3. Creating the encrypted root filesystem

Fill the target partition with random data:

# shred -n 1 -v /dev/hda2

Set up the encrypted loopback device:

# losetup -e aes128 -S xxxxxxxxxx /dev/loop0 /dev/hda2

For better security, it is recommended to use the -S xxxxxxxxxx option, where "xxxxxxxxxx" is your (randomly) chosen seed. This defeats precomputed (optimized) dictionary attacks on the passphrase. The same seed must be given every time the loop device is set up.

Also, note that using 256-bit AES would not be any more secure, since even 128-bit AES is infeasible to crack by brute force. Furthermore, AES-256 is about 25% slower than AES-128.

Now create the ext2 (or ext3 or reiserfs) filesystem:

# mke2fs /dev/loop0

Check that you entered the password correctly: detach the loop device, set it up again with the same seed, and mount it. With a wrong password the decrypted data is garbage and the mount fails.

# losetup -d /dev/loop0
# losetup -e aes128 -S xxxxxxxxxx /dev/loop0 /dev/hda2
Password:
# mount /dev/loop0 /mnt

You can compare the decrypted view (/dev/loop0) with the ciphertext actually stored on disk (/dev/hda2):

# xxd /dev/loop0 | less
# xxd /dev/hda2  | less