LUKS and loop device

encryption luks cryptsetup

Solution 1:

You can use dd or fallocate (or head or a few other tools) to create a file to act as your container. Then as Vincent Yu stated cryptsetup can handle the loop setup/teardown for you.

fallocate -l 100M mypath/filecontainer
sudo losetup # Debug for demonstration, not necessary in a real script
sudo cryptsetup -y luksFormat mypath/filecontainer
sudo losetup # Debug for demonstration, not necessary in a real script
sudo cryptsetup luksOpen mypath/filecontainer filecontainer
sudo losetup # Debug for demonstration, not necessary in a real script
sudo mkfs -t ext4 /dev/mapper/filecontainer
sync
sudo cryptsetup luksClose filecontainer
sudo losetup # Debug for demonstration, not necessary in a real script

In the debug sudo losetup output, note the AUTOCLEAR = 1 for the filecontainer entry. You could instead go crazy with loopdev=$(sudo losetup -f); mount -o loop <etc>, but letting cryptsetup handle it is WAY nicer.

The key is you want to make sure you FIRST use cryptsetup luksOpen containerfile mappedname to have it mounted to /dev/mapper/mappedname by default (you can give it a full path starting with / and it will mount there instead I believe, and THEN format the /dev/mapper/mappedname target and makes sure you are NOT touching the filecontainer directly, otherwise you are bypassing the encryption engine and just creating an unencrypted loopback file.

Solution 2:

If you don't manage the loop device yourself, cryptsetup will automatically set up a loop device and close it when it is no longer needed. So there is no difference between the two; cryptsetup always works on the loop device. See man cryptsetup:

NOTES ON LOOPBACK DEVICE USE

Cryptsetup is usually used directly on a block device (disk partition or LVM volume). However, if the device argument is a file, cryptsetup tries to allocate a loopback device and map it into this file. This mode requires Linux kernel 2.6.25 or more recent which supports the loop autoclear flag (loop device is cleared on last close automatically). Of course, you can always map a file to a loop-device manually. See the cryptsetup FAQ for an example.

When device mapping is active, you can see the loop backing file in the status command output. Also see losetup(8).

Related

How can I type special characters? [duplicate]
Why do I need to specify ":80" when using "apt-key adv"?
How to install ffmpeg on ubuntu? [duplicate]
How to make Synaptic the default to install .deb files? [duplicate]
What benefits would I see upgrading from 14.04 to 15.04 and what are some caveats? [duplicate]
Youtube Videos Are Not Playing in Ubuntu 14.04
Is it safe to delete btmp from log on ubuntu 14.04 rackapace server?
Ubuntu Software Centre is stalled installing a package and I can't install anything else
Nginx logrotate logs
position:fixed when left/top/right/bottom aren't specified - desired results in FF/IE, but not in Safari
How to start mouseover event while dragging
Preventing Canvas Clear when Resizing Window