GNU.WIKI: The GNU/Linux Knowledge Base

  [HOME] [HowTo] [ABS] [MAN1] [MAN2] [MAN3] [MAN4] [MAN5] [MAN6] [MAN7] [MAN8] [MAN9]

 


Cryptoloop HOWTO

Ralf H�lzer

<cryptoloop@ralfhoelzer.com>

2004-01-15
Revision History                                                             
Revision 1.2             2004-03-12            Revised by: rh                
Added information on dm-crypt, updated loop-AES info, added more info on     
security                                                                     
Revision 1.1             2004-01-24            Revised by: rh                
Updated information on patching util-linux, Loop-AES, Best Crypt             
Revision 1.0             2004-01-17            Revised by: rh                
Initial release, reviewed by TM at LDP.                                      
Revision v0.9            2004-01-15            Revised by: rh                
Updated and converted to DocBook XML.                                        


  This document explains how to create encrypted file systems using the
Cryptoloop functionality. Cryptoloop is part of the CryptoAPI in the 2.6
Linux kernel series.

-----------------------------------------------------------------------------
Table of Contents
1. About this document
    1.1. Copyright and License
    1.2. Disclaimer
    1.3. Credits / Contributors
    1.4. Feedback
   
   
2. Introduction
3. Configuring the kernel
4. Getting the user space tools
5. Setting up the loop device
6. Mounting the encrypted file system
7. Using a file instead of a partition

1. About this document

  This HOWTO describes how to use the Cryptoloop loop device encryption in
the 2.6 Linux kernel series. Cryptoloop makes it possible to create encrypted
file systems within a partition or another file in the file system. These
encrypted files can the be moved to a CD, DVD, USB memory stick, etc.
Cryptoloop makes use of the loop device. This device is a pseudo-device which
serves as a "loop" through which each call to a the file system has to pass.
This way, data can be processed in order to encrypt and decrypt it. Since
kernel 2.6, the Crypto API has been integrated into the main kernel, and
setting up an encrypted file system has become much easier. No additional
kernel patches are required. An update of some userspace utilities is
necessary. Unfortunately, the use of Cryptoloop is not very well-documented
so far. This HOWTO is an attempt to make it easy everyone to create an
encrypted file system using the standard Cryptoloop functionality. Cryptoloop
is based on the Crypto API in the 2.6 Linux kernel. It should not be confused
with Loop-AES, which is a completely separate project. Cryptoloop is similar
to the Crypto API that was available as a separate patch for the 2.4 kernel
series. The new version is not compatible with the older one.
-----------------------------------------------------------------------------

1.1. Copyright and License

 This document, Cryptoloop HOWTO, is copyrighted � 2004 by Ralf H�lzer.
Permission is granted to copy, distribute and/or modify this document under
the terms of the GNU Free Documentation License, Version 1.1 or any later
version published by the Free Software Foundation; with no Invariant
Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of
the license is available at [http://www.gnu.org/copyleft/fdl.html]  http://
www.gnu.org/copyleft/fdl.html.

 Linux is a registered trademark of Linus Torvalds.
-----------------------------------------------------------------------------

1.2. Disclaimer

 No liability for the contents of this document can be accepted. Use the
concepts, examples and information at your own risk. There may be errors and
inaccuracies, that could be damaging to your system. Proceed with caution,
and although this is highly unlikely, the author(s) do not take any
responsibility.

 All copyrights are held by their by their respective owners, unless
specifically noted otherwise. Use of a term in this document should not be
regarded as affecting the validity of any trademark or service mark. Naming
of particular products or brands should not be seen as endorsements.
-----------------------------------------------------------------------------

1.3. Credits / Contributors

 I'd like to thank the following people who helped me improve this HOWTO:

��*�Dennis Kaledin
   
��*�Binh Nguyen
   
��*�David Lawyer
   
��*�Tabatha Marshall
   
��*�Kian Spongsveen
   

-----------------------------------------------------------------------------
1.4. Feedback

 Feedback is most certainly welcome for this document. Send your additions,
comments and criticisms to the following email address : <
cryptoloop@ralfhoelzer.com>.
-----------------------------------------------------------------------------

