I was really fascinated by the stuff I have read about Truecrypt. I wanted to try that but I had two reasons to not do that. First, I had nothing really to hide; second, I thought my poor hp mini won’t be able to handle encrypting a partition, if not the whole disk. And also I was lazy. My close friends, bro and sis know my password anyway. Sis won’t find anything I don’t want her to and I have no problem with others finding those. So the only reason I’d try encrypting is curiosity.
One day I was struck by a fireball of curiosity. And I was looking for ways to make a portable, encrypted disk I can even put in Dropbox [referral link]. I found a few good howtos with a lot of details but what I’m going to put together will be an easier howto for a better virtual disk that is encrypted on-the-fly.
I am using Ubuntu 10.04 Lucid Lynx so there may be a few leetle Ubuntu-specific things that I’m not sure of. The process has commands that can destroy your data if not used with care. I have tried this and it works perfect for me. If you manage to screw things up in the process that should be purely because you are stupid or careless or even both. And that was my disclaimer.
Alright let’s go make it.
We need dmsetup and cryptsetup installed for this.
$ sudo aptitude install dmsetup cryptsetup
Once the installation process is finished we can start making our encrypted virtual disk.
First we create a file with random data in it. You can choose a size that matches your needs. In this example I’m making a 20MB virtual disk so I will create a 20MB file in this step.
$ dd if=/dev/urandom of=~/sekret bs=1M count=20
Here, the dd command creates 20 blocks of 1MB each and fills them with random data. ~/sekret means that we create the file named sekret in your home directory. You can choose a file name you like and also a path you like.
Next we need to create a block device from the file. For that find a free loop device with
$ sudo losetup -f
And use that loop device and create the block device. Let’s assume /dev/loop0 is free.
$ sudo losetup /dev/loop0 ~/sekret
Now we need to luks format the device. FYI: LUKS stands for Linux Unified Key System.
$ sudo cryptsetup luksFormat -c aes-cbc-essiv:sha256 /dev/loop0
This will warn you that the data in /dev/loop0 are gonna be overwritten. Hope you are confident enough to say yes. Then you are required to enter a pass-phrase for this encrypted disk. Choose a powerful pass-phrase here. And then confirm the pass-phrase. The process will report success if we are lucky.
Map the crypto partition using
$ sudo cryptsetup luksOpen /dev/loop0 mycrypt
To be sure about the success run
$ sudo dmsetup ls
This will output something like mycrypt (252, 0).
Now we create a file system on the device we created.
$ sudo mkfs.ext3 /dev/mapper/mycrypt
This will create an EXT3 file system on the device. You can format it with your choice of file system. Once formatting finishes successfully, we have our own encrypted disk ready to use.
We can mount it (the mount point /media/sekret must already exist) with
$ sudo mount /dev/mapper/mycrypt /media/sekret
Once you are done adding juicy stuff on your device you should unmount it AND REMOVE THE DEVICE FILE.
$ sudo umount /media/sekret
$ sudo cryptsetup luksClose mycrypt
$ sudo losetup -d /dev/loop0
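Once you have created an encrypted disk, to use it next time you only have to follow the steps 2), 4) and 6): attach the file to a loop device with losetup, map it with cryptsetup luksOpen, and mount it. Once you are done using the device, unmount with step 7), the umount, luksClose and losetup -d commands above.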
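The reuse cycle described above (attach, luksOpen, mount, then tear down), written as a small bash helper. This is an added example, not the author's crysp script, and the function names are hypothetical. It checks the file's LUKS magic bytes before attaching anything, and lets losetup pick and attach a free loop device in one call (-f --show) instead of assuming /dev/loop0 is still free.

```bash
#!/bin/bash
# Added example, not the author's crysp script; function names are hypothetical.

LUKS_MAGIC_HEX="4c554b53babe"   # "LUKS" 0xBA 0xBE: first 6 bytes of a LUKS header

# Return 0 if FILE starts with the LUKS magic. Needs no root and no loop device.
is_luks_file() {
    [ -f "$1" ] || return 1
    local magic
    magic=$(dd if="$1" bs=6 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "$LUKS_MAGIC_HEX" ]
}

# Attach the loop device, luksOpen and mount. Run as root.
crypt_open() {   # crypt_open FILE NAME MOUNTPOINT
    is_luks_file "$1" || { echo "$1: not a LUKS container" >&2; return 1; }
    # -f --show finds a free loop device and attaches FILE to it in one step
    local loopdev
    loopdev=$(losetup -f --show "$1") || return 1
    if ! cryptsetup luksOpen "$loopdev" "$2"; then
        losetup -d "$loopdev"          # do not leave the loop device attached
        return 1
    fi
    mkdir -p "$3"
    if ! mount "/dev/mapper/$2" "$3"; then
        cryptsetup luksClose "$2"      # roll back in reverse order
        losetup -d "$loopdev"
        return 1
    fi
}

# Unmount, close the mapping, detach the loop device(s). Run as root.
crypt_close() {  # crypt_close FILE NAME MOUNTPOINT
    umount "$3" || return 1
    cryptsetup luksClose "$2" || return 1
    # losetup -j prints "/dev/loopN: ..." for every loop device backed by FILE
    losetup -j "$1" | cut -d: -f1 | while read -r dev; do
        losetup -d "$dev"
    done
}

# Usage: <script> open|close FILE NAME MOUNTPOINT (does nothing without arguments)
case "${1:-}" in
    open)  crypt_open  "$2" "$3" "$4" ;;
    close) crypt_close "$2" "$3" "$4" ;;
esac
```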
I have put an encrypted virtual disk in my Dropbox and it works pretty well. Maybe you’d like to try that too. To use it in Dropbox, copy the encrypted virtual disk file (~/sekret in our case) into your Dropbox directory.
I have put together a bash script to automate the process and I named it crysp :). You have to run the script as root so use sudo when running it. I might be an evil bastard trying to destroy your data so take a look at the script before you run it. With the script you can easily mount and unmount the encrypted devices similar to the usage of mount/umount commands. I have added a dirty hack to allow read/write access to the device from Nautilus.
To use this, change chanux to your login name in line 08 in the script. Find the source in its Google Code repository. There’s a version that prevents the existence of thumbnails related to the encrypted disk. Check the crysp-no-thumb branch for that.
Update: 27-01-2013 Updated the script and put it on a GitHub gist.