Excerpt for file based crypto:
============================================
7. Using a file instead of a partition

It is just as easy to create an encrypted file system within a file on
another file system. This is especially useful if you want to back up
this file by burning it to a DVD, etc. You can then easily move the
file around to other machines as well.

To initially create a 100MB file containing random data use the
following command:

dd if=/dev/urandom of=/mystuff.aes bs=1k count=100000

If you want to change the size of the file, change the count value accordingly.

The above command creates 100000 blocks of 1k in size, but you can
change this to whatever you like. Just make sure it is not too small
to hold the file system you chose. You can choose any file name and
path you want instead of /mystuff.aes as long as there's enough space
on the partition.

You can then create the encrypted file system within this file,
similar to the way it is done above:

losetup -e aes-256 /dev/loop0 /mystuff.aes

Now you can create the file system:

mkfs.ext3 /dev/loop0

and mount it:

mount -t ext3 /dev/loop0 /mnt/crypto

Finally, unmount and detach the loop device:

umount /mnt/crypto
losetup -d /dev/loop0

You can then mount the file system later on as follows:

mount /mystuff.aes /mnt/crypto -oencryption=aes-256
===================================================

HTH,

-Hani

5. Setting up the loop device

Cryptoloop can be used either on a file or an entire file system. The following 
describes how to set it up on a particular partition. This partition can be any 
partition you like; the following example uses /dev/sda1. I have chosen to use 
AES as a cipher, but you can substitute any cipher you like that has been 
enabled in the kernel. You can get a list of the algorithms supported by your 
currently running kernel by looking into /proc/crypto. Excellent resources
discussing the different cryptographic algorithms are Bruce Schneier's books,
Applied Cryptography and Practical Cryptography.

1. It is recommended that you format your partition and fill it with random
   data before you create the encrypted file system on it. This will make it
   harder for an attacker to detect patterns in your encrypted partition.

   WARNING!

   Be careful what you type here for your partition. If you do make a
   mistake, you can easily overwrite the wrong partition with random garbage!

   Filling a partition with random data can be done as follows:

   dd if=/dev/urandom of=/dev/sda1 bs=1M

   You may get an error message that the device is full. You can ignore it.

2. Select a cipher and key size. A list of ciphers supported by your kernel
   can be obtained from /proc/crypto. I recommend that you use AES with a
   256-bit key.

3. Set up the loop device. This is done using the losetup command from the
   util-linux package. The following command sets up loop device 0 as an
   encrypted device on top of /dev/sda1, using the AES cipher with a 256-bit
   key:

   losetup -e aes-256 /dev/loop0 /dev/sda1

   The command prompts for a password. Select a strong password and try to
   remember it without having to stick a Post-It note to your monitor. There
   is one big downside to using Cryptoloop. Since the password is hashed to
   create the encryption key, it is not easy to change the password later
   on. The most straightforward way of changing the password is to create a
   new encrypted partition or file and move all data into it. For this
   reason, make sure you select a strong password from the start.

4. Create a file system. You can choose whatever file system you like. The
   following creates an ext3 file system using the loop device:

   mkfs.ext3 /dev/loop0

5. Mount the encrypted file system. First you need to create a mount point,
   such as /mnt/crypto:

   mkdir /mnt/crypto

   Then you need to mount the file system. At this stage you need to tell
   mount explicitly which loop device to use:

   mount -t ext3 /dev/loop0 /mnt/crypto

6. You can now play with your encrypted file system until you are bored.

7. Unmount the file system. After you are done playing, unmount the
   filesystem:

   umount /mnt/crypto

8. Detach the loop device. The loop device is still attached to your
   partition. Detach it with:

   losetup -d /dev/loop0

6. Mounting the encrypted file system

For all operations on the Cryptoloop device, it is important that the necessary 
modules are loaded. You need to load at least the Cryptoloop module and the 
modules for each cipher with modprobe. If the features are compiled directly 
into the kernel, this is not necessary.

In order to mount the encrypted file system created above, you can use the 
standard mount command from util-linux:

mount -t ext3 /dev/sda1 /mnt/crypto/ -oencryption=aes-256

You will be prompted for the password and the file system will be mounted just 
as any other. Since the encryption option implies that this is a Cryptoloop 
filesystem, it will automatically pick an available loopback device.

When you are done, unmount it with:

umount /mnt/crypto

You can add the following line to /etc/fstab:

/dev/sda1               /mnt/crypto     ext3            noauto,encryption=aes-256       0 0

Now you can simply mount the device with:

mount /mnt/crypto

That's it. Have fun.

7. Using a file instead of a partition

It is just as easy to create an encrypted file system within a file on another 
file system. This is especially useful if you want to back up this file by 
burning it to a DVD, etc. You can then easily move the file around to other 
machines as well.

To initially create a 100MB file containing random data use the following 
command:

dd if=/dev/urandom of=/mystuff.aes bs=1k count=100000

If you want to change the size of the file, change the count value accordingly. 
The above command creates 100000 blocks of 1k in size, but you can change this 
to whatever you like. Just make sure it is not too small to hold the file 
system you chose. You can choose any file name and path you want instead of 
/mystuff.aes as long as there's enough space on the partition.

You can then create the encrypted file system within this file, similar to the 
way it is done above:

losetup -e aes-256 /dev/loop0 /mystuff.aes

Now you can create the file system:

mkfs.ext3 /dev/loop0

and mount it:

mount -t ext3 /dev/loop0 /mnt/crypto

Finally, unmount and detach the loop device:

umount /mnt/crypto
losetup -d /dev/loop0

You can then mount the file system later on as follows:

mount /mystuff.aes /mnt/crypto -oencryption=aes-256

If you want to move the file or burn it to a CD or DVD, make sure you unmount 
it first. 
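The file-container procedure above (and the same steps in the excerpt at the top of the mail), as an added example that is not part of the HOWTO or of Hani's message: a small POSIX shell helper that turns the steps into a checked plan. Assumed: the function names, /dev/loop0 as the default loop device, and that the printed commands are run separately as root with the cryptoloop and cipher modules loaded.

```shell
#!/bin/sh
# Added example, not code from the HOWTO or from Hani's mail: the file-based
# Cryptoloop setup of section 7 as a checked, parameterised plan. The function
# names, the default loop device and the constructed /proc/crypto sample used
# in testing are assumptions; nothing here writes to disk or touches a loop device.

# Cryptoloop names a cipher as <name>-<bits> (aes-256). /proc/crypto lists each
# algorithm on a "name : <cipher>" line, so look the name half up there.
cipher_supported() {              # cipher_supported aes [/path/to/proc/crypto]
    grep -Eq "^name[[:space:]]*:[[:space:]]*$1\$" "${2:-/proc/crypto}"
}

# The HOWTO's dd line uses bs=1k and count=100000 for a "100MB" file; keep that
# convention so a size in MB maps to the matching dd count.
dd_count_for_mb() {               # dd_count_for_mb 100 -> 100000
    echo $(( $1 * 1000 ))
}

# Section 5's WARNING is about overwriting the wrong target. Refuse to plan
# against anything that already exists, whether a block device or a plain file.
check_target() {
    if [ -b "$1" ]; then
        echo "refusing: $1 is a block device, not a new container file" >&2
        return 1
    fi
    if [ -e "$1" ]; then
        echo "refusing: $1 already exists; choose a new path or remove it first" >&2
        return 1
    fi
    return 0
}

# Print, never run, the section 7 commands for one container. Review the plan,
# then execute it as root with the cryptoloop and cipher modules loaded.
plan_container() {   # plan_container FILE SIZE_MB CIPHER BITS MOUNTPOINT [LOOPDEV]
    file=$1; size_mb=$2; cipher=$3; bits=$4; mnt=$5; loop=${6:-/dev/loop0}
    check_target "$file" || return 1
    cat <<EOF
dd if=/dev/urandom of=$file bs=1k count=$(dd_count_for_mb "$size_mb")
losetup -e $cipher-$bits $loop $file
mkfs.ext3 $loop
mkdir -p $mnt
mount -t ext3 $loop $mnt
umount $mnt
losetup -d $loop
mount $file $mnt -oencryption=$cipher-$bits
EOF
}
```

`plan_container /mystuff.aes 100 aes 256 /mnt/crypto` prints the same command sequence as section 7 for review, and `cipher_supported aes` is the /proc/crypto check the text recommends before picking a cipher.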
