How do I create an encrypted filesystem inside a file?
I've found this interesting tutorial on flossstuff blog.
It explains how to create an empty file, format it as ext4, and mount it as a device.
I'd like to know if it can be created as an encrypted ext4 file system.
I've tried using palimpsest (the disk utility found in the System menu) to format the already created file system, but it doesn't work because it detects that the file system is being used.
If I try to unmount the file system, that won't work either, because it doesn't detect the device (since it's not a real device like a hard drive or a USB drive).
So my question is, is there an option to create the file system as encrypted from the beginning? I've used these commands:
Create an empty file 200Mb size:
dd if=/dev/zero of=/path/to/file bs=1M count=200
Make it ext4:
mkfs -t ext4 file
Mount it in a folder inside my home:
sudo mount -o loop file /path/to/mount_point
Is there any way the mkfs command can create an encrypted ext4 filesystem that asks for a decryption password?
I'm planning to use this as a way to encrypt files inside Dropbox.
Follow these steps to create an encrypted file with a filesystem inside:
1. The fastest way to create a file of a given size is:
fallocate -l 128M /path/to/file
2. Create a LUKS (Linux Unified Key Setup) partition within the file using the dm-crypt tools:
cryptsetup -y luksFormat /path/to/file
You can check that the file is an encrypted container:
/path/to/file: LUKS encrypted file, ver 1 [aes, xts-plain64, sha1] UUID: 7e2af5a1-3fab-43ea-a073-3b9cc6073f00
3. Open the encrypted container:
cryptsetup luksOpen /path/to/file data
data is the device mapper volume name. You can choose another name. This opens the LUKS device and maps it to a name that we supply, in our case creating a file at /dev/mapper/data.
4. Create an ext4 filesystem on this device:
mkfs.ext4 /dev/mapper/data
5. Then create mount point:
mkdir /path/to/mount
6. And mount device there:
mount /dev/mapper/data /path/to/mount
7. To unmount filesystem and close LUKS device:
umount /path/to/mount
cryptsetup luksClose data
Now you have an encrypted LUKS container with an ext4 filesystem inside. When you want to use it, simply repeat steps 3 and 6. When you are finished, call step 7.
This article was very helpful to me.
Also, one day your container will run out of space. Suppose the encrypted container file is 128 MB and we want to increase its size to 512 MB. To increase its capacity, follow these steps:
1. Unmount and close the LUKS device (see step 7 in the list above).
2. Increase container file size:
dd if=/dev/zero of=/path/to/file bs=384M count=1 oflag=append conv=notrunc
3. Open the LUKS device:
cryptsetup luksOpen /path/to/file data
4. Resize the LUKS device to match the container file size. From the man page:
If --size (in sectors) is not specified, the size of the underlying block device is used.
So you can just:
cryptsetup resize data
5. Then resize the ext4 filesystem:
e2fsck -f /dev/mapper/data
resize2fs /dev/mapper/data
6. Now you can mount the filesystem again:
mount /dev/mapper/data /path/to/mount
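The create procedure (steps 1-7) and the grow procedure above, wrapped in one shell script as an added example; this is not code from the original answer. The subcommand names, the DRY_RUN switch and the default mapper name are this script's own assumptions, while every cryptsetup, mkfs and mount invocation is the one the answer uses. It adds two checks a practitioner wants before running these as root: it refuses to overwrite an existing file, and it refuses a "grow" that would actually shrink the container, since truncating a LUKS container destroys the data stored past the new end.

```shell
#!/bin/sh
# Added example, not from the original answer. Wraps the create (steps 1-7)
# and grow procedures in functions. Subcommand names, the DRY_RUN switch and
# the default mapper name are this script's own assumptions; every cryptsetup,
# mkfs and mount invocation is exactly the one the answer uses.
# Usage (as root):
#   DRY_RUN=0 sh luksfile.sh create /path/to/file 128M /path/to/mount
#   DRY_RUN=0 sh luksfile.sh grow   /path/to/file 512M
#   DRY_RUN=0 sh luksfile.sh close  /path/to/mount
# With DRY_RUN=1 (the default) commands are printed, not executed, so the
# plan can be checked before any device is touched.
set -e

DRY_RUN="${DRY_RUN:-1}"
MAPPER="${MAPPER:-data}"   # name under /dev/mapper, "data" in the answer

# Print one command and, unless DRY_RUN=1, execute it (set -e aborts on error).
run() {
  printf '+ %s\n' "$*"
  [ "$DRY_RUN" = 1 ] || "$@"
}

# True only for an unsigned decimal integer.
is_uint() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

# Convert 128M, 2G, 64K or a bare byte count to bytes.
to_bytes() {
  n=$1; mult=1
  case "$n" in
    *K) n=${n%K}; mult=1024 ;;
    *M) n=${n%M}; mult=$((1024 * 1024)) ;;
    *G) n=${n%G}; mult=$((1024 * 1024 * 1024)) ;;
  esac
  is_uint "$n" || { echo "bad size: $1" >&2; return 1; }
  echo $((n * mult))
}

# Bytes to append when growing from cur to want. Refuses to shrink, because
# cutting the tail off a LUKS container silently destroys the data stored there.
grow_bytes() {
  cur_b=$(to_bytes "$1"); want_b=$(to_bytes "$2")
  [ "$want_b" -gt "$cur_b" ] || { echo "new size must exceed current size" >&2; return 1; }
  echo $((want_b - cur_b))
}

# Steps 1-6: allocate, luksFormat, verify the header, open, mkfs.ext4, mount.
create_container() {
  file=$1; size=$2; mnt=$3
  [ ! -e "$file" ] || { echo "$file exists; refusing to overwrite it" >&2; return 1; }
  run fallocate -l "$size" "$file"
  run cryptsetup -y luksFormat "$file"
  run cryptsetup isLuks "$file"           # fails if no LUKS header was written
  run cryptsetup luksOpen "$file" "$MAPPER"
  run mkfs.ext4 "/dev/mapper/$MAPPER"
  run mkdir -p "$mnt"
  run mount "/dev/mapper/$MAPPER" "$mnt"
}

# Step 7: unmount, then close the mapping so the key leaves kernel memory.
close_container() {
  run umount "$1"
  run cryptsetup luksClose "$MAPPER"
}

# Grow: append zeros with dd, reopen, let cryptsetup pick up the new size,
# then grow ext4. The container must be closed first (step 7).
# CURSIZE is normally read from the file; pass it explicitly for a dry run.
grow_container() {
  file=$1; want=$2; cur=${3:-}
  [ -n "$cur" ] || cur=$(stat -c %s "$file")
  add=$(grow_bytes "$cur" "$want")
  [ $((add % 1048576)) -eq 0 ] || { echo "growth must be a multiple of 1M" >&2; return 1; }
  run dd if=/dev/zero of="$file" bs=1M count=$((add / 1048576)) oflag=append conv=notrunc
  run cryptsetup luksOpen "$file" "$MAPPER"
  run cryptsetup resize "$MAPPER"
  run e2fsck -f "/dev/mapper/$MAPPER"
  run resize2fs "/dev/mapper/$MAPPER"
}

main() {
  cmd=$1; shift
  case "$cmd" in
    create) create_container "$@" ;;
    grow)   grow_container "$@" ;;
    close)  close_container "$@" ;;
    *) echo "usage: $0 create FILE SIZE MOUNT | grow FILE NEWSIZE [CURSIZE] | close MOUNT" >&2; return 1 ;;
  esac
}

# Only dispatch when invoked with arguments, so the file can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it once with the default DRY_RUN=1 to see the exact command sequence it would execute, then again with DRY_RUN=0 as root. The growth amount is forced to a multiple of 1M so the dd call keeps the answer's bs=1M block size instead of falling back to a slow byte-at-a-time copy.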
You can use cryptmount to encrypt a filesystem, also if the filesystem is on a file.
The cryptmount manual page has a very simple and detailed explanation that I report (modified) here, and it does explicitly mention a file-based filesystem.
Step 1. Add an entry in /etc/cryptmount/cmtab, as follows:
mycrypt {
    dev=/media/data/mycrypt
    dir=/home/enzotib/mycrypt
    fstype=ext4
    mountoptions=defaults
    cipher=twofish
    keyfile=/etc/cryptmount/mycrypt.key
    keyformat=builtin
}
where /media/data/mycrypt is the support file created by dd and /home/enzotib/mycrypt is the desired mountpoint.
Step 2. Generate a secret decryption key:
sudo cryptmount --generate-key 32 mycrypt
Step 3. Execute the following command:
sudo cryptmount --prepare mycrypt
You will then be asked for the password used when setting up the key.
Step 4. Create the filesystem:
sudo mkfs.ext4 /dev/mapper/mycrypt
Step 5. Execute:
sudo cryptmount --release mycrypt
Step 6. Now mount the filesystem:
mkdir /home/enzotib/mycrypt
cryptmount -m mycrypt
then unmount it:
cryptmount -u mycrypt
Also, if you need to encrypt a directory, encfs may be worth taking into consideration.
You can use the losetup command with the -e parameter to create an encrypted loop device. Details available at http://tldp.org/HOWTO/Cryptoloop-HOWTO/loopdevice-setup.html