Creating and using an encrypted directory
This how-to gives the steps needed to use an encrypted block file (a cryptoloop container) as an encrypted directory on Linux.
Contents
- 1 Required kernel modules
- 2 Creating the block file for the encrypted file system
- 3 Setting up the cryptoloop loop device
- 4 Creating the file system on the encrypted loop device
- 5 Mounting the encrypted loop device to a mount-point
- 6 Removing the cryptoloop loop device
- 7 Accessing the encrypted filesystem after it is created
- 8 Oddities
- 9 Compatibility
- 10 Saving the encrypted block file to and mounting from CD
Required kernel modules
The following modules must be loaded (some may be built into the kernel):
modprobe loop
modprobe cryptoloop
modprobe aes (the cipher module; aes matches the -e aes used below, substitute the module for another cipher)
They have to be loaded again after every boot unless you list them in /etc/modules (Debian) or your distribution's equivalent. Note that cryptoloop has since been superseded by dm-crypt (cryptsetup) in the kernel; the steps below are the cryptoloop procedure as tested on this page.
Creating the block file for the encrypted file system
You need to decide on a size for the encrypted block file that will hold your encrypted directory. This example uses a block file of about 10 MB (10000 blocks of 1 KiB). Filling it from /dev/urandom rather than with zeros means unused space cannot be told apart from encrypted data. As a normal (non-root) user, allocate the block file with the following command; give the file mode 600 (for example by running the command under umask 077), since the ciphertext should not be readable by other users:
«user@host»:~/encrypted§ dd if=/dev/urandom of=/home/user/encrypted/private.aes bs=1k count=10000
Setting up the cryptoloop loop device
Set up a cryptoloop loop device so the block file can be accessed as a device. As the root user execute the following command. You will be prompted for a passphrase; cryptoloop derives the encryption key directly from it and writes no key header to the file, so the passphrase cannot be changed later without re-encrypting, and losing it means losing the data. Make it suitably long and complicated:
«root@host»:~/encrypted§ losetup -e aes /dev/loop0 /home/user/encrypted/private.aes
Password: <Some Big Ass Passphrase>
Creating the file system on the encrypted loop device
As the root user create a file system on the device. The trailing 10000 is the size in 1 KiB blocks, matching the dd count above; it can be left out, in which case mkfs takes the size from the loop device:
«root@host»:~/encrypted§ mkfs -t ext2 /dev/loop0 10000
Mounting the encrypted loop device to a mount-point
Create a mount point for the new encrypted device to be accessed as a file system using the following command executed as a non-root user:
«user@host»:~/encrypted§ mkdir /home/user/encrypted/private
As the root user test it out by mounting the device on the new mount point directory. The top directory of a fresh ext2 filesystem is owned by root, so if the user is to create files in it, chown it to the user once while it is mounted (chown user /home/user/encrypted/private). vfat keeps no ownership and is handled with the gid and umask mount options shown under "Accessing the encrypted filesystem after it is created" instead.
«root@host»:~/encrypted§ mount -t ext2 /dev/loop0 /home/user/encrypted/private
Removing the cryptoloop loop device
As the root user you can now unmount the loop device and remove the cryptoloop setup using the following commands:
«root@host»:~/encrypted§ umount /dev/loop0
«root@host»:~/encrypted§ losetup -d /dev/loop0
Accessing the encrypted filesystem after it is created
Now, as root, you can mount the block file directly; mount sets up the loop device itself and asks for the passphrase when you do:
«root@host»:~/encrypted§ mount /home/user/encrypted/private.aes /home/user/encrypted/private -oencryption=aes,rw,user,gid=<gid>,umask=007,noauto
The gid and umask options are what let the user's group read, write and execute files in the mounted directory; gid takes a group name or number, so you can name a particular group if you want to share the directory. They are options of vfat, which stores no ownership of its own, so use them for a vfat image. For an ext2 image leave them out: ext2 does not accept them, and ownership comes from the inodes instead (chown the top directory once after creating the filesystem).
You can also give the filesystem type explicitly. For a vfat image, keep the gid and umask options:
«root@host»:~/encrypted§ mount -t vfat /home/user/encrypted/private.aes /home/user/encrypted/private -oencryption=aes,rw,user,gid=<gid>,umask=007,noauto
For an ext2 image, drop them:
«root@host»:~/encrypted§ mount -t ext2 /home/user/encrypted/private.aes /home/user/encrypted/private -oencryption=aes,rw,user,noauto
As the user you can now cd into 'private' and create files.
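The steps above, from allocating the block file through mounting it and detaching the loop device again, gathered into one script as an added example. This is editor-added code, not code from the original page or its author. It assumes the page's layout (block file ~/encrypted/private.aes, mount point ~/encrypted/private, /dev/loop0), that the loop, cryptoloop and aes modules are already loaded, and sudo for the privileged steps; the CRYPTODIR_DRY_RUN variable is a hypothetical addition that prints the privileged and destructive commands instead of running them so the flow can be checked as a normal user. It always goes through the explicit losetup step and mounts /dev/loop0, and it chooses mount options by filesystem type (gid/umask only for vfat, a one-time chown of the top directory for ext2).

```shell
#!/bin/bash
# cryptodir.sh: create/open/close for a cryptoloop block file, following the
# page's steps. Editor-added example, not code from the original page.
# Assumptions (not from the page): the hypothetical CRYPTODIR_DRY_RUN=1 prints
# the privileged and destructive commands instead of running them, and the
# loop, cryptoloop and aes modules are already loaded.
set -u

IMG="${IMG:-${HOME:-.}/encrypted/private.aes}"   # encrypted block file
MNT="${MNT:-${HOME:-.}/encrypted/private}"       # mount point
LOOP="${LOOP:-/dev/loop0}"                       # cryptoloop device
SIZE_KB="${SIZE_KB:-10000}"                      # 10000 x 1 KiB, as on the page
FSTYPE="${FSTYPE:-ext2}"                         # ext2 or vfat, the tested types

# Print the command when dry-running, otherwise execute it.
run() {
    if [ "${CRYPTODIR_DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# losetup, mkfs, mount and umount need root; go through sudo for a normal user.
as_root() {
    if [ "$(id -u)" -eq 0 ]; then run "$@"; else run sudo "$@"; fi
}

# vfat stores no ownership, so gid=/umask= make the tree usable by the caller's
# primary group. ext2 keeps ownership in its inodes and does not accept those
# options; its top directory is chowned once at create time instead.
mount_opts() {
    case "$FSTYPE" in
        vfat) printf 'gid=%s,umask=007' "$(id -g)" ;;
        ext2) printf 'defaults' ;;
        *)    echo "unsupported FSTYPE $FSTYPE (use ext2 or vfat)" >&2; return 1 ;;
    esac
}

cmd_create() {
    [ -e "$IMG" ] && { echo "refusing to overwrite existing $IMG" >&2; return 1; }
    mount_opts >/dev/null || return 1
    # umask 077: the ciphertext file must not be readable by other users.
    # Filling from /dev/urandom makes unused space look like ciphertext.
    ( umask 077 && run dd if=/dev/urandom of="$IMG" bs=1k count="$SIZE_KB" ) || return 1
    as_root losetup -e aes "$LOOP" "$IMG" || return 1   # asks for the passphrase
    # mkfs takes the size from the loop device; no block count needed.
    if ! as_root mkfs -t "$FSTYPE" "$LOOP"; then
        as_root losetup -d "$LOOP"
        return 1
    fi
    if [ "$FSTYPE" = ext2 ]; then
        # Hand the fresh top directory to the user so files can be created without root.
        run mkdir -p "$MNT"
        if as_root mount -t ext2 "$LOOP" "$MNT"; then
            as_root chown "$(id -u):$(id -g)" "$MNT"
            as_root umount "$MNT"
        fi
    fi
    as_root losetup -d "$LOOP"
}

cmd_open() {
    [ -f "$IMG" ] || { echo "no block file at $IMG" >&2; return 1; }
    opts=$(mount_opts) || return 1
    run mkdir -p "$MNT"
    as_root losetup -e aes "$LOOP" "$IMG" || return 1   # same passphrase as at create
    # cryptoloop cannot tell a wrong passphrase from the right one; it surfaces
    # here as an unreadable superblock, so detach the loop device again on failure.
    if ! as_root mount -t "$FSTYPE" -o "$opts" "$LOOP" "$MNT"; then
        as_root losetup -d "$LOOP"
        return 1
    fi
}

cmd_close() {
    as_root umount "$MNT" || return 1
    as_root losetup -d "$LOOP"
}

usage() { echo "usage: $0 create|open|close   (env: IMG MNT LOOP SIZE_KB FSTYPE)" >&2; }

if [ "$#" -gt 0 ]; then
    case "$1" in
        create|open|close) "cmd_$1" ;;
        *) usage; exit 2 ;;
    esac
else
    usage
fi
```

Run `./cryptodir.sh create` once, then `open` and `close` as needed; `FSTYPE=vfat ./cryptodir.sh create` builds a vfat image instead. Because a wrong passphrase only shows up when mount fails on the garbage it decrypts, a failed open detaches the loop device again rather than leaving /dev/loop0 bound with the wrong key.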
Oddities
For some reason, sometimes after restarting the system, using the previous command didn't work to mount the block file. I had to go through the losetup phase again. If this happens, simply repeat the following steps:
«root@host»:~/encrypted§ losetup -e aes /dev/loop0 /home/user/encrypted/private.aes
«root@host»:~/encrypted§ mount -t ext2 /dev/loop0 /home/user/encrypted/private
I will inspect this later and determine the minimum number of steps -- RandomTask
You should also be able to write this block file to a CD-ROM or DVD-ROM and use the same process, mounting read-only (-o ro), to access the encrypted filesystem on the disc.
Compatibility
This method has been tested with the following file system types:
- ext2
- vfat
It'd be interesting to figure out a way to mount this in Windows and access a vfat file system from there. I suspect this may already work in Mac OS X.
Saving the encrypted block file to and mounting from CD
Burn the private.aes file and the following unencrypted bash script (mountfromCD.sh) onto the CD in its top-level directory:
#!/bin/bash
# Mounts the cryptoloop block file burned on the CD; mount needs root, so sudo is used.
echo "You must have sudo authority to mount in order to run this script"
MNT="$HOME/cryptotmp"
if [ ! -d "$MNT" ]; then
    mkdir -p "$MNT"
fi
if [ ! -d "$MNT" ]; then
    echo "$MNT couldn't be created."
    exit 1
fi
# The disc is read-only, so mount with ro. gid=/umask= are vfat options and ext2
# does not accept them; for an ext2 image read access follows the ownership
# stored in the image, so set it before burning. mount prompts for the passphrase.
if sudo mount -t ext2 -o loop,encryption=aes,ro /media/cdrom0/private.aes "$MNT"; then
    echo "/media/cdrom0/private.aes is mounted on $MNT"
else
    echo "Mounting /media/cdrom0/private.aes on $MNT failed" >&2
    exit 1
fi
After the disc is burned, when you want to access the data on it, copy the mountfromCD.sh script from the CD to your home directory, make it executable, and run it. You need sudo to mount a volume unless an entry in /etc/fstab (with the user option) allows any user to mount it.
You will be prompted for your passphrase.