The ultimate protection for your files!

Jun 12, 2007 14:58 GMT  ·  By

Have you ever dreamed of having the ultimate protection for your computer? Of course you have, especially if you keep sensitive files that you don't want anybody else to see. Well, your dream can come true with the help of an encrypted filesystem: one that resides on an encrypted disk or partition. There are many ways to create such an encrypted filesystem, but today I am going to show you an easy method of using one to protect your data.

There are also a lot of tools to encrypt your filesystem, all free, but some of them have weaknesses. So, I've chosen dm-crypt (the device-mapper crypto target), which provides transparent encryption of block devices with the help of the CryptoAPI found in the Linux 2.6 kernel.

We will use 256-bit AES (Advanced Encryption Standard) encryption, so make sure that your kernel has AES support loaded. Open a console and type:

    cat /proc/crypto

I've got the following result:

    ~$ cat /proc/crypto
    name         : md5
    driver       : md5-generic
    module       : kernel
    priority     : 0
    refcnt       : 1
    type         : digest
    blocksize    : 64
    digestsize   : 16

Which is not good! So, if you get the same result, type the following command to activate the AES module:

    sudo modprobe aes

Now if I type cat /proc/crypto again, I get the following result:

    ~$ cat /proc/crypto
    name         : aes
    driver       : aes-generic
    module       : aes
    priority     : 100
    refcnt       : 1
    type         : cipher
    blocksize    : 16
    min keysize  : 16
    max keysize  : 32

    name         : md5
    driver       : md5-generic
    module       : kernel
    priority     : 0
    refcnt       : 1
    type         : digest
    blocksize    : 64
    digestsize   : 16

Which shows me that the AES module was successfully loaded. You also have to install two more tools, dmsetup and cryptsetup:

    sudo apt-get install dmsetup cryptsetup

Now let's load the dm-crypt module:

    sudo modprobe dm-crypt

To see whether the device-mapper has recognized the dm-crypt module and added crypt as an available target, type the following command:

    sudo dmsetup targets

I've got the following result:

    ~$ sudo dmsetup targets
    crypt            v1.3.0
    striped          v1.0.2
    linear           v1.0.2
    error            v1.0.1

Which shows me that crypt was added to available targets and I can continue with the encryption process.

You need to set up a block device and mount it as an encrypted logical volume. First, let's create a logical volume with cryptsetup and bind the block device to it:

MAKE SURE THE PARTITION IS UNMOUNTED AND EMPTY BEFORE YOU TYPE THE FOLLOWING COMMAND

    sudo cryptsetup -y create securedata /dev/sdb4

In the example above, I've chosen the name securedata for the logical volume, but you can choose whatever name you want. /dev/sdb4 is the partition I've chosen to encrypt, so first check with sudo fdisk -l which partition you want to encrypt.

You will be asked for a passphrase (twice), so be careful what you type (don't forget it, or you will lose everything on the encrypted partition).

    ~$ sudo cryptsetup -y create securedata /dev/sdb4
    Enter passphrase:
    Verify passphrase:

Then you should verify that the logical volume was created, so type the following command:

    sudo dmsetup ls

I've got the following result:

    ~$ sudo dmsetup ls
    securedata      (254, 0)

Now, if you type:

    ls -l /dev/mapper

you will see that device-mapper created a virtual block device under /dev/mapper, which is transparently encrypted:

    ~$ ls -l /dev/mapper/
    total 0
    crw-rw---- 1 root root  10, 61 2007-06-12 16:47 control
    brw-rw---- 1 root disk 254,  0 2007-06-12 17:07 securedata

Create an ext3 filesystem on the virtual block device:

    sudo mkfs.ext3 /dev/mapper/securedata

Create a mount point under /mnt:

    sudo mkdir /mnt/securedata

Mount the virtual block device:

    sudo mount -t ext3 /dev/mapper/securedata /mnt/securedata

And finally, change the owner of the mount point, so you can have full access to the encrypted partition with your username:

    sudo chown yourusername /mnt/securedata

Congratulations! Now you have an encrypted partition to store all your sensitive files. All the data you write to /mnt/securedata will be transparently encrypted before being written to the hard drive, and the whole content will be decrypted on the fly every time you read it.
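Before running the sequence above on a real machine, a practitioner would want to script the three checks the article performs by hand (AES cipher present in /proc/crypto, crypt target listed by dmsetup targets, and the partition unmounted, as the warning demands) so that cryptsetup is never pointed at a live partition by mistake. The following is an added example, not code from the original article; the function names, the awk parsing and the constructed sample outputs are my own assumptions, and the live preflight function needs sudo just as the article's commands do.

```shell
# Added example, not from the original article: pre-flight checks for the
# dm-crypt procedure above. Each check reads the relevant kernel or tool
# output from stdin, so it can be exercised on constructed text without root.

# Is a cipher named $1 (e.g. "aes") registered?  stdin = /proc/crypto
crypto_has_cipher() {
    awk -v want="$1" '
        $1 == "name" { name = $3 }
        $1 == "type" && $3 == "cipher" && name == want { found = 1 }
        END { exit !found }'
}

# Does device-mapper offer target $1 (e.g. "crypt")?  stdin = dmsetup targets
dm_has_target() {
    awk -v want="$1" '$1 == want { found = 1 } END { exit !found }'
}

# Is block device $1 currently mounted?  stdin = /proc/mounts
device_is_mounted() {
    awk -v dev="$1" '$1 == dev { found = 1 } END { exit !found }'
}

# Run all three checks against the live system before cryptsetup touches $1.
preflight() {
    dev="$1"
    crypto_has_cipher aes < /proc/crypto ||
        { echo "AES cipher not loaded (try: sudo modprobe aes)" >&2; return 1; }
    sudo dmsetup targets | dm_has_target crypt ||
        { echo "crypt target missing (try: sudo modprobe dm-crypt)" >&2; return 1; }
    device_is_mounted "$dev" < /proc/mounts &&
        { echo "$dev is mounted; unmount it before cryptsetup create" >&2; return 1; }
    echo "ok: $dev is unmounted and dm-crypt with AES is available"
}
# Constructed sample outputs, modelled on the article's terminal sessions.
SAMPLE_CRYPTO_MD5_ONLY='name : md5
driver : md5-generic
type : digest'
SAMPLE_CRYPTO_WITH_AES='name : aes
driver : aes-generic
type : cipher
name : md5
type : digest'
SAMPLE_TARGETS='crypt v1.3.0
striped v1.0.2
linear v1.0.2'
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sdb4 /media/disk ext3 rw 0 0'
# Usage: sh preflight.sh /dev/sdb4   (live checks; needs sudo for dmsetup)
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

Run it with the partition as its only argument; with no argument it only defines the functions and samples, so the parsers can be tried against the constructed text first.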

To automatically mount this partition every time you boot up your PC, add the following line to the /etc/fstab file:

    /dev/mapper/securedata /mnt/securedata ext3 noauto,noatime 0 0

For easy access to the encrypted partition, you can create a shortcut on the desktop. If you have KDE, right click on the desktop, go to Create new -> Link to Location (URL), enter a desired name for the shortcut (e.g. My Secure Data), add the location, which is obviously /mnt/securedata and click OK. Now you should have a new icon on the desktop, called My Secure Data. Right click on it, go to Properties, click on the question mark icon and select a pretty icon for your shortcut.

I'll get back soon with another guide on how to have an encrypted Ubuntu operating system. Until then, test this one. Enjoy!