How do I create an encrypted filesystem inside a file?

You can use cryptmount to encrypt a filesystem, also if the filesystem is on a file.

The cryptmount manual page has a very simple and detailed explanation that I report (modified) here, and it do mention explicitly a file based filesystem.

  • Step 1
    Add an entry in /etc/cryptmount/cmtab, as follows:

    mycrypt {
    dev=/media/data/mycrypt dir=/home/enzotib/mycrypt
    fstype=ext4 mountoptions=defaults cipher=twofish
    keyfile=/etc/cryptmount/mycrypt.key
    keyformat=builtin
}

    where /media/data/mycrypt is the support file created by dd and /home/enzotib/mycrypt is the desired mountpoint.

  • Step 2
    Generate a secret decryption key 

    sudo cryptmount --generate-key 32 mycrypt

  • Step 3
    Execute the following command

    sudo cryptmount --prepare mycrypt

    you will then be asked for the password used when setting up the key

  • Step 4
    Create the filesystem

    sudo mkfs.ext4 /dev/mapper/mycrypt

  • Step 5
    Execute

    sudo cryptmount --release mycrypt

  • Step 6
    Now mount the filesystem

    mkdir /home/enzotib/mycrypt
cryptmount -m mycrypt

    then unmount it

    cryptmount -u mycrypt

Also, if you need to crypt a directory, encfs may be worth to take into consideration.


Follow next steps to create an encrypted file with filesystem inside:

1. The faster way to create file of given size is:

fallocate -l 128M /path/to/file

2. Create LUKS (Linux Unified Key Setup) partition within the file using dm-crypt tools:

cryptsetup -y luksFormat /path/to/file

You can check that file is encrypted container:

/path/to/file: LUKS encrypted file, ver 1 [aes, xts-plain64, sha1] UUID: 7e2af5a1-3fab-43ea-a073-3b9cc6073f00

3. Open encrypted container:

cryptsetup luksOpen /path/to/file data

data is device mapper volume name. You can choose other name.

This opens the LUKS device, and maps it to a name that we supply, in our case creating a file at /dev/mapper/data.

4. Create ext4 filesystem on this device:

mkfs.ext4 /dev/mapper/data

5. Then create mount point:

mkdir /path/to/mount

6. And mount device there:

mount /dev/mapper/data /path/to/mount

7. To unmount filesystem and close LUKS device:

umount /path/to/mount
cryptsetup luksClose data

Now you have encrypted LUKS container with ext4 filesystem inside. When you want to use it simply repeat steps 3 and 6. When you are finished call step 7.

This article was very helpful to me.

Also one day your container will run out of space. Suppose encrypted container file size is 128 MB and we want to increase its size to 512 MB. To increase its capacity follow these steps:

1. Unmount and close LUKS device (see step 7 in above list).

2. Increase container file size:

 dd if=/dev/zero of=/path/to/file bs=384M count=1 oflag=append conv=notrunc

3. Open LUKS device.

cryptsetup luksOpen /path/to/file data

4. Resize LUKS device to match container file size. From man page:

If --size (in sectors) is not specified, the size of the underlying block device is used.

So you can just:

cryptsetup resize data

5. Then resize ext4 filesystem:

e2fsck -f /dev/mapper/data
resize2fs /dev/mapper/data

6. Now you can mount filesystem back:

mount /dev/mapper/data /path/to/mount

You can use the losetup command with the -e parameter to create an encrypted loop device. Details available at http://tldp.org/HOWTO/Cryptoloop-HOWTO/loopdevice-setup.html

Tags:

Encryption

Ext4

Filesystem

Recent Posts