In this tutorial, we'll cover how to create an encrypted container on Linux.  We'll also cover how to integrate its use into your environment.  You can think of this space as a safe, which you can open, store things in or read things from, and then close again.  Additionally, some of the techniques used to do this are generally quite valuable.  Among them are the ability to create files of arbitrary sizes, and create links that allow arbitrary scripts to be run as you would any other installed program.

I'm going to gloss over some of the more technical aspects of what the various tools do in favor of getting a encrypted container up and running quickly.  For more information, I recommend that you read the softwares' manuals, and investigate Logical Volume Management (LVM).

Creating and Using an Encrypted Container:

Before beginning, we'll need to get some software:

$ sudo apt update && sudo apt upgrade
$ sudo apt cryptsetup

The first step is create a file in which to create an encrypted file system.  Let's create a 1 gigabyte file.

To do this, I can use dd, specifying some arbitrary source of data, like /dev/zero, and providing count and bs (block size) parameters that add up to the size I want.  Count here is 1024*1024 (1 megabyte), while bs is 1024.  For our purposes of creating a file, the total file size is essentially bs*count, so whatever number you use for count will be the file's size in megabytes.  For fun, we'll call our encrypted container bucephalus.img:

$ dd if=/dev/zero of=bucephalus.img bs=1024 count=1048576

Now we'll make an encrypted file system out the file, using luksformat.  When prompted, type 'YES' to confirm you are willing to destroy all the data in the file, and then enter a passphrase for the encrypted container three times:

$ sudo luksformat bucephalus.img 
Creating encrypted device on bucephalus.img...

WARNING!
========
This will overwrite data on bucephalus.img irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for bucephalus.img: 
Verify passphrase: 
Please enter your passphrase again to verify it
Enter passphrase for bucephalus.img: 
mkfs.fat 4.1 (2017-01-24)

$

Next we need a place to mount our newly encrypted container.  We'll make one at /mnt/my_safe:

$ sudo mkdir /mnt/my_safe

Now let's mount our newly created container.  To do this we need to first setup a device mapping, and then we can mount it as we would anything else.  We can name the mapping whatever we want.  I'll use 'abcd':

$ sudo cryptsetup luksOpen bucephalus.img abcd
Enter passphrase for bucephalus.img:
$ sudo mount /dev/mapper/abcd /mnt/my_safe

We can now look at, and write files into, our new encrypted space:

$ cd /mnt/my_safe
$ echo 'My Encrypted Space!' | sudo tee README.txt
$ ls -l
-rwxr-xr-x 1 root root 20 Apr  4 17:04 README.txt*
$ cat README.txt
My Encrypted Space!
$

Great!  Because we mounted our encrypted space as root, we will need to use sudo if we want to make changes.

Now let's unmount the space, and remove the mapping.  Removing the mapping with luksClose functionally 'locks' the contents:

$ sudo umount /mnt/my_space
$ sudo cryptsetup luksClose abcd

We've now created an encrypted file system, stored in the file bucephalus.img, and learned to both unlock and mount it, as well as unmount and lock it.

Making the Container Easy to Use:

We can easily automate this process so that we can much more quickly make use of the encrypted space.  To do this, we'll create two scripts that do what we just did manually.  The first will create a mount point and a mapping, and then mount our image.  The second will do the opposite.

Create a new file wherever you store custom programs or scripts.  I will place mine in ~/Scripts/, so creating two new script files would look something like this:

$ cd ~/Scripts/
$ touch open_safe.sh close_safe.sh

In 'open_safe.sh' write the following:

#!/bin/bash

# Mount Point:
sudo mkdir /mnt/my_space

# Decrypt and Mount:
sudo cryptsetup luksOpen $HOME/bucephalus.img abcd
sudo mount /dev/mapper/abcd /mnt/my_space

In 'close_safe.sh' write the following:

#!/bin/bash

# Unmount and Encrypt:
sudo umount /mnt/my_space
sudo cryptsetup luksClose abcd

# Remove Mount Point:
sudo rmdir /mnt/my_space

Then make both executable:

$ chmod +x open_safe.sh close_safe.sh

Lastly, we need to make shortcuts to these scripts and place them somewhere in our environment's PATH:

$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

/usr/local/bin seems like a good candidate.  Let's make shortcuts, by placing links to our scripts in one of the locations in our PATH, called 'open-safe' and 'close-safe':

$ sudo ln -s ~/Scripts/open_safe.sh /usr/local/bin/open-safe
$ sudo ln -s ~/Scripts/close_safe.sh /usr/local/bin/close-safe

Now, we can open and close our encrypted container simply by running 'open-safe' in a terminal, and entering our passphrase!  We can then close and lock the container with 'close-safe'!

$ open-safe
[sudo] password for user: 
Enter passphrase for /home/user/bucephalus.img: 
$ cd /mnt/my_safe
$ cat README.txt
My Encrypted Space!
$ cd
$ close-safe

Voila!

Technical information about your version of cryptsetup, and the kind of cryptography it uses by default (as we've used here) can be found by running cryptsetup --help.  The following was the output on Debian 10 having installed cryptsetup from the official repos:

$ sudo cryptsetup --help
...
Default compiled-in device cipher parameters:
	loop-AES: aes, Key 256 bits
	plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
	LUKS: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom
	LUKS: Default keysize with XTS mode (two internal keys) will be doubled.

Caveats:

  1. As always, if your life depends on the security of something you don't understand, you have a severe vulnerability.  I suppose we're all believers.
  2. Less philosophically, this setup is obvious and as such is not secure against many attacks.  Coercion for example.
  3. All that aside, this is a very easy, and by most standards very secure way of setting up a digital lock box.
# Reads: 7584