2. Introduction

  There are currently a few alternatives to using Cryptoloop. Loop-AES
([http://loop-aes.sourceforge.net] http://loop-aes.sourceforge.net) is
probably the most well-known. It provides very similar functionality to
Cryptoloop. Aes-loop is currently more mature than Cryptoloop and it is also
faster (about twice as fast, according to the author of loop-AES), because it
uses a highly optimized assembler implementation for AES. This doesn't mean
that Cryptoloop is slow. I have not noticed any significant speed differences
between a Cryptoloop-encrypted partition and a non-encrypted partition during
everyday work with normal amounts of I/O. Unless I/O performance is extremely
important to you, Cryptoloop should do just fine. Loop-AES offers some
additional features that are not yet present in the kernel implementation of
Cryptoloop. Loop-AES requires modified userspace tools (mount, losetup) and
these modifications are incompatible with Cryptoloop. You will not be able to
use Cryptoloop and Loop-AES at the same time.

  In terms of security, Cryptoloop is doing ok. The key is usually generated
from a password and its hash is used as the key to AES. This leads to the
possibility of a [http://lwn.net/Articles/67216/] known-plaintext attack.
Loop-AES is superior in this regard, because it generates a random key and
encrypts this key separately, making a known-plaintext attack more difficult.
Loop-AES also supports a multi-key mode, where sectors are encrypted with 64
separate AES keys. In general, a brute-force attack on your password can be
very effective, if you choose a weak password. To be on the safe side, your
password should be at least 20 characters long. Otherwise a brute-force
attack on the password will be much easier than trying to brute-force the AES
encryption directly.

  The Cryptoloop functionality in the standard kernel provides a stable and
clean implementation without the need for extra patches. Since it is still
fairly new, it may not have gotten the necessary amount of review in terms of
security. You have to decide for yourself what is suitable for you.

  IMPORTANT: Cryptoloop has been marked deprecated in the latest 2.6 kernel.
This means that it will no longer be maintained actively. The successor to
Cryptoloop will be [http://www.saout.de/misc/dm-crypt/] dm-crypt. Dm-crypt is
available in the main kernel since 2.6.4. Cryptoloop will still be available
in the main kernel for a long time, but dm-crypt will be the method of choice
for disk encryption in the future. Dm-crypt is based on the device mapper and
offers pretty much the same functionality as Cryptoloop. It is still very new
and there are no easy-to-use userspace tools available yet. Dm-crypt is
considered to be much cleaner code than Cryptoloop, but there are some
important differences. For example, creating an ecrypted filesystem within a
file will still require to go through a loop device, but this support is
still in development.

  There are other tools which allow you to create an encrypted file system.
BestCrypt is a commercial product from Jetico. It allows you to create
encrypted containers and has a large choice of ciphers. It also offers some
nifty features such as hidden containers. It is available for Windows and
Linux, which makes it suitable for interchanging encrypted containers between
Windows and Linux. BestCrypt now compiles on 2.6 kernels as well. Cryptoloop
can also create containers that can be moved around, by creating the
encrypted file system within a file as described below. I don't know of a way
to access the Cryptoloop-encrypted files from other operating systems such as
Windows. In this case, BestCrypt may be your only choice.

  There are other commercial disk encryption tools such as PGP disk, but to
my knowledge there is no Linux support for them.
-----------------------------------------------------------------------------

3. Configuring the kernel

  In order to use Cryptoloop, you need to activate a few kernel options. You
have the option to either compile these requirements as modules or compile
them directly into the kernel. The following steps enable them as modules. If
you are not familiar with building a 2.6 kernel, you should refer to the
[http://www.linuxdocs.org/HOWTOs/Kernel-HOWTO.html] Linux Kernel HOWTO. The
following instructions just give the minimal steps.

 1. Go to the directory that holds your kernel source tree (usually /usr/src/
    linux/) and start the configuration:
    make menuconfig                                                          
   
 2. Enable general loop device support. Active "Loopback device support"
    under:
    Device Drivers -> Block Devices -> Loopback device support               
   
 3. Enable Cryptoloop support in the same section. The option should show up
    as soon as you enable general loopback support.
   
