[software/elephly-net.git] / posts / 2013-10-01-dm-crypt.markdown
---
title: How to create an encrypted file container with dm-crypt
tags: gnu, linux, crypto, tutorial
---

Here are some instructions on how to create an encrypted filesystem on a file.

Create an empty file with the size of your container. Here I'll use a 100MB
container. The file is created with `dd`, which reads chunks from an input
device and writes them to a file or another device.

    dd if=/dev/zero bs=1M count=100 of=~/my-container.img

This command means the following: read 100 chunks of one megabyte from the zero
device `/dev/zero` and write them to the file `~/my-container.img`. This will
create a file named `my-container.img` in your home directory that is
about 100MB of zeros[^1].

[^1]: You could use `/dev/urandom` as the input device instead. That is
slower, but it is not pointless: `luksFormat` below only writes the LUKS
header, it does not overwrite the rest of the file, so a container created
from `/dev/zero` stays zero wherever nothing has been written yet, and anyone
who can read the file can tell how much of it holds encrypted data. Filling it
from `/dev/urandom` first hides that (`/dev/random` would be far slower for no
benefit). An equivalent option is to write zeros to `/dev/mapper/secret-device`
once the container is open, which stores them as ciphertext.

Next, we'll initialise the LUKS header on the file and set the initial
passphrase.

    sudo cryptsetup luksFormat ~/my-container.img

Note that you need to type "YES" (i.e. "yes" in *uppercase*) to confirm the
operation; if you type anything else the command simply aborts without a
clear error message, which may be confusing. `luksFormat` overwrites whatever
is at the given path, so make sure that the file you want to format is your
container file or an empty partition's device file. Input your passphrase when
prompted. You will have to input this passphrase whenever you open the
container unless you decide to store the passphrase with the container (which
obviously is not very safe). Note that you have to run this as root, because
cryptsetup must set up a loopback device for the file. (On the Hurd this would
not be necessary, I think.)

Now, we'll open the container. Opening the container creates a kernel device
file which can then be mounted.

    sudo cryptsetup luksOpen ~/my-container.img secret-device

This command will prompt for the container's passphrase and then create a
device file with the name `/dev/mapper/secret-device`. You may choose another
name than "secret-device".

The container is now open: reads from `/dev/mapper/secret-device` are
decrypted and writes to it are encrypted on the fly, while the file itself
only ever holds ciphertext. Since the device has no filesystem yet we still
cannot put any data on it. Use `mkfs.ext4` to create an ext4 filesystem on
the opened container:

    sudo mkfs.ext4 /dev/mapper/secret-device

Now the filesystem can be mounted like a filesystem on a regular block device.

    mkdir ~/my-mount-point
    sudo mount /dev/mapper/secret-device ~/my-mount-point

The first command creates a new mount point (an empty directory) named
"my-mount-point" in your home directory. The second command mounts the
decrypted device at this location.

You can now write to the directory as usual (the root of the fresh filesystem
belongs to root, so either write with `sudo` or `chown` the mounted directory
to your user once). Once you are done follow these steps to unmount the
filesystem and close the container. Closing does not re-encrypt anything (the
data on disk was encrypted all along); it removes the `/dev/mapper` device and
discards the key from kernel memory, so the contents cannot be read again
without the passphrase:

    sudo umount ~/my-mount-point
    sudo cryptsetup luksClose secret-device

To access the container again only these two commands are required:

    sudo cryptsetup luksOpen ~/my-container.img secret-device
    sudo mount /dev/mapper/secret-device ~/my-mount-point
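The whole procedure above as one script, with the checks a careful user wants before running destructive commands. This is an added example, not code from the original post. It assumes Linux with `cryptsetup` and `mkfs.ext4` installed and that it is run as root (for instance under `sudo`, in which case `$HOME` may be root's home); the container path, mapping name and mount point are the post's hypothetical ones and can be overridden through environment variables. `container_state` inspects the first six bytes of the file for the LUKS magic so the script refuses to `luksFormat` over an existing file and refuses to `luksOpen` something that is not a container.

```shell
#!/bin/sh
# Added example, not part of the original post: the container workflow as one
# script. Assumes Linux with cryptsetup and mkfs.ext4, run as root (sudo).
# Paths and names below are hypothetical defaults; override them via environment.
set -eu
umask 077   # the container file and mount point should not be world-readable

CONTAINER="${CONTAINER:-${HOME:-/tmp}/my-container.img}"
MAPPING="${MAPPING:-secret-device}"
MOUNTPOINT="${MOUNTPOINT:-${HOME:-/tmp}/my-mount-point}"
SIZE_MB="${SIZE_MB:-100}"

# Classify a path by its first six bytes. Both LUKS1 and LUKS2 headers start
# with the magic "LUKS" 0xba 0xbe. Prints one of: missing | luks | not-luks.
# Uses only od, so it works before (and without) touching cryptsetup.
container_state() {
    [ -e "$1" ] || { echo missing; return 0; }
    magic=$(od -An -t x1 -N 6 "$1" | tr -d ' \n')
    if [ "$magic" = "4c554b53babe" ]; then echo luks; else echo not-luks; fi
}

# The post's first three steps: allocate the file, luksFormat it, put a
# filesystem on the opened mapping, then close it again.
create_container() {
    if [ "$(container_state "$CONTAINER")" != missing ]; then
        echo "refusing to overwrite existing $CONTAINER" >&2
        return 1
    fi
    # Random fill so unused space is indistinguishable from ciphertext
    # (luksFormat only writes the header, it does not fill the data area).
    dd if=/dev/urandom bs=1M count="$SIZE_MB" of="$CONTAINER"
    # --batch-mode skips the uppercase YES prompt; the passphrase is still asked for.
    cryptsetup luksFormat --batch-mode "$CONTAINER"
    if [ "$(container_state "$CONTAINER")" != luks ]; then
        echo "luksFormat did not produce a LUKS header in $CONTAINER" >&2
        return 1
    fi
    cryptsetup luksOpen "$CONTAINER" "$MAPPING"
    mkfs.ext4 "/dev/mapper/$MAPPING"
    cryptsetup luksClose "$MAPPING"
}

# Open and mount; if the mount fails, do not leave the mapping (and key) behind.
open_container() {
    if [ "$(container_state "$CONTAINER")" != luks ]; then
        echo "$CONTAINER is not a LUKS container" >&2
        return 1
    fi
    mkdir -p "$MOUNTPOINT"
    cryptsetup luksOpen "$CONTAINER" "$MAPPING"
    mount "/dev/mapper/$MAPPING" "$MOUNTPOINT" || {
        cryptsetup luksClose "$MAPPING"
        return 1
    }
}

# Unmount, then remove the mapping; the key leaves kernel memory with it.
close_container() {
    umount "$MOUNTPOINT"
    cryptsetup luksClose "$MAPPING"
}

main() {
    case "${1:-}" in
        create) create_container ;;
        open)   open_container ;;
        close)  close_container ;;
        *) echo "usage: $0 create|open|close" >&2; return 2 ;;
    esac
}

# Run only when given a subcommand, so the file can also be sourced for its functions.
[ $# -eq 0 ] || main "$@"
```

Usage: `sudo sh container.sh create` once, then `sudo sh container.sh open` and `sudo sh container.sh close` around each session. The header check is deliberately independent of cryptsetup (`cryptsetup isLuks` would do the same with the real tool) so that the refusal to overwrite works even if the path was mistyped to point at something that is not a LUKS device but does hold data.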