Keeping Files in the cryptoloop
The February 2006 “Product Picks” column mentions that TrueCrypt (http://www.truecrypt.org/) is now available for Linux. Other than steganography (TrueCrypt’s hidden volumes), all of the major features of TrueCrypt have been available in the Linux kernel for several years.
In the 2.6 kernel, the equivalent feature is called “cryptoloop,” and, as the name implies, it uses a loop device to work its magic. (Two caveats before you depend on it: cryptoloop has been marked deprecated in the kernel in favor of dm-crypt, and the stock losetup applies no salt or key stretching to the passphrase, so the volume is only as strong as the passphrase you type. Use a long, random one.) There are several cryptoloop tutorials floating around, but here’s a script, shown in Listing One, that demonstrates the basics. After running the script, you’ve got an encrypted partition in the file crypto.img.
# path to file for crypto image (replace USERNAME with your username)
CRYPTO_IMG=/home/USERNAME/crypto.img
# Create a 16M file filled with random data (4096 blocks of 4096 bytes),
# so that used and unused blocks of the volume look the same later.
dd if=/dev/urandom of=$CRYPTO_IMG \
bs=4096 count=4096
# You’ll need to do everything after this point as root, either via su
# or sudo.
# Load the loop and cryptoloop modules
# (note: if you get errors here, then you’re not running as root, your
# module dependencies are messed up, these modules have been compiled
# into your kernel, or you need to compile them in. This step needs to
# succeed in order for you to continue, so take a look at your kernel
# config and /proc/crypto to see what went wrong).
for mod in loop cryptoloop aes; do /sbin/modprobe $mod || exit 1; done
# Grab a free loop device.
LOOP_DEV=$(/sbin/losetup -f)
# Create a 256-bit, AES-encrypted loop device and bind it to our
# image of random data. At this point you’ll be prompted for a
# password. This is the password for your encrypted partition, so
# don’t lose it: there is no way to recover the data without it.
# If losetup fails here, stop; formatting the loop device would be
# pointless.
/sbin/losetup -e aes $LOOP_DEV $CRYPTO_IMG || exit 1
# Format the partition through the loop device. You can use any
# filesystem you’d like here, but ext2 seems to be the best choice;
# it uses less CPU than the other filesystems and you can’t really
# take advantage of any journaling features anyway.
/sbin/mke2fs $LOOP_DEV
# Detach the loop device (this also drops the key from the kernel).
/sbin/losetup -d $LOOP_DEV
You can mount it like so (as root; you’ll be prompted for the password again):
# mkdir /mnt/crypto && \
mount -o loop,encryption=aes \
$CRYPTO_IMG /mnt/crypto
If you’re feeling extra tricky, you can add an entry to fstab so you don’t have to be root to mount the filesystem. For example, I keep the data for my OpenVPN certificate authority on an encrypted partition. Listing Two shows the fstab entry for that encrypted partition (it is a single line):
/data1/ca.fs /home/pabs/ca ext2 defaults,user,noauto,loop,encryption=aes 0 0
So far, all of the examples have mounted files via loopback. But the backing store for losetup and mount can actually be a file, another loop device, or a physical block device (such as a physical disk partition). It’s that last one that’s most interesting, because it allows you to create encrypted physical partitions.
Let’s say you have an old USB flash drive on /dev/sdb1 that you’d like to reuse as a secure storage device. You can use the same commands above with two minor changes, as shown in Listing Three. Double-check the device name first (dmesg after plugging it in, or /proc/partitions): the dd below irreversibly wipes whatever it is pointed at.
# change our crypto source to be /dev/sdb1
CRYPTO_IMG=/dev/sdb1
# fill the entire partition with random data (since it’s
# a physical partition, we omit the count parameter and let dd
# run until it hits the end of the device; dd then reports
# “No space left on device”, which is the expected way for it to stop).
dd if=/dev/urandom of=$CRYPTO_IMG bs=4096
# .. and everything after that is the same as working with a file
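As an added example (not code from the letter), here is the procedure from Listings One and Three folded into one script with the checks you want before pointing dd at a target: it refuses a target that is mounted or already attached to a loop device, demands root only once it is about to write, and treats a failed losetup -e as fatal instead of formatting whatever happens to be on the loop device. It assumes the same util-linux losetup/mount with cryptoloop support and the aes module that the listings use; the /proc/mounts-style sample read by selfcheck is constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example, not from the original letter: the cryptoloop procedure
# from Listings One and Three with safety checks.  Assumes util-linux
# losetup with cryptoloop support (losetup -e) and an "aes" cipher
# module.  make_crypto needs root; the other functions do not.
set -u

# 4096-byte blocks needed for SIZE_MIB mebibytes (1 MiB = 256 such blocks).
blocks_for_mib() {
    echo $(( $1 * 256 ))
}

# Classify TARGET: an existing block device, an existing regular file,
# a path that does not exist yet (a new image), or something we refuse.
target_kind() {
    if   [ -b "$1" ]; then echo block
    elif [ -f "$1" ]; then echo file
    elif [ ! -e "$1" ]; then echo new
    else echo unsupported
    fi
}

# Succeed if TARGET is the source of a mount in a /proc/mounts-style
# listing ($2, default /proc/mounts).  A file-backed loop appears there
# as /dev/loopN, so for image files we also ask losetup -a (best effort).
is_mounted() {
    awk -v t="$1" '$1 == t { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}
is_loop_backed() {
    losetup -a 2>/dev/null | grep -F "($1)" >/dev/null
}

# Create, encrypt and format TARGET.  Usage: make_crypto TARGET [SIZE_MIB]
# (SIZE_MIB applies only when TARGET is a new image file; default 16).
make_crypto() {
    target=$1; size_mib=${2:-16}
    kind=$(target_kind "$target")
    if [ "$kind" = unsupported ]; then
        echo "refusing: $target is not a file or block device" >&2; return 1
    fi
    if is_mounted "$target" || { [ "$kind" = file ] && is_loop_backed "$target"; }; then
        echo "refusing: $target is in use" >&2; return 1
    fi
    [ "$(id -u)" -eq 0 ] || { echo "make_crypto must run as root" >&2; return 1; }
    for mod in loop cryptoloop aes; do /sbin/modprobe "$mod" || return 1; done

    # Fill the target with random data so used and unused blocks are
    # indistinguishable.  On a block device dd stops with "No space left
    # on device" and a non-zero status; that is the expected end condition.
    if [ "$kind" = new ]; then
        dd if=/dev/urandom of="$target" bs=4096 count="$(blocks_for_mib "$size_mib")" || return 1
    else
        dd if=/dev/urandom of="$target" bs=4096 2>/dev/null
    fi

    loop_dev=$(/sbin/losetup -f) || return 1
    # Prompts for the passphrase.  A failure here (missing module, key
    # length rejected by the cipher) must not be ignored, or mke2fs would
    # format a loop device that is not encrypted at all.
    /sbin/losetup -e aes "$loop_dev" "$target" || return 1
    /sbin/mke2fs "$loop_dev"; rc=$?
    /sbin/losetup -d "$loop_dev"    # detach; also drops the key from the kernel
    return $rc
}

# Constructed /proc/mounts sample for selfcheck (not from a real system).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sdb1 /mnt/usb vfat rw 0 0
/dev/loop0 /mnt/crypto ext2 rw 0 0'

# Exercise the non-root checks against the sample; returns 0 on success.
selfcheck() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_MOUNTS" > "$tmp"
    ok=0
    [ "$(blocks_for_mib 16)" = 4096 ] || ok=1       # Listing One's count=4096
    is_mounted /dev/sdb1 "$tmp" || ok=1             # mounted USB stick: refuse
    if is_mounted /dev/sdc1 "$tmp"; then ok=1; fi   # not mounted: allowed
    [ "$(target_kind "$tmp")" = file ] || ok=1
    [ "$(target_kind /no/such/image)" = new ] || ok=1
    [ "$(target_kind /)" = unsupported ] || ok=1
    rm -f "$tmp"
    return $ok
}
```

Run it as root with `make_crypto /home/USERNAME/crypto.img 16` for Listing One or `make_crypto /dev/sdb1` for Listing Three; `selfcheck` runs without root and only exercises the guards. The in-use check is deliberately conservative: a false refusal costs you a second look at the device name, a false pass costs you a filesystem.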
Paul Duncan, via email