blob: 401de8709248971020b36299eb5b4dac5a6e4c06 (
about) (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
|
---
title: How to create an encrypted file container with dm-crypt
tags: gnu, linux, crypto, tutorial
---
Here are some instructions on how to create an encrypted filesystem on a file.
Create an empty file with the size of your container. Here I'll use a 100MB
container. The file is created with `dd` which reads chunks from an input
device and writes the contents to a file or another device.
dd if=/dev/zero bs=1M count=100 of=~/my-container.img
This command means the following: read 100 chunks of one megabyte from the zero
device `/dev/zero` and write them to the file `~/my-container.img`. This will
create a file named `my-container.img` in your home directory that will be
about 100MB of zeros[^1].
[^1]: You could use `/dev/random` as the input device if you wanted to, but
that would be considerably slower and wouldn't help you much. Later commands
will initialise the file/partition, so you don't need to initialise it manually
with random numbers.)
Next, we'll initialise the LUKS partition on the file and set the initial
passphrase.
sudo cryptsetup luksFormat ~/mycontainer
Note that you need to type "YES" (i.e. "yes" in *uppercase*) to confirm the
operation; there is no error message when you fail this step which may be
confusing. Make sure that the file you want to format is your container file
or an empty partition's device file. Input your passphrase when prompted. You
will have to input this passphrase whenever you mount the container unless you
decide to store the passphrase with the container (which obviously is not very
safe). Note that you have to run this as root, because cryptsetup must access
the loopback device. (On the Hurd this would not be necessary, I think.)
Now, we'll open the container. Opening the container creates a kernel device
file which can then be mounted.
sudo cryptsetup luksOpen ~/mycontainer secret-device
This command will prompt for the container's passphrase and then create a
device file with the name `/dev/mapper/secret-device`. You may choose another
name than "secret-device".
The container is now decrypted. Since the device has no filesystem yet we
still cannot put any data on it. Use `mkfs.ext4` to create an ext4 filesystem
on the decrypted container:
sudo mkfs.ext4 /dev/mapper/secret-device
Now the filesystem can be mounted like a filesystem on a regular block device.
mkdir ~/my-mount-point
sudo mount /dev/mapper/secret-device ~/my-mount-point
The first command creates a new mount point (an empty directory) named
"my-mount-point" in your home directory. The second command mounts the
decrypted device at this location.
You can now write to the directory as usual. Once you are done follow these
steps to unmount the device and close (= re-encrypt) the container:
sudo umount ~/my-mount-point
sudo cryptsetup luksClose secret-device
To access the container again only these two commands are required:
sudo cryptsetup luksOpen ~/mycontainer secret-device
sudo mount /dev/mapper/secret-device ~/my-mount-point
|
