Modern operating systems give you the possibility to encrypt filesystems. Or virtual filesystem as the loopback ones. This article discuss two ways of getting an encrypted loopback on linux.
Crypto-loops on Linux
About The Author
Eugenia Loli
Ex-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker.
Follow me on Twitter @EugeniaLoli
In my case I went a bit further putting the device in /etc/fstab to have it automagically mounted at every boot on my Gnome desktop too.
I hope that “automagically” doesn’t imply that he needn’t enter the passphrase? The crypt device would be quite useless then.
Otherwise, nice artice
I hope that “automagically” doesn’t imply that he needn’t enter the passphrase? The crypt device would be quite useless then.
It does, sir. Its pathetic indeed.
I got aware of this a while ago when this was still ‘hot’. Here, check out what /etc/crypttab on Debian Sarge says:
# <target device> <source device> <key file> <options>
…
Good article, but I have two comments:
Assume that the file that will act as a filesystem for our loopback device is called crloop: it has a size of 640 MB and i created it typing dd if=/dev/zero of=/home/marco/crloop bs=1M count=640.
As long as cryptography is involved, why not make this:
dd if=/dev/urandom of=/home/marco/crloop bs=1M count=640?
You will need to type a password when using cryptsetup, remember what I wrote above about the number of characters.
Before you memorize that 20+ character password — cryptsetup hashes the password by default so it does not require such a long password.
cryptsetup hashes the password by default so it does not require such a long password.
Not if you use dm-crypt which uses by default the more secure -h plain (FAQ on dm-crypt website addresses this). There are tricks to memorize long passwords, too.
Not if you use dm-crypt which uses by default the more secure -h plain (FAQ on dm-crypt website addresses this).
Are you sure you’re not mixing this up with the ECB vs. plain IV generation modes? Since that’s all I can find at http://www.saout.de/misc/dm-crypt/ .
Also, I can’t see how not using a hash could be more secure (given that a secure password is chosen in the first place). If anything, hashing should help in preventing dictionary attacks.
Compared to Mac OS X’s File Vault, which encrypts users’ home directories based on their sign in password, this cryptoloop thing is pretty useless.
While it’s true that niether Mac OS X’s /tmp or swap is encrypted, this is an easier thing to fix than this rediculous cryptoloop “automagically” working.
Does anyone know how to mount OSX encrypted .dmg files under linux? Linux supports AES-128, and HFS+, but the format of the dmg itself seems odd. Anyone know how to mix linux encryption with OSX?
I don’t see how this “cryptoloop thing” is useless. It could easily be used to have the sign-in password encrypt the home directory. It may not be in any Linux distros out of the box, but I would think anyone who has a decent amount of Linux knowledge could get this kind of functionality working. Why would you want to do this though? No one else should have access to your home directory anyway unless they have root access. Assuming someone has root access, they could decrypt your user password, and then unencrypt your home directory. So it really does….nothing.
A far better and I think much slicker method for encrypting a home directory, would be to have it check for a private key on an automountable device, and unencrypt your home directory on login with this information. This would allow you to store your private key on a usb drive or compact flash card(like a passive token), creating the need to have the device to decrypt the home directory or whatever else you wanted to have encrypted.
I can especially recommend loop-aes combined with a GPG key which then is (preferably) kept on a usbkey or similar. This also keeps you from entering a 20 char passwort which loop-aes demands (as would recompiling
.
Paragraph 7.2 in the loop-aes doc describes this: http://loop-aes.sourceforge.net/loop-AES.README
Despite this being in plain text format it is good documentation, but still all this is something better left to the advanced linuxuser, I also wrote my own startupscripts for this.
Also I know dm-crypt is “the next big thing” but I still have to find out how to do this gpg interation with it.
And about mounting on login (with the user password) I think there are plans for libpam integration, and root cannot simply find out a users password since it’s hashed (though root could simple eavesdrop the loginprocess).
I liked the article, especially the dm-crypt information.
However if you go here
http://www.tldp.org/HOWTO/Cryptoloop-HOWTO/cryptoloop-introduction….
it clearly states that cryptoloop is deprecated and no longer maintained.
The main loss that I see (correct me if I’m wrong) is with dm-crypt you have to use a partition, you can’t just use a ‘container’ file in a partition.
… just use the loopback devices
losetup /dev/loop9 /mimble/bimble/baz
makes the file /mimble/bimble/baz appear as a loopbacked block device, suitable for dm-crypto
And about mounting on login (with the user password) I think there are plans for libpam integration, and root cannot simply find out a users password since it’s hashed (though root could simple eavesdrop the loginprocess).
Yes root could find out the user password, root could simply decrypt the hash, using something such as john or l0phtcrack. It only takes like a couple minutes a password(I mean long password including numbers and symbols) and if you got a lot of time even a slow machine can crack hundreds of passwords in a night,