How to create and loop-mount an encrypted drive image?

I've seen this excellent answer that explains how to use the following squashfs command to compress a disk image on-the-fly:

mkdir empty-dir
mksquashfs empty-dir squash.img -p 'sda_backup.img f 444 root root dd if=/dev/sda bs=4M'

I would like to also encrypt the image file on-the-fly. I would rather encrypt after creating the squashfs image so the encrypted image files are still as small as possible.

I would like the image to be encrypted to a public key so the backup process is unable to decrypt the backup files. I am intending to boot the machine off USB, and back up the boot drive to an encrypted image on a Samba share, but I don't want to use a hardcoded key on the USB stick for obvious reasons.

I understand that because public-key encryption is slow, to encrypt a large file to a public key, it is necessary to create a random nonce, then encrypt that nonce, then use the result to encrypt the file using that as a symmetric key. I'm sure there are tools out there to do this, but I have no idea how to achieve this on my Ubuntu machine.

Also, is it possible to loop-mount an encrypted file? I would much rather not have to decrypt the whole file in order to mount it. I don't mind if the image can only be mounted read-only.

  • If you want to decrypt on the fly, say with LUKS, it needs to know what size container to use before starting, and you won't know that because of the compression. However gpg is happy to accept a pipe of unknown length, but doesn't do on the fly decryption. PS Do not try to diy encryption with "nonces" and low level tools, just use gpg that does it right.
    – Xen2050
    Jul 5 at 9:18

edited Jul 5 at 6:30

asked Jul 5 at 4:54

localhost
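
The approach suggested in the comment above (gpg reading a pipe of unknown length and encrypting to a public key), sketched as an added example that is not part of the original question or comment. It assumes GnuPG 2.1 or later; the key name, directory names and the 1 MiB stand-in for the `dd` output are constructed for the demonstration. As the comment notes, the resulting file cannot be loop-mounted without decrypting it first.

```shell
#!/bin/sh
# Added example: throwaway key, constructed data, hypothetical names throughout.
KEY='backup-demo@example.invalid'

# Restore side (kept offline): create a key pair, export only the public half.
make_keys() {  # $1 = restore keyring dir, $2 = public key output file
    mkdir -p "$1" && chmod 700 "$1"
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$KEY" default default never
    gpg --homedir "$1" --batch --armor --export "$KEY" > "$2"
}

# Backup side: keyring holds the public key only; encrypts stdin to stdout.
# gpg generates the random session key and wraps it to the public key itself.
encrypt_stream() {  # $1 = backup keyring dir, $2 = public key file
    mkdir -p "$1" && chmod 700 "$1"
    gpg --homedir "$1" --batch --quiet --import "$2"
    gpg --homedir "$1" --batch --quiet --trust-model always \
        --recipient "$KEY" --encrypt
}

# Decrypt stdin with whatever the keyring holds; fails without the secret key.
decrypt_stream() {  # $1 = keyring dir
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --decrypt
}

demo() {
    work=$(mktemp -d) || return 1
    make_keys "$work/restore" "$work/pub.asc" || return 1
    # Stand-in for the real source, e.g.: dd if=/dev/sda bs=4M
    head -c 1048576 /dev/zero > "$work/disk.img"
    encrypt_stream "$work/backup" "$work/pub.asc" \
        < "$work/disk.img" > "$work/disk.img.gpg" || return 1
    rc=0
    # The backup side must not be able to read its own output.
    if decrypt_stream "$work/backup" < "$work/disk.img.gpg" >/dev/null 2>&1; then
        echo "backup side could decrypt" >&2; rc=1
    fi
    # The restore side recovers the original bytes.
    decrypt_stream "$work/restore" < "$work/disk.img.gpg" \
        | cmp -s - "$work/disk.img" || rc=1
    for d in restore backup; do
        gpgconf --homedir "$work/$d" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$work"
    return $rc
}
```

Only `pub.asc` needs to be on the USB stick; the keyring created by `make_keys` stays on the machine that will perform restores.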
