HOWTO: Encrypt a filesystem in a loopback file via dm_crypt:
Note: Here is the original of this text:
http://forums.gentoo.org/viewtopic.php?p=1250192
Thanks to the dm_crypt tutorial:
http://forums.gentoo.org/viewtopic.php?t=143301 (sorry if I copy some things from there)
But it took me a while to figure out how to set up a loopback file (okay, I'm still a n00b), so I thought it would be a good idea to write this short tutorial.
The Goal
Having an encrypted filesystem that is stored in a single file.
Introduction
I didn't like the idea of storing all my private files in my home directory, because you might forget to lock your screen, walk away, and somebody can take a quick look at them... Besides that, they are stored in the clear on the hard disk, so if someone has your hard drive, they have all your private files.
I stumbled upon dm_crypt and yes, that's it! I didn't like cryptoloop, because it seems that it will be replaced soon (http://kerneltrap.org/node/view/2433).
Also, I didn't find it useful to encrypt my whole root filesystem: it's quite risky, and 99% of my system is publicly available anyway, so why encrypt it? If I have a small (say perhaps 200 MB) file, I can store all my private files in it and back them up easily and safely (just burn the encrypted file; even the CIA won't recover your files without the passphrase).
Let's start
First, you need at least a 2.6.4 kernel for device mapper and dm_crypt support. Make sure you have these options enabled:
Device Drivers->Multi-device support (RAID and LVM)->
* Multiple devices driver support (RAID and LVM)
<M> Device mapper support
<M> Crypt target support
Device Drivers->Block-devices->
<M> Loopback device support
Cryptographic options->
<M> AES cipher algorithms
Of course you can use a different algorithm, but I chose aes because it's said to be quite safe. I recommend compiling these as modules.
After that, you have to create the loopback file. It's generally a good idea to fill it from /dev/urandom rather than with zeros, since starting with random content in the file is cryptographically safer. (This will create a 100 MB file at /home/secret.)
dd if=/dev/urandom of=/home/secret bs=1M count=100
Set this up as a loop device:
losetup /dev/loop0 /home/secret
Install cryptsetup (http://www.saout.de/misc/dm-crypt/cryptsetup-0.1.tar.bz2).
You'll need dev-libs/popt, sys-libs/device-mapper and >=dev-libs/libgcrypt-1.1.42. On Gentoo, Portage lists the old Gentoo 2.4 kernel as one of device-mapper's dependencies. You can avoid downloading the old kernel by running 'emerge --nodeps device-mapper'; device mapper still works fine (at least in the scope of this tutorial). This odd dependency will likely be fixed soon. If you're not using Gentoo, you can download and compile the source code for these programs, or use your distro's package manager.
If you built your kernel with dm_crypt as a module, run:
modprobe dm_crypt
(You might add dm_crypt and dm_mod to /etc/modules.autoload.d/kernel-2.6)
Set up the crypt device:
cryptsetup -c aes -y create secret /dev/loop0
Now your encrypted device is available at /dev/mapper/secret, so let's create a filesystem on it (I chose ext3):
mke2fs -j /dev/mapper/secret
Mount it:
mount /dev/mapper/secret /mnt/secret
You might add a line to your /etc/fstab:
#/etc/fstab
/dev/mapper/secret /mnt/secret ext3 noauto,noatime 0 0
That's it!
Now you can store your data there; when you're done, just:
umount /mnt/secret
cryptsetup remove secret
losetup -d /dev/loop0
If you don't call cryptsetup remove, anybody can remount it without typing the passphrase!
To gain access to the encrypted filesystem again, you might have to set up the loop device again (for example after a reboot):
losetup /dev/loop0 /home/secret
Otherwise you can just:
cryptsetup create secret /dev/loop0
mount /dev/mapper/secret /mnt/secret
Remarks
Be really careful to explicitly sync and unmount the filesystem in the file before the host filesystem is unmounted; I've lost files using the above approach for failing to do this, I think.
If you use cryptsetup with any special options when you create the mapping for the first time, you should remember to use the same options when you create the mapping to remount the system.
You might encrypt your whole /home/user directory, but that has a disadvantage: it will be mounted the whole time you sit in front of your computer, so if you walk away without locking the screen, even the best encryption is useless!
So I have a separate directory which I mount only when I need it, copy my files there, and unmount it as soon as I don't need it anymore.
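As an added example (not part of the original HOWTO), here is a small wrapper script that runs the steps above in the required order and with the same cryptsetup options every time, so the remount cannot silently use a different cipher. The paths, the "secret" mapping name and /dev/loop0 are the tutorial's; the DRY_RUN switch is my own addition so the command sequence can be checked without root.

```sh
#!/bin/sh
# Hypothetical helper, not from the original HOWTO: opens and closes the
# encrypted loopback filesystem in the order the tutorial describes.
set -eu

IMAGE=/home/secret        # loopback file, created once with dd from /dev/urandom
LOOPDEV=/dev/loop0
NAME=secret               # mapping appears as /dev/mapper/$NAME
MOUNTPOINT=/mnt/secret
# Plain dm-crypt stores no header in the file: the cipher options given here
# must be identical on every open, or the mapping silently decrypts to garbage.
CRYPT_OPTS="-c aes"
DRY_RUN=${DRY_RUN:-0}     # DRY_RUN=1 prints the commands instead of running them

run() {
    # Print the command in dry-run mode, otherwise execute it.
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

secret_open() {
    # Attach the file, create the mapping (cryptsetup asks for the passphrase),
    # then mount the decrypted block device.
    [ -f "$IMAGE" ] || { echo "image $IMAGE does not exist" >&2; return 1; }
    run losetup "$LOOPDEV" "$IMAGE"
    run cryptsetup $CRYPT_OPTS create "$NAME" "$LOOPDEV"
    run mount "/dev/mapper/$NAME" "$MOUNTPOINT"
}

secret_close() {
    # Strict reverse order. sync first (see the Remarks about lost files).
    # The cryptsetup remove step is what makes the data unreadable again:
    # while the mapping exists anyone can remount it without the passphrase.
    run sync
    run umount "$MOUNTPOINT"
    run cryptsetup remove "$NAME"
    run losetup -d "$LOOPDEV"
}

case "${1:-}" in
    open)  secret_open ;;
    close) secret_close ;;
    "")    ;;             # no verb given (e.g. sourced): define functions only
    *)     echo "usage: $0 open|close" >&2; exit 2 ;;
esac
```

Run it as root with `secret.sh open` and `secret.sh close`; `DRY_RUN=1 ./secret.sh close` shows the teardown sequence without touching anything.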
For questions about dm_crypt, look at:
http://www.saout.de/misc/dm-crypt/
Hope this tutorial is useful, if I'm wrong somewhere please correct me.