HOWTO: disk encryption in Linux

It's pretty easy to make encrypted disk images and partitions in Linux using the loop-aes-utils (cryptoloop kernel module). This can really come in handy for backing up or storing sensitive content such as your email archive or tax records.

Required software
You'll probably need to install aespipe and loop-aes-utils, as they may not be installed by default on your system. Check the link below for details on getting this set up in Ubuntu, or refer to the documentation for your particular distro for building and installing the Cryptoloop and AES kernel modules.

Once you've installed the software, you'll need to load the "aes" and "cryptoloop" kernel modules that came with loop-aes-utils. You can use "modprobe aes; modprobe cryptoloop" from the command line or add the appropriate entries to your startup scripts.


Encrypting an ISO image
Creating an ISO image is done with mkisofs, just as you'd make a normal CD or DVD image. You then encrypt the image with 256-bit AES using the aespipe utility:

mkisofs -r backup | aespipe -e aes256 > backup.iso

Replace "backup" with the path to a directory to be backed up. You will be asked for a password which will be used by aespipe to encrypt your disk image. Remember it. The output will be an encrypted ISO image that you can burn to CD or DVD with your preferred burning software.
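Before burning, it is worth confirming that the file on disk is not a plaintext image. The script below is an added example, not part of the original HOWTO. It relies on the fact that an ISO 9660 image carries the identifier "CD001" at byte offset 32769; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check an image produced by "mkisofs | aespipe".
# A plaintext ISO 9660 image has the ASCII identifier "CD001" at byte
# offset 32769 (sector 16, one byte into the primary volume descriptor).
# Encrypted output must not show it.

has_iso_magic() {
    # Read 5 bytes at offset 32769; tr drops NUL bytes so the shell can
    # hold the value in a variable.
    magic=$(dd if="$1" bs=1 skip=32769 count=5 2>/dev/null | tr -d '\000')
    [ "$magic" = "CD001" ]
}

check_encrypted_image() {
    img=$1
    [ -f "$img" ] || { echo "missing: $img"; return 2; }
    size=$(wc -c < "$img" | tr -d ' ')
    if [ "$size" -lt 32774 ]; then
        # An empty or tiny file usually means one side of the pipe failed.
        echo "too small to hold an ISO image ($size bytes)"
        return 2
    fi
    if has_iso_magic "$img"; then
        echo "ISO 9660 signature found: $img is NOT encrypted"
        return 1
    fi
    echo "no ISO 9660 signature at offset 32769: consistent with aespipe output"
    return 0
}

# Check the file named on the command line, e.g.: sh check.sh backup.iso
if [ "$#" -gt 0 ]; then
    check_encrypted_image "$1"
    exit $?
fi
```

A pass only shows that the plaintext signature is absent; it does not prove the password you typed is the one you remember, so test-mount the image as well.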


Mounting an encrypted CD or DVD

To mount an encrypted disk, you use the losetup utility to create a loopback device for your disk. It makes a virtual, unencrypted representation of your disk partition, which can then be mounted just like a normal device:

losetup -e aes-256 /dev/loop0 /dev/cdrom

You'll be asked for your password, and when it's complete your unencrypted CD can be accessed at /dev/loop0. You just need to mount it:

mount -t iso9660 /dev/loop0 /mnt/cdrom

When you are finished, you'll want to unmount and also detach the loop device:

umount /mnt/cdrom

losetup -d /dev/loop0

You can actually skip the losetup steps by adding the -oencryption=aes-256 option to the mount command. This will set up and tear down the cryptoloop device automatically:

mount -t iso9660 /dev/cdrom /mnt/cdrom -oencryption=aes-256

... do some stuff ...

umount /mnt/cdrom


Encrypt a normal hard drive partition

You can create an encrypted partition on a normal disk using these same tools. After mounting it, you'll be able to read and write to the encrypted disk just as if it were a normal partition. Unmount and detach the loop device and it's just a scramble of bits on an external hard disk. Cool!

Caution: you'll be reformatting this partition, so any data on it will be lost. Make sure to back up and also make sure you are using the right device name.

This example uses /dev/sda1. Replace that with your encrypted disk's device name.

The cryptoloop manual suggests you fill your partition with random data before encrypting:

dd if=/dev/urandom of=/dev/sda1 bs=1M

Now you just connect the loop device. This will ask for your AES password. You won't be able to change it without starting over and wiping the disk. So pick a good one and don't forget it.

losetup -e aes-256 /dev/loop0 /dev/sda1

This is a new partition, so you'll need to create a filesystem on it. The drive is now accessible via the loop0 device:

mkfs.ext3 /dev/loop0

Now you can just mount your partition through the loop0 device:

mount -t ext3 /dev/loop0 /mnt/encrypted

Use the filesystem that you mounted at /mnt/encrypted and then make sure to unmount and detach the loop device when you're done:

umount /mnt/encrypted

losetup -d /dev/loop0

As in the CD example above, you can actually skip the losetup steps (once you've created the filesystem) and have mount automatically handle the set up and tear down of the cryptoloop device:

mount -t ext3 /dev/sda1 /mnt/encrypted -oencryption=aes-256

... do some stuff ...

umount /mnt/encrypted
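The caution above about using the right device name can be backed by a pre-flight check that runs before the dd step. The script below is an added example, not part of the original HOWTO; the function names are hypothetical, and it assumes that `losetup -a` prints the backing device in parentheses on each line.

```shell
#!/bin/sh
# Added example: refuse to wipe a device that is still in use.
# $2 is a mount table in /proc/mounts layout, $3 is saved `losetup -a` output.

mounted_at() {      # print the mount point(s) of device $1 found in table $2
    awk -v d="$1" '$1 == d { print $2; hit = 1 } END { exit !hit }' "$2"
}

loop_backed_by() {  # print the loop device(s) whose backing device is $1
    awk -v d="($1)" 'index($0, d) { sub(/:$/, "", $1); print $1; hit = 1 }
                     END { exit !hit }' "$2"
}

preflight_wipe() {  # returns 0 only when $1 is not mounted and not loop-attached
    dev=$1 mounts=$2 loops=$3
    case $dev in
        /dev/loop*)
            echo "refuse: $dev is a loop device, not the partition behind it"
            return 1 ;;
    esac
    if where=$(mounted_at "$dev" "$mounts"); then
        echo "refuse: $dev is mounted at $where"
        return 2
    fi
    if loop=$(loop_backed_by "$dev" "$loops"); then
        echo "refuse: $dev is attached to $loop, run losetup -d $loop first"
        return 3
    fi
    echo "ok: $dev is neither mounted nor attached to a loop device"
}

# Run against the live system when a device name is given as an argument.
if [ "$#" -gt 0 ]; then
    tmp=$(mktemp) || exit 4
    losetup -a > "$tmp" 2>/dev/null
    preflight_wipe "$1" /proc/mounts "$tmp"; rc=$?
    rm -f "$tmp"
    exit "$rc"
fi
```

The check only catches a device that is in use under the exact name given; it cannot tell you whether an idle partition is the one you meant to erase.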

References:
Cryptoloop HOWTO - Link
HOWTO Encrypt CD/DVDs in Ubuntu - Link

See also:
HOW TO Create an Encrypted Disk Image in OS X - Link


Comments

Oldest comments listed first.

Posted by: Helping HaND on January 31, 2009 at 9:17 PM

Hey, that unmount command in the fourth block of code should be a umount. It might confuse the newbies...