 4. Enable the cryptographic API by going to "Cryptographic options" from the
    main menu. You can safely enable most algorithms here. I would recommend
    that you enable the following:
        -- Cryptographic API                                                 
         <*>   HMAC support                                                  
         < >   Null algorithms                                               
         <*>   MD4 digest algorithm                                          
         <*>   MD5 digest algorithm                                          
         <*>   SHA1 digest algorithm                                         
         <*>   SHA256 digest algorithm                                       
         <*>   SHA384 and SHA512 digest algorithms                           
         <*>   DES and Triple DES EDE cipher algorithms                      
         <*>   Blowfish cipher algorithm                                     
         <*>   Twofish cipher algorithm                                      
         <*>   Serpent cipher algorithm                                      
         <*>   AES cipher algorithms                                         
         <*>   CAST5 (CAST-128) cipher algorithm                             
         <*>   CAST6 (CAST-256) cipher algorithm                             
         <*>   Deflate compression algorithm                                 
         < >   Testing module                                                
                                                                             
   
      If you decide to make them as modules, make sure you load the
    appropriate modules (cryptoloop, aes, etc.) at startup before you
    continue.
   
 5. Make your kernel and modules and install them. For example, if you are
    using lilo on a x86 machine, this can be done like this:
         make                                                                
         make modules_install                                                
         cp arch/i386/boot/bzImage /boot/kernel-2.6.1                        
         lilo                                                                
                                                                             
   
 6. Load the required modules at startup. This is handled differently on the
    various distributions. For example, on Gentoo these modules can be added
    to /etc/modules.autoload/kernel-2.6. If you have compiled Cryptoloop as a
    module, it will have to be loaded first. It will automatically load the
    basic loop device module as well. You can manually load the module with:
    modprobe cryptoloop                                                      
   

-----------------------------------------------------------------------------
4. Getting the user space tools

  The Cryptoloop driver requires updated userspace tools to actually create
and mount the encrypted file system. An updated util-linux package is needed
and can be obtained from [http://ftp.cwi.nl/aeb/util-linux/
util-linux-2.12.tar.gz] http://ftp.cwi.nl/aeb/util-linux/
util-linux-2.12.tar.gz. The most current version is 2.12. There will be new
versions out soon that will probably introduce major changes, so make sure
you check this HOWTO for updates before upgrading to a newer version.
Unfortunately there are many patches for util-linux out there. There are
differences in the way how encrypted partitions are created and mounted. In
order to use util-linux 2.12 with a 2.6 kernel at least the following two
patches need to be applied:

 1. [http://www.stwing.org/~sluskyb/util-linux/losetup-combined.patch]
    Combined losetup patch
 2. [http://www.ece.cmu.edu/~rholzer/cryptoloop/
    util-linux-2.12-kernel-2.6.patch] Util-linux 2.6 patch

  Download the util-linux package and the two patches above. First extract
the util-linux package and then apply the two patches:
     tar xvfz util-linux-2.12.tar.gz                                         
                                                                             
     cd util-linux-2.12                                                      
                                                                             
     patch -p1 < /path_to_patchfile/losetup-combined.patch                   
                                                                             
     patch -p1 < /path_to_patchfile/util-linux-2.12-kernel-2.6.patch         
                                                                             

  After applying the patches, compile and install util-linux according to the
instructions in the INSTALL file.

  I recommend to use [http://gentoo.org] Gentoo Linux, which automatically
applies these patches when emerging the util-linux patches. Other
distributions may have versions of util-linux available, that have these
patches aleady applied as well.
-----------------------------------------------------------------------------

5. Setting up the loop device

Cryptoloop can be used either on a file or an entire file system. The
following describes how to set it up on a particular partition. This
partition can be any partition you like; the following example uses /dev/
sda1. I have chosen to use AES as a cipher, but you can substitute any cipher
you like that has been enabled in the kernel. You can get a list of the
algorithms supported by your currently running kernel by looking into /proc/
crypto. An excellent resource, discussing the different cryptographic
algorithms, are Bruce Schneier's books, Applied Cryptography and Practical
Cryptography. Both AES and Serpent are probably a reasonable choice. AES has
been cryptanalyzed a lot and no serious weaknesses have been discovered so
far. Serpent has not been analyzed as much, but is considered to be even a
little bit stronger than AES. However, Serpent is also slower than AES. Stay
away from DES, it is both slow and weak. Triple-DES may be an option, but AES
is probably more secure and faster, so there is really no reason to use
Triple-DES anymore.

 1. It is recommended that you format your partition and fill it with random
    data before you create the encrypted file system on it. This will make it
    harder for an attacker to detect patterns in your encrypted partition.
   
    WARNING!
   
    Be careful what you type here for your partition. If you do make a
    mistake, you can easily overwrite the wrong partition with random
    garbage!
   
    Filling a partition with random data can be done as follows:
    dd if=/dev/urandom of=/dev/sda1 bs=1M                                    
   
    You may get an error message that the device is full. You can ignore it.
   
