Encrypted disk, partition or USB stick on Linux: A short do-it-yourself cookbook

This post was written by eli on March 17, 2009
Posted Under: Linux,Software

Before anything: Recent distros come with packaged utilities for encrypting a disk, partition, USB stick or whatever block device. This little cookbook is for those who are not that lucky, or prefer to do things with their bare hands. If you’re not familiar with using loop devices, I suggest playing a bit with them before going for the encrypted version, because the whole idea behind the mechanism is to wrap the underlying disk, partition or file with a loop device that does the encryption and decryption on the fly.

I’m running an old system, by 2009 standards: a Red Hat 7.3 with kernel 2.4.21. This is why I was so surprised when I got the encrypted loop device up and running in no time, despite the patchwork it requires. I repeated this process with the same ease on a Fedora Core 9 machine with a 2.6-family kernel.

To be 100% fair, I’ll mention that both machines had the kernel sources properly installed, and with sane options set. If you’re running on a home-compiled kernel, this will be your case as well.

So here is the quick summary of actions:

  1. Downloaded util-linux-2.12r and loop-AES-v3.2e. Opened tarballs.
  2. Patched the util-linux to support loop-AES. At util-linux-2.12r’s root directory, I went:
    patch -p1 -i ../loop-AES-v3.2e/util-linux-2.12r.diff

    This makes losetup, mount and friends respect the necessary flags. Note that the patch for util-linux is supplied by loop-AES, which is why downloading a matching pair of recent versions is a good idea (or the two I mentioned).

  3. Compilation. At the same directory:
    CFLAGS=-O2 ./configure
    make SUBDIRS="lib mount"
  4. The configuration phase produced some scary messages, but they turned out to be irrelevant. At this point, I had the relevant utilities as executables in the “mount” subdirectory.

    If you’d like to compile these as static binaries, this should be typed before anything:

    export LDFLAGS="-static"
  5. Next step was to compile the loop kernel module. The whole idea is to replace the existing module with one that supports AES encryption. It means that the kernel is patched, but only the specific module is compiled and replaced. This is a pretty scary approach, but it works. So at loop-AES’ home directory, just go, as root:
    make clean
    make

    I know. I never compile as root. But this one does the work too well. Note that there is no “make install” because plain “make” includes the installation part.

  6. Next I installed the utilities. But I didn’t want to overwrite the original binaries. Why change the existing mount and swapon on a working system? So the idea is to put the executables close to the original ones, only with a “-patched” suffix.

    So from the util-linux-2.12r/mount/, I ran as root:

    for i in losetup mount pivot_root swapon umount ; do cp $i `which $i`-patched ; done
  7. And a final test, on my encrypted USB stick:
    losetup-patched -p 0 -e AES128 /dev/loop0 /dev/sdb1 < password

    Ah, before this, I prepared a file called “password”, containing the secret which is necessary to open the encrypted block device. Without the “-p 0” flag and injecting the password through standard input, the user has to type it manually. Since at least 20 characters are required, the common solution is to let the user type a shorter password, and scramble it into something longer. Of course it’s completely stupid to keep the password on the disk as plain text. You might as well not encrypt anything if you do this.

  8. Played around with the new loop device, formatted it, mounted it with the old “mount”, unmounted, and finally released the loop device (with the old losetup):
    losetup -d /dev/loop0

That’s it. May look a bit scary, but it was really easy.
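As an added example (my own, not from the original post or from loop-AES), here is a small wrapper around the final losetup-patched step that avoids the plaintext password file altogether: it stretches a short secret to the 20-character minimum mentioned above and pipes it to losetup through “-p 0”. The function names, the use of sha256sum for the stretching, and the LOSETUP override for dry runs are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a wrapper around the
# "losetup-patched -p 0 -e AES128 <loop> <device>" step that keeps the
# passphrase out of any file on disk. The secret is read from the
# terminal, stretched to the 20-character minimum the post mentions,
# and handed to losetup over stdin via "-p 0".
# Assumptions: losetup-patched is on PATH; sha256sum (coreutils) exists.

# Succeed only if the passphrase meets the 20-character minimum.
check_passphrase_len() {
    [ "${#1}" -ge 20 ]
}

# Deterministically expand a short secret into 64 hex characters.
# Note: hashing adds length, not entropy; a weak short secret stays
# weak, so the real fix is a long passphrase, not a longer hash.
stretch_passphrase() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Attach block device $2 to loop device $1 with AES128, feeding the
# passphrase through a pipe instead of a plaintext file.
# LOSETUP may be overridden (e.g. with a function that echoes its
# arguments) for a dry run without touching any device.
attach_encrypted_loop() {
    loopdev=$1; blockdev=$2; pass=$3
    if ! check_passphrase_len "$pass"; then
        echo "passphrase shorter than 20 characters, refusing" >&2
        return 1
    fi
    printf '%s\n' "$pass" | "${LOSETUP:-losetup-patched}" -p 0 -e AES128 "$loopdev" "$blockdev"
}

# Read a secret from the terminal without echoing it.
read_secret() {
    stty -echo; read -r s; stty echo
    printf '%s' "$s"
}

# Usage: sh encloop.sh /dev/loop0 /dev/sdb1  (prompts for the short secret)
if [ $# -eq 2 ]; then
    printf 'Passphrase: ' >&2
    secret=$(read_secret); echo >&2
    attach_encrypted_loop "$1" "$2" "$(stretch_passphrase "$secret")"
fi
```

Run it with no arguments to just load the functions; with a loop device and a block device it prompts for the secret and performs the attach, after which the old mount and losetup -d work exactly as in steps 7 and 8.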
