LinuxQuestions.org - Encrypted filesystem and boot from flash

Have a look at True Crypt.

http://www.truecrypt.org/

I started using it about a week ago. The nice thing about it is that it works on numerous platforms. You can have your pass phrase on a USB. It is as easy to use as cryptoloop but you don't have to worry about what encryption algorithms are available on any given kernel. It requires 2.6.x kernel and device mapper on Linux. It also works on Windows and on *BSD.

The encrypted files do not have any header information to give away the encryption algorithm used to create the file. Sweet. I think I'm in love. :)

Here is an example of creating an encrypted file system on /dev/sda1 with True Crypt.

Code:

truecrypt -c /dev/sda1

It will ask a bunch of questions. When it asks if you want FAT or none you should enter none. Once you have answered all of the questions it will set up the partition. Then you need to format the partition under True Crypt.

Code:

truecrypt /dev/sda

<password>

mkfs -t ext3 /dev/mapper/truecrypt0

That takes care of the one time tasks. Now you can mount /dev/mapper/truecrypt0 just as you would any other block device.

Code:

mount -o noexec /dev/mapper/truecrypt0 /home

True Crypt will take care of unmounting cleanly during system shutdown.

The next time that you boot you just have to tell True Crypt to connect to /dev/sda1 and then you can mount it.

Code:

truecrypt /dev/sda1

<password>

mount -o noexec /dev/mapper/truecrypt0 /home

It's easy to use.

Oh yeah. Part of the process of creating the encrypted partition asks if you want to create a key file. You would say yes. Put the key file on the USB. There you are. Of course if you encrypted the USB with True Crypt first it would be even more secure.