[Was bored and figured I'd write up a fun little exercise to create your own mountable encrypted fs/volume/.img file.]
How to create an encrypted filesystem/disk img through cryptsetup/dmcrypt
Requirements: Some reasonable understanding of linux.
## Firstly you need a base .img file to hold the encrypted filesystem. The touch command works fine for this. Do it as your own user, not with sudo: a file created with sudo is owned by root, not by 'username', and the permission step below would then lock you out of your own image. (dd in the next step would also create the file for you; touch just makes the ownership explicit.)
touch /home/username/somename.img
## Setting permissions strictly for the file owner 'username' and none for group or other. 600 is enough: the image is data, so there's no reason for an execute bit on it:
chmod 600 /home/username/somename.img
## Time to make a mount point for your device/filesystem right now, instead of later on. A mount point is just a directory somewhere on your filesystem onto which you 'mount' the given device/fs. Here I create a directory in /home/username/ called 'sbase' and give full permissions to its owner and none to 'group' and 'other'. Again, create it as your own user: made with sudo it's root-owned, and 700 on a root-owned directory means you can't even enter your own mount point.
So the full command to do both in one shot:
mkdir /home/username/sbase && chmod 700 /home/username/sbase
## Now I use the dd command to fill the image file with random data from /dev/urandom; its size follows from the 'bs' and 'count' options. Filling with random bytes rather than zeros matters: the file then looks like noise end to end, so nobody inspecting the .img can tell which blocks have been written through the encrypted mapping and which are still untouched.
- 'if' is the input file; here /dev/urandom is the byte source
- 'of' is the output file to populate, in this case the .img file
- 'bs' is the block size read/written per operation; '1k' is 1024 bytes in GNU dd
- 'count' is how many blocks to write; 1000000 x 1024 bytes is about 1 GB [0.95 GiB]
Full command below. No sudo needed since the file is yours (add status=progress if you want to watch it, this takes a while):
dd if=/dev/urandom of=/home/username/somename.img bs=1k count=1000000
## Now we use losetup to attach somename.img to a loop device. A loop device makes a regular file look like a block device, which is what dm-crypt, mkfs and mount expect to work on.
## Loop device nodes live in /dev [/dev/loop0, /dev/loop1, /dev/loop2 etc]. Any free one can be used, but don't assume /dev/loop0 is free: snaps and other mounted images commonly hold it, and losetup will refuse a busy device. 'sudo losetup -a' lists the ones in use and 'sudo losetup -f' prints the first free one ('losetup -f --show file' attaches the file and prints the device it picked in one step).
With the full command you specify the loop device path first, then the path to your .img file:
sudo losetup /dev/loop0 /home/username/somename.img
### Now you need to set up the encrypted device on top of the newly attached loop device. The tool for this is cryptsetup, which drives the kernel's dm-crypt device-mapper target. The mode used here ('create', the older spelling of 'open --type plain') writes no header to the disk at all; it is purely a mapping:
sudo cryptsetup -y -h sha256 create sbase /dev/loop0
cryptsetup always prompts for a passphrase here. The -y (--verify-passphrase) option makes it prompt twice and compare the two entries. In plain mode that matters more than usual: the passphrase is hashed with the algorithm given by -h [here sha256], and that hash, cut or padded to the key size, IS the key. There is no salt, no iteration count and no header to check the result against, so a typo simply yields a different key and a device full of garbage, with no error from cryptsetup itself. You'll type this passphrase every time you open the device.
**MAKE SURE you formulate a strong passphrase** [in plain mode an attacker with the .img can test a guess with a single hash, there is no slow key derivation like LUKS has to hold them back]
The 'create' action needs a name for the new mapped block device, which appears as /dev/mapper/<name>; this can be any name. Mine's 'sbase', the same name as the mount point I'd created earlier.
-h specifies the hash used to turn the passphrase into the key
-c specifies the cipher spec, e.g. aes-xts-plain64 or aes-cbc-essiv:sha256
-s specifies the key size in bits; 256 is plenty for AES here
** Whatever you leave unspecified comes from the compiled-in plain-mode defaults, which 'cryptsetup --help' prints at the bottom of its output and which can differ between cryptsetup versions and distributions. Since nothing is stored on disk, the exact same -c, -s and -h must be given every time you open the device, so it's safer to spell all three out than to rely on defaults. **
**If you're unsure which ciphers your system supports, 'sudo cryptsetup benchmark' measures the key-derivation hashes first and then the throughput of the common cipher/mode/key-size combinations; the numbers are measured in memory only, with no storage I/O, so they are an upper bound. 'cat /proc/crypto' (no sudo needed) lists every algorithm the running kernel has registered.
## We've now created the mountable .img file [attached to loop0] and the encrypted device 'sbase' on top of it [which appears as /dev/mapper/sbase]. Now a filesystem needs to be created on that mapped device before anything can be mounted and files written, read, stored or executed. ext4 is the safe default today; others such as btrfs exist and bring their own features, but I won't get into them here.
## Time to use mkfs to make the filesystem on the encrypted device. This is done once, at creation only: running mkfs on an existing container wipes its contents:
sudo mkfs.ext4 /dev/mapper/sbase
## mkfs.ext4 is the ext4-specific mkfs program ('mkfs -t ext4' does the same thing); it's followed by the path to your mapped encrypted device under '/dev/mapper'
## We would've created the mount point with the 'mkdir' command at this point, but that was already done earlier when /home/username/sbase was created.
## Now we mount the encrypted block device with the mount command. -t gives the filesystem type (mount can usually detect it, but being explicit is fine), then the mapped device under /dev/mapper, then the mount point [directory]:
sudo mount -t ext4 /dev/mapper/sbase /home/username/sbase
A fresh ext4 root directory is owned by root, so the first time you mount it, chown the mount point to your user while it's mounted or you'll only be able to write into it with sudo.
Thats it. Now you have a mounted, fully functioning, separate filesystem. Everything written to it, filenames and metadata included, is encrypted before it reaches the .img file. Store/write files, execute binaries, whatever. Keep in mind what the encryption covers: the .img at rest. While the device is mapped and mounted the plaintext is available to anything that can read the mount (root included), and data swapped out or sitting in the page cache lives outside the container.
## When you want to unmount the encrypted device, the steps are essentially in reverse. First unmount; this flushes any cached writes through dm-crypt into the .img file:
sudo umount /home/username/sbase
## Then tear down the mapping so /dev/mapper/sbase disappears and the key is dropped from the kernel ('close' is the current name for this action; 'remove' still works as an alias):
sudo cryptsetup close sbase
## Finally detach the loop device from the .img file. Nothing is transferred at this point: every write already went into the file through the loop device, this just releases the association and frees /dev/loop0:
sudo losetup -d /dev/loop0
## To remount we follow the opening part of this tut again, and only that part: never run mkfs.ext4 again, that would wipe the filesystem. Give exactly the same cipher/key-size/hash options as at creation:
sudo losetup /dev/loop0 /home/username/somename.img
sudo cryptsetup -y -h sha256 create sbase /dev/loop0
sudo mount -t ext4 /dev/mapper/sbase /home/username/sbase
If the mount step fails with something like "wrong fs type, bad option, bad superblock", the most likely cause in plain mode is a mistyped passphrase (or different cipher/hash options than you created it with): the mapping was set up without complaint but decrypts to noise. Close the mapping, detach the loop device and start over; don't let anything write to /dev/mapper/sbase in that state.
Two very simple bash scripts can be created in nano or vim to automate much of this (run them with sudo; 'set -e' stops at the first failing step instead of running the next command against the wrong device):
## To mount:
#!/bin/bash
set -e
losetup /dev/loop0 /home/username/somename.img
cryptsetup -y -h sha256 create sbase /dev/loop0
mount -t ext4 /dev/mapper/sbase /home/username/sbase
## To unmount:
#!/bin/bash
set -e
umount /home/username/sbase
cryptsetup close sbase
losetup -d /dev/loop0
## Both these scripts are separate.
- The mount script could be called 'enmount'
- The unmount script could be called 'enumount'
** No need to append '.sh' to either script name.
** Set permissions on both scripts with 'chmod 700' [strict permissions] [only the file owner can r/w/x]. They need root to run, so keep them root-owned or call them through sudo, and never put the passphrase inside them.
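As an added example that is not part of the original post, here's a single script that does the create, open and close steps together, with the plain-mode parameters pinned explicitly and a check for the ext4 superblock before mounting, so a mistyped passphrase is caught instead of mounted. The paths, the mapping name 'sbase' and the aes-xts-plain64 / 256-bit / sha256 choice are assumptions; if you already created a container with the commands above (compiled-in defaults), keep those exact options instead, or the script will derive a different key.

```bash
#!/bin/bash
# Added example, not from the original post: one script that creates, opens and
# closes a plain dm-crypt container held in a .img file. Run it as root
# (sudo ./encimg create|open|close). The paths, the mapping name and the
# cipher/hash/key-size choice below are assumptions; pick yours once and never
# change them, because plain mode stores nothing on disk to remember them by.
set -eu

IMG="${IMG:-/home/username/somename.img}"   # container file (assumed path)
NAME="${NAME:-sbase}"                       # mapping, appears as /dev/mapper/$NAME
MNT="${MNT:-/home/username/sbase}"          # mount point (assumed path)
SIZE_MB="${SIZE_MB:-1024}"                  # container size in MiB

# The fixed plain-mode parameters. The same set must be passed on every open;
# a different cipher, key size or hash derives a different key from the same
# passphrase and the mapping silently decrypts to garbage.
crypt_args() {
    printf '%s\n' --type plain --cipher aes-xts-plain64 --key-size 256 --hash sha256
}

# ext4 keeps its superblock at byte 1024 and the magic 0xEF53 at offset 0x38
# inside it, i.e. bytes 53 ef at absolute offset 1080 (little-endian). A
# mapping opened with the wrong passphrase or parameters will not show it.
is_ext4() {
    [ "$(od -A n -t x1 -j 1080 -N 2 "$1" | tr -d ' \n')" = "53ef" ]
}

# Loop device currently attached to the image (first one if several), empty if none.
loopdev_of() {
    losetup -j "$1" | cut -d: -f1 | head -n 1
}

open_container() {                          # usage: open_container [--format]
    dev=$(losetup --find --show "$IMG")     # attach to the first free loop device
    # crypt_args is left unquoted on purpose so it word-splits into options
    cryptsetup --verify-passphrase $(crypt_args) open "$dev" "$NAME"
    if [ "${1:-}" = "--format" ]; then
        mkfs.ext4 -q "/dev/mapper/$NAME"    # first creation only, wipes the container
    elif ! is_ext4 "/dev/mapper/$NAME"; then
        echo "no ext4 superblock behind /dev/mapper/$NAME: wrong passphrase or parameters?" >&2
        cryptsetup close "$NAME"            # tear down before anything can write noise
        losetup -d "$dev"
        return 1
    fi
    mount -t ext4 "/dev/mapper/$NAME" "$MNT"
}

close_container() {
    dev=$(loopdev_of "$IMG")
    umount "$MNT"                           # flushes cached writes into the image
    cryptsetup close "$NAME"                # drops the key from the kernel
    if [ -n "$dev" ]; then
        losetup -d "$dev"
    fi
}

create_container() {
    umask 077                               # image and mount point private to the owner
    dd if=/dev/urandom of="$IMG" bs=1M count="$SIZE_MB" status=progress   # GNU dd
    mkdir -p "$MNT"
    open_container --format
    if [ -n "${SUDO_USER:-}" ]; then        # a fresh ext4 root directory is root-owned
        chown "$SUDO_USER" "$MNT"
    fi
}

case "${1:-}" in
    create) create_container ;;
    open)   open_container ;;
    close)  close_container ;;
    *)      ;;                              # no action: sourced, or no argument given
esac
```

Run it as root: sudo ./encimg create the first time, then sudo ./encimg open and sudo ./encimg close. The superblock check is there because plain dm-crypt never reports a wrong passphrase itself; with a LUKS container the check would be unnecessary, since the header lets cryptsetup verify the key before mapping anything.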