Encrypted Loopback Filesystem
Here are my notes about how to create an encrypted loopback filesystem on Debian lenny. Previously, I used the kernel loop-aes module, but support for that functionality has been removed for Debian squeeze. So, I needed to convert to a different mechanism.
The best reference I found was this: http://www.lylebackenroth.com/blog/2008/08/29/encrypting-containers-or-partitions-with-cryptsetup-and-luks/
Here are the steps I followed to set up a 5GB encrypted filesystem. All of these steps were taken as root. The mount point (/mnt/encryptedfs) has to exist before the mount step; the filesystem lives inside the image file, so nothing else needs to be prepared on the host.

modprobe dm-mod                                   # make sure kernel module is loaded
modprobe dm-crypt                                 # make sure kernel module is loaded
dd if=/dev/urandom of=/encryptedfs.img bs=1G count=5   # create 5GB file full of random bytes
losetup /dev/loop1 /encryptedfs.img               # tie the random image to the loopback device
cryptsetup --verbose luksFormat /dev/loop1        # format the loopback device (asks for the passphrase)
cryptsetup luksOpen /dev/loop1 encryptedfs        # open the loopback device
ls -l /dev/mapper/encryptedfs                     # check that the device exists as expected
mkfs.ext3 -j -m 1 /dev/mapper/encryptedfs         # create the filesystem
mount /dev/mapper/encryptedfs /mnt/encryptedfs    # mount the loopback device
umount /mnt/encryptedfs                           # unmount the loopback device
cryptsetup luksClose encryptedfs                  # close the loopback device
losetup -d /dev/loop1                             # disconnect the loopback device from the image

Filling the image from /dev/urandom first matters: the parts of the container that have never been written are then indistinguishable from encrypted data, so the image does not reveal how much of it is in use.
I wanted a normal user to be able to mount and unmount the filesystem, so I needed to do a few more things. First, I set up /etc/fstab so that /mnt/encryptedfs could be mounted by normal users (the user option also implies noexec, nosuid and nodev; exec overrides the first of those, the other two stay in effect):

/dev/mapper/encryptedfs /mnt/encryptedfs ext3 user,exec,noauto 0 0
Then, I granted a set of commands to my normal users using visudo. The aliases pin the full argument list, so a user can attach only this image to this loop device and open only this mapping, not arbitrary files or devices:

Cmnd_Alias LOSETUPLI  = /sbin/losetup /dev/loop1 /encryptedfs.img
Cmnd_Alias LOSETUPLO  = /sbin/losetup -d /dev/loop1
Cmnd_Alias LUKSOPEN   = /sbin/cryptsetup luksOpen /dev/loop1 encryptedfs
Cmnd_Alias LUKSCLOSE  = /sbin/cryptsetup luksClose encryptedfs

The aliases by themselves grant nothing; they still have to be given to a user or group by a user specification line such as "alice ALL = (root) LOSETUPLI, LOSETUPLO, LUKSOPEN, LUKSCLOSE" (the user name here is only an illustration).
Once this was all in place, my normal users could issue these commands to mount the filesystem:
sudo losetup /dev/loop1 /encryptedfs.img
sudo cryptsetup luksOpen /dev/loop1 encryptedfs
mount /mnt/encryptedfs
and these commands to unmount it:
umount /mnt/encryptedfs
sudo cryptsetup luksClose encryptedfs
sudo losetup -d /dev/loop1
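The three commands have to run in that order, and the awkward case is when one of them fails part way through: if luksOpen is refused (a mistyped passphrase, say) the loop device is left attached, and the next attempt at sudo losetup fails with "device busy" until someone runs losetup -d by hand. The wrapper below, an added example and not part of the original post, runs the same sequence and unwinds the steps that already succeeded. The paths, device and mapping name are the ones from the post; the DRY_RUN and FAIL_AT variables are this example's own, so the control flow can be exercised without root, a loop device or a real LUKS container. It assumes the sudoers aliases above have actually been granted to the user running it.

```shell
#!/bin/sh
# Added example, not the original post's code: mount/unmount helper for the
# non-root flow. DRY_RUN=1 prints the commands instead of running them;
# FAIL_AT=<step> makes that step report failure (both are this example's
# own knobs, used to exercise the unwind logic without privileges).

IMG=/encryptedfs.img
LOOP=/dev/loop1
NAME=encryptedfs
MNT=/mnt/encryptedfs
SUDO=${SUDO:-sudo}

# run STEP CMD...: execute CMD (or print it when DRY_RUN=1), then fail
# if FAIL_AT names this step (simulates e.g. a rejected LUKS passphrase).
run() {
    step=$1; shift
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@" || return 1
    fi
    [ "${FAIL_AT:-}" != "$step" ]
}

# mount_encfs: losetup -> luksOpen -> mount. On failure, undo the steps
# that already succeeded so the loop device is not left attached.
mount_encfs() {
    run losetup $SUDO losetup "$LOOP" "$IMG" || return 1
    if ! run luksOpen $SUDO cryptsetup luksOpen "$LOOP" "$NAME"; then
        run losetup-d $SUDO losetup -d "$LOOP" || true
        return 1
    fi
    if ! run mount mount "$MNT"; then
        run luksClose $SUDO cryptsetup luksClose "$NAME" || true
        run losetup-d $SUDO losetup -d "$LOOP" || true
        return 1
    fi
}

# umount_encfs: strict reverse order. luksClose fails while the filesystem
# is still mounted and losetup -d fails while the mapping still exists,
# so stop at the first failure rather than continuing blindly.
umount_encfs() {
    run umount umount "$MNT" || return 1
    run luksClose $SUDO cryptsetup luksClose "$NAME" || return 1
    run losetup-d $SUDO losetup -d "$LOOP"
}

# Usage: ". ./encfs.sh; mount_encfs" or "umount_encfs";
#        "DRY_RUN=1 mount_encfs" shows the commands that would be run.
```

With DRY_RUN=1 the mount function prints exactly the three commands from the post; with FAIL_AT=luksOpen as well, it prints the losetup and luksOpen commands followed by the compensating losetup -d, and returns non-zero.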
I got a comment from Stefan Haun in March of 2013. He said:
- I have read your howto on creating encrypted loopback file systems and found it very helpful. However, creating a 300GB file with dd is a real pain, so I looked around and found a much quicker way to create such a file:
truncate -s 250G encryptedfs.img
creates a file of 250G in no time by just allocating the blocks. Since the fs is formatted anyways this should not be a problem.
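One thing worth checking before choosing truncate over dd, as an added example rather than anything from the post or the comment: truncate creates a sparse file whose never-written regions read back as zeros, and mkfs only writes metadata, so the data area stays zero until real data lands on it. Anyone holding the image can then see how much of the container is in use and where (and du shows the allocated size directly), which the urandom fill avoids. The script below builds a small image each way in a temporary directory (sizes are this example's own) and reports allocation and zero-byte content, so it runs unprivileged.

```shell
#!/bin/sh
# Added example, not the original post's code: compare a urandom-filled
# image with a truncate'd (sparse) one. Image sizes are constructed here
# and are much smaller than a real container.

# count_nonzero FILE: number of bytes in FILE that are not 0x00
count_nonzero() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# allocated_bytes FILE: bytes actually allocated on disk (what du reports)
allocated_bytes() {
    echo $(( $(stat -c %b "$1") * $(stat -c %B "$1") ))
}

# make_random FILE MIB: the dd approach from the post, at a small size
make_random() {
    dd if=/dev/urandom of="$1" bs=1M count="$2" 2>/dev/null
}

# make_sparse FILE MIB: the truncate approach from the comment
make_sparse() {
    truncate -s "${2}M" "$1"
}

# fill_looks_random FILE: succeed if nearly every byte is nonzero, as a
# urandom fill is (about 1 byte in 256 is zero); a sparse image is all zeros.
fill_looks_random() {
    size=$(stat -c %s "$1")
    nz=$(count_nonzero "$1")
    [ $(( nz * 10 )) -gt $(( size * 9 )) ]
}

# demo: print size, allocation and nonzero-byte count for both images
demo() {
    dir=$(mktemp -d)
    make_random "$dir/random.img" 4
    make_sparse "$dir/sparse.img" 4
    for f in random.img sparse.img; do
        printf '%s: size=%s allocated=%s nonzero_bytes=%s\n' "$f" \
            "$(stat -c %s "$dir/$f")" "$(allocated_bytes "$dir/$f")" \
            "$(count_nonzero "$dir/$f")"
    done
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it with the argument demo: the random image shows allocation equal to its size and almost every byte nonzero, the sparse image shows (on a filesystem that supports sparse files) little or no allocation and zero nonzero bytes. If the usage pattern of the container is something you care about hiding, the dd fill is the price; if the only concern is the contents of the files, the truncate shortcut is fine.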