Portable Loopback-Encrypted-Filesystem

**pau1knopp** · 07-02-2003, 08:59 PM

This allows you to create encrypted containers that you can mount and unmount, and move between machines as needed. This functionality is similar to pgpdisk or bestcrypt. This has been tested on the live cd and a hardrive install using Knoppix 3.2 June 6 2003.

As root:

Make a mount point for the encrypted filesystem as follows:
mkdir /mnt/crypt

Edit '/etc/fstab', adding an entry for your mount point as follows:

/dev/loop0 /mnt/crypt ext2 user,noauto,rw,loop 0 0

Create your encrypted file as follows:

dd if=/dev/urandom of=/etc/cryptfile bs=1M count=10

This creates a 10M encryption "container" in /etc called cryptfile.
You can adjust size, location, and name to your preferences.

Next, run losetup as follows:

losetup -e aes /dev/loop0 /etc/cryptfile

You only have one chance to enter the 20 character password, be careful.

-=Note: optional test=-
If you want to double-check your password, use the command:
losetup -d /dev/loop0
to deactivate your loop device. Next you will run losetup again to test your password, as follows:
losetup -e aes /dev/loop0 /etc/cryptfile
-=end optional test=-

Make your ext2 filesystem as follows:

mkfs -t ext2 /dev/loop0

Now you can mount the encrypted filesystem with:

mount -t ext2 /dev/loop0 /mnt/crypt

When you're done, you can unmount and protect your filesystem as follows:

umount /dev/loop0
losetup -d /dev/loop0

Slick, no?

**pau1knopp** · 07-08-2003, 06:32 PM

The above works fine for the root user, but I wanted something where "joe user" could mount, unmount, and read / write to the encrypted container. After a little trial and effort, here is what I have come up with...

This example shows how to create an ext2 file system on encrypted file. This example creates a 5 MB file (/mnt/msdos/scratch/cryptfile) for storage and a directory (/mnt/crypt) as a mount point.

A couple of notes: This example is intentionally simple to help you understand basic loop encryption, but is also vulnerable to optimized dictionary attacks. Also, the "losetup -e" command asks for a 20 character encryption password, make up one and don't forget it.

Execute the following commands (as root), modifying paths and filenames for your purposes:

dd if=/dev/zero of=/mnt/msdos/scratch/cryptfile bs=4k count=1280
losetup -e AES128 -T /dev/loop1 /mnt/msdos/scratch/cryptfile
mkfs -t ext2 /dev/loop1
losetup -d /dev/loop1
mkdir /mnt/crypt
cd /mnt/crypt
chown knoppix.knoppix *
chown knoppix.knoppix .
chown knoppix.knoppix ..
cd ..
chown knoppix.knoppix crypt

Next, add this to your /etc/fstab file (all one line):

/mnt/msdos/scratch/cryptfile /mnt/crypt ext2 noauto,users,exec,loop=/dev/loop1,encryption=AES128 0 0

Exit the root account, to your joe user account (knoppix in this example).

Now regular users should be able to mount the file system as follows (after answering the password prompt correctly).

mount /mnt/crypt

The can then unmount it like this:
umount /mnt/crypt

The only thing that needs done now is to create a desktop icon that will let users mount and unmount the container. Creating an icon that shows the "disk" as mounted and lets you unmount is no problem, but when you go to mount it, you will get an error because the password is needed. Currently, I am mounting (as joe user) from a terminal, then using the icon (or command line) to dismount. If anyone comes up with anything a little more user friendly that is tested and working, please post.

**Incubii** · 07-11-2003, 06:18 AM

nice. you can also do the same thing on the floppy drive. of course u cant have a 10mb file but hey 1.44mb is enough for small documents. plus u could create a script on the floppy to mount it

**rneff** · 10-02-2003, 06:43 PM

How do I send the password automatically for attaching the encrypted file to the loopbackdevice.

I want the password to come from the output of another program.

Any ideas?

**rneff** · 10-03-2003, 02:24 PM

The answer to my own question is, use the -p option.

You can search google for "losetup -p" for more information, or just use my example below.

echo <password> | losetup -p0-e AES128 /dev/loop0 /file

**Incubii** · 02-17-2004, 02:46 AM

well thats all fine and dandy if only you can see this <password> but what if others use it?

**reagle** · 05-19-2004, 06:32 PM

this doesn't appear to work with 2.6 ... ?

**gwalters** · 02-10-2005, 06:03 PM

IS there a way to use this command and a USB Stick? Mount the USB stick and make sure anything tranfered to it or anything on it is encrypted. These file would have to be able to then be decrypted before being sent. This would be a safeguard in case the usb stick was lost after moving the data to it.

thanks,
Gary

**gwalters** · 02-10-2005, 10:27 PM

For anyone interested, this helped me solve my problems:

http://unit.aist.go.jp/itri/knoppix/...n/index20.html

**pau1knopp** · 07-01-2005, 04:02 PM

Since my work PC is Windows 2000, I have been wanting to use my same AES containers created on Linux in my Windows environment, and vice versa. Found a most excellent tool called CrossCrypt for this very purpose.

http://www.scherrer.cc/crypt/

It is command line driven, so you may want to use the GUI overlay designed for it.

http://www.sdean12.org/CrossCryptGUI.htm

Finally, there is also a utility that let's you manage your containers from a system tray icon.

http://www.sdean12.org/zipped2/SecureTrayUtil391.zip

The system tray also supports other Win32 FOSS and commercial encrypted containers you might be using (freeOETF, bestcrypt, E4M, pgpdisk, scramdisk, and truecrypt) as well as adds shredder functionality, and integrates into the Windows shell pretty well.