Cryptoloop

Cryptoloop is a disk encryption module for Linux which relies on the CryptoAPI in the 2.6 Linux kernel series. It was first introduced in the 2.5.x kernel series. Its functionality is incorporated into the device mapper, a generic framework used to map one block device into another.

~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Cryptoloop can create an encrypted file system within a partition or from within a regular file in the regular file system. Once a file is encrypted, it can be moved to another storage device. This is accomplished by making use of a loop device, a pseudo-device that enables a normal file to be mounted as if it were a physical device. By encrypting I/O to the loop device, any data being accessed must first be decrypted before passing through the regular file system; conversely, any data being stored will be encrypted.

~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Cryptoloop is vulnerable to watermarking attacks,{{cite web| last = SecuriTeam| title = Linux Cryptoloop Watermark Exploit| date = 2005-05-26| url = http://www.securiteam.com/exploits/5UP0P1PFPM.html| accessdate = 2006-08-09 }} making it possible to determine presence of watermarked data on the encrypted filesystem:

~ ~ ~ ~ ~ ~ ~ ~ ~ ~

This attack exploits weakness in IV computation and knowledge of how file systems place files on disk. This attack works with file systems that have soft block size of 1024 or greater. At least ext2, ext3, reiserfs and minix have such property. This attack makes it possible to detect presence of specially crafted watermarked files, such as, unreleased Hollywood movies, cruise missile service manuals, and other content that you did not create yourself. Watermarked files contain special bit patterns that can be detected without decryption.

~ ~ ~ ~ ~ ~ ~ ~ ~ ~

{{cite web| last = Saarinen| first = Markku-Juhani O.| title = Re: Oopsing cryptoapi (or loop device?) on 2.6.*| date = 2004-02-19| url = http://marc.theaimsgroup.com/?l=linux-kernel&m=107719798631935&w=2| accessdate = 2006-08-09 }}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Newer versions of cryptoloop's successor, dm-crypt, are less vulnerable to this type of attack if used correctly.{{cite web |author=Markus Reichelt |date=2004-06-20 |title=Why Mainline Cryptoloop Should Not Be Used |url=http://mareichelt.de/pub/texts.cryptoloop.php?alt_styles=2 |accessdate=2007-04-20 }}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~