This site is now 100% read-only, and retired.

Mounting encrypted volumes

Posted by Steve on Wed 19 Jan 2005 at 11:14

If you're worried about storing confidential material on your home machine or a laptop, then you might be interested in using encryption. Applications such as GNU Privacy Guard are good for protecting single files, but they fall short when you want to keep a whole directory secure. This is where mounting volumes with an encryption module can be useful.

Using the loop-aes kernel module you can mount a file via the loopback interface, so that everything written to that file is encrypted and stays private.

Of course there is a downside. Using encryption for a file will give you additional overhead, and it can make recovery of data difficult in the case of a crash, or filesystem corruption.

But the gain of mounting things securely is worthwhile.

The loopback module is available in Debian's unstable and sarge archives, and requires the use of the full kernel source of your running kernel to build.

For the moment it is suggested you use 2.6.x.

To determine your running kernel's version you should run:

uname -r

Assuming it returns "2.6.8-1-386" you would then run:

apt-get install kernel-headers-2.6.8-1-386

This will leave you with the header files in the directory /usr/src.

Now we can download the source to the kernel module itself, and the tool to build it, module-assistant:

apt-get install module-assistant loop-aes-source

(This will almost certainly install additional packages on your system.)

Building the module is very simple:

module-assistant prepare
module-assistant build loop-aes
apt-get install loop-aes-utils
module-assistant install loop-aes

Now that this is done, we can create a small 5Mb filesystem on an encrypted volume:

dd if=/dev/zero of=volume bs=4k count=1280
losetup -e AES128 /dev/loop1 volume
mkfs -t ext2 /dev/loop1
losetup -d /dev/loop1
mkdir /mnt/secure
mount volume -o loop=/dev/loop1,encryption=AES128 /mnt/secure/ -t ext2

You will be prompted for the password to use when you run the "losetup" command to create the encrypted volume, and again when you attempt to mount it. The passwords must be 20 characters or more.

For passwords I'd run something like:

root@host:~# head /dev/urandom | md5sum | awk '{print $1}'
01f7c41e5936eff710e13581b3f8a1fe

This password can then be printed out and kept secure, or archived somewhere safe.

In addition to mounting a file as a filesystem like this you can find instructions for mounting partitions, swap, and even your root filesystem in a secure manner by reading /usr/share/doc/loop-aes-2.6.8-1-386/README.gz
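
An added example, not part of the original article: an unprivileged shell helper for the preparation steps above. It generates a passphrase that meets the 20-character minimum from a fixed number of random bytes, and creates the backing file with owner-only permissions without overwriting an existing volume. The function names are illustrative; the losetup, mkfs and mount commands stay as shown in the article and still need root.

```shell
#!/bin/sh
# Added example: unprivileged preparation for the loop-aes steps in the article.
# Function names are illustrative and are not part of loop-aes.
MIN_LEN=20   # minimum passphrase length stated in the article

# Succeeds only if the passphrase meets the 20-character minimum.
passphrase_ok() {
    [ "${#1}" -ge "$MIN_LEN" ]
}

# Read a fixed number of bytes (default 16, i.e. 128 bits) from /dev/urandom
# and print them as hex, two characters per byte.
gen_passphrase() {
    nbytes=${1:-16}
    pw=$(head -c "$nbytes" /dev/urandom | od -An -tx1 | tr -d ' \n')
    passphrase_ok "$pw" || { echo "too short: need >= $MIN_LEN chars" >&2; return 1; }
    printf '%s\n' "$pw"
}

# Number of 4k blocks dd needs for a volume of the given size in megabytes.
blocks_for_mb() {
    echo $(( $1 * 1024 / 4 ))
}

# Create the zero-filled backing file, readable only by its owner, and
# refuse to overwrite an existing file (it may be a volume holding data).
make_volume() {
    file=$1
    size_mb=$2
    [ -e "$file" ] && { echo "refusing to overwrite $file" >&2; return 1; }
    ( umask 077 && dd if=/dev/zero of="$file" bs=4k \
        count="$(blocks_for_mb "$size_mb")" 2>/dev/null )
}
```

Source the file, run `gen_passphrase` and `make_volume volume 5`, then continue with the article's losetup step as root.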

 

 


Re: Mounting encrypted volumes
Posted by chris (80.203.xx.xx) on Wed 19 Jan 2005 at 22:00

Useful article - not used module-assistant before.

You only need the kernel-headers (as shown in the examples) - not the kernel source as stated in the intro.

For some strange reason after the module-assistant install loop-aes I had the following:

ioctl: LOOP_SET_STATUS: Invalid argument, requested cipher or key length (128 bits) not supported by kernel
# rmmod loop
# modprobe loop

fixed this.

And - the following line in fstab worked well for me:

/path/to/volume     /mnt/secure/       ext2    loop=/dev/loop1,encryption=AES128,user,noauto,rw       0       0

:-)


Re: Mounting encrypted volumes
Posted by chris (80.203.xx.xx) on Wed 19 Jan 2005 at 23:15
Followup note on this - after a reboot (upgrade of 2.6.10-1-k7) the same rmmod/modprobe is required. Re-compilation of the module was not required.


Re: Mounting encrypted volumes
Posted by Steve (82.41.xx.xx) on Thu 20 Jan 2005 at 09:30

You can cause the modules to be loaded automatically at boot time if you add their names to /etc/modules.

Steve
-- Steve.org.uk


Re: Mounting encrypted volumes
Posted by chris (217.8.xx.xx) on Thu 20 Jan 2005 at 09:34
However - the loop module (or at least _a_ loop module) is loaded - I do have to rmmod first.


Re: Mounting encrypted volumes
Posted by Anonymous (71.80.xx.xx) on Mon 17 Jan 2011 at 07:05
I had a similar error message to the one above, which I resolved by doing:
modprobe cryptoloop
Probably rebooting or remove/install loop accomplishes the same, which is what helped others above.


Re: Mounting encrypted volumes
Posted by Steve (82.41.xx.xx) on Thu 20 Jan 2005 at 09:35

module-assistant rocks!

I've used it for mounting remote filesystems using SSH, installing the NVidia drivers, and for a few kernel packages.

I find it much more understandable than the alternatives.

Steve
-- Steve.org.uk


Re: Mounting encrypted volumes
Posted by chris (217.8.xx.xx) on Thu 20 Jan 2005 at 09:36
Just waiting for the mga-vid drivers to work with 2.6.x :-)


Re: Mounting encrypted volumes
Posted by ginumohanm (121.243.xx.xx) on Sun 22 Apr 2007 at 12:34
@Steve: Great article. Very informative and useful.

@Chris: Thanks a lot for the fix. I was having the same "cipher or key length (128 bits) not supported by kernel" problem.
Thanks once again.


Re: Mounting encrypted volumes
Posted by alfal (63.65.xx.xx) on Wed 16 Feb 2005 at 14:32
Hi Steve,

Thanks for setting up this site... I have passed it around to many of my debian friends and we all have found some good reads.

I have used encryption before using the crypto loop module - which has worked well. The one issue I have with using encrypted loop devices is the wasted space of using a file for this. Example: I have a 5gig file for my encrypted loop device. Only 50% is being used... so it's wasting some space on my otherwise unencrypted drive.

Any good ideas on a way to make the encrypted file grow and shrink with the data that's inside?

Thanks,

Al


Re: Mounting encrypted volumes
Posted by Steve (82.41.xx.xx) on Wed 16 Feb 2005 at 15:00

I've not seen anything that's as general purpose as using the loopback support.

I guess it depends on what you're looking at storing? If it's simple files you might be better off using some software that saves things in an encrypted fashion - or using GNUPG for example.

It might be possible to use LVM via loopback, but it's something I've not thought of, could be worth investigating maybe?

I tend to create a small initial partition of say 1Gb, then if it gets close to being full just create a new one of a large size and copy all the contents over - so I don't commit myself to using lots of space in advance ...

Steve
-- Steve.org.uk


Re: Mounting encrypted volumes
Posted by Anonymous (61.88.xx.xx) on Thu 28 Jul 2005 at 03:54
I wonder if you can use cloop instead of loop and if that would assist you.


Re: Mounting encrypted volumes
Posted by Anonymous (82.228.xx.xx) on Mon 7 Mar 2005 at 21:25
Hello

I am using dm-crypt

http://www.saout.de/tikiwiki/tiki-index.php

/Regards Fredrik Helmer


Re: Mounting encrypted volumes
Posted by gonad (203.118.xx.xx) on Sun 1 May 2005 at 03:53
from cryptsetup package, read:
/usr/share/doc/cryptsetup/CryptoRoot.HowTo

Very useful, makes it easy to understand and do.


Re: Mounting encrypted volumes
Posted by gonad (203.118.xx.xx) on Tue 7 Jun 2005 at 08:11
If you've done the CryptoRoot, be very very very careful when upgrading kernels etc - if you've got any doubts about the process, the only advice I can offer is: don't.

I'm still trying to work out what it was I did wrong with my kernel upgrade, ended up starting again.

Also, make sure /home is on a separate partition, that way you'll avoid potential heartache :)


Re: Mounting encrypted volumes
Posted by suspended user phil (83.235.xx.xx) on Wed 29 Jun 2005 at 08:54
I'm having a problem. I have installed debian kernel-source-2.4.27 and kernel-headers-2.4.27-2-386 - this deb puts a source tarball in /usr/src as expected. The running kernel is 2.4.27-2-386

But when I do:
module-assistant fakesource

I get at the end:

make[2]: *** No rule to make target `/usr/src/kernel-source-2.4.27-2-386/include/linux/autoconf.h', needed by `/usr/src/kernel-source-2.4.27-2-386/include/linux/modules/signal .ver'. Stop.
make[2]: Leaving directory `/usr/src/kernel-source-2.4.27-2-386/kernel'
make[1]: *** [_sfdep_kernel] Error 2
make[1]: Leaving directory `/usr/src/kernel-source-2.4.27-2-386'
make: *** [dep-files] Error 2

And my subsequent attempt to build the module with these faked sources fails.

It doesn't work using just the headers either. Any help out there? Am I missing something?



Re: Mounting encrypted volumes
Posted by gonad (222.152.xx.xx) on Wed 29 Jun 2005 at 22:54
Phil, your post is not relevant to this thread.


Re: Mounting encrypted volumes
Posted by Anonymous (83.235.xx.xx) on Thu 30 Jun 2005 at 14:25
Actually it was relevant, but I can see now why that wasn't clear! My apologies - I should have provided some context.

The text at the beginning of the page is instructions for building the loop-aes module using module-assistant, which is what I was trying to do but was having, er, difficulties. In desperation I tried first configuring my downloaded kernel sources for my architecture with m-a fakesource, but that was not working, obviously.

However I have now got around my problems.

In case anyone's interested, I did this by building from the .deb loop-aes-source and loop-aes-ciphers-source packages (from sid) using method 4 in the README.debian described in those packages (this uses debian full kernel tree, image etc). Loop-aes is now up and working well.











Re: Mounting encrypted volumes
Posted by suspended user phil (83.235.xx.xx) on Tue 5 Jul 2005 at 06:16
BTW: See http://www.tldp.org/LDP/lkmpg/2.6/html/x384.htm for the correct way to configure raw kernel sources to match a precompiled kernel.


Re: Mounting encrypted volumes
Posted by suspended user mthaddon (82.45.xx.xx) on Wed 22 Feb 2006 at 17:31
Not sure if this is relevant specifically to this article, but I'm hoping someone might be able to help.

I have successfully installed the loop-aes module using module-assistant. However, it seems I don't have the appropriate loop devices (/dev/loop[0-7]). All I have is /dev/loop/0. Is this a problem and/or how do I create the other loop devices? Should I just reinstall loop-aes-utils?

Thanks, Tom


Re: Mounting encrypted volumes
Posted by Steve (82.41.xx.xx) on Wed 22 Feb 2006 at 17:35

This should help if you're using a static /dev setup:

skx2:/# cd /dev
skx2:/dev# ./MAKEDEV loop

If you're using a dynamic /dev I'd guess they would be created on demand.

Steve


Re: Mounting encrypted volumes
Posted by suspended user mthaddon (82.45.xx.xx) on Wed 22 Feb 2006 at 17:44
Thanks, Steve. Works a treat - great article.

I'm actually in the process of writing an article on encrypted filesystems for Linux at the moment (for OSTG) - comparing EncFS and Loop-aes, and also including a comment on TrueCrypt (and possibly dm-crypt as well). If you'd like to see a draft when it's ready, let me know.

Tom


Re: Mounting encrypted volumes
Posted by Steve (82.41.xx.xx) on Wed 22 Feb 2006 at 18:04

Great!

Sure I'd be happy to read what you've written, and if it were possible carry it here too ;)

Steve


Re: Mounting encrypted volumes
Posted by suspended user joshuah (213.226.xx.xx) on Wed 10 May 2006 at 09:51
Hello to all,

Does anyone know a way to do LVM + Loop-AES + XFS? Thanks in advance.
