GPG encrypted loopback disks

Okay, so this system was primarily meant for my personal use, but I thought I would share it with whoever is interested.

My intention was to be able to secure some data by encrypting it with a GPG key, without having to create a new partition on my disk.
I also wanted easy backups: backing up a single file should be enough.
And I wanted to be sure that I would still be able to recover everything in case my disk encryption GPG key was lost.
Since I am not aware of any system that does this automatically, I just combined loopback devices, LUKS and GPG into a set of bash scripts.

The system

It consists of four scripts, one for each stage of creating and using the "disks":

  1. - Creates a new GPG key to encrypt with. You could use your own private key, but then you cannot store your private key on it, right? :-)
  2. - Creates the disk and formats it (I used ext4, but it would be very easy to change this)
  3. - Mounts the disk
  4. - Unmounts it


You can download the whole set of scripts here: gpg-encrypted-loopback-disks.tar.gz (and a GPG signature: gpg-encrypted-loopback-disks.tar.gz.asc).


To use this system, you should first prepare your system by creating a directory in which to store everything (let us call this $DISKHOME), and create two directories underneath it: "keyrings" and "disks".
The "keyrings" directory will be used to store the GPG keyrings and trustdbs, so as not to clutter up your normal keyrings.
The "disks" directory will be used to store the disk image files themselves and the GPG-encrypted disk keys.

Now drop the set of scripts into $DISKHOME.
$DISKHOME should then look like this:

| keyrings/
| disks/

You should also look up the key-id of your backup GPG key, which you can use in case you lose the primary keyring or the passphrase of the primary encryption key.

Okay, now we can finally start the scripts to generate the keys and our first disk!


Creating the encryption key

First, run

./ "{your-name}"

replacing {your-name} with your name.
This OWNER_NAME is used to name the keys.
GPG will ask you to enter a passphrase for the key.
At the end, it will report something like "gpg: key 3CAC409C marked as ultimately trusted".
Here, "3CAC409C" is the key-id of the just created GPG key; note it down somewhere for the next step.
(That is an 8-hex-digit short key-id, which is only 32 bits and can be collided by an attacker who wants a look-alike key; newer GPG versions print the 16-digit long key-id or the full fingerprint, and either of those is the safer thing to write down and pass to the scripts.)

Creating the disk

To create the disk, run

./ "{disk-name}" "{key-id}" "{recovery-key-id}"

replacing {disk-name} with a name by which you can identify the disk, {key-id} with the key-id you found in the first step (3CAC409C in my example), and {recovery-key-id} with the key-id of your backup key.
It will now execute a lot of commands, some of which run sudo and ask for the GPG passphrase of your primary encryption key.
Do not worry though: at the end it clears both the cached sudo credentials and the GPG passphrase from memory, and you can see every command as it is executed.
That was the hard part... easy huh?

Mounting the disk

Now we finally get to use our newly created, encrypted disk!
To use it, just execute

./ "{disk-name}"

replacing {disk-name} with the name you gave to the disk in the previous step.
This also executes some sudo commands and will ask for your GPG passphrase, and again clears them after use.
Now your disk should be available under ~/mounted-$DISK_NAME/, have fun! :-).
If you want it mounted at another path, add MOUNT_POINT={mount-point} before "DISK_NAME=" in the command.

Unmounting the disk

If you are done with the disk, or will leave your computer for a while and want to be sure it is safe and unavailable, execute the command

./ "{disk-name}"

replacing {disk-name} with the name of the disk you want to unmount.
And that is all!
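To show how the four stages fit together, here is a single-file version of the same workflow. This is an added example, not the author's script set: the names DISKHOME, the disks/NAME.img and disks/NAME.key.gpg layout, the gpgdisk-NAME mapper name and the DRY_RUN switch are all my own assumptions. The LUKS key is fresh randomness that is encrypted to both the primary and the recovery key before it ever leaves memory, and cryptsetup is pointed straight at the image file, so it allocates and later detaches the loop device by itself. Every privileged command is echoed before it runs; with DRY_RUN=1 nothing is executed, which is how you can inspect the plan without touching the system. The recovery key has to be trusted in the dedicated keyring (or gpg will refuse to encrypt to it in batch mode).

```bash
#!/usr/bin/env bash
# Added example (not the author's scripts): create / mount / unmount a
# GPG-wrapped LUKS loopback disk. Assumed layout: $DISKHOME/keyrings for the
# GPG keyrings, $DISKHOME/disks/NAME.img for the image and
# $DISKHOME/disks/NAME.key.gpg for the encrypted LUKS key.
set -eu

DISKHOME="${DISKHOME:-$HOME/gpgdisks}"
DRY_RUN="${DRY_RUN:-0}"     # 1 = only print the commands, execute nothing

# Echo every command before running it (as the original scripts do);
# in dry-run mode only echo it.
run() {
    printf '+ %s\n' "$*" >&2
    if [ "$DRY_RUN" != "1" ]; then "$@"; fi
}

# gpg always operates on the dedicated keyring, never on ~/.gnupg.
gpg_cmd() { run gpg --homedir "$DISKHOME/keyrings" --batch --yes --quiet "$@"; }

disk_image()   { printf '%s/disks/%s.img\n' "$DISKHOME" "$1"; }
disk_keyfile() { printf '%s/disks/%s.key.gpg\n' "$DISKHOME" "$1"; }
mapper_name()  { printf 'gpgdisk-%s\n' "$1"; }

# create_key OWNER_NAME: stage 1, a fresh key in the dedicated keyring
# (gpg-agent prompts for its passphrase).
create_key() {
    mkdir -p "$DISKHOME/keyrings"; chmod 700 "$DISKHOME/keyrings"
    gpg_cmd --quick-generate-key "$1" default default never
}

# create_disk NAME SIZE_MB KEYID RECOVERY_KEYID: stage 2.
create_disk() {
    local name=$1 size_mb=$2 keyid=$3 recovery=$4
    local img keyfile mapper pass
    img=$(disk_image "$name"); keyfile=$(disk_keyfile "$name"); mapper=$(mapper_name "$name")
    mkdir -p "$DISKHOME/disks"
    # Random LUKS passphrase, kept only in this shell's memory.
    pass=$(head -c 48 /dev/urandom | base64 | tr -d '\n')
    # Sparse image: blocks are allocated as data is written.
    run truncate -s "${size_mb}M" "$img"
    # Wrap the passphrase for both recipients so losing the primary key is survivable.
    printf '%s' "$pass" | gpg_cmd --encrypt --recipient "$keyid" --recipient "$recovery" --output "$keyfile"
    # cryptsetup sets up the loop device itself when given a regular file;
    # -q skips the "overwrite?" confirmation, --key-file - reads stdin.
    printf '%s' "$pass" | run sudo cryptsetup -q luksFormat --key-file - "$img"
    printf '%s' "$pass" | run sudo cryptsetup open --key-file - "$img" "$mapper"
    run sudo mkfs.ext4 -q "/dev/mapper/$mapper"
    run sudo cryptsetup close "$mapper"
    run sudo -K                      # drop the cached sudo credentials
}

# mount_disk NAME: stage 3, honours MOUNT_POINT (default ~/mounted-NAME).
mount_disk() {
    local name=$1 mp="${MOUNT_POINT:-$HOME/mounted-$1}"
    local img keyfile mapper
    img=$(disk_image "$name"); keyfile=$(disk_keyfile "$name"); mapper=$(mapper_name "$name")
    mkdir -p "$mp"
    # Whichever private key is present (primary or recovery) can decrypt the
    # LUKS passphrase; it goes straight from gpg to cryptsetup, never to disk.
    gpg_cmd --decrypt "$keyfile" | run sudo cryptsetup open --key-file - "$img" "$mapper"
    run sudo mount "/dev/mapper/$mapper" "$mp"
    run sudo chown "$(id -u):$(id -g)" "$mp"
    run sudo -K
}

# unmount_disk NAME: stage 4; closing the mapping also detaches the loop device.
unmount_disk() {
    local name=$1 mp="${MOUNT_POINT:-$HOME/mounted-$1}"
    local mapper; mapper=$(mapper_name "$name")
    run sudo umount "$mp"
    run sudo cryptsetup close "$mapper"
    run sudo -K
}

case "${1:-}" in
    key)     shift; create_key "$@" ;;
    create)  shift; create_disk "$@" ;;
    mount)   shift; mount_disk "$@" ;;
    unmount) shift; unmount_disk "$@" ;;
esac
```

Usage mirrors the four steps above: `./gpgdisk.sh key "Your Name"`, `./gpgdisk.sh create mydisk 512 3CAC409C {recovery-key-id}`, `./gpgdisk.sh mount mydisk`, `./gpgdisk.sh unmount mydisk`. Run any of them with DRY_RUN=1 first to see exactly which sudo and gpg commands would be executed.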


If you have any questions or comments, you can find my contact info.
