Uwe Hermann - HOWTO: Encrypted USB thumb drives and (USB) hard disks using loop-AES - Comments

Encrypted USB thumb drives and (USB) hard disks using loop-AES

Portable hard drive — Fri, 04 Dec 2009 16:48:00 +0100

I feel that dm-crypt works faster, it is also secure and no way be compared by Loop-Aes.

Cryptoloop and loop-aes are

Anonymous — Wed, 18 Feb 2009 00:27:33 +0100

Cryptoloop and loop-aes are actually two separate projects.

http://mareichelt.de/pub/notmine/linuxbsd-comparison.html

Loop-aes is probably more secure than dm-crypt, since loop-aes supports multi-key mode. Dm-crypt is cryptoloop's successor.

no need for kernel patches

Anonymous — Sat, 10 Mar 2007 02:27:49 +0100

loop-aes builds a module by default. there is no need for kernel patches at all.

One should use the more

Anonymous — Fri, 10 Feb 2006 20:26:46 +0100

One should use the more secure v3 operating mode of loop-aes with gpg-encrypted keyfiles instead of the single-key mode. The iteration count and seed only apply to the old v1 single-key mode.

GELI

Uwe Hermann — Wed, 08 Feb 2006 21:57:32 +0100

Hm, I'm using Debian, and I don't see me switching to FreeBSD anytime soon ;) Anyways, I'll definately watch Jacob Applebaums video as soon as it's available...

look at GELI

Anonymous — Tue, 07 Feb 2006 01:37:59 +0100

You should really take a look at GELI on FreeBSD. There was a very, very interesting talk at 22C3 by Jacob Appelbaum (still waiting for the video) and he said: cryptoloop is shit, it has a real bad design and is a stupid implementation!

crypsetup and loop-AES?

Uwe Hermann — Mon, 06 Feb 2006 13:02:12 +0100

That package looks nice, but it's intended to be used with dm-crypt, right? Or is there a way to use it with loop-AES?

Loop-AES is said to be a bit faster and more secure than dm-crypt, that's why I chose it.

apt-get install cryptsetup

Enrico Zini — Mon, 06 Feb 2006 12:39:10 +0100

I suggest to use cryptsetup to automate all the handling of loop device and mounting. It's very nice and handy.

Ciao,

Enrico

HOWTO: Encrypted USB thumb drives and (USB) hard disks using loop-AES

Uwe Hermann — Mon, 06 Feb 2006 11:34:28 +0100

Yet another thing that has been on my TODO list for quite a while: encrypted USB thumb drives and/or encrypted external USB hard drives.

I have finally tried this over the weekend using loop-AES. This is very useful for securing your USB thumb drive contents in case you lose it or it gets stolen. Also, I use an external USB hard drive for backups (previously unencrypted). This is encryped now, too.

Here's a quick HOWTO:

Get the loop-AES kernel patches, apply them, enable "AES encrypted loop device support" in "Device Drivers -> Block Devices -> Loopback device support", and recompile the kernel.
I also enabled "loop encryption key scrubbing support" as it seems to promise higher security (can anybody confirm that?).
If you're using the Debian kernel packages, apt-get install loop-aes-2.6-686 (or a similar package) should suffice.
Get a loop-aes enabled losetup, mount etc.:
apt-get install loop-aes-utils
Securely delete the target partition: shred -n 1 -v /dev/sda3.
Use -n 25 or higher if you want more security and have a few days time to wait for the thing to finish...
Setup the loopback device: losetup -e aes256 -C 3 -S 'seed' /dev/loop0 /dev/sda3.
Notes:
- I used AES-256 as cipher, but others are possible.
- The -C 3 means "run hashed password through 3000 iterations of AES-256 before using it for loop encryption. This consumes lots of CPU cycles at loop setup/mount time but not thereafter." (see losetup(8)). This is supposed to be more secure.
- Using -S 'seed' (replace "seed" with a secret string like "g7sN4" or something) should make brute force attacks a bit harder. Don't forget the seed!
- You'll be asked for a passphrase > 20 characters. Choose a good one. Don't forget it!
Create the filesystem (I used ext3): mke2fs -j /dev/loop0
Detach the loopback device: losetup -d /dev/loop0
Add this to /etc/fstab:
/dev/sda3 /mnt/crypted_sda3 ext3 noauto,loop=/dev/loop0,encryption=AES256,itercountk=3 0 0
Mount the (now encrypted) partition by supplying the seed and entering the chosen password: mount -o pseed=seed /mnt/crypted_sda3
Done. You can now copy stuff to /mnt/crypted_sda3 which will be encrypted automatically.

For a more detailed guide read the Encrypted-Root-Filesystem-HOWTO. A performance comparison of different ciphers is available, but in general I didn't notice too much of a slow-down because of the encryption...