19 Aug 2008
If you want to keep some secret documents well guarded on your hard disk, you can encrypt them one by one, for example with GPG. But if you don't want to type a passphrase every 5 minutes, you can use an encrypted container to store your sensitive material in a very secure way. Why a container and not a partition? Maybe just because you already have a partition full of data and no spare space to move it elsewhere while you encrypt the partition. An encrypted container is the easier way to do it, even though in some cases it is much better to have the whole partition encrypted. This is how it works…
Some background info:
Device Mapper and DM-Crypt
Starting with version 2.6, the Linux kernel provides the Device-Mapper interface, which allows layers of virtual block devices to be created on top of real block devices. These devices are used for things like RAID, snapshots or encryption. DM-Crypt is the Device-Mapper target that provides access to the kernel's cryptographic functions.
Cryptsetup is the primary userland tool for creating and managing encrypted partitions and containers with DM-Crypt.
Linux Unified Key Setup (LUKS)
LUKS provides a standard on-disk format for encrypted partitions to facilitate cross-distribution compatibility, to allow for multiple users/passphrases and effective passphrase revocation, and to provide additional protection for low-entropy passphrases. To use LUKS, you must use a LUKS-enabled version of cryptsetup. To the author's knowledge, currently only Debian (Etch, Lenny and Sid), Ubuntu and Gentoo offer LUKS-enabled versions of cryptsetup in their repositories.
In your kernel you must enable (this is a 2.6.23 one):
Code maturity level options
  [*] Prompt for development and/or incomplete code/drivers
Device Drivers -> Multiple devices driver support (RAID and LVM)
  (*) Device mapper support
  (M) Crypt target support
Cryptographic API
  (M) AES cipher algorithms
  (M) SHA256 digest algorithm
Compile and install the new kernel if you had to change any of these.
Install cryptsetup. If you can find a package for your distro, all right. Otherwise, install it from the sources. You can grab it from here (./configure; make; make install)
Create a container file (wherever you have enough room) and use shred to fill it with random data up to the needed size:
cd /mnt
touch container_enc
shred -n1 -s20G container_enc
First find the name of the first unused loop device:
losetup -f
NOTE: If the command above doesn't work, update the util-linux package (losetup is part of it). It seems that 2.13 and later is a good choice ;)
Another option is to try losetup /dev/loopX with X = 0, 1, … until you get an error message such as:
loop: cannot get info on device /dev/loop0: No such device or address
which indicates that this loop device is free.
Use this loop device to set up the loopback (in this example /dev/loop0 is available), then create the encrypted mapping on top of it (cryptsetup will ask for the passphrase):
losetup /dev/loop0 /mnt/container_enc
cryptsetup -y create containercrypt /dev/loop0
Check if it worked by creating a mount point and mounting the mapped device:
mkdir /mnt/container_protected_mp
mount /dev/mapper/containercrypt /mnt/container_protected_mp
Then take it down again in reverse order (unmount, close the mapping, detach the loop device):
umount /mnt/container_protected_mp
cryptsetup remove containercrypt
losetup -d /dev/loop0
After that, no one can read that partition without knowing the right passphrase! Great news, huh?
To make the whole process easy to digest (the mount/umount stuff) you can create two simple scripts like:
#!/bin/bash
# mount script: attach the loop device, open the dm-crypt mapping (asks for the passphrase), mount it
losetup /dev/loop0 /mnt/container_enc
sleep 1
cryptsetup create containercrypt /dev/loop0
sleep 1
mount /dev/mapper/containercrypt /mnt/container_protected_mp
#!/bin/bash
# umount script: unmount, close the mapping, then detach the loop device
# (without the last step the next run of the mount script fails because /dev/loop0 is still in use)
umount /mnt/container_protected_mp
cryptsetup remove containercrypt
losetup -d /dev/loop0
Save them to a folder, then create two shortcuts on your Desktop to these scripts. Don't forget to set the options “Run in terminal” (to be able to enter the passphrase) and “Run as a different user” (as root, to be able to mount the encrypted filesystem).
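Added example (not from the original post): a single script that does the work of both shortcuts, choosing the loop device with losetup -f instead of hard-coding /dev/loop0, checking each step, and tearing the mapping and the loop device down again when a later step fails, so a half-opened container is never left behind. It assumes the post's paths and names, a recent util-linux losetup (for -f and -j), the post's plain-mode cryptsetup create (not LUKS), and that the mapped device already carries a filesystem (a freshly created mapping cannot be mounted until a filesystem has been made on /dev/mapper/containercrypt).

```shell
#!/bin/bash
# Added example, not the post's own scripts. Mounts or unmounts the dm-crypt
# container described above, undoing earlier steps when a later one fails.
# DRY_RUN=1 prints the commands instead of running them (review before root).
set -u
CONTAINER=${CONTAINER:-/mnt/container_enc}            # post's container file
MAPPER=${MAPPER:-containercrypt}                       # post's mapping name
MOUNTPOINT=${MOUNTPOINT:-/mnt/container_protected_mp}  # post's mount point
DRY_RUN=${DRY_RUN:-0}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# First free loop device (losetup -f) for mounting; the device backing the
# container (losetup -j, util-linux) for unmounting. Dry runs use a placeholder.
free_loop()    { if [ "$DRY_RUN" = 1 ]; then echo /dev/loopN; else losetup -f; fi; }
backing_loop() { if [ "$DRY_RUN" = 1 ]; then echo /dev/loopN; else losetup -j "$CONTAINER" | cut -d: -f1; fi; }

mount_container() {
    local loopdev
    loopdev=$(free_loop) && [ -n "$loopdev" ] || { echo "no free loop device" >&2; return 1; }
    run losetup "$loopdev" "$CONTAINER" || return 1
    # plain mode (cryptsetup create) cannot verify the passphrase: a typo only
    # shows up when mount finds no filesystem, so the earlier steps are undone
    if ! run cryptsetup create "$MAPPER" "$loopdev"; then
        run losetup -d "$loopdev"; return 1
    fi
    if ! run mount "/dev/mapper/$MAPPER" "$MOUNTPOINT"; then
        run cryptsetup remove "$MAPPER"; run losetup -d "$loopdev"; return 1
    fi
}

umount_container() {
    local loopdev
    loopdev=$(backing_loop)
    # reverse order: filesystem first, then the mapping, then the loop device
    run umount "$MOUNTPOINT" || return 1
    run cryptsetup remove "$MAPPER" || return 1
    if [ -n "$loopdev" ]; then run losetup -d "$loopdev"; fi
}

case "${1:-}" in
    mount)  mount_container ;;
    umount) umount_container ;;
esac
```

Run it as root with `mount` or `umount` as the single argument; with DRY_RUN=1 it only prints the three commands each direction would execute.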