How to create a portable encrypted file system on a loop file

Here I’m going to explain how to create an encrypted file system on a loop file. I also have an encrypted file system on an LVM partition, but keeping it in a file has advantages: you can copy the encrypted file to another PC and mount the file system there (a portable encrypted file system), and it works when you are, for example, on a server where you can’t create a new partition.

I do this with LUKS (Linux Unified Key Setup).

This “how to” is for Debian or Ubuntu but if you have another GNU/Linux distribution, it shouldn’t be too different, just install the packages like you always do.

First of all, use apt to install these packages:

apt-get install lvm2 cryptsetup e2fsprogs

Now let’s create, for example, a 500MB file:

dd if=/dev/zero of=/home/you/cryptfile bs=1M count=500

Associate it with a loop device:

losetup /dev/loop0 /home/you/cryptfile

(if you have /dev/loop0 in use, just use another, like /dev/loop1, /dev/loop2, …)

Fill the file with random data:

badblocks -s -w -t random -v /dev/loop0

Using badblocks is better than creating the file from /dev/urandom.

If you haven’t loaded the kernel module for the encryption you want, load it:

modprobe blowfish

When I wrote this, the default encryption algorithm was AES (if you prefer it, use “modprobe aes”).

Create the encrypted file system associated with the loop device:

cryptsetup -y luksFormat -c blowfish -s 256 /dev/loop0
cryptsetup luksOpen /dev/loop0 crypt_fun
mkfs.ext3 -j /dev/mapper/crypt_fun
e2fsck -f /dev/mapper/crypt_fun

In this case I create an ext3 file system; you can choose any other.

You can also use another encryption algorithm with other options.

Try “man mkfs.ext3” and “man cryptsetup” to see different parameters and options.

Create a folder to mount the encrypted file system:

mkdir /media/fun

I made a couple of scripts to mount and unmount the file system:

mountCrypt.sh:

………………………………………

#! /bin/sh

(losetup /dev/loop0 /home/you/cryptfile || echo) && (cryptsetup luksOpen /dev/loop0 crypt_fun && mount /dev/mapper/crypt_fun /media/fun)
………………………………………

umountCrypt.sh:

………………………………………

#! /bin/sh

umount /media/fun && cryptsetup luksClose crypt_fun && losetup -d /dev/loop0
………………………………………
And that’s all, you have your portable encrypted file system ready!
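
A more defensive version of the two scripts above, as an added example that is not the author's code: it asks losetup for the first free loop device instead of hard-coding /dev/loop0, checks for a LUKS header before opening, and undoes the earlier steps if a later one fails. The function names crypt_mount and crypt_umount are hypothetical; the file path, mapping name and mount point are the ones used on this page.

```shell
#!/bin/sh
# Added example (not the author's script). Defaults are the values used on
# this page; override them through the environment on another machine.
CRYPTFILE="${CRYPTFILE:-/home/you/cryptfile}"
MAPNAME="${MAPNAME:-crypt_fun}"
MOUNTPOINT="${MOUNTPOINT:-/media/fun}"

crypt_mount() {
    # Attach to the first free loop device; --show prints the one chosen.
    loopdev=$(losetup --find --show "$CRYPTFILE") || return 1
    # Stop early if the file does not carry a LUKS header.
    if ! cryptsetup isLuks "$loopdev"; then
        losetup -d "$loopdev"
        return 2
    fi
    # Wrong passphrase or a busy mapping name: release the loop device.
    if ! cryptsetup luksOpen "$loopdev" "$MAPNAME"; then
        losetup -d "$loopdev"
        return 3
    fi
    # If mounting fails, close the mapping so no decrypted device stays open.
    if ! mount "/dev/mapper/$MAPNAME" "$MOUNTPOINT"; then
        cryptsetup luksClose "$MAPNAME"
        losetup -d "$loopdev"
        return 4
    fi
    echo "$loopdev"
}

crypt_umount() {
    # "losetup -j FILE" lists loop devices backed by FILE as "/dev/loopN: ...".
    loopdev=$(losetup -j "$CRYPTFILE" | cut -d: -f1 | head -n 1)
    umount "$MOUNTPOINT" || return 1
    cryptsetup luksClose "$MAPNAME" || return 2
    if [ -n "$loopdev" ]; then
        losetup -d "$loopdev"
    fi
}

# Run as root: "sh crypt.sh mount" or "sh crypt.sh umount".
case "${1:-}" in
    mount)  crypt_mount ;;
    umount) crypt_umount ;;
esac
```
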

  1. man, what a hassle… encfs is the real deal.

  2. You could have jumped one step on filling the device with random data doing it in the first place like

    dd if=/dev/urandom of=/home/you/cryptfile bs=1M count=500

    substituting /dev/zero with /dev/urandom, ok anyway!!!

  3. You are right gabrix but I used badblocks to prevent the creation of filesystem over some bad block of the device.

    But now that I’m thinking about that, I replicated the method that I used to create an encrypted partition to create an encrypted file. I don’t know if badblocks can detect bad sectors when the device used is a file, not a real device… maybe not…

    Thanks for your comment.

    • yuvi
    • October 28th, 2012

    How do I resize such a partition?

  1. November 15th, 2007
  2. June 2nd, 2009