Creating and using an encrypted directory

From Devpit

This how-to will provide the steps necessary to use an encrypted block file as an encrypted directory in Linux.

Required kernel modules

The following modules must be loaded (the cipher module is the one for the cipher you choose below, aes in this how-to; it may already be built into the kernel):

modprobe loop
modprobe cryptoloop
modprobe aes (may be built in)

Creating the block file for the encrypted file system

You need to decide on a size for the encrypted block file, which will hold your encrypted directory. This example uses a 10 Meg block file (10000 blocks of 1k). As a user (non-root), allocate the block file with the following command:

«user@host»:~/encrypted§  dd if=/dev/urandom of=/home/user/encrypted/private.aes bs=1k count=10000

Setting up the cryptoloop loop device

Set up a cryptoloop loop device so that the block file can be accessed as a device. As the root user, execute the following command. You will be prompted for a passphrase; it is used to derive the encryption key, so make it suitably long and complicated:

«root@host»:~/encrypted§ losetup -e aes /dev/loop0 /home/user/encrypted/private.aes
Password: <Some Big Ass Passphrase>

Creating the file system on the encrypted loop device

As the root user create a file system on the device the same size as the block file:

«root@host»:~/encrypted§  mkfs -t ext2 /dev/loop0 10000

Mounting the encrypted loop device to a mount-point

Create a mount point for the new encrypted device to be accessed as a file system using the following command executed as a non-root user:

«user@host»:~/encrypted§  mkdir /home/user/encrypted/private

As the root user, test it out by mounting the device on the new mount point directory:

«root@host»:~/encrypted§  mount -t ext2 /dev/loop0 /home/user/encrypted/private

Removing the cryptoloop loop device

As the root user you can now unmount the device and detach the cryptoloop setup with the following commands:

«root@host»:~/encrypted§  umount /dev/loop0
«root@host»:~/encrypted§  losetup -d /dev/loop0

Accessing the encrypted filesystem after it is created

Now, as root, you can mount the block file properly and it will ask for the passphrase when you do:

«root@host»:~/encrypted§  mount /home/user/encrypted/private.aes /home/user/encrypted/private -oencryption=aes,rw,user,gid=<userid>,umask=007,noauto

The gid and umask options are included so that the user with that id can actually read, write and execute files in the mounted directory. You can change the gid to a particular group if you choose.

You can also mount with the filesystem type flag if you choose, as follows:

«root@host»:~/encrypted§  mount -t ext2 /home/user/encrypted/private.aes /home/user/encrypted/private -oencryption=aes,rw,user,gid=<userid>,umask=007,noauto

As the user you can now cd into 'private' and create files.

For some reason, sometimes after restarting the system the previous command didn't work to mount the block file. I had to go through the losetup phase again. If this happens, simply repeat the following steps:

«root@host»:~/encrypted§  losetup -e aes /dev/loop0 /home/user/encrypted/private.aes
«root@host»:~/encrypted§  mount -t ext2 /dev/loop0 /home/user/encrypted/private

I will inspect this later and determine the minimum number of steps -- RandomTask

You should also be able to write this block file to a CD-ROM or DVD-ROM and use the same process to access the read-only encrypted filesystem on the disc.


This method has been tested with the following file system types:

It'd be interesting to figure out a way to mount this in Windows and access a vfat file system from there. I suspect this may already work in Mac OS X.

Saving the encrypted block file to and mounting from CD

Burn the private.aes file and the following unencrypted bash script onto the CD media, in the top-level directory of the disc:

#!/bin/bash
echo "You must have sudo authority to mount in order to run this script"

# Create the temporary mount point in the user's home directory if it is missing
if [ ! -d "/home/$USER/cryptotmp/" ]; then
     mkdir -p "/home/$USER/cryptotmp"
fi
if [ ! -d "/home/$USER/cryptotmp/" ]; then
     echo "/home/$USER/cryptotmp/ couldn't be created."
     exit 1
fi
# The disc is read-only, so the kernel will mount it read-only even though rw is requested.
# Note: gid= and umask= are vfat-style options; ext2 does not recognize them and will refuse the mount.
sudo mount -t ext2 /media/cdrom0/private.aes "/home/$USER/cryptotmp" -oencryption=aes,rw,user,gid=$USER,umask=007,noauto
echo "Hopefully /media/cdrom0/private.aes was mounted as /home/$USER/cryptotmp"

After the disc is burned, when you want to access the data on it, copy the script from the CD to $USER's home directory, make it executable and run it. You need sudo to be able to mount a volume unless /etc/fstab has an entry for it that allows any user to mount it.

You will be prompted for your passphrase.
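The whole procedure on this page, the create, attach and format steps together with the later mount and unmount, collected into one script with the checks a practitioner would want, is given below as an added example; it is not from this page or from the Devpit wiki, and the script name crypt-dir.sh is made up. It keeps the page's paths, loop device, cipher and 10000-block size as defaults. Two things it does differently from the page are stated plainly: it sizes mkfs from the block file itself instead of repeating the dd count, and, because ext2 does not accept the gid= and umask= mount options (those belong to vfat-style filesystems), it makes the mounted directory usable by the non-root user by chowning the filesystem's root directory once at creation time. The fstab_entry function writes the /etc/fstab line that the CD section mentions as the way to let a user mount without sudo.

```shell
#!/bin/bash
# Added example, not from the Devpit page: the page's create / attach / format / mount / detach
# steps as one script with the checks a practitioner would want, plus the /etc/fstab line the
# CD section alludes to. Assumes the legacy cryptoloop stack (losetup -e, mount -o encryption=)
# exactly as the page does; the paths, loop device and 10000-block size are the page's values
# and are only defaults here.
set -eu

BLOCKFILE=${BLOCKFILE:-/home/user/encrypted/private.aes}
MOUNTPOINT=${MOUNTPOINT:-/home/user/encrypted/private}
OWNER=${OWNER:-user}            # non-root user who should own the mounted directory (assumed name)
SIZE_KB=${SIZE_KB:-10000}       # dd bs=1k count=10000, as on the page
LOOPDEV=${LOOPDEV:-/dev/loop0}
CIPHER=aes

# Size of an existing block file in 1 KiB blocks, so mkfs is told exactly what dd wrote
# and the two counts can never drift apart. Pure helper, runs unprivileged.
blocks_in_file() {
    echo $(( $(stat -c %s "$1") / 1024 ))
}

# The /etc/fstab line that lets an ordinary user mount the file without sudo.
# "user" and "noauto" only mean something in fstab; gid=/umask= are vfat-style options,
# so pass them as the optional 4th argument only for such filesystems (ext2 rejects them).
fstab_entry() {
    local file=$1 mnt=$2 fstype=${3:-ext2} extra=${4:-}
    printf '%s %s %s loop,encryption=%s,user,noauto%s 0 0\n' \
        "$file" "$mnt" "$fstype" "$CIPHER" "${extra:+,$extra}"
}

need_root() {
    [ "$(id -u)" -eq 0 ] || { echo "this step must run as root" >&2; return 1; }
}

# "losetup <dev>" queries the device's status; a non-zero exit means nothing is attached.
loop_is_free() {
    ! losetup "$1" >/dev/null 2>&1
}

create() {
    need_root
    if [ -e "$BLOCKFILE" ]; then
        echo "$BLOCKFILE already exists; refusing to overwrite it" >&2
        return 1
    fi
    if ! loop_is_free "$LOOPDEV"; then
        echo "$LOOPDEV is already attached to something; choose another with LOOPDEV=" >&2
        return 1
    fi
    # Random fill, as on the page, so the file shows no structure before it is formatted.
    dd if=/dev/urandom of="$BLOCKFILE" bs=1k count="$SIZE_KB"
    chown "$OWNER" "$BLOCKFILE"
    chmod 600 "$BLOCKFILE"                          # only the owner may read the ciphertext
    losetup -e "$CIPHER" "$LOOPDEV" "$BLOCKFILE"    # prompts for the passphrase
    trap 'losetup -d "$LOOPDEV"' EXIT               # never leave a keyed loop device behind
    mkfs -t ext2 "$LOOPDEV" "$(blocks_in_file "$BLOCKFILE")"
    mkdir -p "$MOUNTPOINT"
    # Give the non-root user the filesystem's root directory; this lives inside the
    # encrypted image, so it takes the place of the page's gid=/umask= mount options.
    mount -t ext2 "$LOOPDEV" "$MOUNTPOINT"
    chown "$OWNER" "$MOUNTPOINT"
    chmod 700 "$MOUNTPOINT"
    umount "$MOUNTPOINT"
    losetup -d "$LOOPDEV"
    trap - EXIT
}

# Day-to-day access: mount(8) sets up the loop device itself and prompts for the passphrase.
mount_private() {
    need_root
    mount -t ext2 "$BLOCKFILE" "$MOUNTPOINT" -o loop,encryption="$CIPHER"
}

# Unmounting also detaches the loop device that mount(8) created, so the key leaves the kernel.
umount_private() {
    need_root
    umount "$MOUNTPOINT"
}

case "${1:-}" in
    create) create ;;
    mount)  mount_private ;;
    umount) umount_private ;;
    fstab)  fstab_entry "$BLOCKFILE" "$MOUNTPOINT" ;;
    *)      echo "usage: $0 create|mount|umount|fstab" >&2 ;;
esac
```

Run `./crypt-dir.sh create` once as root, then `./crypt-dir.sh mount` and `./crypt-dir.sh umount` as root for everyday use; or append the output of `./crypt-dir.sh fstab` to /etc/fstab, after which the owner can run `mount /home/user/encrypted/private` without sudo and will be prompted for the passphrase.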