A loopback device is a special device that lets you mount an ordinary file as if it were a physical disk. Loopbacks can be encrypted, which is sometimes very useful. Suppose, for example, that you need to encrypt a few files, nothing big, say 100 MB or so. Encrypting an entire partition would be too much; an encrypted loopback (a cryptoloop) can be the right solution to your problem.

Kernel modules and tools

To play with the solutions I tried in this article you will need the following kernel features. I compiled them as modules, and that is what I suggest:

- device mapper support and its crypt target (in the multi-device support, RAID and LVM, menu of the kernel configuration)
- loopback device support and its cryptoloop support (in the block device support section)
- the crypto routines (in the cryptographic options section)

You need some user-space tools too. Under Debian it was enough for me to run apt-get install loop-aes-utils and apt-get install cryptsetup to get all of them. Yes, Debian makes you feel very lucky in these situations :)

Let's start

To begin we will look at two ways of doing the same thing: getting an encrypted loopback. In these examples I use AES as the encryption algorithm. For both ways you will need to run modprobe loop, which loads support for the loopback device, and modprobe aes, which loads the AES routines.

Assume that the file backing our loopback device is called crloop: it is 640 MB and I created it by typing dd if=/dev/zero of=/home/marco/crloop bs=1M count=640 . One caveat about that: a container filled from /dev/zero keeps zeros wherever nothing has been written yet, so anyone who can read the file can see how much of the volume is actually in use; filling it from /dev/urandom instead hides that, at the cost of a slower dd. Once the file exists, the user-space tools are installed and the kernel modules are in place, you are ready to go.

The old way

We have to insert one more module: modprobe cryptoloop. Now it is time to set up the file /home/marco/crloop as a loopback device with losetup; you will probably need root privileges for this. You will be prompted for a password, and you will get an error message if the password you type is shorter than 20 characters. So be ready to think of a long passphrase and, clearly, do not forget it right after you have typed it.

It is now time to create a filesystem on the loopback device:

mkfs -t ext2 /dev/loop0

You probably noticed I am using ext2 as the cryptoloop filesystem. That is the safe choice, because journaled filesystems are reported to have serious problems on cryptoloops. So if you set things up the old way, stay with ext2, or consider using the device mapper instead (described further on in the article).

You can finally mount your encrypted filesystem now. In my case I mount it on /media/cryptovolume, with the same mount command shown in step 3 below. At this point you can play with your encrypted loopback device: copy some files onto it and leave them there. When you finish, unmount it with umount /media/cryptovolume, followed by losetup -d /dev/loop0, which detaches the loop0 device from the file /home/marco/crloop.

Now it is important to understand how to mount the cryptoloop again the next time you need those files. These are the basic steps to follow:

1) If the modules are not loaded, load them: loop, cryptoloop and the encryption algorithm (aes in my case).
2) Re-attach the loopback device to the file that holds the data: losetup /dev/loop0 /home/marco/crloop in my case.
3) Mount the filesystem again: mount -t ext2 /dev/loop0 /media/cryptovolume -oencryption=aes. You will be prompted for the password you chose when you set up the cryptoloop. Type it and the encrypted filesystem is mounted.

The new way

The new way is to use the loopback device together with the device mapper support of the kernel. Performance is better and there are no reported problems with journaled filesystems in this case. You will need extra features compiled in the kernel (as modules or built in): in the multi-device support (RAID and LVM) section of the kernel configuration you must enable two entries, device mapper support and its sub-entry crypt target support. If you compile them as modules you will, as always, need to load them: modprobe dm-crypt automatically loads the dm-mod module too. As in the first case you must load the loop module, but you will NOT need the cryptoloop module.

What you need:

- the loop and dm-crypt modules loaded
- the losetup and cryptsetup user-space utilities

We proceed in the same way as before. We have the file /home/marco/crloop and we set it up as a loopback with this command:

losetup /dev/loop0 /home/marco/crloop

You probably noticed that we are setting it up as a normal loopback with no encryption at all. We tell the system to treat it as an encrypted device with this other command:

cryptsetup -c aes -y create crloop /dev/loop0

cryptsetup asks for a password here; remember what I wrote above about the number of characters. Note that cryptsetup create sets up a plain dm-crypt mapping: there is no header on the device and the key is derived directly from the passphrase, so nothing verifies that the passphrase you typed is the right one. A mistyped passphrase simply gives you a mapping full of garbage, which you only notice when the mount fails; the -y option, which asks for the passphrase twice, helps avoid that. The cryptsetup command makes a new device called /dev/mapper/crloop appear, and that is the one we create the filesystem on and then mount:

mkfs.ext3 /dev/mapper/crloop
mount /dev/mapper/crloop /media/cryptovolume

The encrypted loopback is now mounted: you can copy files onto it, delete them, store whatever you need. When you have finished playing with it, unmount the volume with umount /media/cryptovolume, then detach the mapping with cryptsetup remove crloop, followed by losetup -d /dev/loop0.

When you need the files stored there again, repeat the losetup, cryptsetup and mount commands above (without the mkfs step, of course) and you will get your encrypted loopback filesystem mounted again (the second command, cryptsetup, asks you for the password).

Conclusions

Clearly it is a bit tricky to mount this loopback device every time, because you have to perform several steps. The best way, in my opinion, is to write a little script that performs the steps for you; then you only need to type the password you chose. The same script can hold the commands to detach the cryptoloop too. In my case I went a bit further and put the device in /etc/fstab to have it mounted automatically at every boot on my Gnome desktop too. This article will be completed soon with a discussion of encrypted physical partitions with the device mapper.
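The script the conclusion recommends, written for the dm-crypt route, as an added example that is not part of the original article. It assumes the article's own names (/home/marco/crloop, /dev/loop0, the mapping name crloop, the mount point /media/cryptovolume and the aes cipher); the DRY_RUN variable and the run helper are assumptions of this script, not options of losetup or cryptsetup. Besides chaining the commands, it tears the loop device and the mapping down again when cryptsetup or mount fails, because with a plain dm-crypt mapping a failed mount is the only sign of a mistyped passphrase.

```shell
#!/bin/sh
# cryptovol.sh: bring the dm-crypt loopback volume from the article up or down.
# Added example, not code from the article. Defaults are the article's names;
# override them in the environment. Must run as root, unless DRY_RUN is set,
# in which case the commands are only printed (an assumption of this script).

IMAGE=${IMAGE:-/home/marco/crloop}
LOOPDEV=${LOOPDEV:-/dev/loop0}
MAPNAME=${MAPNAME:-crloop}
MOUNTPOINT=${MOUNTPOINT:-/media/cryptovolume}
CIPHER=${CIPHER:-aes}

# Run a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Undo whatever crypt_up managed to do, in reverse order. Failures are
# ignored because some of the steps may never have happened.
crypt_down() {
    run umount "$MOUNTPOINT" || true
    run cryptsetup remove "$MAPNAME" || true
    run losetup -d "$LOOPDEV" || true
}

# Load the modules, attach the file, map it through dm-crypt and mount it.
crypt_up() {
    run modprobe loop
    run modprobe dm-crypt            # pulls in dm-mod as well
    run losetup "$LOOPDEV" "$IMAGE" || return 1
    # cryptsetup prompts for the passphrase here. Plain dm-crypt has no
    # header, so a wrong passphrase is not detected at this point; -y makes
    # it ask twice, which catches most typos before anything is mounted.
    if ! run cryptsetup -c "$CIPHER" -y create "$MAPNAME" "$LOOPDEV"; then
        run losetup -d "$LOOPDEV"
        return 1
    fi
    # A mount failure right after a fresh mapping usually means the
    # passphrase was wrong: the device then contains garbage, not ext3.
    if ! run mount /dev/mapper/"$MAPNAME" "$MOUNTPOINT"; then
        echo "mount failed: wrong passphrase? tearing down" >&2
        run cryptsetup remove "$MAPNAME"
        run losetup -d "$LOOPDEV"
        return 1
    fi
}

case "${1:-}" in
    up)   crypt_up ;;
    down) crypt_down ;;
    *)    echo "usage: $0 up|down   (set DRY_RUN=1 to only print commands)" >&2 ;;
esac
```

Run it as root with sh cryptovol.sh up before you need the files and sh cryptovol.sh down when you are done; DRY_RUN=1 sh cryptovol.sh up shows the exact command sequence without touching the system. Keeping the teardown in the same script is what makes the error path safe: a half-finished setup never leaves a stale loop device or mapping behind for the next attempt to trip over.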