How to create and loop-mount an encrypted drive image?
I've seen this excellent answer that explains how to use the following squashfs command to compress a disk image on-the-fly:
```
mkdir empty-dir
mksquashfs empty-dir squash.img -p 'sda_backup.img f 444 root root dd if=/dev/sda bs=4M'
```
I would like to also encrypt the image file on-the-fly. I would rather encrypt after creating the squashfs image so the encrypted image files are still as small as possible.
I would like the image to be encrypted to a public key so the backup process is unable to decrypt the backup files. I am intending to boot the machine off USB, and back up the boot drive to an encrypted image on a Samba share, but I don't want to use a hardcoded key on the USB stick for obvious reasons.
I understand that because public-key encryption is slow, to encrypt a large file to a public key, it is necessary to create a random nonce, then encrypt that nonce, then use the result to encrypt the file using that as a symmetric key. I'm sure there are tools out there to do this, but I have no idea how to achieve this on my Ubuntu machine.
Also, is it possible to loop-mount an encrypted file? I would much rather not have to decrypt the whole file in order to mount it. I don't mind if the image can only be mounted read-only.
encryption disk-image squashfs
If you want to decrypt on the fly, say with LUKS, it needs to know what size container to use before starting, and you won't know that because of the compression. However gpg is happy to accept a pipe of unknown length, but doesn't do on-the-fly decryption. PS Do not try to DIY encryption with "nonces" and low-level tools, just use gpg that does it right.
– Xen2050
Jul 5 at 9:18
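The gpg approach suggested in the comment above, as an added example that is not part of the original post: a stream of unknown length is encrypted to a public key, and the side doing the backup holds no secret key. The demo identity, the temporary keyrings and the sample data (a stand-in for `dd if=/dev/sda bs=4M`) are constructed for illustration.

```shell
# Added example: encrypt a pipe of unknown length to a public key with gpg.
# Identity, temp directories and sample data are constructed for this demo.

# Runs the round trip in throwaway keyrings; prints "ok" and returns 0 on success.
demo_gpg_stream_backup() {
  local work owner backup rc=1
  work=$(mktemp -d) || return 1
  owner="$work/owner"; backup="$work/backup"   # two separate GnuPG home dirs
  mkdir -m 700 "$owner" "$backup"

  # Constructed sample data standing in for the raw disk contents.
  head -c 1048576 /dev/zero | tr '\0' 'A' > "$work/sample"

  # Owner machine: create a key pair (empty passphrase, demo only) and
  # export only the public half.
  gpg --homedir "$owner" --batch --quiet --pinentry-mode loopback \
      --passphrase '' --quick-generate-key \
      'Backup Demo <backup@example.invalid>' default default never 2>/dev/null &&
  gpg --homedir "$owner" --batch --armor --export > "$work/pub.asc" &&

  # Backup environment (the USB stick): imports the public key, nothing else.
  gpg --homedir "$backup" --batch --quiet --import "$work/pub.asc" 2>/dev/null &&

  # Data arrives on a pipe, so gpg never learns its length in advance.
  # gpg compresses before encrypting by default.
  cat "$work/sample" |
    gpg --homedir "$backup" --batch --quiet --trust-model always \
        --recipient backup@example.invalid --encrypt \
        --output "$work/disk.img.gpg" &&

  # The backup side cannot decrypt its own output: it has no secret key.
  ! gpg --homedir "$backup" --batch --quiet \
        --decrypt "$work/disk.img.gpg" >/dev/null 2>&1 &&

  # The owner decrypts as a stream and gets identical bytes back.
  gpg --homedir "$owner" --batch --quiet --pinentry-mode loopback \
      --passphrase '' --decrypt "$work/disk.img.gpg" 2>/dev/null |
    cmp -s - "$work/sample" &&
  rc=0

  gpgconf --homedir "$owner" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$backup" --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
  [ "$rc" -eq 0 ] && echo ok
  return "$rc"
}
```

As the comment notes, the resulting `.gpg` file has to be decrypted as a whole stream before use; it cannot be loop-mounted in place.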
edited Jul 5 at 6:30
asked Jul 5 at 4:54
localhost