A blog on Computer Science, Security, Programming, and more...

HeapSpray Blog » Linux » View Post


Creating Encrypted Virtual Volumes in Linux

Written by Matt

Here's how to create a "drive inside a file", the way TrueCrypt does, but using tools that are already included by default on most Linux distributions.

First, create the file that you will use as the drive using the command dd:

dd if=/dev/zero of=drive.bin bs=1048576 count=1024

The above creates a 1GB file called "drive.bin" filled with zeros, the block size being 1MB (1024*1024), and the number of blocks being 1024, which is exactly 1GB.

All the steps now will need to be run as root. We now need to associate the file with a drive using the loop device tool losetup:

losetup /dev/loop0 ./drive.bin

Now we use cryptsetup, the front-end that provides all disc encryption capabilities on Linux through dm-crypt, to initialize the virtual volume we just made and set a key for it:

cryptsetup -s 256 -y luksFormat /dev/loop0

This will overwrite data on /dev/loop0 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: [Enter password]
Verify passphrase: [Re-enter password]

Next, we use cryptsetup once again to "open" the volume and associate it to the device mapper, after the following command, the drive will show up in /dev/mapper/cryptvol:

cryptsetup luksOpen /dev/loop0 cryptvol
Enter passphrase for /dev/loop0: [Enter password]

The last step is to take your virtual drive you've just mapped and format it using your preferred filesystem, I use XFS here:

mkfs.xfs -f /dev/mapper/cryptvol

Now mount it, and use it as you would use a regular drive. The file /dev/mapper/cryptvol is seen by the system as an actual disk device. So you just have to run the following:

mkdir /media/cryptvol
mount /dev/mapper/cryptvol /media/cryptvol

That's it, now we have an XFS formatted virtual volume that's stored inside a file, associated as a loop device, and mapped through cryptsetup providing it with encryption. You can treat the folder /media/cryptvol just as you would a mounted drive. After you're done putting data or reading it, just do the following:

umount /media/cryptvol
cryptsetup luksClose cryptvol
losetup -d /dev/loop0

The first command unmount the userland level drive, the second command disassociates the mapper volume, and the last command removes the loop0 loop device from use.

The next time you want to mount the drive, just do the following:

losetup /dev/loop0 ./drive.bin
crypsetup luksOpen /dev/loop0 cryptvol
Enter passphrase for /dev/loop0: [Enter password]
mount /dev/mapper/cryptvol /media/cryptvol

And that's it, you now have a file that is encrypted with AES in cbc-essiv:sha256 mode that can be mounted as a volume. You can use a tool like hexedit to check that the data you put on the virtual volume is indeed encrypted.

Topic: Linux tags: linux, encryption
  • Name and Email fields are optional
  • Your email will not be public, only the administrator can see it
  • You are rate limited to one comment for every 10 minutes