Encrypted Filesystems, Loop Devices, Cryptoloop
A long time user of GnuPG, I was interested to learn about Cryptoloop, which offers full filesystem encryption, making it easier to edit secrets in place.
1 The Kernel Module
Cryptoloop is a kernel module which is not necessarily loaded by default. On Debian the userspace side (a losetup and mount patched to understand the -e and encryption= options) comes in a package called along the lines of loop-aes-utils. Once that is installed, load the module as root by running:
modprobe cryptoloop
You can confirm it is present with lsmod, which lists it as cryptoloop. Be aware that the kernel's own help text for this module warns that it is not safe for journaled filesystems such as ext3 and recommends the Device Mapper crypto module (dm-crypt, driven by cryptsetup) instead; cryptoloop has since been deprecated in the mainline kernel in favour of dm-crypt, whose CBC-ESSIV mode also closes the watermarking weakness of cryptoloop's predictable per-sector IVs. The procedure below remains useful for reading containers made this way, but new secrets are better kept in a dm-crypt/LUKS volume.
2 Making the Encrypted Filesystem
Cryptoloop can encrypt a filesystem on an entire partition. It also works on a loop device backed by an ordinary file, which is more flexible: each encrypted filesystem is isolated in its own container, and small containers can be copied to other media without exposing their contents.
Create the file that will hold the filesystem. Filling it from /dev/urandom rather than /dev/zero matters: random bytes are indistinguishable from ciphertext, so anyone who later obtains the container cannot tell which blocks have been written or how much of it is in use. Note that dd's default block size is 512 bytes, so count=1000 produces a container of only about 500 KiB; add bs=1M (and give the count in MiB) for anything larger:
dd if=/dev/urandom of=encryptedfs count=1000
Set up the loop device. You'll be asked for a passphrase at this stage; the key is derived by hashing the passphrase directly, without a salt or key stretching, so a short passphrase is exposed to fast offline guessing and a long one is essential. The container carries no header: nothing records the cipher or checks the passphrase, so losing either means losing the data.
losetup -e aes-256 /dev/loop0 encryptedfs
Create the filesystem on the loop device; the writes are encrypted on their way into the file:
mkfs.ext3 /dev/loop0
Detach the loop device:
losetup -d /dev/loop0
3 Mounting and Unmounting the Encrypted Filesystem
You may now mount your filesystem with mount, without setting up the loop device by hand. No -o loop option is required either: the encryption= option tells the patched mount to allocate a loop device itself, attach the file with that cipher, and mount it. The cipher given here must be the one used when the container was created, since nothing in the file records it. You may still need to load the cryptoloop module if you haven't done so since the last reboot. You'll be asked for the passphrase upon mount; with the wrong passphrase or cipher the decrypted data is garbage, so mount fails with a bad-superblock error rather than exposing anything:
mount -o encryption=aes-256 encryptedfs mountpoint
Unmounting requires no particular option; mount recorded the loop device it allocated, so umount releases it as well:
umount mountpoint
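The whole procedure from sections 2 and 3, as one POSIX shell script. This is an added example, not code from the original article or from the loop-AES project; the script name mkcryptofs.sh, the DRY_RUN switch, the chmod 600 on the container and the helper names are this example's own choices. It assumes the loop-AES-patched losetup and mount described above (so that -e and -o encryption= are understood), a losetup that accepts -f to report a free device, and root privileges for a real run.

```sh
#!/bin/sh
# mkcryptofs.sh: create, format and mount a cryptoloop container as in the
# article, with the checks an operator wants. Example code, not from the page.
# Assumes the loop-AES-patched losetup/mount (-e, -o encryption=) and root.
#
#   sh mkcryptofs.sh create <file> <size-MiB> [cipher]
#   sh mkcryptofs.sh mount  <file> <mountpoint> [cipher]
#   sh mkcryptofs.sh umount <mountpoint>
#
# DRY_RUN=1 prints the privileged commands instead of executing them.

CIPHER_DEFAULT=aes-256

# run: execute a command, or print it when DRY_RUN=1 so the sequence can be
# reviewed without touching loop devices.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# size_ok: accept only a positive integer (container size in MiB).
size_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# module_loaded: true if cryptoloop is already in the running kernel.
module_loaded() {
    grep -q '^cryptoloop ' /proc/modules 2>/dev/null
}

# free_loop: first unused loop device (placeholder /dev/loop0 in dry runs).
free_loop() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' /dev/loop0; else losetup -f; fi
}

# create_container <file> <size-MiB> [cipher]
# Fills the file with random data (unused space then looks like ciphertext),
# attaches it with the cipher, makes an ext3 filesystem and detaches again.
create_container() {
    file=$1; size=$2; cipher=${3:-$CIPHER_DEFAULT}
    size_ok "$size" || { echo "size must be a positive integer of MiB" >&2; return 2; }
    if [ -e "$file" ]; then
        echo "$file exists, refusing to overwrite" >&2; return 2
    fi
    module_loaded || run modprobe cryptoloop
    # bs=1M so <size> really is MiB; dd's default block is only 512 bytes.
    run dd if=/dev/urandom of="$file" bs=1M count="$size"
    run chmod 600 "$file"            # ciphertext is still worth keeping private
    loopdev=$(free_loop)
    run losetup -e "$cipher" "$loopdev" "$file"   # prompts for the passphrase
    run mkfs.ext3 -q "$loopdev"
    run losetup -d "$loopdev"
}

# mount_container <file> <mountpoint> [cipher]
# encryption= makes mount allocate the loop device itself, so no -o loop;
# the cipher must be the one used at creation, nothing in the file records it.
mount_container() {
    file=$1; mnt=$2; cipher=${3:-$CIPHER_DEFAULT}
    [ -f "$file" ] || { echo "$file: no such container" >&2; return 2; }
    [ -d "$mnt" ]  || { echo "$mnt: no such directory" >&2; return 2; }
    module_loaded || run modprobe cryptoloop
    run mount -o "encryption=$cipher" "$file" "$mnt"   # prompts for the passphrase
}

# umount_container <mountpoint>: umount also releases the loop device.
umount_container() {
    run umount "$1"
}

case "${1:-}" in
    create) shift; create_container "$@" ;;
    mount)  shift; mount_container "$@" ;;
    umount) shift; umount_container "$@" ;;
    '')     : ;;
    *)      echo "usage: $0 create|mount|umount ..." >&2; exit 2 ;;
esac
```

DRY_RUN=1 sh mkcryptofs.sh create secrets.img 64 prints the command sequence for review; without DRY_RUN the same sequence runs and losetup prompts for the passphrase. The dry-run lines are printed unquoted for reading, not for pasting back with paths that contain spaces.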