOOP_SET_STATUS: Invalid argument”; this is generally the result of not loading the correct modules: “modprobe aes loop cryptoloop” (actually cryptoloop will probably load everything required).
Now we want to make a filesystem on it. This works just like making one on a hard drive, except we use the loopback device. Most other how-tos I’ve seen on the subject seem to use ext2; on ext3 it is somewhat harder to recover deleted files (which could be a good thing for encrypted data) and you get a journal that can help reduce/detect data loss. [EDIT: Now there is ext4 with things like extents which reduce fragmentation (although if you’re on a loopback device the loopback image will probably itself have some fragmentation too), journal checksumming, much faster fsck and other goodies (also btrfs, but as of now it’s experimental).] Change ext4 to ext3, ext2 or btrfs if you want:
Now we unbind the image from the interface:
losetup -d /dev/loop0
Now for automated mounting we want to make a mount point and edit the fstab:
To make sure that no one can access the mount point when the filesystem isn’t mounted, we need to set the correct permissions (the original post had chown here, but a mode is a chmod argument):
chmod 700 /mnt/encrypted
The /etc/fstab entry should look like the following:
/directory/with/image/encrypted.img /mnt/encrypted ext3 defaults,noauto,loop=/dev/loop0,encryption=aes 0 0
Now try and mount it:
This should ask you for your password. If you get the error “mount: wrong fs type, bad option, bad superblock on /dev/loop/0,” you probably mistyped your password; otherwise you broke something.
Make sure the permissions on the folder for its mounted state are correct. The following will only allow the user with your username (and root) to browse the directory:
chown -R username:username /mnt/encrypted
chmod 770 /mnt/encrypted
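The setup steps above collected into one checked script (an added example, not code from the original post): it refuses to overwrite an existing image, checks that the mount point is mode 700 while the image is detached, and emits the fstab line. The image path, mount point, loop device and filesystem type are placeholders taken from the post; it assumes Linux with GNU coreutils and root for the losetup/mkfs/fstab steps.

```shell
#!/bin/sh
# Added example, not from the original post: the setup steps above as a checked
# script. Assumes Linux with GNU coreutils, a kernel with cryptoloop/aes modules,
# and root for the losetup/mkfs/fstab steps; paths are placeholders from the post.
set -eu

IMG="${IMG:-/directory/with/image/encrypted.img}"
MNT="${MNT:-/mnt/encrypted}"
LOOP="${LOOP:-/dev/loop0}"
SIZE_MB="${SIZE_MB:-100}"
FSTYPE="${FSTYPE:-ext3}"

# fstab line for a cryptoloop image: noauto so boot never blocks on the
# passphrase prompt, loop= pins the device name used in the post.
fstab_entry() {
    printf '%s %s %s defaults,noauto,loop=%s,encryption=aes 0 0\n' "$1" "$2" "$3" "$4"
}

# True when the (unmounted) mount point is mode 700, so only its owner and
# root can even list it while the encrypted image is detached.
mountpoint_is_private() {
    [ -d "$1" ] && [ "$(stat -c '%a' "$1")" = "700" ]
}

# Fill a new image with random data; refuse to clobber an existing one, since
# dd would silently overwrite whatever encrypted data it already holds.
create_image() {
    [ ! -e "$1" ] || { echo "refusing to overwrite $1" >&2; return 1; }
    dd if=/dev/urandom of="$1" bs=1M count="$2" 2>/dev/null
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    modprobe cryptoloop              # pulls in loop and aes, as the post notes
    create_image "$IMG" "$SIZE_MB"
    losetup -e aes "$LOOP" "$IMG"    # prompts for the passphrase
    mkfs -t "$FSTYPE" "$LOOP"
    losetup -d "$LOOP"
    mkdir -p "$MNT" && chmod 700 "$MNT"
    mountpoint_is_private "$MNT"
    fstab_entry "$IMG" "$MNT" "$FSTYPE" "$LOOP" >> /etc/fstab
}

# Privileged steps run only when explicitly requested (RUN_SETUP=1 sh script.sh).
if [ "${RUN_SETUP:-0}" = "1" ]; then main; fi
```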
Remember that an encrypted system isn’t 100% secure: files can be cached in the swap drive. It is possible to encrypt swap space, but you will lose some performance (nowadays it might be better to just ensure you have plenty of RAM and disable swap). Some programs will also cache information from the encrypted folder, such as file managers that make thumbnails for text/images/videos. It is possible to encrypt an entire installation, but generally there isn’t much point since files aren’t going to be saved in places like /usr/ and you will lose a lot of performance. It is also possible to use an encryption key file rather than a password; this allows you to keep it on a USB drive, but it’s possible the USB drive could be stolen too, or seized by the government tracking your MP3 downloading :p I would also recommend backing up the USB key in case you lose the key but not the laptop.
If you want to increase the size of the filesystem later, firstly you need to add extra blocks to the file. To add 200 MB to the file:
dd if=/dev/urandom bs=1M count=200 >> encrypted.img
You can then resize the partition while it is mounted (it’s probably possible, and best, to do it when it isn’t, but /dev/loop0 with losetup wasn’t doing it for me, and increasing the size of an ext3 partition seems safe-ish and wasn’t throwing any warnings about it needing to be done offline):
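The growing procedure above as a small checked script (an added example, not code from the original post): it appends the random padding and verifies the image actually grew by the requested amount before the filesystem is resized. It assumes GNU coreutils and e2fsprogs (resize2fs, which the post does not name), and root for the resize step.

```shell
#!/bin/sh
# Added example, not from the original post: grow an existing image by N MiB
# of random padding and verify the append landed before resizing the filesystem.
# Assumes GNU coreutils and e2fsprogs (resize2fs); root is needed for the resize.
set -eu

# Image size in whole MiB.
image_size_mb() {
    echo $(( $(stat -c '%s' "$1") / 1048576 ))
}

# Append add_mb MiB of random data, as in the post. Returns 1 if the image is
# missing or the file did not grow by exactly add_mb (a short write would leave
# the filesystem resize asking for blocks that are not there).
grow_image() {
    img="$1"; add_mb="$2"
    [ -f "$img" ] || { echo "no such image: $img" >&2; return 1; }
    before=$(image_size_mb "$img")
    dd if=/dev/urandom bs=1M count="$add_mb" 2>/dev/null >> "$img"
    after=$(image_size_mb "$img")
    [ "$after" -eq $(( before + add_mb )) ]
}

# Grow the ext3/ext4 filesystem to fill the enlarged image; resize2fs can do
# this online on the attached loop device, matching the post's mounted resize.
# (ext2 has no online resize: detach it and run e2fsck -f first.)
resize_fs() {
    resize2fs "$1"
}
```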