Update: since cryptoloop is vulnerable and no longer maintained, I don't recommend the approach below for creating encrypted filesystems if you require strong security. Use TrueCrypt to create an encrypted filesystem within a file instead.
Today it came to my mind that it is time to encrypt the sensitive information stored on my USB flash drive while keeping it transportable and easy to use. But I don't want my whole 32 GB USB drive fully encrypted with TrueCrypt or something similar. It is just too slow. I also don't want to use GPG to decrypt and unpack files and directories every time I want to read them and then create a new GPG archive every time I save changes. This eats too much of my time and system resources. At the same time I need to be able to use that USB drive (read and write files) under Windows, Mac, Linux, whatever, but still keep my directory structure with sensitive files encrypted. Here is the solution: create an encrypted filesystem within a file named, say, 16GB.candy.bin, which can be stored on a regular Windows-formatted USB flash drive and then mounted under Linux with a password.
When necessary I can mount that 16GB.candy.bin as a regular ext3 filesystem with everything ext3 offers, like permissions and ownership, that FAT or NTFS lack. On my Windows-formatted flash drive the candy takes only 16 GB, so I can use the rest of the space for not-so-sensitive data like mp3s, movies or photos. Moreover, I can read that rest of the drive on Windows or Linux.
Let's create that 16GB.candy.bin file with an encrypted ext3 filesystem inside (read the explanations below carefully before just copying and pasting the commands into the CLI):
[root@artemn root]# cd /path/to/candy/
[root@artemn root]# modprobe cryptoloop
[root@artemn root]# modprobe aes
[root@artemn root]# dd if=/dev/urandom of=16GB.candy.bin bs=1048576 count=16000
[root@artemn root]# losetup -e aes /dev/loop0 16GB.candy.bin
[root@artemn root]# mkfs.ext3 /dev/loop0
[root@artemn root]# tune2fs -i 0 -c 0 /dev/loop0
Here are some points. The commands above create an encrypted file of 16 GB; if you need more or less, just change "count=16000" in the dd line: "count=16000" means 16 GB, so "count=20" means 20 MB. The path "/path/to/candy/" is only an example, so change it to a real directory with enough room for the encrypted file (16 GB in the example above). The losetup command is present in most Linux distributions (by the way, I recommend Ubuntu, especially the newly released Lucid Lynx), but if it is missing, use your distro's package manager to install it or compile it from source (for super geeks only; Mr. Stallman, if you read this article: hello). You can replace "/dev/urandom" in the dd line with "/dev/zero", which makes that command finish faster but lowers the security of the resulting file: blocks that are never written stay as plain zeros, so anyone holding the file can see which parts of the container actually contain data (read about AES for a better understanding). You will be asked for the password when running the losetup command, so make sure it is safe and long enough, like '6U2sAsR37Hn8122dGsaPrew1twt', and not 'abc123' or 'iloveyou'.
Once the commands are done you get 16GB.candy.bin containing an encrypted ext3 filesystem. You can store this file wherever you want, say, on a flash drive. If you lose it, nobody will be able to open it unless they crack the AES encryption (use long passwords to prevent this). The next step is to mount the filesystem and store some files and directories in it:
[root@artemn root]# mkdir -p /mnt/candy
[root@artemn root]# cd /path/to/candy/
[root@artemn root]# mount -t ext3 -o loop,encryption=aes 16GB.candy.bin /mnt/candy
[root@artemn root]# cd /mnt/candy
[root@artemn root]# #save files, edit them, view or anything you want
[root@artemn root]# cd /
[root@artemn root]# umount /mnt/candy
When you unmount 16GB.candy.bin the changes are already saved in it, so there is no need to compress and encrypt anything, unlike with GPG.
P.S. This post is inspired by the Loopback tricks article. Thanks to the author. Good luck!
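Given the update at the top, here is the same create/mount/unmount procedure as an added example (not the post's own commands) on dm-crypt/LUKS via cryptsetup, the maintained kernel replacement for cryptoloop that keeps the file-on-a-FAT-stick workflow. The CANDY_* variable names, the DRY_RUN switch and ext4 in place of ext3 are this example's own choices.

```shell
#!/bin/sh
# Added example (not the post's commands): the same create/mount/unmount steps
# on dm-crypt/LUKS via cryptsetup instead of the unmaintained cryptoloop module.
# CANDY_* names and the DRY_RUN switch are this example's own conventions.
set -u
CANDY_FILE="${CANDY_FILE:-16GB.candy.bin}"   # container file on the FAT stick
CANDY_MAP="${CANDY_MAP:-candy}"              # opens as /dev/mapper/candy
CANDY_MNT="${CANDY_MNT:-/mnt/candy}"         # mount point
DRY_RUN="${DRY_RUN:-0}"                      # DRY_RUN=1 prints commands only

run() {   # print the command in dry-run mode, otherwise execute it
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}
need_root() {
    [ "$DRY_RUN" = 1 ] && return 0
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
}
# candy_create <MiB>: random fill (unused blocks look like ciphertext),
# LUKS header with a passphrase prompt, then ext4 on the mapped device.
candy_create() {
    need_root || return 1
    size_mib=${1:?size in MiB required}
    run dd if=/dev/urandom of="$CANDY_FILE" bs=1048576 count="$size_mib"
    run cryptsetup luksFormat "$CANDY_FILE"           # asks for the passphrase
    run cryptsetup luksOpen "$CANDY_FILE" "$CANDY_MAP"
    run mkfs.ext4 "/dev/mapper/$CANDY_MAP"
    run tune2fs -i 0 -c 0 "/dev/mapper/$CANDY_MAP"    # no forced periodic fsck
    run cryptsetup luksClose "$CANDY_MAP"
}

candy_mount() {
    need_root || return 1
    run mkdir -p "$CANDY_MNT"
    run cryptsetup luksOpen "$CANDY_FILE" "$CANDY_MAP"
    run mount -t ext4 "/dev/mapper/$CANDY_MAP" "$CANDY_MNT"
}

candy_umount() {
    need_root || return 1
    run umount "$CANDY_MNT"
    run cryptsetup luksClose "$CANDY_MAP"   # the key leaves the kernel here
}

case "${1:-}" in
    create) candy_create "${2:-16000}" ;;   # 16000 MiB, as in the post
    mount)  candy_mount ;;
    umount) candy_umount ;;
    *)      echo "usage: $0 create [MiB] | mount | umount" >&2 ;;
esac
```

Try it first with DRY_RUN=1 to see the exact command sequence before running it as root.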