This document describes the step-by-step process that allows the creation of a special file, here named secrets, containing an AES encrypted filesystem. When mounted using a password, secrets can be accessed like any mounted device. Directories and files may be created, read, modified, and deleted by the owner of secrets. When not mounted, secrets looks like a file of nearly random bits that are, for all practical purposes, undecipherable.
The following three HOWTO's are useful but were written before the 2.6 Linux kernel was released. You cannot take their information literally since many kernel-related names and methods have since changed.
Man pages that describe the most important tools used here are:
Linux makes it very easy to make a partition or even a file automatically encrypt or compress its contents. These notes show how to create a file that can be used as a filesystem to contain encrypted files. The kernel needs the following special capabilities either as modules or built-in:
The compressed file
/proc/config.gz allows you to determine exactly what capabilities are included in your kernel and which are available as modules. We are interested in the
aes capabilities which we can check by doing:
$ sudo grep "CRYPT\|LOOP" /boot/config-2.6.20-16-generic CONFIG_IEEE80211_CRYPT_WEP=m CONFIG_IEEE80211_CRYPT_CCMP=m CONFIG_IEEE80211_CRYPT_TKIP=m CONFIG_BLK_DEV_LOOP=m CONFIG_BLK_DEV_CRYPTOLOOP=m CONFIG_DM_CRYPT=m CONFIG_BLK_DEV_CLOOP=m CONFIG_ECRYPT_FS=m CONFIG_CRYPTO=y CONFIG_CRYPTO_ALGAPI=y CONFIG_CRYPTO_BLKCIPHER=m CONFIG_CRYPTO_HASH=y CONFIG_CRYPTO_MANAGER=y CONFIG_CRYPTO_HMAC=y CONFIG_CRYPTO_XCBC=m CONFIG_CRYPTO_NULL=m CONFIG_CRYPTO_MD4=m CONFIG_CRYPTO_MD5=y CONFIG_CRYPTO_SHA1=m CONFIG_CRYPTO_SHA256=m CONFIG_CRYPTO_SHA512=m CONFIG_CRYPTO_WP512=m CONFIG_CRYPTO_TGR192=m CONFIG_CRYPTO_GF128MUL=m CONFIG_CRYPTO_ECB=m CONFIG_CRYPTO_CBC=m CONFIG_CRYPTO_LRW=m CONFIG_CRYPTO_DES=m CONFIG_CRYPTO_BLOWFISH=m CONFIG_CRYPTO_TWOFISH=m CONFIG_CRYPTO_TWOFISH_COMMON=m CONFIG_CRYPTO_TWOFISH_586=m CONFIG_CRYPTO_SERPENT=m CONFIG_CRYPTO_AES=m CONFIG_CRYPTO_AES_586=m CONFIG_CRYPTO_CAST5=m CONFIG_CRYPTO_CAST6=m CONFIG_CRYPTO_TEA=m CONFIG_CRYPTO_ARC4=m CONFIG_CRYPTO_KHAZAD=m CONFIG_CRYPTO_ANUBIS=m CONFIG_CRYPTO_DEFLATE=m CONFIG_CRYPTO_MICHAEL_MIC=m CONFIG_CRYPTO_CRC32C=m CONFIG_CRYPTO_TEST=m CONFIG_CRYPTO_DEV_PADLOCK=m CONFIG_CRYPTO_DEV_PADLOCK_AES=m CONFIG_CRYPTO_DEV_PADLOCK_SHA=m CONFIG_CRYPTO_DEV_GEODE=m
We need work with loop file systems, so we need
Also, to do AES encryption in a loop filesystem, we need
CRYPTO is built into the kernel (
"=y"), but the others are available as modules (
"=m") which need to be loaded. This can be done as follows:
$ sudo modprobe aes $ sudo modprobe cryptoloop $ lsmod | grep "loop\|aes"
Module Size Used by cryptoloop 4096 0 loop 17800 1 cryptoloop aes 28608 0
Notice that there can be slight differences between the module names and the CONFIG names. If you compile your own custom kernel, you would probably build all of these into your kernel.
If you would like a place to put encrypted things, but don't want to dedicate an entire partition to encryption, you can use just a file. The following commands make a file named
secrets that that can be mounted as an encrypted filesystem with room for 1 MB of contents.
Starting as an ordinary user, not root, make the empty file filled with random bits
$ dd if=/dev/urandom of=secrets bs=4096 count=256 256+0 records in 256+0 records out
Then, become root
$ su Password:<your root password>
Use the following command to find a free loop device:
$ sudo losetup -f /dev/loop0
So we will use /dev/loop0. (This example uses Ubuntu, on Mandriva-2007, one needs to become root and use
losetup -a to see which loop devices are in use.)
