Loop-AES

This document describes how I encrypted a USB flash memory pen using Loop-AES. There are different ways to encrypt a filesystem: I hope this helps to suggest alternatives or better ways to do it.

I'm using Debian GNU/Linux and a 2.6.x kernel.

Before starting, you may want to back up the current content of your USB flash memory pen: create a mirror somewhere, for example using rsync.

Install the following packages:
loop-aes-ciphers-source
loop-aes-source
loop-aes-utils

You also need the gnupg and sg3-utils packages installed.

Unpack the module sources installed under /usr/src: loop-aes.tar.bz2 and loop-aes-ciphers.tar.bz2. They are unpacked automatically into /usr/src/modules/loop-aes and /usr/src/modules/loop-aes-ciphers.

Recompile the new modules the Debian way:
make-kpkg modules_image

Your new Debian packages are under /usr/src:
loop-aes-2.6.x...i386.deb
loop-aes-ciphers-2.6.x...i386.deb

Install them using
dpkg -i /usr/src/loop-aes-2.6.x...i386.deb /usr/src/loop-aes-ciphers-2.6.x...i386.deb

As a non-root user, create a key (choose your preferred file name):
head -c 2880 /dev/urandom | uuencode -m - | head -n 65 | tail -n 64 | gpg --symmetric -a > mykey.asc

You'll be asked to specify a passphrase: choose a good one!

Back up your key in a secure place. Copy it to a good location, for example your home directory. Restrict file permissions:
chmod go-rwx mykey.asc

You're ready to create a new encrypted filesystem. Detect your device by using:
sg_map -i

In my case I have:
/dev/sg0 /dev/sda Generic USB Flash Disk 2.23

so I will use the /dev/sda device.

As root, create the filesystem:
losetup -e AES128 -K mykey.asc /dev/loop0 /dev/sda
mkfs.ext2 /dev/loop0

(When you invoke losetup, you'll be asked for your passphrase.)

Mount your new filesystem and you're ready to use it. For example:
mount -t auto /dev/loop0 /mnt

You can also restore your previous rsync-ed backup on your USB flash memory pen now.

When finished, unmount your device:
umount /mnt
losetup -d /dev/loop0

Here is a script used to mount your encrypted device. You can modify and improve it according to your needs.
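#!/bin/bash
# Take the device node (second column) from the sg_map line for the flash disk.
MNTDEVICE=$(sg_map -i | grep "USB Flash Disk" | awk '{print $2}')

if [ -z "$MNTDEVICE" ]; then
    echo "Device not found!"
    exit 1
fi

# Attach the encrypted device to /dev/loop7 (asks for the passphrase), then mount it.
losetup -e AES128 -K /path/to/your/key/mykey.asc /dev/loop7 "$MNTDEVICE" && mount -t auto /dev/loop7 /path/to/your/mount/dir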
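
The mount script above trusts whatever line matches "USB Flash Disk" and never looks at the key file. The following pre-flight checks are an added example, not part of the original text: the helper names find_device and key_is_private are hypothetical, and the sg_map lines are constructed samples.

```shell
#!/bin/sh
# Added example: pre-flight checks for the mount script (hypothetical helpers).

# Read `sg_map -i` output on stdin and print the block device (second column)
# of the only line containing the description $1. Fail if zero or several
# lines match, so losetup is never pointed at the wrong disk.
find_device() {
    awk -v pat="$1" '
        index($0, pat) { n++; dev = $2 }
        END {
            if (n != 1) {
                printf "expected exactly 1 matching device, found %d\n", n > "/dev/stderr"
                exit 1
            }
            print dev
        }'
}

# Succeed only if the key file exists and grants nothing to group or others,
# i.e. the state left by `chmod go-rwx mykey.asc`.
key_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample: the line shown on this page plus one unrelated disk.
SAMPLE_ONE='/dev/sg0 /dev/sda Generic USB Flash Disk 2.23
/dev/sg1 /dev/sdb ATA Example Disk 1.0'

# Constructed sample: two identical sticks plugged in at the same time.
SAMPLE_TWO='/dev/sg0 /dev/sda Generic USB Flash Disk 2.23
/dev/sg1 /dev/sdb Generic USB Flash Disk 2.23'

# Demo on the constructed samples (no real device or key is touched).
printf '%s\n' "$SAMPLE_ONE" | find_device "USB Flash Disk"   # prints /dev/sda
printf '%s\n' "$SAMPLE_TWO" | find_device "USB Flash Disk" || echo "refusing to guess"

# In the mount script these would be used as:
#   MNTDEVICE=$(sg_map -i | find_device "USB Flash Disk") || exit 1
#   key_is_private /path/to/your/key/mykey.asc || exit 1
```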

Another useful script to unmount your device:
#!/bin/bash
# Unmount the filesystem, then detach the loop device.
umount /path/to/your/mount/dir
losetup -d /dev/loop7


Note
This text is not mine. At least I don't remember writing it! :P Any copyright violation should be sent to mail at confighell.com.