My previous post was made a long time ago, so here is a draft that I finally decide to post. Let’s see how to secure some of your data with an encrypted block device using losetup and dd.
Steps will be :
- Create an image with dd
- Build a new device using the image with an encrypt algorythm by using losetup
- Format the device using mkfs.ext3
- Mount the device and start using it !
Of course, when you have mounted the device, your data are readable to anyone who have access to the mounted directory.
Create an image with dd
root@vm-ubuntu-lamp:~# dd if=/dev/zero of=encrypted.img bs=4k count=1000 seek=4001
1000+0 records in
1000+0 records out
4096000 bytes (4,1 MB) copied, 0,10063 seconds, 40,7 MB/s
We now have a raw image file using 4MB.
root@vm-ubuntu-lamp:~# ls -l encrypted.img
-rw-r–r– 1 root root 20484096 2008-07-12 13:38 encrypted.img
root@vm-ubuntu-lamp:~# du -hs encrypted.img
4,0M encrypted.img
Create the encrypted device
root@vm-ubuntu-lamp:~# losetup -e aes /dev/loop0 encrypted.img
Password:
ioctl: LOOP_SET_STATUS: Invalid argument
Ooops.. Something wrong. Our losetup bin isn’t patched to use AES. On ubuntu/debian based OS, it’s is to deal.
apt-get install loop-aes-utils
root@vm-ubuntu-lamp:~# losetup -e aes /dev/loop0 encrypted.img
Password:
ioctl: LOOP_SET_STATUS: Invalid argument, requested cipher or key length (128 bits) not supported by kernel
Hmm.. Still not good, we need now to patch or change our kernel for support encryption. We have to check if the “aes” and “cryptoloop” modules are loaded, if not we will load them.
root@vm-ubuntu-lamp:~# lsmod | grep aes
root@vm-ubuntu-lamp:~# modprobe aes
root@vm-ubuntu-lamp:~# lsmod | grep aes
aes 28608 0
root@vm-ubuntu-lamp:~# lsmod | grep cryptoloop
root@vm-ubuntu-lamp:~# modprobe cryptoloop
root@vm-ubuntu-lamp:~# lsmod | grep crypto
cryptoloop 4096 0
loop 17928 1 cryptoloop
If you don’t have the module with your current kernel, you will have to build it by activate the some kernel options.
CONFIG_BLK_DEV_LOOP=m
CONFIG_BLK_DEV_CRYPTOLOOP=m
CONFIG_CRYPTO_AES=m
CONFIG_CRYPTO_AES_586=m
Now we should be ok to load our encrypted image.
root@vm-ubuntu-lamp:~# losetup -e aes /dev/loop0 encrypted.img
Password:
Format the device with a proper filesystem
root@vm-ubuntu-lamp:~# mkfs.ext3 /dev/loop0
mke2fs 1.40-WIP (14-Nov-2006)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
5016 inodes, 20004 blocks
1000 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=20709376
3 block groups
8192 blocks per group, 8192 fragments per group
1672 inodes per group
Superblock backups stored on blocks:
8193Writing inode tables: done
Creating journal (1400 blocks): done
Writing superblocks and filesystem accounting information: doneThis filesystem will be automatically checked every 39 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
Mount the device
Easiest step, just have to use the mount command.
root@vm-ubuntu-lamp:~# mkdir /mnt/encrypted
root@vm-ubuntu-lamp:~# mount /dev/loop0 /mnt/encryptedroot@vm-ubuntu-lamp:~# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda1 7850996 1346292 6105892 19% /
varrun 63052 40 63012 1% /var/run
varlock 63052 0 63052 0% /var/lock
procbususb 63052 68 62984 1% /proc/bus/usb
udev 63052 68 62984 1% /dev
devshm 63052 0 63052 0% /dev/shm
/dev/loop0 19366 1578 16788 9% /mnt/encryptedroot@vm-ubuntu-lamp:~# df -H
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 8,1G 1,4G 6,3G 19% /
varrun 65M 41k 65M 1% /var/run
varlock 65M 0 65M 0% /var/lock
procbususb 65M 70k 65M 1% /proc/bus/usb
udev 65M 70k 65M 1% /dev
devshm 65M 0 65M 0% /dev/shm
/dev/loop0 20M 1,7M 18M 9% /mnt/encrypted
If you want to go further on this subject : Encryption HOWTO
