2. Introduction

There are currently a few alternatives to using Cryptoloop. Loop-AES (http://loop-aes.sourceforge.net) is probably the most well-known. It provides very similar functionality to Cryptoloop. Aes-loop is currently more mature than Cryptoloop and it is also faster (about twice as fast, according to the author of loop-AES), because it uses a highly optimized assembler implementation for AES. This doesn't mean that Cryptoloop is slow. I have not noticed any significant speed differences between a Cryptoloop-encrypted partition and a non-encrypted partition during everyday work with normal amounts of I/O. Unless I/O performance is extremely important to you, Cryptoloop should do just fine. Loop-AES offers some additional features that are not yet present in the kernel implementation of Cryptoloop. Loop-AES requires modified userspace tools (mount, losetup) and these modifications are incompatible with Cryptoloop. You will not be able to use Cryptoloop and Loop-AES at the same time.

In terms of security, Cryptoloop is doing ok. The key is usually generated from a password and its hash is used as the key to AES. This leads to the possibility of a known-plaintext attack. Loop-AES is superior in this regard, because it generates a random key and encrypts this key separately, making a known-plaintext attack more difficult. Loop-AES also supports a multi-key mode, where sectors are encrypted with 64 separate AES keys. In general, a brute-force attack on your password can be very effective, if you choose a weak password. To be on the safe side, your password should be at least 20 characters long. Otherwise a brute-force attack on the password will be much easier than trying to brute-force the AES encryption directly.

The Cryptoloop functionality in the standard kernel provides a stable and clean implementation without the need for extra patches. Since it is still fairly new, it may not have gotten the necessary amount of review in terms of security. You have to decide for yourself what is suitable for you.

IMPORTANT: Cryptoloop has been marked deprecated in the latest 2.6 kernel. This means that it will no longer be maintained actively. The successor to Cryptoloop will be dm-crypt. Dm-crypt is available in the main kernel since 2.6.4. Cryptoloop will still be available in the main kernel for a long time, but dm-crypt will be the method of choice for disk encryption in the future. Dm-crypt is based on the device mapper and offers pretty much the same functionality as Cryptoloop. It is still very new and there are no easy-to-use userspace tools available yet. Dm-crypt is considered to be much cleaner code than Cryptoloop, but there are some important differences. For example, creating an ecrypted filesystem within a file will still require to go through a loop device, but this support is still in development.

There are other tools which allow you to create an encrypted file system. BestCrypt is a commercial product from Jetico. It allows you to create encrypted containers and has a large choice of ciphers. It also offers some nifty features such as hidden containers. It is available for Windows and Linux, which makes it suitable for interchanging encrypted containers between Windows and Linux. BestCrypt now compiles on 2.6 kernels as well. Cryptoloop can also create containers that can be moved around, by creating the encrypted file system within a file as described below. I don't know of a way to access the Cryptoloop-encrypted files from other operating systems such as Windows. In this case, BestCrypt may be your only choice.

There are other commercial disk encryption tools such as PGP disk, but to my knowledge there is no Linux support for them.