Create an encrypted container in linux

If you have files you want kept in an encrypted container, similar to a password-protected zip file, this is how to do it with LUKS. When mapping the container file you either enter a password or use a key file to unlock it. I will use manual password entry to unlock the container.

Installing cryptsetup

Use yum or apt to install cryptsetup, or download the source and build it yourself. I will use apt as the example.

# apt-get install cryptsetup

Creating the container file

Create a 1GB file named ‘PRIVATE’:

# fallocate -l 1GB PRIVATE

Initialise the file as a LUKS container:

# cryptsetup -v luksFormat PRIVATE

Open (decrypt) the container, which creates /dev/mapper/private_file:

# cryptsetup -v luksOpen PRIVATE private_file

Format the mapped device as ext4:

# mkfs -t ext4 /dev/mapper/private_file

Mounting and unmounting the container file

Make sure the container is open:

# cryptsetup -v luksOpen PRIVATE private_file

Mount private_file:

# mkdir /mnt/private_file
# mount /dev/mapper/private_file /mnt/private_file

Unmount and close the container:

# umount /mnt/private_file
# cryptsetup luksClose private_file

Mounting automatically with a key file or online key

You can auto-mount your encrypted container by creating a key file.
In this example I use the string “MyRandomString123”; write it to a file (without a trailing newline) and add that file as a key. Better is to use a random pwgen string of 64 characters!

# printf '%s' MyRandomString123 > MyKeyFile
# cryptsetup luksAddKey PRIVATE ./MyKeyFile

Or, to create a key file with a random string:

# pwgen -s 64 1 > MyKeyFile
# cryptsetup luksAddKey PRIVATE ./MyKeyFile

Place this key file somewhere on your filesystem (e.g. /root) or on an online page and use it to open the container. Pass it with --key-file rather than piping it in as a password: a key file is used as-is, including the trailing newline pwgen writes, whereas a password read from stdin stops at the first newline, so the piped form would not match the key added above. Anyone who can fetch the online copy can unlock the container, so it needs the same protection as the password.

# cryptsetup -v luksOpen --key-file /root/MyKeyFile PRIVATE private_file

Or from the online copy:

# curl -s https://my_site.tld/MyKeyFile | cryptsetup -v luksOpen --key-file=- PRIVATE private_file

Or let the system open and mount it at boot. Add to /etc/crypttab (the container is assumed to live at /root/PRIVATE, and the key file must be readable at boot):

private_file /root/PRIVATE /root/MyKeyFile luks 

And add to /etc/fstab:

/dev/mapper/private_file /mnt/private_file ext4 defaults 0 2
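The whole procedure above, automated as an added example that is not part of the original post: it generates the key file, creates and formats the container, opens and mounts it, and prints the crypttab and fstab lines. It assumes a Linux host with root, cryptsetup and fallocate, uses /dev/urandom in place of pwgen, and the paths /root/PRIVATE, /root/MyKeyFile and /mnt/private_file are placeholders.

```shell
#!/bin/sh
# Added example, not the post's own commands: automates the container
# setup above with a key file. Uses --key-file on both luksFormat and
# luksOpen so the key bytes are read identically each time.
# Assumed paths/names: /root/PRIVATE, /root/MyKeyFile, /mnt/private_file.
set -eu

# Create a 64-byte random key readable only by root. /dev/urandom replaces
# the pwgen step from the post; umask 077 keeps it private from creation.
make_key_file() {   # make_key_file <path>
    key="$1"
    ( umask 077; head -c 64 /dev/urandom > "$key" )
    chmod 0400 "$key"
    # Success only if the file is non-empty and mode 0400 (GNU stat).
    [ -s "$key" ] && [ "$(stat -c %a "$key")" = "400" ]
}

# The /etc/crypttab line: opens the container at boot with the key file.
crypttab_line() {   # crypttab_line <mapper-name> <container> <key-file>
    printf '%s %s %s luks\n' "$1" "$2" "$3"
}

# The /etc/fstab line: mounts the mapped device once crypttab opened it.
fstab_line() {      # fstab_line <mapper-name> <mount-point>
    printf '/dev/mapper/%s %s ext4 defaults 0 2\n' "$1" "$2"
}

# Full create flow; needs root, cryptsetup, fallocate and device-mapper.
create_container() { # <container> <size> <mapper-name> <key-file> <mount-point>
    ctr="$1"; size="$2"; name="$3"; key="$4"; mnt="$5"
    make_key_file "$key"
    fallocate -l "$size" "$ctr"
    # -q skips the "are you sure" prompt; the key file becomes the only key slot.
    cryptsetup -q luksFormat --key-file "$key" "$ctr"
    cryptsetup luksOpen --key-file "$key" "$ctr" "$name"
    mkfs -t ext4 -q "/dev/mapper/$name"
    mkdir -p "$mnt"
    mount "/dev/mapper/$name" "$mnt"
    echo "crypttab: $(crypttab_line "$name" "$ctr" "$key")"
    echo "fstab:    $(fstab_line "$name" "$mnt")"
}

# Only performs the steps when run as: sh mkcontainer.sh create
case "${1:-}" in
    create) create_container /root/PRIVATE 1G private_file /root/MyKeyFile /mnt/private_file ;;
esac
```

The generated key file is binary, which LUKS accepts; close the container with umount followed by cryptsetup luksClose as shown earlier.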

7 thoughts on “Create an encrypted container in linux”

  1. Hi, thanks for this quick and useful tutorial! I just wanted to let you know that you probably meant to write “And add to /etc/fstab”, not “And add to /etc/crontab” as the last step.

  2. Unfortunately this doesn’t seem to work as regular user:

    $ cryptsetup open vault.img vault_file
    Enter passphrase for vault.img:
    Cannot initialize device-mapper, running as non-root user.

    Any ideas?

    P.S.: the file should not automatically mount on boot and udiskctl works with block devices only.

    1. Hi Paole,

      What if you try
      $ sudo cryptsetup open vault.img vault_file

      It looks like you do not have the permissions needed.

      1. Well, that’s exactly the point of my question: I would like to run cryptsetup as a regular / non-sudo user, but I didn’t find any possibility so far and hoped for some nice tweak.

        1. Hi Paole,

          You cannot run cryptsetup without sudo yet. This is a known thing on their wishlist but I’m not sure if it will be implemented anywhere soon.

          From what I can read you can however open a LUKS encrypted device using udiskctl, but I’m not sure if you can create a volume with it. From what I know you can lock and unlock volumes with it.
