From Rexploit


                 <==============================>
                   ||    Linux Encrypting    ||
                   ||          by            ||
                   ||   William M. Hidalgo   ||
                   ||  redkommie<@>gmail.com ||
                   ||       02/25/05         ||
                 <==============================>


.: Contents :.

    I. INTRO
          - About

    II. ENCRYPTING
          - Containers
          - Drives
          - Files

    APPENDIX

.: I. INTRO :.

[-=] About [=-]

This is a quick rundown on how to encrypt files, containers, and drives under
Linux. The use of loopback encrypted filesystems (the kernel's cryptoloop or
loop-AES support, driven through losetup -e and mount -o encryption=) and
openssl is explained and examples are given. This paper should have you
encrypting in no time. The following commands were run on kernel 2.6.9. Note
that cryptoloop has since been deprecated in favour of dm-crypt and LUKS,
managed with cryptsetup; the commands below are kept as written for that
kernel.


.: II. ENCRYPTING :.

I'll outline how to create encrypted containers and drives using the loopback 
filesystem support and file encryption via openssl.

[-=] Containers [=-]

This is essentially creating a filesystem within a file and mounting it as a
device. Containers remove the tedious task of encrypting files one by one:
you simply move your files into the mount point, and once you unmount they
are all sitting encrypted inside the one file.

First, you need to create a blank file using the dd command.

    dd if=/dev/urandom of=crypto.img bs=1M count=50

    - The first parameter, if=/dev/urandom, fills the file with random data so
      that encrypted data cannot be told apart from space that was never
      written. /dev/zero can be used but is not advised: an observer could
      then see exactly how much of the container holds data.

    - The second parameter, of=crypto.img, defines the name to be given to the
      file and this can be changed to suit your preference.

    - The third parameter, bs=1M, instructs the dd command to write the file
      in 1MB blocks. I recommend you leave this value as 1M.

    - The final parameter, count, defines the size of the file in multiples
      of bs. Since bs=1M and count=50 the file will be 50MB; changing the
      count value to 100 would yield a 100MB file and so on. It is worth
      mentioning that the file can be resized once created; this is
      explained in the appendix.

Second, the file must be associated with a loop device and encrypted.

    losetup -e aes256 /dev/loop0 crypto.img

    - The parameter -e aes256 at the beginning instructs losetup on which
      cipher to use. The cipher type is dependent on what your kernel supports.
      In this example the AES 256 bit cipher is used but you can use other
      cipher types such as blowfish interchangeably.

    - losetup will prompt for a passphrase. The same cipher and passphrase
      are needed every time the container is mounted, and there is no way to
      recover the contents without them, so choose a strong one and do not
      lose it.

    - The second parameter /dev/loop0 is the device to which we bind the
      file. Binding the file will allow us to format it with a filesystem;
      everything written through /dev/loop0 lands in crypto.img encrypted.

    - The final parameter specifies which file to bind to the loop device.

Third, format the file with a filesystem and detach it from the loop device.

    mkfs -t ext2 /dev/loop0

    - The first parameter, -t ext2, instructs mkfs to format the file with
      the ext2 filesystem. This is recommended as it allows you to resize the
      container later if need be (see the appendix).

    - The last parameter points at the /dev/loop0 device to which the file
      was bound. mkfs must be run on the loop device, not on crypto.img
      directly, or the filesystem would be written in the clear.

    losetup -d /dev/loop0

    - This command detaches and frees the /dev/loop0 device.

Fourth, mounting your encrypted filesystem.

    mount -o encryption=aes256 crypto.img crypto_home

    - Using the mount command, the first parameter to be entered is
      encryption=aes256, which tells mount which cipher to use. The value
      must be the cipher which you used to encrypt the file, and mount will
      prompt for the passphrase given to losetup. If the cipher or passphrase
      is wrong, mount fails with a bad superblock error rather than a "wrong
      password" message, since it cannot tell the two cases apart.

    - The second parameter specifies the file to mount.

    - The third parameter designates the folder on which to mount the file;
      it must already exist, so create it with mkdir first.

    Once mounted you can move files into the mount point and create files
    within it and when you are done simply unmount the file with umount.
    While it is mounted the contents are as exposed as any other directory
    on the system; the encryption only protects the data at rest.
      

[-=] Drives [=-]

First, assuming you have already partitioned the drive, bind the partition to
a loopback device.

    losetup -e aes256 /dev/loop0 /dev/sda1

    - The parameter -e aes256 at the beginning instructs losetup on which
      cipher to use. The cipher type is dependent on what your kernel supports.
      In this example the AES 256 bit cipher is used but you can use other
      cipher types such as blowfish interchangeably. As with containers,
      losetup prompts for a passphrase that you will need at every mount.

    - The second parameter /dev/loop0 is the device to which we bind the
      drive. Binding the drive will allow us to format it with a filesystem.

    - The final parameter specifies which drive to bind to the loop device,
      in this case /dev/sda1, which on a machine of this vintage is most
      likely your USB flash drive. Check /proc/partitions or dmesg before
      going on: the filesystem is created on whatever device you name here,
      and its previous contents are lost.

Second, create the filesystem on the bound loop device exactly as in the
Containers section (the mkfs -t ext2 /dev/loop0 step). Writing through
/dev/loop0 is what makes the data on /dev/sda1 encrypted.

Third, detach from the loop device.

    losetup -d /dev/loop0

    - This command detaches and frees the /dev/loop0 device.

Fourth, mounting your encrypted drive.

    mount -o encryption=aes256 /dev/sda1 crypto_home

    - Using the mount command, the first parameter to be entered is
      encryption=aes256, which tells mount which cipher to use. The value
      must be the cipher which you used to encrypt the device, and mount will
      prompt for the passphrase given to losetup.

    - The second parameter specifies the drive to mount.

    - The third parameter designates the folder on which to mount the drive;
      it must already exist.

    Once mounted you can move files into the mount point and create files
    within it and when you are done simply unmount the drive. Until it is
    unmounted the data is readable by anyone with access to the mount point,
    so unmount before unplugging the drive or walking away.
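The container and drive procedures above, gathered into one script as an added example (this is not code from the paper): create_image is the dd step, format_encrypted is the losetup -e, mkfs, losetup -d sequence, and mount_encrypted is the mount. It keeps the paper's loop device, cipher and paths (/dev/loop0, aes256, crypto.img, crypto_home). The privileged steps assume the same cryptoloop or loop-AES kernel support the paper does and only run when the script is invoked with `container` or `drive`, so the unprivileged helpers can be exercised on their own. Function names are my own.

```shell
#!/bin/sh
# Added example (not from the original paper): the container and drive
# procedures as one script. losetup -e, mkfs and mount -o encryption= need
# root and a kernel with cryptoloop/loop-AES support, as the paper assumes.
set -eu

# Step 1 (containers only): fill the image with random data so that used and
# unused space are indistinguishable once the container is encrypted.
create_image() {            # create_image <path> <size_mb>
    dd if=/dev/urandom of="$1" bs=1M count="$2" 2>/dev/null
}

# Size of a file in bytes; checks that count*bs came out as intended.
image_bytes() {             # image_bytes <path>
    wc -c < "$1" | tr -d ' '
}

# Number of non-zero bytes. A fresh /dev/urandom image has almost as many as
# it has bytes; one made from /dev/zero would have none.
nonzero_bytes() {           # nonzero_bytes <path>
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Steps 2-3: bind the backing store (an image file or a partition such as
# /dev/sda1) to a loop device with the chosen cipher, create the filesystem
# on the loop device so it is written encrypted, then detach. losetup -e
# prompts for the passphrase; the same one is needed at every mount.
format_encrypted() {        # format_encrypted <image-or-device> <loopdev> <cipher>
    losetup -e "$3" "$2" "$1"
    mkfs -t ext2 "$2"
    losetup -d "$2"
}

# Step 4: mount. The mount point must exist and the cipher must match the
# one used above; mount prompts for the passphrase again. "loop" is given
# explicitly: encryption= is a loop-device feature, so a loop device is
# needed even when the backing store is a real partition.
mount_encrypted() {         # mount_encrypted <image-or-device> <mountpoint> <cipher>
    mkdir -p "$2"
    mount -o loop,encryption="$3" "$1" "$2"
}

# Unmount: the data is at rest again and the loop device is released.
unmount_encrypted() {       # unmount_encrypted <mountpoint>
    umount "$1"
}

# "container" builds the paper's 50MB container; "drive" does the same for a
# partition, skipping the image creation step.
case "${1:-}" in
    container)
        [ "$(id -u)" -eq 0 ] || { echo "needs root" >&2; exit 1; }
        create_image crypto.img 50
        format_encrypted crypto.img /dev/loop0 aes256
        mount_encrypted crypto.img crypto_home aes256 ;;
    drive)
        [ "$(id -u)" -eq 0 ] || { echo "needs root" >&2; exit 1; }
        format_encrypted /dev/sda1 /dev/loop0 aes256
        mount_encrypted /dev/sda1 crypto_home aes256 ;;
esac
```

Without an argument the script only defines the functions, which is how the two unprivileged helpers can be checked: a 3MB image must come out at exactly 3145728 bytes and be almost entirely non-zero, which is the property that makes /dev/urandom preferable to /dev/zero for the first step.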


[-=] Files [=-]

Openssl is an excellent program for encrypting individual files, with a wide
assortment of ciphers to choose from.

To encrypt a file it is a simple matter of choosing a cipher and naming the
input and output files.

    openssl enc -aes-256-cbc -salt -in password.txt -out password.txt.enc

    - The first part, enc -aes-256-cbc -salt, encrypts the file with AES in
      256-bit CBC mode. -salt makes openssl pick a random salt for the key
      derivation, so two files encrypted with the same passphrase do not
      share a key; always keep it. For a complete list of ciphers consult the
      openssl help (openssl -h; on newer releases openssl enc -ciphers).

    - The last part specifies the input file and the output file: -in
      password.txt reads password.txt and -out password.txt.enc writes the
      result to password.txt.enc.

    - openssl prompts for the passphrase (twice, to catch typos). The key is
      derived from that passphrase, so a weak passphrase is a weak key no
      matter which cipher you pick. Note also that the plaintext password.txt
      is left in place; delete it yourself once you have checked that the
      encrypted copy decrypts.

Now to decrypt a file.

    openssl enc -d -aes-256-cbc -in password.txt.enc -out password.txt

    - The enc -d -aes-256-cbc part of the command selects decryption and the
      cipher, which must be the one used for encryption (the salt is read
      from the file header, so -salt is not needed here).

    - The -in password.txt.enc parameter specifies which file to decrypt.

    - The final parameter instructs openssl to write the decrypted data to a
      file. It can be omitted, in which case the plaintext goes to stdout.

    A wrong passphrase usually ends in "bad decrypt", but openssl enc adds no
    integrity check: a wrong key or a tampered file can also come out as
    garbage with no error, so do not treat a clean exit as proof that the
    data is intact.
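The encrypt/decrypt pair above as shell functions, an added example rather than the paper's own commands. It reads the passphrase from a file with -pass file: so the round trip runs unattended (and so the passphrase never appears on a command line, where ps would show it to every user), and it adds -pbkdf2, which needs OpenSSL 1.1.1 or later, in place of the single-pass key derivation a 2005 openssl applied to the passphrase. The sample plaintext and passphrases in the demo are constructed; function names are my own.

```shell
#!/bin/sh
# Added example, not the paper's own commands: openssl enc file encryption as
# reusable functions. Assumes OpenSSL 1.1.1 or later (for -pbkdf2).
set -eu

# Encrypt <in> to <out> with AES-256-CBC. -salt: random salt per file, so the
# same passphrase never yields the same key twice. -pbkdf2/-iter: derive the
# key with PBKDF2 instead of the old single MD5 pass. -pass file:: read the
# passphrase from the first line of a file rather than the command line.
encrypt_file() {            # encrypt_file <in> <out> <passfile>
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 100000 \
        -in "$1" -out "$2" -pass "file:$3"
}

# Decrypt; cipher and KDF parameters must match those used to encrypt.
decrypt_file() {            # decrypt_file <in> <out> <passfile>
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 \
        -in "$1" -out "$2" -pass "file:$3"
}

# Returns 0 when decrypt(encrypt(x)) == x under the given passphrase.
roundtrip_ok() {            # roundtrip_ok <plaintext> <passfile>
    d=$(mktemp -d)
    encrypt_file "$1" "$d/c.enc" "$2"
    decrypt_file "$d/c.enc" "$d/p.out" "$2"
    if cmp -s "$1" "$d/p.out"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

# Returns 0 when decrypting with the wrong passphrase does NOT yield the
# plaintext. openssl usually reports "bad decrypt" (the CBC padding check
# fails), but that is not an integrity check: it can pass by chance, and a
# tampered ciphertext can "decrypt" to garbage without complaint. So the
# check is on the content, not on the exit status.
wrong_key_differs() {       # wrong_key_differs <plaintext> <passfile> <wrongpassfile>
    d=$(mktemp -d)
    encrypt_file "$1" "$d/c.enc" "$2"
    decrypt_file "$d/c.enc" "$d/p.out" "$3" 2>/dev/null || true
    if [ -f "$d/p.out" ] && cmp -s "$1" "$d/p.out"; then rc=1; else rc=0; fi
    rm -rf "$d"
    return $rc
}

# Stand-alone demo on constructed data (every file here is made up).
if [ "${1:-}" = "demo" ]; then
    w=$(mktemp -d)
    printf 'constructed sample: not a real secret\n' > "$w/password.txt"
    printf 'correct horse battery staple\n' > "$w/pass"
    printf 'wrong passphrase\n' > "$w/wrong"
    roundtrip_ok "$w/password.txt" "$w/pass" && echo "round trip: ok"
    wrong_key_differs "$w/password.txt" "$w/pass" "$w/wrong" \
        && echo "wrong key: plaintext not recovered"
    rm -rf "$w"
fi
```

Run it with `demo` to see both checks; the second one is the practical consequence of the caveat above: with CBC and no MAC, the only reliable test that you used the right passphrase is whether the output is what you expected.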


.: APPENDIX :.

[-=] Resizing containers [=-]

If you formatted your container with the ext2 filesystem you can grow it with
the ext2resize app (on current systems resize2fs from e2fsprogs does the same
job). The container must be unmounted throughout.

First, increase the size of the container. In this example the file acting as
the encrypted container is called crypto.img and its size is increased by
20MB.

    dd if=/dev/urandom bs=1M count=20 >> crypto.img

    - The of= parameter is omitted and instead >> is used at the end of the
      command to append 20MB to the crypto.img file. Appending leaves the
      existing encrypted filesystem untouched; a single > would overwrite it.

Second, bind the file to a loop device, giving the same cipher and passphrase
as when the container was created.

    losetup -e aes256 /dev/loop0 crypto.img

Third, extend the ext2 filesystem within the container. Run e2fsck -f on the
loop device first; a resizer should only ever be run on a clean filesystem.

    ext2resize /dev/loop0

Finally, detach the loop device with losetup -d as before and mount the
container; df should now show the extra 20MB.

That is all that is needed to resize your encrypted container.
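The resize procedure as a script, added here and not taken from the paper. grow_image is the dd append and resize_container the bind, check, resize, detach sequence; as everywhere on this page the loop-device steps need root and cryptoloop or loop-AES support, and the resize runs against an unmounted container. e2fsck is assumed to come from e2fsprogs, ext2resize is the tool the paper names; function names are my own.

```shell
#!/bin/sh
# Added example (not from the paper): growing an encrypted container.
# grow_image runs unprivileged; resize_container needs root and the same
# cryptoloop/loop-AES support as the rest of the paper. Paths and loop
# device are the paper's (crypto.img, /dev/loop0, aes256).
set -eu

# Append <size_mb> megabytes of random data to the image. >> adds new space
# after the existing encrypted filesystem without touching it, and random
# fill keeps the new space indistinguishable from the encrypted part.
grow_image() {              # grow_image <image> <size_mb>
    dd if=/dev/urandom bs=1M count="$2" 2>/dev/null >> "$1"
}

image_bytes() { wc -c < "$1" | tr -d ' '; }

# Extend the ext2 filesystem into the new space. The container must be
# unmounted; losetup -e asks for the container's passphrase. The filesystem
# is checked first because a resizer must only run on a clean filesystem
# (resize2fs, the modern equivalent of ext2resize, insists on it).
resize_container() {        # resize_container <image> <loopdev> <cipher>
    losetup -e "$3" "$2" "$1"
    e2fsck -f "$2"
    ext2resize "$2"
    losetup -d "$2"
}

# The paper's 20MB increase, when invoked with "run".
if [ "${1:-}" = "run" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "needs root" >&2; exit 1; }
    grow_image crypto.img 20
    resize_container crypto.img /dev/loop0 aes256
fi
```

The unprivileged half can be checked on its own: after growing a 1MB image by 2MB it must be exactly 3145728 bytes long and its first megabyte must be byte-for-byte what it was before, which is the guarantee that separates >> from > in the dd step.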

