Linux

Create encrypted loopback filesystems on Linux


One nice feature about Mac OS X that is widely advertised is the fact that you can create encrypted disk images very easily. These disk images can be used to store documents and files, and can be mounted and unmounted on demand. In fact, the FileVault feature of OS X allows the entire home directory to be so encrypted and mounted that in the event that a laptop is stolen, the contents of the user's home directory is completely unavailable.

The same can be done in Linux. Using the loopback filesystem interface, you can create encrypted filesystems very easily. These filesystems are great for storing sensitive documents be it SSH or GnuPG keys, financial documents, etc.

To begin, you'll need to load the aes and cryptoloop modules in the kernel if they are not already available. This can be done by executing:

# modprobe cryptoloop

# modprobe aes

Most modern Linux distributions provide these modules from the get-go, so you shouldn't have to recompile the kernel. Once this is done, create the filesystem container, associate it to a loopback device interface, and format it:

# dd if=/dev/urandom of=enc.img bs=1M count=50

# losetup -e aes /dev/loop0 enc.img

Password:

# mkfs -t ext2 /dev/loop0

# mount /dev/loop0

# mount -o loop,encryption=aes enc.img /media/disk

The first step creates an empty image file called enc.img with a size of 50 MB; you can increase this by changing the count value. Next, use losetup to associate the enc.img file to the /dev/loop0 device and tell it that the device is to be encrypted with AES encryption. This command uses 128-bit AES encryption; look at the losetup manpage to see what other encryption types you can use. You will have to provide a password that will be used from that point forward to access the image.

Next, the filesystem is formatted with the ext2 filesystem. Finally, it is mounted to /media/disk. The options passed to mount tell it to use the loopback interface and the encryption type needed. When you call mount, you will have to provide the password you used to encrypt the image.

Putting this kind of image in /etc/fstab will not work unless you want to be prompted for your password on each boot. Instead, this should be accessed as needed. For instance, you could store the file as ~/.enc.img so it's hidden from normal view, with mode 0600 permissions. Wrapper scripts could be written to mount and umount the image easily:

#!/bin/sh

# mount ~/.enc.img

mkdir -p /media/secure && mount -o loop,encryption=aes ~/.enc.img /media/secure

</code>

And to unmount the volume when you're finished with it:

#!/bin/sh

# umount /media/secure

umount /media/secure && rmdir /media/secure

These two commands could be saved as ~/bin/ms and ~/bin/ums respectively. Alternatively, you could add the following to ~/.bashrc and uses aliases instead:

alias ms="mkdir -p /media/secure && mount -o loop,encryption=aes ~/.enc.img /media/secure"

alias ums="umount /media/secure && rmdir /media/secure"

Using encrypted filesystems for on Linux is extremely easy and sensible, especially for laptops or when dealing with very sensitive files.

Delivered each Tuesday, TechRepublic's free Linux NetNote provides tips, articles, and other resources to help you hone your Linux skills. Automatically sign up today!

About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.

3 comments
stomfi
stomfi

You can add squashfs to the mix to make a much smaller archive.

frylock
frylock

I remember crytoploop having a known plain text (or somesuch) vulnerability, and aesloop being recommended instead. Is this still true, or has it been fixed? It was a year or two ago that I read about that problem.

thomasjwarchol
thomasjwarchol

Any particular issues when saving to a thumb drive?

Editor's Picks