Mounting encrypted volumes

Posted by Steve on Wed 19 Jan 2005 at 11:14

If you're worried about storing confidential material on your home machine or a laptop, then you might be interested in using encryption. Applications such as GNU Privacy Guard are good for protecting single files, but they fall short when you want to keep a whole directory secure. This is where mounting volumes through an encryption module can be useful.

Using the loop-aes kernel module you can mount a file via the loopback interface and have everything written to that file stored encrypted, so it stays secure and private.

Of course there is a downside. Encrypting a file adds overhead, and it can make recovery of data difficult in the case of a crash or filesystem corruption.

But the gain of mounting things securely is worthwhile.

The loop-aes module is available in Debian's unstable and sarge archives, and requires the full kernel source of your running kernel to build.

For the moment it is suggested that you use a 2.6.x kernel.

To determine your running kernel's version you should run:

uname -r

Assuming it returns "2.6.8-1-386" you would then run:

apt-get install kernel-headers-2.6.8-1-386

This will leave you with the header files in /usr/src.

Now we can download the source of the kernel module itself, along with module-assistant, the tool used to build it:

apt-get install module-assistant loop-aes-source

(This will almost certainly install additional packages on your system).

Building the module is very simple:

module-assistant prepare
module-assistant build loop-aes
apt-get install loop-aes-utils
module-assistant install loop-aes

Now that this is done we can create a small 5MB filesystem on an encrypted volume:

dd if=/dev/zero of=volume bs=4k count=1280
losetup -e AES128 /dev/loop1 volume
mkfs -t ext2 /dev/loop1
losetup -d /dev/loop1
mkdir /mnt/secure
mount volume -o loop=/dev/loop1,encryption=AES128 /mnt/secure/ -t ext2

You will be prompted for the password to use when you run the "losetup" command to create the encrypted volume, and again when you mount it. The password must be 20 characters or more.

For passwords I'd run something like:

root@host:~# head /dev/urandom | md5sum | awk '{print $1}'
01f7c41e5936eff710e13581b3f8a1fe

This password can then be printed out and kept somewhere secure, or archived in a safe place.
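The dd/losetup/mkfs/mount sequence above, together with the 20-character password rule, as one small POSIX shell script. This is an added example, not code from the original article or from the loop-aes project. It assumes the loop-aes module and loop-aes-utils' losetup (the one that understands -e) are installed as described above; the image path, size and mount point are assumptions. It adds one check the article does not show: after mounting, it reads the two bytes where an ext2 superblock magic would sit in the image file and refuses to continue if they are readable in the clear, which is what you would see if the filesystem had been written through a loop device set up without encryption.

```shell
#!/bin/sh
# Added example (not the article's own code). Wraps the article's
# dd/losetup/mkfs/mount sequence and adds a passphrase-length check and a
# cleartext-superblock check. Assumes loop-aes and loop-aes-utils are
# installed; /dev/loop1, the image path and the mount point are assumptions.

# Number of 4k blocks needed for a volume of the given size in MiB; the
# article's 5MB volume is 1280 such blocks.
blocks_for_mib() {
    echo $(( $1 * 1024 / 4 ))
}

# loop-aes refuses passwords shorter than 20 characters, so check the
# length before any disk is touched. Returns 0 when it is long enough.
passphrase_ok() {
    [ "${#1}" -ge 20 ]
}

# The ext2 superblock starts at byte 1024 and its magic 0xEF53 is stored
# little-endian ("ef 53") at byte 1080. If that magic is readable in the
# image file itself, the filesystem was written without the encryption
# layer. Returns 0 when cleartext magic is found.
has_cleartext_ext2() {
    magic=$(dd if="$1" bs=1 skip=1080 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "ef53" ]
}

# Same steps as the article, in order: zero-filled image, AES128 loop
# device, ext2 on it, detach, then mount with the encryption option.
# losetup and mount each prompt for the password.
# Usage: create_and_mount <image> <size_mib> <mountpoint> [loopdev]
create_and_mount() {
    image=$1; size=$2; mnt=$3; loopdev=${4:-/dev/loop1}
    dd if=/dev/zero of="$image" bs=4k count="$(blocks_for_mib "$size")" || return 1
    losetup -e AES128 "$loopdev" "$image" || return 1
    mkfs -t ext2 "$loopdev" || { losetup -d "$loopdev"; return 1; }
    losetup -d "$loopdev" || return 1
    mkdir -p "$mnt" || return 1
    mount "$image" -o loop="$loopdev",encryption=AES128 -t ext2 "$mnt" || return 1
    # The image on disk must not show the superblock in clear after this.
    if has_cleartext_ext2 "$image"; then
        echo "WARNING: $image holds a cleartext ext2 superblock; it is not encrypted" >&2
        umount "$mnt"
        return 1
    fi
}

# Run as: sh secure-volume.sh create /root/volume 5 /mnt/secure
#     or: sh secure-volume.sh check /root/volume
case "${1:-}" in
    create) shift; create_and_mount "$@" ;;
    check)  if has_cleartext_ext2 "$2"; then
                echo "$2: cleartext ext2 superblock found (NOT encrypted)"
            else
                echo "$2: no cleartext ext2 superblock"
            fi ;;
esac
```

The "check" mode is useful on an existing image before trusting it: a loop-aes volume has no header, so the whole image should look like random bytes, and the ext2 magic at byte 1080 is the cheapest place to notice that a volume was accidentally formatted through a plain loop device.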

In addition to mounting a file as a filesystem like this, you can find instructions for mounting partitions, swap, and even your root filesystem in a secure manner by reading /usr/share/doc/loop-aes-2.6.8-1-386/README.gz.


This article can be found online at the Debian Administration website at the following bookmarkable URL:

This article is copyright 2005 Steve - please ask for permission to republish or translate.