Protect critical information with encrypted file containers

Do you have sensitive or critical information and/or customer data on your computer that you need to protect for prolonged periods from physical attacks and unintended data disclosures? The answer to this question is encryption. Without encryption you can’t effectively protect them and they are viewable and accessible to everyone that has access to your system.

In this blog post will focus on creating a brute-force-resistant, authenticated and encrypted file container (LUKS). The purpose of this encrypted file-system (a.k.a. encrypted volume, vault) is to store your sensitive data securely, preventing malware and intruders from accessing the files stored inside. Your sensitive files can only be accessed with the right software and password (or decryption key).

Linux Unified Key Setup (LUKS)

The Linux Unified Key Setup (LUKS) is a disk encryption specification. LUKS implements a platform-independent standard on-disk format. This not only facilitates compatibility and interoperability among different programs, but also assures that they all implement password management in a secure and documented manner. The reference implementation for LUKS operates on Linux and is based on an enhanced version of cryptsetup, using dm-crypt as the disk encryption backend. Under Microsoft Windows, LUKS-encrypted disks can be used with the now defunct FreeOTFE. LUKS is designed to conform to the TKS1 secure key setup scheme.



dm-crypt is a transparent disk encryption subsystem in Linux kernel versions 2.6 and later and in DragonFly BSD. It is part of the device mapper infrastructure, and uses cryptographic routines from the kernel’s Crypto API. Unlike its predecessor cryptoloop, dm-crypt was designed to support advanced modes of operation, such as XTS, LRW and ESSIV, in order to avoid watermarking attacks. dm-crypt is implemented as a device mapper target and may be stacked on top of other device mapper transformations. It can thus encrypt whole disks (including removable media), partitions, software RAID volumes, logical volumes, as well as files. It appears as a block device, which can be used to back file systems, swap or as an LVM physical volume. Some Linux distributions support the use of dm-crypt on the root file system. These distributions use initrd to prompt the user to enter a passphrase at the console, or insert a smart card prior to the normal boot process.



cryptsetup provides commands to deal with the LUKS on-disk format. This format provides additional features such as key management and key stretching (using PBKDF2), and remembers encrypted volume configuration across reboots.


Installing Cryptsetup

sudo apt install cryptsetup

Create an empty container e.g. 1GB

fallocate -l 1GB mycontainer.img


dd if=/dev/zero of=mycontainer.img bs=1 count=0 seek=1G 

Generate a random 4096 master key to unlock the container

dd if=/dev/urandom of=master.key bs=4096 count=1

Encrypt the container

sudo cryptsetup -y -c aes-xts-plain64 -s 512 -h sha512 -i 5000 --use-random luksFormat mycontainer.img master.key

Unlock the container

Creates a device file at /dev/mapper/myVolume

sudo cryptsetup luksOpen mycontainer.img myVolume --key-file master.key

Format the unlocked Volume with ext4 filesystem

sudo mkfs.ext4 /dev/mapper/myVolume

Mount the unlocked volume just like a regular disk to a local directory

mkdir ~/myPrivateData
sudo mount /dev/mapper/myVolume ~/myPrivateData
sudo chown -R $USER:$USER ~/myPrivateData

Lock the container

sudo umount ~/myPrivateData && sudo cryptsetup luksClose myVolume

Quickly access your container

sudo cryptsetup luksOpen mycontainer.img myVolume --key-file master.key
sudo mount /dev/mapper/myVolume ~/myPrivateData