HOWTO: disk encryption in Linux

It’s pretty easy to make encrypted disk images and partitions in Linux using loop-aes-utils (the cryptoloop kernel module). This can really come in handy for backing up or storing sensitive content such as your email archive or tax records.

Required software
You’ll probably need to install aespipe and loop-aes-utils, as they may not be installed by default on your system. Check the link below for details on getting this set up in Ubuntu, or refer to the documentation for your particular distro for building and installing the Cryptoloop and AES kernel modules.

Once you’ve installed the software, you’ll need to load the “aes” and “cryptoloop” kernel modules that came with loop-aes-utils. You can use “modprobe aes; modprobe cryptoloop” from the command line or add the appropriate entries to your startup scripts.

Encrypting an ISO image
Creating an ISO image is done with mkisofs, just as you’d make a normal CD or DVD image. You then encrypt the image with 256-bit AES using the aespipe utility:

mkisofs -r backup | aespipe -e aes256 > backup.iso

Replace “backup” with the path to a directory to be backed up. You will be asked for a password which will be used by aespipe to encrypt your disk image. Remember it. The output will be an encrypted ISO image that you can burn to CD or DVD with your preferred burning software.

Mounting an encrypted CD or DVD

To mount an encrypted disk, you use the losetup utility to create a loopback device for your disk. It makes a virtual, unencrypted representation of your disk partition, which can then be mounted just like a normal device:

losetup -e aes-256 /dev/loop0 /dev/cdrom

You’ll be asked for your password, and when it’s complete your unencrypted CD can be accessed at /dev/loop0. You just need to mount it:

mount -t iso9660 /dev/loop0 /mnt/cdrom

When you are finished, you’ll want to unmount and also detach the loop device:

umount /mnt/cdrom

losetup -d /dev/loop0

You can actually skip the losetup steps by adding the -oencryption=aes-256 option to the mount command. This will set up and tear down the cryptoloop device automatically:

mount -t iso9660 /dev/cdrom /mnt/cdrom -oencryption=aes-256

... do some stuff ...

umount /mnt/cdrom

Encrypt a normal hard drive partition

You can create an encrypted partition on a normal disk using these same tools. After mounting it, you’ll be able to read and write to the encrypted disk just as if it were a normal partition. Unmount and detach the loop device and it’s just a scramble of bits on an external hard disk. Cool!

Caution: you’ll be reformatting this partition, so any data on it will be lost. Make sure to back up and also make sure you are using the right device name.

This example uses /dev/sda1. Replace that with your encrypted disk’s device name.

The cryptoloop manual suggests you fill your partition with random data before encrypting:

dd if=/dev/urandom of=/dev/sda1 bs=1M

Now you just connect the loop device. This will ask for your AES password. You won’t be able to change it without starting over and wiping the disk. So pick a good one and don’t forget it.

losetup -e aes-256 /dev/loop0 /dev/sda1

This is a new partition, so you’ll need to create a filesystem on it. The drive is now accessible via the loop0 device:

mkfs.ext3 /dev/loop0

Now you can just mount your partition through the loop0 device:

mount -t ext3 /dev/loop0 /mnt/encrypted

Use the filesystem that you mounted at /mnt/encrypted and then make sure to unmount and detach the loop device when you’re done:

umount /mnt/encrypted

losetup -d /dev/loop0

As in the CD example above, you can actually skip the losetup steps (once you’ve created the filesystem) and have mount automatically handle the set up and tear down of the cryptoloop device:

mount -t ext3 /dev/sda1 /mnt/encrypted -oencryption=aes-256

... do some stuff ...

umount /mnt/encrypted
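
The caution above about using the right device name can be enforced with a check before the dd wipe step. The script below is an added example, not part of the original article: the names busy_reason, preflight and preflight.sh are made up here, and it assumes a Linux system with the usual /proc/mounts and /proc/swaps tables.

```sh
#!/bin/sh
# Added example (not from the original article): refuse to overwrite a block
# device that is still mounted or in use as swap.
#   sh preflight.sh /dev/sda1 && dd if=/dev/urandom of=/dev/sda1 bs=1M
# Limits: use by LVM, md RAID or another loop device is not detected.

# busy_reason DEVICE [MOUNTS_FILE] [SWAPS_FILE]
# Prints why DEVICE is busy, or nothing if it looks free. The file arguments
# default to the live kernel tables; they exist so the check can be tested.
busy_reason() {
    dev=$(readlink -f "$1" 2>/dev/null) || dev=$1   # resolve /dev/disk/by-* links
    [ -n "$dev" ] || dev=$1
    awk -v d="$dev" '
        BEGIN {
            # Partitions of sda are sda1; of nvme0n1 or loop0, nvme0n1p1 / loop0p1.
            suffix = (d ~ /[0-9]$/) ? "^p[0-9]+$" : "^[0-9]+$"
        }
        FILENAME == ARGV[1] { where = "mounted on " $2 }
        FILENAME == ARGV[2] { where = "active swap" }
        $1 == d { print d " is " where; exit }
        index($1, d) == 1 && substr($1, length(d) + 1) ~ suffix {
            print "partition " $1 " of " d " is " where; exit
        }
    ' "${2:-/proc/mounts}" "${3:-/proc/swaps}" 2>/dev/null || :
}

# preflight DEVICE [MOUNTS_FILE] [SWAPS_FILE]
# Returns 0 if DEVICE looks free, 1 if busy, 2 if the mount table is unreadable.
preflight() {
    [ -r "${2:-/proc/mounts}" ] || { echo "cannot read mount table" >&2; return 2; }
    reason=$(busy_reason "$@")
    [ -z "$reason" ] && return 0
    echo "refusing to wipe: $reason" >&2
    return 1
}

# Run as a script: exit status tells the caller whether to go ahead.
if [ $# -gt 0 ]; then preflight "$@"; fi
```

The partition rule also catches the case where a whole disk such as /dev/sda is given while /dev/sda1 is still mounted, without confusing /dev/sdb1 with /dev/sdb10.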

References:
Cryptoloop HOWTO – Link
HOWTO Encrypt CD/DVDs in Ubuntu – Link

See also:
HOW TO Create an Encrypted Disk Image in OS X – Link

1 thought on “HOWTO: disk encryption in Linux”

  1. Gabriel Isla says:

    How safe it is? And how much time it gets to crypt 1gb for example??
