Title: Encrypted file containers using LUKS Date: 2014-07-05 Tags: linux, security, encryption
While I do use full partition encryption using LVM+LUKS, I have a few files on Dropbox that I want to be encrypted there as well. So, I have chosen to use file containers.
And now that TrueCrypt is no longer trusted,
and I no longer use any of the files I had
put in TrueCrypt containers under Windows,
I have switched to using just
This topic has been covered in a lot of places by a lot of people, but it has been simplified across the years. And, I’m using the steps out of a couple articles, which makes it annoying every time I try to remember and then find the steps. So, I’m posting them here, because I think I can remember my own site!
(I’m adapting this comment to this article, adding LUKS keys as shown on the Arch wiki, which provides more explaination and reasoning than I do here.)
Here we are going to create the container, generate and add a random LUKS key, put a file system on it and set up a directory to mount it to.
Almost all of these commands require root privileges, so take whatever means you need to do that first; I’m using CrunchBang, a port of Ubuntu.
# Simplify pathing; change to your working directory cd ~/Dropbox # switch to super-user sudo su # install cryptsetup if needed apt-get install cryptsetup # create the container; I'm making # a 256M container: dd if=/dev/urandom of=test.bin bs=1M count=256M # set it up for luks; answer caps YES cryptsetup luksFormat test.bin # it will prompt you twice for a password # now add an extra key so you don't # have to type the password every # time you want to use the container # - add the directory if needed mkdir -p /etc/keys # - make the key w/ 2K of random text dd if=/dev/urandom of=/etc/keys/test.key bs=512 count=4 # - change the key so only root can read chmod 400 /etc/keys/test.key # - assign the key to the next slot for test.bin cryptsetup luksAddKey test.bin /etc/keys/test.key # open the container using our key; maps it to /dev/mapper/test cryptsetup luksOpen test.bin test -d /etc/keys/test.key # create a file system in it (so we can actually use it) mkfs.ext2 /dev/mapper/test # create a directory to mount to, # and give yourself ownership mkdir /mnt/test mount /dev/mapper/test /mnt/test chown damon:damon /mnt/test # we can close it for now umount /mnt/test cryptsetup luksClose test # and exit the super user exit
Now, we have created the file container,
and it’s ready to go for future use.
still requires root permissions, but here
we only have a couple commands so I’ll sudo
instead. In the future you just:
# 1. open the container cd ~/Dropbox sudo cryptsetup luksOpen test.bin test -d /etc/keys/test.key # 2. mount it sudo mount /dev/mapper/test /mnt/test # 3. make our changes cd /mnt/test touch urFace rm urFace # take his face... off # 4. unmount it cd sudo umount /mnt/test # 5. close the container sudo cryptsetup luksClose test
And that’s it.