Update: as far as cryptoloop is vulnerable and is not maintained I don’t recommend using below approach for creating encrypted for for those of you who require strong security. Use truecrypt to create encrypted filesystem within a file instead.

passwords.txtToday it came to my mind that it is time to make sensitive information stored on my usb flash drive encrypted but still transportable and easy to use. But I don’t want to have whole my 32 GB usb drive fully encrypted using truecrypt or something similar. It is just toooo slow. I also don’t want to use GPG for uncompressing files and directories every time I would like to read them and then create new GPG compressed file every time I save changes. This eats too much of my time and system resources. At the same time it is necessary to be able to use that usb drive under windows, mac, linux whatever (read/write files) but still have my directory structure with sensitive files encrypted. Here is the solution: create encrypted filesystem within a file named, say, 16GB.candy.bin that could be stored on regular windows formatted usb flash drive and then mounted under Linux using the password.

When it becomes necessary I can mount that 16GB.candy.bin as the regular ext3 filesystem with all those stuff like permissions, ownership etc. that is available on ext3 but not in FAT or NTFS. On my windows formatted flash drive candy takes only 16 GB so I can use the rest of space to store not so sensitive information like mp3, movies or photos. Moreover I on windows or linux to read it.

Let’s create that 16GB.candy.bin file with encrypted ext3 filesystem (read below explanations below carefully before just to copy/paste commands into CLI):

[root@artemn root]# cd /path/to/candy/

[root@artemn root]# modprobe cryptoloop

[root@artemn root]# modprobe aes

[root@artemn root]# dd if=/dev/urandom of=16GB.candy.bin bs=1048576 count=16000

[root@artemn root]# losetup -e aes /dev/loop0 16GB.candy.bin

[root@artemn root]# mkfs.ext3 /dev/loop0

[root@artemn root]# tune2fs -i 0 -c 0 /dev/loop0

Here are some points: using above commands we create encrypted file of 16 GB so if you need to have more or less just change “count=16000” in dd line. “count=16000” means 16GB so “count=20” means 20MB. Path ‘/path/to/candy/’ is for example only so you should change it to real directory that is able to host encrypted file (16 GB in above example). Command losetup is present in most Linux distributions (btw I recommend Ubuntu especially newly released Lucid Lynx) but if it is not use your disro’s packet manager to install it or compile from sources (for super geeks only, Mr. Stallman if you read this article — Hello). Reader, you can replace “/dev/urandom” in dd line with “/dev/zero” that will make that command to finish faster but will lower security level of resulting file (read about AES for better understanding). You will need to enter the password when running losetup command so make sure it safe and long enough like ‘6U2sAsR37Hn8122dGsaPrew1twt’ but not ‘abc123’ or ‘iloveyou’.

Once commands are done you will get 16GB.candy.bin containing encrypted ext3 filesystem. You can store this file where ever you want, say, on a flash drive. If you loose it nobody won’t be able to open it until he (or she!) cracked AES encryption (use long passwords to prevent this). As the next step it is required to mount filesystem and store some files/directories in it:

[root@artemn root]# mkdir -p /mnt/candy

[root@artemn root]# cd /path/to/candy/

[root@artemn root]# mount -t ext3 -o loop,encryption=aes 16GB.candy.bin /mnt/candy

[root@artemn root]# cd /mnt/candy

[root@artemn root]# #save files, edit them, view or anything you want

[root@artemn root]# cd /

[root@artemn root]# umount /mnt/candy

When you unmount 16GB.candy.bin the changes are already saved there so it’s not required to compress and encrypt anything unlike with GPG.

P.S. This post is inspired by Loopback tricks article. Thanks to the author. Good luck!




  1. May 5, 2010  3:18 pm by Peto Reply

    And where do you store that long password which is impossible to remember?

  2. May 6, 2010  6:41 am by admin Reply

    Peto, you can use the following approach: use md5sum of some common phrase, say, "to be or not to be". Using Linux command line you can create long and secure password from any text phrase:

    <code>[artemn-laptop@artemn]$ echo "to be or not to be" | md5sum</code>

    <code>[artemn-laptop@artemn]$ f9d804763c3031cc22323d79e165b562 -</code>

  3. Pingback : Links 7/5/2010: Phoronix Test Suite 2.6; Ryzom Becomes Free Software | Techrights

  4. May 7, 2010  7:43 am by micxer Reply

    Interesting article, but at the beginning you wrote about using it with Windows and Mac as well yet all the commands are for Linux only. Is there any way to use this method on the other systems as well?

  5. May 7, 2010  11:41 am by admin Reply

    micxer, you can use flash drive at any computer with windows, mac, linux whatever but 16GB.candy.bin can be opened in Linux/Unix only. This approach means you can cut some part of flash drive, encrypt it into a file and use the rest of flash drive (that can be FAT formatted) for not sensitive data like movies or photos.

  6. May 7, 2010  8:27 pm by specnaz Reply


    Cryptoloop is deprecated. It's not safe. It's been compromised. It's not even developed anymore.

    Use cryptsetup or LUKS - not cryptoloop.

  7. May 8, 2010  7:28 am by admin Reply

    Yep, cryptoloop approach is not so secure as LUKS or truecrypt but is still makes it possible encrypt a filesystem within a file and store it on a usb flash, CD or other storages. I'm about to write an article how to create encrypted candy using truecrypt :)

  8. May 8, 2010  12:39 pm by specnaz Reply

    Well if you want to encrypt something make it properly, don't stop halfway saying - "It's good enough", unless it's nothing of true value...

    Then why to bother with encryption - just fiddle with dir permissions :D

    Anyway, dm-crypt container is good material for tutorial...


  9. December 31, 2010  10:31 pm by handbag patterns Reply

    My finest friend suggested that I take a look at your site. Thanks for the good read and I'll be back soon.

  10. February 8, 2012  8:30 pm by lipBamapafe Reply

    ugg boots, drugs whatever send me i purchase all - ok fop ? here i my adress observations

  11. March 30, 2012  6:11 pm by fruit mocking party Reply

    Hey there! This is my 1st comment here so I just wanted to give a quick shout out and say I really enjoy reading through your blog posts. Can you recommend any other blogs/websites/forums that go over the same subjects? Thank you!

Leave a reply


Your email address will not be published.