Fedora Linux Support Community & Resources Center

#1
15th December 2005, 09:04 PM
The_JinJ

HOWTO: Protect Files Using Encrypted Containers

Protecting Files Using Encrypted Containers

Prerequisites:

Kernel version 2.6.4-rc2 or higher.

root access for initial setup.

System Configuration

Enable the device-mapper module - lets you create new logical block devices from portions of existing devices. The block devices then are "mapped" to devices that for our use are treated like normal drive partitions.

Enable dm-crypt – (Crypt Target Support in the kernel configuration menu). dm-crypt is the kernel module used to handle the encryption/decryption using the crypto API available in the 2.6 version kernels.

To use an encrypted container for our files instead of an entire drive or partition, loopback device support also needs to be enabled in the kernel. The loopback device kernel module allows us to use ordinary files as if they were real block devices.

Compile or use the module for the encryption type you want to use - the AES encryption algorithm is used here, but others are available.

Modules needed if compiling:
Device Drivers -> Multi-Device Support (RAID and LVM) -> Device Mapper Support
Device Drivers -> Multi-Device Support (RAID and LVM) -> Crypt Target Support
Device Drivers -> Block Devices -> Loopback Device Support
Cryptographic Options -> <encryption type>

Enable the required modules, compile the kernel and install it.
If you want to use modules dm-mod, dm-crypt and aes-i586:
modprobe dm-mod
modprobe dm-crypt
modprobe aes

Now install these two sets of utilities:
device-mapper utilities – if already installed then /dev/mapper and /dev/mapper/control will already exist.

cryptsetup utility - if the package is already installed /bin/cryptsetup will exist

Creating the Encrypted Container
Reboot with the new kernel (or make sure needed modules are loaded)

Create the container for your files and mount it.
Select a partition with enough space to create the container and make the container large enough for all the files you want in it (including new files!!) – it isn’t possible to increase the container size once created.

Use dd to create the container file
dd if=/dev/random of=/crypt/data.crypt bs=1M count=1024

bs is the block size (1 MB) and count is the size in blocks (1 GB = 1024 x 1 MB blocks)

The source for the dd command is /dev/random - this makes it impossible to determine how much of the container is being used. It will be stored on /crypt

Create a loopback device using the container file.
If multiple containers are used you have to use a different /dev/loopX device (where X is a unique number)

losetup /dev/loop0 /crypt/data.crypt

Create the encrypted device
I used /dev/random to generate a 32-character random string password that I stored in a file named /home/crypt.key

head -c 32 /dev/random > /home/crypt.key   # read exactly 32 random bytes into the key file
cryptsetup -c aes -d /home/crypt.key create data.crypt /dev/loop0

To mount and use it, create a filesystem. This creates the ext2 filesystem (others can be used).
Once created mount like a normal drive partition.

mke2fs -j /dev/mapper/data.crypt
mkdir /mnt/encrypted
mount /dev/mapper/data.crypt /mnt/encrypted

Your encrypted device should act the same way that a normal drive partition does.

* You must remember to unmount the device and destroy the loopback setup when finished with the device!

umount /mnt/encrypted
cryptsetup remove data.crypt
losetup -d /dev/loop0

To recap – here’s how to remount the device:

losetup /dev/loop0 /crypt/data.crypt
cryptsetup -c aes -d /home/crypt.key create data.crypt /dev/loop0
mount /dev/mapper/data.crypt /mnt/encrypted
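Added example, not part of the original post: the key-file and open/close steps of the guide above as shell functions, with a check that the key file is exactly 32 bytes and private before it is handed to cryptsetup. The function names, KEY_BYTES, and the use of /dev/urandom with head -c (which does not block) are assumptions of this example; the cryptsetup, losetup and mount calls follow the commands in the post.

```shell
#!/bin/sh
# Added example: key-file hygiene and open/close for the plain dm-crypt
# container described above. Names and KEY_BYTES are assumptions.
KEY_BYTES=32

# Write exactly KEY_BYTES random bytes to $1; umask makes a new file 0600.
make_keyfile() {
    ( umask 077 && head -c "$KEY_BYTES" /dev/urandom > "$1" )
}

# Refuse a key file that is a symlink, the wrong length, or not owner-only.
check_keyfile() {
    [ -f "$1" ] && [ ! -L "$1" ] || { echo "not a regular file: $1" >&2; return 1; }
    [ "$(wc -c < "$1")" -eq "$KEY_BYTES" ] || { echo "wrong key length: $1" >&2; return 1; }
    case "$(ls -ld "$1")" in
        -rw-------*|-r--------*) return 0 ;;
        *) echo "key file is not private: $1" >&2; return 1 ;;
    esac
}

# Fill a container of $2 MiB with random data so used space is not visible.
make_container() {
    ( umask 077 && head -c "$(( $2 * 1048576 ))" /dev/urandom > "$1" )
}

# Remount an existing container (root only). Plain dm-crypt stores no header:
# a wrong key or cipher is not rejected, it just decrypts to garbage, so the
# mount is the first step that can fail and the mapping is undone when it does.
open_container() {   # usage: open_container FILE KEYFILE NAME MOUNTPOINT
    check_keyfile "$2" || return 1
    loopdev=$(losetup -f --show "$1") || return 1    # first free /dev/loopX
    cryptsetup -c aes -d "$2" create "$3" "$loopdev" || { losetup -d "$loopdev"; return 1; }
    mount "/dev/mapper/$3" "$4" && return 0
    cryptsetup remove "$3"; losetup -d "$loopdev"; return 1
}

# Tear down in the reverse order of setup.
close_container() {  # usage: close_container NAME MOUNTPOINT LOOPDEV
    umount "$2" && cryptsetup remove "$1" && losetup -d "$3"
}
```

open_container leaves the loop device it picked in the shell variable loopdev, which is the third argument close_container expects.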
#2
3rd September 2006, 10:54 PM
bruno2040
Hello,

Cryptsetup used to work fine with Fedora 3 and Fedora 4.
I have just upgraded to Fedora 5 and I cannot make Cryptsetup work anymore!

I have checked every detail that you put in your post. Everything is correct (system configuration, container, loopback device...).
Here is what I obtain when I call cryptsetup:

>cryptsetup -c aes -y create toto /dev/loop0
Command failed: Argument invalide

Surprisingly, using the -v option does not give any more information.

Maybe it has something to do with SELinux? For the first time, I didn't deactivate it at the Fedora installation.

Thanks for your help.