Last updated:

👉 This post was originally written in 2008 and made given the software versions available at the time. It covers how to secure some of your data with an encrypted block device using losetup and dd.

⚠️ Remember that once the device is mounted your data is readable to anyone who have access to the mounted directory.

Create an image with dd

root@vm-ubuntu-lamp:~$ dd if=/dev/zero of=encrypted.img bs=4k count=1000 seek=4001
1000+0 records in
1000+0 records out
4096000 bytes (4,1 MB) copied, 0,10063 seconds, 40,7 MB/s

We now have a raw image file using 4MB.

root@vm-ubuntu-lamp:~$ ls -l encrypted.img
-rw-r--r-- 1 root root 20484096 2008-07-12 13:38 encrypted.img
root@vm-ubuntu-lamp:~$ du -hs encrypted.img
4,0M    encrypted.img

Create the encrypted device

root@vm-ubuntu-lamp:~$ losetup -e aes /dev/loop0 encrypted.img  
ioctl: LOOP_SET_STATUS: Invalid argument

Ooops.. Something wrong. Our losetup bin isn’t patched to use AES. On ubuntu/debian based OS, you can simply add the missing package with apt.

apt-get install loop-aes-utils
root@vm-ubuntu-lamp:~$ losetup -e aes /dev/loop0 encrypted.img
ioctl: LOOP_SET_STATUS: Invalid argument, requested cipher or key length (128 bits) not supported by kernel

Hmm.. Still not good, we need now to patch or change our kernel to support encryption. We have to check if the aes and cryptoloop modules are loaded, if not we will load them.

root@vm-ubuntu-lamp:~$ lsmod | grep aes
root@vm-ubuntu-lamp:~$ modprobe aes
root@vm-ubuntu-lamp:~$ lsmod | grep aes
aes                    28608  0
root@vm-ubuntu-lamp:~$ lsmod | grep cryptoloop
root@vm-ubuntu-lamp:~$ modprobe cryptoloop
root@vm-ubuntu-lamp:~$ lsmod | grep crypto
cryptoloop              4096  0
loop                   17928  1 cryptoloop

If you don’t have the module with your current kernel, you will have to build it by activate the some kernel options.


Now we should be ok to load our encrypted image.

root@vm-ubuntu-lamp:~$ losetup -e aes /dev/loop0 encrypted.img  

Format the device with a proper filesystem

root@vm-ubuntu-lamp:~$ mkfs.ext3 /dev/loop0
mke2fs 1.40-WIP (14-Nov-2006)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
5016 inodes, 20004 blocks
1000 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=20709376
3 block groups
8192 blocks per group, 8192 fragments per group
1672 inodes per group
Superblock backups stored on blocks:

Writing inode tables: done
Creating journal (1400 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 39 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

Mount the device

Easiest step, just have to use the mount command.

root@vm-ubuntu-lamp:~$ mkdir /mnt/encrypted
root@vm-ubuntu-lamp:~$ mount /dev/loop0 /mnt/encrypted

root@vm-ubuntu-lamp:~$ df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/sda1              7850996   1346292   6105892  19% /
varrun                   63052        40     63012   1% /var/run
varlock                  63052         0     63052   0% /var/lock
procbususb               63052        68     62984   1% /proc/bus/usb
udev                     63052        68     62984   1% /dev
devshm                   63052         0     63052   0% /dev/shm
/dev/loop0               19366      1578     16788   9% /mnt/encrypted

root@vm-ubuntu-lamp:~$ df -H
Filesystem             Size   Used  Avail Use% Mounted on
/dev/sda1              8,1G   1,4G   6,3G  19% /
varrun                  65M    41k    65M   1% /var/run
varlock                 65M      0    65M   0% /var/lock
procbususb              65M    70k    65M   1% /proc/bus/usb
udev                    65M    70k    65M   1% /dev
devshm                  65M      0    65M   0% /dev/shm
/dev/loop0              20M   1,7M    18M   9% /mnt/encrypted

👉 For a more up to date approach, check out this guide on the Ubuntu Community Forum: Full_Disk_Encryption_Howto_2019