# Crypted filesystem. Not hackable!? Protect your data F.A.Q.

## Adwin

Well, this short FAQ is posted in order to help people get a more-or-less secure filesystem.

The information needed to write this article was compiled from various sources, so I give credit to the various authors.

If anybody hacks you while your filesystem is mounted, they still get access to your data.

The goal is to get a mountable crypted filesystem in its entirety, i.e., including data.

Data is encrypted ON THE FLY.

For this, we will need the following:

A kernel with built-in (not as a module, although that can also be done) loop device support AND cryptoloop.

In order to achieve this, enable the following options in your kernel:

           Block devices  --->
               <*> Loopback device support
               <*>   Cryptoloop Support

We will also need to choose an appropriate algorithm in order to encrypt our data.

You can use any available algo, but let's choose AES, for the strength of the cipher.

Let me remind you that AES is in compliance with the "National Institute of Standards and Technology".

           Cryptographic options  --->
               <*>   AES cipher algorithms

You'll probably also need util-linux from ftp://ftp.kernel.org/pub/linux/utils/util-linux/

You should also check that you've got gnupg; otherwise do a

           $ emerge gnupg

Now let's get to the interesting part.

We have to wipe out our entire partition, and to do so, we'll either overwrite it with random data or with "0".

          Overwrite with random data:

          dd if=/dev/urandom of=/dev/hda1 bs=4k    # /dev/hda1 is your partition; SCSI may be sdxx

          Overwrite with zeros:

          dd if=/dev/zero of=/dev/hda1 bs=4k       # /dev/hda1 is your partition; SCSI may be sdxx

(You can change the block size to one fitting your needs, but 4k is a nice compromise between speed and storage efficiency.)

I prefer zeroing rather than random.

First, you can't get data corruption through sector merge.

Second, it's waaaaaay faster.

DISCLAIMER:

Beware, overwriting your partitions wipes out your data, so do a backup. I can't be held responsible for any damage / data loss of any kind whatsoever.

Overwriting speed depends a lot on your CPU / hard drive, and is intensive on both.

Now we'll have to associate a loop device with your partition:

            losetup -e AES128 -T /dev/loop2 /dev/hda1

-e sets encryption type, AES128 is good enough. If you are a maniac, you can choose AES192 or AES256, but then, you should equip yourself with a decent CPU.

-T asks you for your password TWICE (I recommend it, since you have to confirm your pass. A crypted partition with a lost password is IRRECOVERABLE without the pass, so, you wouldn't want to lose your data forever, would you?)

A password is any character from 0-9, a-z and A-Z.

For a loop device, you can choose anything from /dev/loop0 and up. I'd recommend using /dev/loop2 and up, since many distributions / livecds tend to use loop0.

Now, let's make a filesystem on your partition:

            mkfs -t ext3 /dev/loop2

(For testing needs, I have chosen ext3.)

Afterwards, you'll need to unmount your loop device, by doing a:

            $ losetup -d /dev/loop2

Let's get to mounting options now:

In order to mount a partition manually:

1: Associate a loop device with your physical partition:

            $ losetup -e AES128 /dev/loop2 /dev/hda1

2: Mount your partition:

            $ mount /dev/loop2 /mnt/my-crypted-partition1

Unmounting partitions:

1: Unmounting your partition:

            $ umount /mnt/my-crypted-partition1

2: Delete loop-device to physical partition association:

            $ losetup -d /dev/loop2

You can also add an entry to your /etc/fstab for automatic / semi-automatic mounting:

Automatic mounting:

             /dev/hda1    /mnt/my-crypted-partition1    ext3    noatime,loop=/dev/loop2,encryption=AES128 0 0

Automatically mounted upon init / system boot.

Semi-automatic mounting:

             /dev/hda1    /mnt/my-crypted-partition1    ext3    noauto,noatime,loop=/dev/loop2,encryption=AES128 0 0

Mounting only via a

             $ mount /mnt/my-crypted-partition1

For the purpose of partition copying or otherwise, you can also associate a loop device to a file.

That would be like a virtual partition from a file.

            dd if=/dev/zero of=/root/crypto bs=4k count=3000

The file size is determined by multiplying your block size by your sector count.

In our example:

               4k * 3000 = 12,000k, approximately 11.7 MB

Well, that's all.

If your system is secure during "mount-time", nobody will get access to your data, not even your brother, the RIAA or even the Russian Mafia.

;]

Hope that helps.
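Added example, not part of Adwin's post: the steps of the howto above (zero-fill, `losetup -e`, `mkfs`, detach, mount/umount, fstab line) wrapped into one POSIX sh script with a dry-run mode, so you can review exactly which commands will hit the disk before running them as root. It assumes a loop-AES/util-linux `losetup` that understands `-e` and `-T` as in the howto, a kernel with loop + cryptoloop + AES, and a free loop device; the function and variable names are mine. The file size is expressed in MB rather than in a raw `count`, so the 4k-block arithmetic from the howto is done for you. Note the kernel help text quoted later in this thread about cryptoloop and journaled filesystems like ext3.

```shell
#!/bin/sh
# Added example (not from the original post): cryptoloop setup steps with a
# dry-run mode. Assumed: loop-AES/util-linux losetup with -e/-T, a kernel with
# loop + cryptoloop + AES, a free loop device. Function names are mine.

DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = really execute them

# run CMD...: print the command line; execute it only when DRY_RUN=0.
run() {
    printf '%s\n' "$*"
    if [ "$DRY_RUN" = "0" ]; then "$@"; fi
}

# loop_in_use LOOPDEV: true if `losetup -a` already lists LOOPDEV
# (the howto says to check the loop device isn't used by another resource).
loop_in_use() {
    losetup -a 2>/dev/null | grep -q "^$1:"
}

# make_container FILE SIZE_MB LOOPDEV [CIPHER]: create a zero-filled file
# (or pass a partition as FILE), attach it with encryption, prompting twice
# for the passphrase (-T), make an ext3 filesystem on it, then detach.
make_container() {
    file="$1"; size_mb="$2"; loopdev="$3"; cipher="${4:-AES128}"
    # 4k blocks as in the howto: count = size_mb * 1024 / 4 = size_mb * 256
    count=$((size_mb * 256))
    if [ "$DRY_RUN" = "0" ] && loop_in_use "$loopdev"; then
        echo "$loopdev is already in use, pick another loop device" >&2
        return 1
    fi
    run dd if=/dev/zero of="$file" bs=4k count="$count"
    run losetup -e "$cipher" -T "$loopdev" "$file"
    run mkfs -t ext3 "$loopdev"
    run losetup -d "$loopdev"
}

# mount_crypted DEVICE MOUNTPOINT LOOPDEV CIPHER: the manual mount sequence.
mount_crypted() {
    run losetup -e "$4" "$3" "$1"
    run mount "$3" "$2"
}

# umount_crypted MOUNTPOINT LOOPDEV: umount, then drop the loop association.
umount_crypted() {
    run umount "$1"
    run losetup -d "$2"
}

# fstab_entry DEVICE MOUNTPOINT LOOPDEV CIPHER: the semi-automatic (noauto)
# fstab line from the howto, for `mount MOUNTPOINT` by hand.
fstab_entry() {
    printf '%s\t%s\text3\tnoauto,noatime,loop=%s,encryption=%s 0 0\n' \
        "$1" "$2" "$3" "$4"
}

# Usage: `sh cryptoloop.sh demo` prints the plan; `DRY_RUN=0 sh cryptoloop.sh demo`
# (as root) executes it. /root/crypto and /dev/loop2 are the howto's own values.
if [ "${1:-}" = "demo" ]; then
    make_container /root/crypto 12 /dev/loop2 AES128
    fstab_entry /root/crypto /mnt/my-crypted-partition1 /dev/loop2 AES128
fi
```

Keeping DRY_RUN=1 as the default means a typo in a device name shows up on the terminal instead of on the wrong disk; only flip it to 0 once the printed `dd` and `losetup` lines name the partition or file you meant.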

----------

## DaSch

I like this posting  :Smile: 

will try this asap

----------

## TheCarNinja

Very cool. Perfect for my needs. I'll let you know how it goes  :Wink: 

One question tho, this ought to work the same with SATA yes?

----------

## hensan

Is ext3 and cryptoloop a good combination? This warning is in the help text for cryptoloop in the kernel config:

*Quote:*

> WARNING: This device is not safe for journaled file systems like
> ext3 or Reiserfs. Please use the Device Mapper crypto module
> instead, which can be configured to be on-disk compatible with the
> ...

----------

## ultraViolet

I was using losetup before, and now I am using dm-crypt. It is easier to use. You only need to create LVM disks, then use the cryptsetup command. I would advise people to use the dmcrypt solutions...

But thanks for your howto!
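Added example, not from ultraViolet's post or from the howto: the dm-crypt equivalent of the cryptoloop steps, using the `cryptsetup` command mentioned above with LUKS headers, in the same dry-run style so the commands are printed before anything is executed. It assumes a kernel with device-mapper and dm-crypt, a `cryptsetup` with LUKS support (the `luksFormat`/`luksOpen`/`luksClose` actions), and that DEVICE is a partition or a plain loop device attached with `losetup /dev/loop2 FILE`; the function names are mine.

```shell
#!/bin/sh
# Added example (not the poster's or the howto's own code): dm-crypt/LUKS
# counterpart of the cryptoloop steps. Assumed: device-mapper + dm-crypt in the
# kernel, cryptsetup with LUKS support. Function names are mine.

DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = really execute them

# run CMD...: print the command line; execute it only when DRY_RUN=0.
run() {
    printf '%s\n' "$*"
    if [ "$DRY_RUN" = "0" ]; then "$@"; fi
}

# dmcrypt_format DEVICE NAME: one-time setup. luksFormat and luksOpen ask for
# the passphrase on the terminal, like losetup -T did; the filesystem goes on
# the mapped device /dev/mapper/NAME, never on DEVICE itself.
dmcrypt_format() {
    run cryptsetup luksFormat "$1"
    run cryptsetup luksOpen "$1" "$2"
    run mkfs -t ext3 "/dev/mapper/$2"
    run cryptsetup luksClose "$2"
}

# dmcrypt_mount DEVICE NAME MOUNTPOINT: open the mapping, then mount it.
dmcrypt_mount() {
    run cryptsetup luksOpen "$1" "$2"
    run mount "/dev/mapper/$2" "$3"
}

# dmcrypt_umount NAME MOUNTPOINT: umount first, then close the mapping so the
# key is gone from the kernel and the data is unreadable again.
dmcrypt_umount() {
    run umount "$2"
    run cryptsetup luksClose "$1"
}

# Usage: `sh dmcrypt.sh demo` prints the plan; `DRY_RUN=0 sh dmcrypt.sh demo`
# (as root) executes it. /dev/hda1 and the mountpoint are the howto's values;
# the mapping name "secure" is a placeholder.
if [ "${1:-}" = "demo" ]; then
    dmcrypt_format /dev/hda1 secure
    dmcrypt_mount /dev/hda1 secure /mnt/my-crypted-partition1
    dmcrypt_umount secure /mnt/my-crypted-partition1
fi
```

The mkfs on `/dev/mapper/NAME` is the step that matters: the journal and data of the ext3 filesystem go through dm-crypt, which is what the kernel help text quoted above recommends instead of cryptoloop for journaled filesystems.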

----------

## RobinVossen

```
1 _sxb # losetup -e AES128 -T /dev/loop2 /home/_sxb/secure
Error: Password must be at least 20 characters.
```

Why is that?

How can I enter a password if it says error before I have the chance to put one in?

Thanks.

----------

## Adwin

Do you have an alias defined for losetup somewhere?

Try something like this:

```
echo YOURPASS | losetup -p0 -e AES128 /dev/loop2 /...
```

Check that your /dev/loop2 isn't already used by another resource:

```
losetup -a
```

----------

## RobinVossen

```
1 _sxb # echo 123456qwertysecret00 | losetup -p0 -e AES128 /dev/loop2 /home/_sxb/secure
ioctl: LOOP_SET_FD: Operation not permitted
```

`losetup -a` gives no output.

----------

