Encrypted Filesystems

Øyvind Stegard oyvinst at ifi.uio.no
Tue Aug 30 23:57:57 UTC 2005


dabicho wrote:
> Hello. I am looking for a way to encrypt a filesystem in a loop device.
> I have used loopAES, but if I use it with Fedora, replacing
> utilities like mount and losetup will make a mess.
> 
> It'd be a big job to try and port all the patches needed by loopAES
> to Fedora or avoid using some of Fedora's properties, like
> automounting CDs with kudzu and the like, so I am looking for a way
> to encrypt filesystems that doesn't require too much hassle.
> 
> Any suggestions?

I consider this quite hassle-free, but don't know loopAES, so it might
seem a bit more complicated. Here's how I did it using cryptoloop [as root]:

# Create "empty" file (or partition, or any old block device)
# This will hold the encrypted fs contents.
$ dd if=/dev/urandom of=/securefs.aes bs=1024 count=4000000 # ~4 gigs

# Make sure cryptoloop module is loaded, to avoid getting error
# messages when trying to attach loop device using encryption.
$ /sbin/modprobe cryptoloop

# Setup loop device
$ losetup -e aes-cbc-256 /dev/loop0 /securefs.aes
[type password, and type carefully, it isn't verified]

# Create FS (Don't know how well ext3 plays together with cryptoloop)
$ mkfs.ext2 -m0 /dev/loop0

# Try it out
$ mkdir /mnt/secure && mount -t ext2 /dev/loop0 /mnt/secure
$ cd /mnt/secure

# Unmount fs and detach loop device
$ umount /mnt/secure && losetup -d /dev/loop0

# Add /etc/fstab entry (if wanted):
/securefs.aes /mnt/secure ext2 loop,noauto,encryption=aes-cbc-256,user,rw

Mounting /mnt/secure will now result in a password prompt (hopefully 
you'll remember the passphrase). When mounted using 'loop' option, the 
loop device will be automatically released when it is unmounted.

Add '/sbin/modprobe --quiet cryptoloop' to some startup script 
(/etc/rc.d/rc.local comes to mind), since this module isn't autoloaded 
when needed.

Øyvind
-- 
< Øyvind Stegard < oyvinst at ifi uio no >
  < http://www.oyvind.nu/
   < `Lottery: A tax on people who are bad at math.'