$ sudo losetup -e aes /dev/loop/0 secrets Password:<The password for accessing
The password given here need not be your root password, however, you must be sure to not forget it. If you lose this password, your secrets will be inaccessible. I am unaware of any work-arounds.
/dev/loop/0 is now in use:
$sudo losetup /dev/loop0 /dev/loop0: :512157 (/home/craig/secrets), encryption aes (type 18)
:512157 identifies the drive (
hda7:, major # 03, minor #07) and inode number for
secrets is attached to a loop device, we can make an
ext2 filesystem inside it.
$sudo mke2fs /dev/loop0 mke2fs 1.40-WIP (14-Nov-2006) mke2fs: Permission denied while trying to determine filesystem size craig@server:~$ sudo mke2fs /dev/loop0 mke2fs 1.40-WIP (14-Nov-2006) Filesystem label= OS type: Linux Block size=1024 (log=0) Fragment size=1024 (log=0) 128 inodes, 1024 blocks 51 blocks (4.98%) reserved for the super user First data block=1 Maximum filesystem blocks=1048576 1 block group 8192 blocks per group, 8192 fragments per group 128 inodes per group Writing inode tables: done Writing superblocks and filesystem accounting information: done This filesystem will be automatically checked every 26 mounts or 180 days, whichever comes first. Use tune2fs -c or -i to override.
We can now detach
/dev/loop0 from secrets.
$sudo losetup -d /dev/loop0
secrets is now ready to use.
secrets file is made available by mounting it using
encryption options for the
$ mkdir ~/crypto $ chmod 600 /mnt/crypto $ sudo mount -t ext2 -o loop,encryption=aes secrets /mnt/crypto Password:<The password for accessing
After we give it the password, we can use it like an ordinary 1 MB partition. Be sure to not leave it mounted any longer than necessary even though access is restricted to the root user because
/mnt/crypto and did
chmod 600 /mnt/crypto.
If you forget your password, your information is lost! Be sure to let your spouse or other survivors know the password in case you suddenly die. Using a password that is the same as the root password would make it easier to remember, but only as secure as your root password. Encryption of files and partitions protect your data if someone were to gain physical access to your computer. In the absence of special security hardware, the normal file permissions can be easily dodged by booting a rescue disk. The encrypted files and partitions, however, still would be protected.
cat /etc/mtab, and other methods that show mounted filesystems will show that we have mounted it.
As long as it is mounted, it can be used like any other mounted filesystem:
/mnt# cd crypto /mnt/crypto# echo "amazon.com: craig2345 saeWxB235SyE" > passwords /mnt/crypto# echo "slashdot.com: craigv xRo523dDzvP" >> passwords /mnt/crypto# cat passwords amazon.com: craig2345 saeWxB235SyE slashdot.com: craigv xRo523dDzvP /mnt/crypto# cd ..
Here, we simply used the
echo command, but we could create subdirectories (a
lost+found directory was created by
mke2fs) and use an editor to work with the files. Anything copied into
secrets gets encrypted; anything copied out of it gets decrypted.
As usual, unmounting is done by
# umount /mnt/crypto
If you try to mount it without the
encryption=AES option, the mount instruction will fail because it will not see the ext2 filesystem. Examination of the file
cat or other tools will simply show 1 MB of seemingly-random bytes.
In the above
mount description, it was necessary to be
root to mount
secrets. This restriction can be removed if, as
root, we insert the following line into
/home/craig/secrets /home/craig/crypto ext2 defaults,loop,encryption=aes,user,noauto 0 0
/etc/fstab is owned by
root and has permissions
root can change its contents.
user part of the mount options here allows any user to mount the device, but if the file
secrets is owned by the user
craig and has permissions
600, then only the user
craig can access its files.
noauto option makes sure that the system does not try to mount the
secrets file upon boot. Without
noauto, the boot would be stalled waiting for the password to be entered.
The user that mounts
secrets must know the password to
secrets, and once it is mounted, that user and
root are the only ones that can
umount it. The mount point set by this line in
/home/craig/crypto which still needs to be created and tested as follows:
~$ mkdir crypto ~$ chmod 600 crypto ~$ mount secrets Password: <access password for secret> ~$ cd crypto ~/crypto$ echo testing > x ~/crypto$ cat x testing ~/crypto$ cd .. ~$ umount crypto
Last updated: August 6, 2007
Contact Craig Van Degrift if you have problems or questions with this web site.