Title: Encrypted file containers using LUKS Date: 2014-07-05 Tags: linux, security, encryption

Intro / Reasoning

While I do use full partition encryption using LVM+LUKS, I have a few files on Dropbox that I want to be encrypted there as well. So, I have chosen to use file containers.

And now that TrueCrypt is no longer trusted, and I no longer use any of the files I had put in TrueCrypt containers under Windows, I have switched to using just cryptsetup.

This topic has been covered in a lot of places by a lot of people, but it has been simplified across the years. And, I’m using the steps out of a couple articles, which makes it annoying every time I try to remember and then find the steps. So, I’m posting them here, because I think I can remember my own site!

(I’m adapting this comment to this article, adding LUKS keys as shown on the Arch wiki, which provides more explaination and reasoning than I do here.)

Preparation / Creating the container

Here we are going to create the container, generate and add a random LUKS key, put a file system on it and set up a directory to mount it to.

Almost all of these commands require root privileges, so take whatever means you need to do that first; I’m using CrunchBang, a port of Ubuntu.

# Simplify pathing; change to your working directory
cd ~/Dropbox

# switch to super-user
sudo su

# install cryptsetup if needed
apt-get install cryptsetup

# create the container; I'm making
# a 256M container:
dd if=/dev/urandom of=test.bin bs=1M count=256M

# set it up for luks; answer caps YES
cryptsetup luksFormat test.bin
# it will prompt you twice for a password

# now add an extra key so you don't
# have to type the password every
# time you want to use the container
# - add the directory if needed
mkdir -p /etc/keys
# - make the key w/ 2K of random text
dd if=/dev/urandom of=/etc/keys/test.key bs=512 count=4
# - change the key so only root can read
chmod 400 /etc/keys/test.key
# - assign the key to the next slot for test.bin
cryptsetup luksAddKey test.bin /etc/keys/test.key

# open the container using our key; maps it to /dev/mapper/test
cryptsetup luksOpen test.bin test -d /etc/keys/test.key

# create a file system in it (so we can actually use it)
mkfs.ext2 /dev/mapper/test

# create a directory to mount to,
# and give yourself ownership
mkdir /mnt/test
mount /dev/mapper/test /mnt/test
chown damon:damon /mnt/test

# we can close it for now
umount /mnt/test
cryptsetup luksClose test

# and exit the super user

Subsequently using the container

Now, we have created the file container, and it’s ready to go for future use. cryptsetup still requires root permissions, but here we only have a couple commands so I’ll sudo instead. In the future you just:

# 1. open the container
cd ~/Dropbox
sudo cryptsetup luksOpen test.bin test -d /etc/keys/test.key

# 2. mount it
sudo mount /dev/mapper/test /mnt/test

# 3. make our changes
cd /mnt/test
touch urFace
rm urFace # take his face... off
# 4. unmount it
sudo umount /mnt/test

# 5. close the container
sudo cryptsetup luksClose test

And that’s it.