It’s pretty easy to make encrypted disk images and partitions in Linux using the loop-aes-utils (cryptoloop kernel module). This can really come in handy for backing up or storing sensitive content such as your email archive or tax records.
Required software
You’ll probably need to install aespipe and loop-aes-utils, as they may not be installed by default on your system. Check the link below for details on getting this set up in Ubuntu, or refer to the documentation for your particular distro for building and installing the Cryptoloop and AES kernel modules.
Once you’ve installed the software, you’ll need to load the “aes” and “cryptoloop” kernel modules that came with loop-aes-utils. You can use “modprobe aes; modprobe cryptoloop” from the command line or add the appropriate entries to your startup scripts.
Encrypting an ISO image
Creating an ISO image is done with mkisofs, just as you’d make a normal CD or DVD image. You then encrypt the image with 256-bit AES using the aespipe utility:
mkisofs -r backup | aespipe -e aes256 > backup.iso
Replace “backup” with the path to a directory to be backed up. You will be asked for a password which will be used by aespipe to encrypt your disk image. Remember it. The output will be an encrypted ISO image that you can burn to CD or DVD with your preferred burning software.
Mounting an encrypted CD or DVD
To mount an encrypted disk, you use the losetup utility to create a loopback device for your disk. It makes a virtual, unencrypted representation of your disk partition, which can then be mounted just like a normal device:
losetup -e aes-256 /dev/loop0 /dev/cdrom
You’ll be asked for your password, and when it’s complete your unencrypted CD can be accessed at /dev/loop0. You just need to mount it:
mount -t iso9660 /dev/loop0 /mnt/cdrom
When you are finished, you’ll want to unmount and also detach the loop device:
umount /mnt/cdrom
losetup -d /dev/loop0
You can actually skip the losetup steps by adding the -oencryption=aes-256 option to the mount command. This will set up and tear down the cryptoloop device automatically:
mount -t iso9660 /dev/cdrom /mnt/cdrom -oencryption=aes-256
... do some stuff ...
umount /mnt/cdrom
Encrypt a normal hard drive partition
You can create an encrypted partition on a normal disk using these same tools. After mounting it, you’ll be able to read and write to the encrypted disk just as if it were a normal partition. Unmount and detach the loop device and it’s just a scramble of bits on an external hard disk. Cool!
Caution: you’ll be reformatting this partition, so any data on it will be lost. Make sure to back up and also make sure you are using the right device name.
This example uses /dev/sda1. Replace that with your encrypted disk’s device name.
The cryptoloop manual suggests you fill your partition with random data before encrypting:
dd if=/dev/urandom of=/dev/sda1 bs=1M
Now you just connect the loop device. This will ask for your AES password. You won’t be able to change it without starting over and wiping the disk. So pick a good one and don’t forget it.
losetup -e aes-256 /dev/loop0 /dev/sda1
This is a new partition, so you’ll need to create a filesystem on it. The drive is now accessible via the loop0 device:
mkfs.ext3 /dev/loop0
Now you can just mount your partition through the loop0 device:
mount -t ext3 /dev/loop0 /mnt/encrypted
Use the filesystem that you mounted at /mnt/encrypted and then make sure to unmount and detach the loop device when you’re done:
umount /mnt/encrypted
losetup -d /dev/loop0
As in the CD example above, you can actually skip the losetup steps (once you’ve created the filesystem) and have mount automatically handle the set up and tear down of the cryptoloop device:
mount -t ext3 /dev/sda1 /mnt/encrypted -oencryption=aes-256
... do some stuff ...
umount /mnt/encrypted
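A pre-flight check for the caution above about using the right device name, written as an added example that is not part of the original article. It refuses to continue when the target is mounted, in use as swap, or already attached to a loop device; the function names, the sample tables and the "(DEV)" form of the losetup -a output are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: refuse to wipe a device that is
# still in use. Function names and the sample tables below are assumptions.

# in_table DEV TABLE: succeed if DEV, or a partition of DEV, is the first
# field of a line in TABLE (/proc/mounts or /proc/swaps format).
in_table() {
    awk -v d="$1" '
        function part_of(src,    rest) {
            if (index(src, d) != 1) return 0
            rest = substr(src, length(d) + 1)
            # sda -> sda1, but loop0 or nvme0n1 -> loop0p1, nvme0n1p1
            return (d ~ /[0-9]$/) ? (rest ~ /^p[0-9]+$/) : (rest ~ /^[0-9]+$/)
        }
        $1 == d || part_of($1) { hit = 1 }
        END { exit hit ? 0 : 1 }' "$2"
}

# safe_to_wipe DEV [MOUNTS] [SWAPS] [LOSETUP_A_OUTPUT]: succeed only if DEV is
# not mounted, not active swap, and DEV itself is not attached to a loop device.
safe_to_wipe() {
    dev=$1
    if in_table "$dev" "${2:-/proc/mounts}"; then
        echo "refusing: $dev or one of its partitions is mounted" >&2; return 1
    fi
    if in_table "$dev" "${3:-/proc/swaps}"; then
        echo "refusing: $dev is active swap" >&2; return 1
    fi
    # A cryptoloop mount shows up as /dev/loopN in the mount table, so also
    # look for DEV as a backing device. Assumes "losetup -a" prints it as "(DEV)".
    loops=$(if [ -n "${4:-}" ]; then cat "$4"; else losetup -a 2>/dev/null || true; fi)
    case $loops in
        *"($dev)"*) echo "refusing: $dev is attached to a loop device" >&2; return 1 ;;
    esac
    return 0
}

# Constructed sample tables for trying the check without touching real devices.
make_sample_tables() {
    printf '%s\n' '/dev/sdb2 / ext4 rw 0 0' '/dev/sdd10 /data ext3 rw 0 0' \
        '/dev/loop0 /mnt/encrypted ext3 rw 0 0' > "$1/mounts"
    printf '%s\n' 'Filename Type Size Used Priority' \
        '/dev/sdb3 partition 2097148 0 -2' > "$1/swaps"
    printf '%s\n' '/dev/loop0: [0005]:1234 (/dev/sda1)' > "$1/loops"
}

# Usage: safe_to_wipe /dev/sda1 && dd if=/dev/urandom of=/dev/sda1 bs=1M
```

With no table arguments the check reads /proc/mounts, /proc/swaps and the live losetup -a output; it does not replace confirming the device name by hand.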
References:
Cryptoloop HOWTO – Link
HOWTO Encrypt CD/DVDs in Ubuntu – Link
See also:
HOW TO Create an Encrypted Disk Image in OS X – Link