Encrypted disks (or container files) on the MyBook World


There are two relevant methods of encrypting disks (or partitions, or container files) with Linux in general:

  1. With the loopback device
  2. With dm-crypt

This document describes both variants with their advantages and disadvantages, as well as a special variant of dm-crypt called LUKS.

Encryption with the loopback device (/dev/loopX)

Encryption with the loopback device is the simplest variant which needs only the following prerequisites:

To use an encrypted container file for example, you would type something like:

root@mybook:~# modprobe loop
root@mybook:~# modprobe cryptoloop
root@mybook:~# losetup -e aes /dev/loop0 containerfile
Password:
root@mybook:~# mke2fs /dev/loop0   # or continue using the volume here

Instead of the container file, you could of course also use a whole disk or a disk partition. This method works well if you are the only person who needs to access the encrypted volume (i.e. there is only ONE password). If you want to use container files, you need the loop device in any case, since the other methods work on block devices only.

Encryption using cryptsetup

cryptsetup can be used to configure any block device as an encrypted filesystem. WARNING: All data on the block device will get DESTROYED when you initialise the mapper device with the luksFormat command!
If you want to use this on a container file (because you don't want to or can't create a separate encrypted block device, e.g. a separate partition), you need to use losetup to bind the container file to a loop device first.

To initialise a LUKS container, execute this command:

root@mybook:~# cryptsetup luksFormat /dev/example_blockdevice
Enter LUKS password: foobar

To open an encrypted LUKS container, enter:

root@mybook:~# cryptsetup luksOpen /dev/example_blockdevice myvolumename
Enter LUKS password: foobar
key slot 0 unlocked.
root@mybook:~# ls -l /dev/mapper/myvolumename
brw-r----- 1 root root 254, 0 Jan 1 1970 /dev/mapper/myvolumename

When using this volume for the first time, the filesystem needs to be created:

root@mybook:~# mke2fs /dev/mapper/myvolumename

Then you can work with this device like any hard disk partition:

root@mybook:~# mount -t ext2 /dev/mapper/myvolumename /mnt

When you are done, don't forget to remove the device:

root@mybook:~# cryptsetup luksClose myvolumename
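The whole LUKS-on-a-container-file procedure above (losetup, luksFormat, luksOpen, mke2fs, mount, and the reverse on close), wrapped in shell functions as an added example; it is not code from the MyBook World page. It goes one step beyond the page by probing for an existing LUKS header before luksFormat is run, which is the check that guards against the data loss the warning above describes. The container path, loop device, mapper name and mount point are caller-supplied placeholders, and the tools used (cryptsetup, losetup, dd, od, mke2fs) are assumed to be installed; the create and close functions need root, the header probe does not.

```shell
#!/bin/sh
# Added example, not from the MyBook World page: the page's LUKS procedure as
# shell functions plus a pre-format safety probe.
# Assumptions: cryptsetup, losetup, dd, od and mke2fs are available; the loop
# device, container path, mapper name and mount point are supplied by the caller.

# First six bytes of a LUKS1 or LUKS2 primary header: "LUKS" 0xBA 0xBE.
LUKS_MAGIC_HEX="4c554b53babe"

# Return 0 if the file or block device starts with the LUKS magic, 1 otherwise.
# Run this before luksFormat, which destroys whatever the device holds.
has_luks_header() {
    magic=$(dd if="$1" bs=6 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "$LUKS_MAGIC_HEX" ]
}

# luks_container_create FILE SIZE_MB LOOPDEV NAME MOUNTPOINT
# Creates FILE if absent, binds it to LOOPDEV, formats it with LUKS, opens it
# as /dev/mapper/NAME, makes an ext2 filesystem on it and mounts it.
# cryptsetup asks for the passphrase on the terminal, as on the page.
luks_container_create() {
    file=$1 size_mb=$2 loopdev=$3 name=$4 mountpoint=$5
    if [ -e "$file" ] && has_luks_header "$file"; then
        echo "refusing: $file already holds a LUKS header; luksFormat would destroy it" >&2
        return 1
    fi
    if [ ! -e "$file" ]; then
        dd if=/dev/zero of="$file" bs=1M count="$size_mb" 2>/dev/null || return 1
    fi
    losetup "$loopdev" "$file"             || return 1
    cryptsetup luksFormat "$loopdev"       || return 1
    cryptsetup luksOpen "$loopdev" "$name" || return 1
    mke2fs -q "/dev/mapper/$name"          || return 1
    mkdir -p "$mountpoint"                 || return 1
    mount -t ext2 "/dev/mapper/$name" "$mountpoint"
}

# luks_container_close NAME MOUNTPOINT LOOPDEV
# Reverse order of create: unmount, close the mapper device, free the loop device.
luks_container_close() {
    name=$1 mountpoint=$2 loopdev=$3
    umount "$mountpoint"         || return 1
    cryptsetup luksClose "$name" || return 1
    losetup -d "$loopdev"
}

# Command-line entry point; does nothing when sourced or run without arguments.
case "${1:-}" in
    create) shift; luks_container_create "$@" ;;
    close)  shift; luks_container_close "$@" ;;
    probe)  shift
            if has_luks_header "$1"; then echo "LUKS header present"; else echo "no LUKS header"; fi ;;
esac
```

Usage (as root, with placeholder paths): `sh luks_container.sh create /path/to/secret.img 256 /dev/loop0 secret /mnt/secret` builds and mounts the volume, `sh luks_container.sh close secret /mnt/secret /dev/loop0` tears it down, and `sh luks_container.sh probe /dev/sda2` tells you whether a device already carries a LUKS header before you touch it with luksFormat.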