 2. Select a cipher and key size. A list of ciphers supported by your kernel
    can be obtained from /proc/crypto. I recommend that you use AES with a
    256-bit key.
   
 3. Set up the loop device. This is done using the losetup command from the
    util-linux package. The following command creates an encrypted filesystem
    using the loop device 0 using the AES cipher with a 256-bit key on the
    device /dev/sda1:
    losetup -e aes-256 /dev/loop0 /dev/sda1                                  
   
    The command prompts for a password. Select a strong password and try to
    remember it without having to stick a Post-It note to your monitor. There
    is one big downside to using Cryptoloop. Since the password is hashed to
    create the encryption key, it is not easy to change the password later
    on. The most straight-forward way of changing the password is to create a
    new encrypted partition or file and move all data into it. For this
    reason, make sure you select a strong password from the start. AES may be
    a strong algorithm, but if you chose a weak password, that security goes
    down the drain.
   
    If losetup fails with an INVALID ARGUMENT error message, there is a
    problem with your util-linux package. Make sure you have followed the
    instructions above on how to install a patched version of util-linux.
    Older and unpatched version use a different way of passing the key size,
    and do not work with the 2.6 Crypto API.
   
 4. Create a file system. You can chose whatever file system you like. The
    following creates an ext3 file system using the loop device:
    mkfs.ext3 /dev/loop0                                                     
   
 5. Mount the encrypted file system. First you need to create a mount point,
    such as /mnt/crypto:
    mkdir /mnt/crypto                                                        
   
    Then you need to mount the file system. At this stage you need to tell
    mount explicitly which loop device to use:
    mount -t ext3 /dev/loop0 /mnt/crypto                                     
   
 6. You can now play with your encrypted file system until you are bored.
   
 7. Unmount the file system. After you are done playing, unmount the
    filesystem:
    umount /mnt/crypto                                                       
   
 8. Detach the loop device. The loop device is still attached to your
    partition. Detach it with:
    losetup -d /dev/loop0                                                    
   

-----------------------------------------------------------------------------
6. Mounting the encrypted file system

 For all operations on the Cryptoloop device, it is important that the
necessary modules are loaded. You need to load at least the Cryptoloop module
and the modules for each cipher with modprobe. If the features are compiled
directly into the kernel, this is not necessary.

In order to mount the encrypted file system created above, you can use the
standard mount command from util-linux:
mount -t ext3 /dev/sda1 /mnt/crypto/ -oencryption=aes-256                    

You will be prompted for the password and the file system will be mounted
just as any other. Since the encryption option implies that this is a
Cryptoloop filesystem, it will automatically pick an available loopback
device.

When you are done, unmount it with:
umount /mnt/crypto                                                           

You can add the following line to /etc/fstab:
/dev/sda1               /mnt/crypto     ext3            noauto,encryption=aes-256       0 0

Now you can simply mount the device with:
mount /mnt/crypto                                                            

That's it. Have fun.
-----------------------------------------------------------------------------

7. Using a file instead of a partition

 It is just as easy to create an encrypted file system within a file on
another file system. This is especially useful if you want to back up this
file by burning it to a DVD, etc. You can then easily move the file around to
other machines as well.

To initially create a 100MB file containing random data use the following
command:
dd if=/dev/urandom of=/mystuff.aes bs=1k count=100000                        

 If you want to change the size of the file, change the count value
accordingly. The above command creates 100000 blocks of 1k in size, but you
can change this to whatever you like. Just make sure it is not too small to
hold the file system you chose. You can choose any file name and path you
want instead of /mystuff.aes as long as there's enough space on the
partition.

You can then create the encrypted file system within this file, similar to
the way it is done above:
losetup -e aes-256 /dev/loop0 /mystuff.aes                                   

Now you can create the file system:
mkfs.ext3 /dev/loop0                                                         

 and mount it:
mount -t ext3 /dev/loop0 /mnt/crypto                                         

 Finally, unmount and detach the loop device:
umount /mnt/crypto                                                           
losetup -d /dev/loop0                                                        

 You can then mount the file system later on as follows:
mount /mystuff.aes /mnt/crypto -oencryption=aes-256                          

If you want to move the file or burn it to a CD or DVD, make sure you unmount
it first.





  All copyrights belong to their respective owners. Other site content (c) 2014, GNU.WIKI. Please report any site errors to webmaster@gnu.wiki.