HOWTO: Encrypted USB thumb drives and (USB) hard disks using loop-AES

Yet another thing that has been on my TODO list for quite a while: encrypted USB thumb drives and/or encrypted external USB hard drives.

I have finally tried this over the weekend using loop-AES. This is very useful for securing your USB thumb drive contents in case you lose it or it gets stolen. Also, I use an external USB hard drive for backups (previously unencrypted). This is encrypted now, too.

Here's a quick HOWTO:

  1. Get the loop-AES kernel patches, apply them, enable "AES encrypted loop device support" in "Device Drivers -> Block Devices -> Loopback device support", and recompile the kernel.
    I also enabled "loop encryption key scrubbing support" as it seems to promise higher security (can anybody confirm that?).
    If you're using the Debian kernel packages, apt-get install loop-aes-2.6-686 (or a similar package) should suffice.
  2. Get a loop-AES-enabled losetup, mount, etc.:
    apt-get install loop-aes-utils
  3. Securely delete the target partition: shred -n 1 -v /dev/sda3.
    Use -n 25 or higher if you want more security and have a few days to wait for the thing to finish...
  4. Set up the loopback device: losetup -e aes256 -C 3 -S 'seed' /dev/loop0 /dev/sda3.

    • I used AES-256 as the cipher, but others are possible.
    • The -C 3 means "run hashed password through 3000 iterations of AES-256 before using it for loop encryption. This consumes lots of CPU cycles at loop setup/mount time but not thereafter." (see losetup(8)). This is supposed to be more secure.
    • Using -S 'seed' (replace "seed" with a secret string like "g7sN4" or something) should make brute force attacks a bit harder. Don't forget the seed!
    • You'll be asked for a passphrase > 20 characters. Choose a good one. Don't forget it!
  5. Create the filesystem (I used ext3): mke2fs -j /dev/loop0
  6. Detach the loopback device: losetup -d /dev/loop0
  7. Add this to /etc/fstab:
    /dev/sda3 /mnt/crypted_sda3 ext3 noauto,loop=/dev/loop0,encryption=AES256,itercountk=3 0 0
  8. Mount the (now encrypted) partition by supplying the seed and entering the chosen password: mount -o pseed=seed /mnt/crypted_sda3
  9. Done. You can now copy stuff to /mnt/crypted_sda3 which will be encrypted automatically.
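The procedure above collected into one script, added here as an example rather than taken from the post or the loop-AES project: it runs steps 3 to 8 for a given partition, refuses to shred a device that is not a block device or is currently mounted, and with DRY_RUN=1 only prints the commands it would run. The names setup_crypted, check_device, fstab_line and the SEED variable are the script's own.

```shell
#!/bin/sh
# Added helper script (not from the original post): runs the HOWTO's
# steps 3-8 against one partition. Guards: the target must be an
# unmounted block device. DRY_RUN=1 prints the commands instead of
# executing them; SEED must hold the secret string for losetup -S.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The losetup cipher name (aes256) and -C count map to the fstab
# options encryption=AES256 and itercountk=<count>.
fstab_line() {
    printf '%s %s ext3 noauto,loop=%s,encryption=%s,itercountk=%s 0 0\n' \
        "$1" "$2" "$3" "$(printf '%s' "$4" | tr a-z A-Z)" "$5"
}

# Refuse to shred anything that is not a block device or is mounted.
check_device() {
    [ -b "$1" ] || { echo "$1 is not a block device" >&2; return 1; }
    if grep -q "^$1 " /proc/mounts 2>/dev/null; then
        echo "$1 is mounted; unmount it first" >&2
        return 1
    fi
}

# usage: setup_crypted <partition> <mountpoint> [loopdev] [cipher] [itercount]
setup_crypted() {
    dev=$1; mnt=$2; loopdev=${3:-/dev/loop0}; cipher=${4:-aes256}; iter=${5:-3}
    [ "${DRY_RUN:-0}" = "1" ] || check_device "$dev"
    run shred -n 1 -v "$dev"                                  # step 3
    run losetup -e "$cipher" -C "$iter" -S "$SEED" "$loopdev" "$dev"   # step 4
    run mke2fs -j "$loopdev"                                  # step 5
    run losetup -d "$loopdev"                                 # step 6
    line=$(fstab_line "$dev" "$mnt" "$loopdev" "$cipher" "$iter")
    if [ "${DRY_RUN:-0}" = "1" ]; then                        # step 7
        printf '%s\n' "$line"
    elif ! grep -qF "$line" /etc/fstab; then
        printf '%s\n' "$line" >> /etc/fstab
    fi
    run mkdir -p "$mnt"
    run mount -o "pseed=$SEED" "$mnt"                         # step 8 (asks for the passphrase)
}
```

Run it as root with SEED set in the environment, e.g. `SEED=g7sN4 ./setup_crypted.sh /dev/sda3 /mnt/crypted_sda3`; try it first with DRY_RUN=1 to see the exact commands before anything is shredded.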

For a more detailed guide read the Encrypted-Root-Filesystem-HOWTO. A performance comparison of different ciphers is available, but in general I didn't notice too much of a slow-down because of the encryption...



Encrypted USB thumb drives and (USB) hard disks using loop-AES

I feel that dm-crypt works faster; it is also secure and can in no way be compared to loop-AES.

no need for kernel patches

loop-aes builds a module by default. there is no need for kernel patches at all.

One should use the more

One should use the more secure v3 operating mode of loop-aes with gpg-encrypted keyfiles instead of the single-key mode. The iteration count and seed only apply to the old v1 single-key mode.

look at GELI

You should really take a look at GELI on FreeBSD. There was a very, very interesting talk at 22C3 by Jacob Appelbaum (still waiting for the video) and he said: cryptoloop is shit, it has a real bad design and is a stupid implementation!

Cryptoloop and loop-aes are

Cryptoloop and loop-aes are actually two separate projects.

Loop-aes is probably more secure than dm-crypt, since loop-aes supports multi-key mode. Dm-crypt is cryptoloop's successor.


Hm, I'm using Debian, and I don't see myself switching to FreeBSD anytime soon ;) Anyways, I'll definitely watch Jacob Appelbaum's video as soon as it's available...

apt-get install cryptsetup

I suggest using cryptsetup to automate all the handling of the loop device and mounting. It's very nice and handy.



cryptsetup and loop-AES?

That package looks nice, but it's intended to be used with dm-crypt, right? Or is there a way to use it with loop-AES?

Loop-AES is said to be a bit faster and more secure than dm-crypt, that's why I chose it.