Provided by: loop-aes-utils_2.16.2-2ubuntu1_amd64
losetup - set up and control loop devices
losetup [options] loop_device file losetup -F [options] loop_device [file] losetup [ -d ] loop_device losetup -a losetup -f losetup -R loop_device
losetup is used to associate loop devices with regular files or block devices, to detach loop devices and to query the status of a loop device. If only the loop_device argument is given, the status of the corresponding loop device is shown.
-a Show status of all loop devices. -C itercountk Runs hashed passphrase through itercountk thousand iterations of AES-256 before using it for loop encryption. This consumes lots of CPU cycles at loop setup/mount time but not thereafter. In combination with passphrase seed this slows down dictionary attacks. Iteration is not done in multi-key mode. -d Detach the file or device associated with the specified loop device. -e encryption Enable data encryption. Following encryption types are recognized: NONE Use no encryption (default). XOR Use a simple XOR encryption. AES128 AES Use 128 bit AES encryption. Passphrase is hashed with SHA-256 by default. AES192 Use 192 bit AES encryption. Passphrase is hashed with SHA-384 by default. AES256 Use 256 bit AES encryption. Passphrase is hashed with SHA-512 by default. twofish128 twofish160 twofish192 twofish256 blowfish128 blowfish160 blowfish192 blowfish256 serpent128 serpent192 serpent256 mars128 mars192 mars256 rc6-128 rc6-192 rc6-256 tripleDES These encryption types are available if they are enabled in kernel configuration or corresponding modules have been loaded to kernel. -f Find and show next unused loop device. -F Reads and uses mount options from /etc/fstab that match specified loop device, including offset= sizelimit= encryption= pseed= phash= loinit= gpgkey= gpghome= cleartextkey= itercountk= and looped to device/file name. loop= option in /etc/fstab must match specified loop device name. Command line options take precedence in case of conflict. -G gpghome Set gpg home directory to gpghome, so that gpg uses public/private keys on gpghome directory. This is only used when gpgkey file needs to be decrypted using public/private keys. If gpgkey file is encrypted with symmetric cipher only, public/private keys are not required and this option has no effect. -H phash Uses phash function to hash passphrase. Available hash functions are sha256, sha384, sha512 and rmd160. unhashed1, unhashed2 and unhashed3 functions also exist for compatibility with some obsolete implementations. Hash function random does not ask for passphrase but sets up random keys and attempts to put loop to multi-key mode. When random/1777 hash type is used as mount option for mount program, mount program will create new file system on the loop device and construct initial permissions of file system root directory from octal digits that follow the slash character. WARNING! DO NOT USE RANDOM HASH TYPE ON PARTITION WITH EXISTING IMPORTANT DATA ON IT. RANDOM HASH TYPE WILL DESTROY YOUR DATA. -I loinit Passes a numeric value of loinit as a parameter to cipher transfer function. Cipher transfer functions are free to interpret value as they want. -K gpgkey Passphrase is piped to gpg so that gpg can decrypt file gpgkey which contains the real keys that are used to encrypt loop device. If decryption requires public/private keys and gpghome is not specified, all users use their own gpg public/private keys to decrypt gpgkey. Decrypted gpgkey should contain 1 or 64 or 65 keys, each key at least 20 characters and separated by newline. If decrypted gpgkey contains 64 or 65 keys, then loop device is put to multi-key mode. In multi- key mode first key is used for first sector, second key for second sector, and so on. 65th key, if present, is used as additional input to MD5 IV computation. -o offset The data start is moved offset bytes into the specified file or device. Normally offset is included in IV (initialization vector) computations. If offset is prefixed with @ character, then offset is not included in IV computations. @ prefix functionality may not be supported on some older kernels and/or loop drivers. -p passwdfd Read the passphrase from file descriptor passwdfd instead of the terminal. If -K option is not being used (no gpg key file), then losetup attempts to read 65 keys from passwdfd, each key at least 20 characters and separated by newline. If losetup successfully reads 64 or 65 keys, then loop device is put to multi-key mode. If losetup encounters end-of-file before 64 keys are read, then only first key is used in single-key mode. echo SecretPassphraseHere | losetup -p0 -K foo.gpg -e AES128 ... In above example, losetup reads passphrase from file descriptor 0 (stdin). -P cleartextkey Read the passphrase from file cleartextkey instead of the terminal. If -K option is not being used (no gpg key file), then losetup attempts to read 65 keys from cleartextkey, each key at least 20 characters and separated by newline. If losetup successfully reads 64 or 65 keys, then loop device is put to multi-key mode. If losetup encounters end-of-file before 64 keys are read, then only first key is used in single-key mode. If both -p and -P options are used, then -p option takes precedence. These are equivalent: losetup -p3 -K foo.gpg -e AES128 ... 3<someFileName losetup -P someFileName -K foo.gpg -e AES128 ... In first line of above example, in addition to normal open file descriptors (0==stdin 1==stdout 2==stderr), shell opens the file and passes open file descriptor to started losetup program. In second line of above example, losetup opens the file itself. -r Read-only mode. -R Resize existing, already set up loop device, to new changed underlying device size. This option is for changing mounted live file system size on LVM volume. This functionality may not be supported on some older kernels and/or loop drivers. -s sizelimit Size of loop device is limited to sizelimit bytes. If unspecified or set to zero, loop device size is set to maximum available (file size minus offset). This option may not be supported on some older kernels and/or loop drivers. -S pseed Sets encryption passphrase seed pseed which is appended to user supplied passphrase before hashing. Using different seeds for different partitions makes dictionary attacks slower but does not prevent them if user supplied passphrase is guessable. Seed is not used in multi-key mode. -T Asks passphrase twice. -v Verbose mode.
losetup returns 0 on success, nonzero on failure. When losetup displays the status of a loop device, it returns 1 if the device is not configured and 2 if an error occurred which prevented losetup from determining the status of the device.
/dev/loop0,/dev/loop1,... loop devices (major=7)
The following commands can be used as an example of using the loop device. dd if=/dev/zero of=/file bs=1k count=500 head -c 3705 /dev/random | uuencode -m - | head -n 66 \ | tail -n 65 | gpg --symmetric -a >/etc/fskey9.gpg losetup -e AES128 -K /etc/fskey9.gpg /dev/loop0 /file mkfs -t ext2 /dev/loop0 mount -t ext2 /dev/loop0 /mnt ... umount /dev/loop0 losetup -d /dev/loop0
XOR encryption is terribly weak.
Original version: Theodore Ts'o <email@example.com> AES support: Jari Ruusu