Encrypted Filesystem in a File: Best Practice

TL;DR

Creating an encrypted filesystem inside a single file (often called a container) is useful for portability and security. This guide explains how to do it safely using cryptsetup on Linux, covering setup, mounting, unmounting, and important considerations.

1. Prerequisites

You’ll need:

  • A Linux system (tested on Ubuntu/Debian).
  • Root or sudo access.
  • The cryptsetup package installed. If not, install it with:
    sudo apt update && sudo apt install cryptsetup

2. Create the Container File

First, create a file that will hold your encrypted filesystem.

  1. Choose a location and filename for your container (e.g., ~/my_encrypted_file).
  2. Determine the size of the container. Consider how much data you’ll store. For example, to create a 1GB file:
    dd if=/dev/zero of=~/my_encrypted_file bs=1M count=1024 status=progress

    This creates a zero-filled file; it takes time but is important for security.

3. Set Up the Encrypted Volume

Use cryptsetup to create an encrypted volume mapped to your container file.

  1. Initialize (format) the container file as a LUKS volume using:
    sudo cryptsetup luksFormat ~/my_encrypted_file

    You’ll be prompted for a passphrase. Choose a strong one!

  2. Open the device (this creates a virtual block device):
    sudo cryptsetup luksOpen ~/my_encrypted_file my_volume

    Replace my_volume with a name you choose. You’ll be prompted for your passphrase again.

4. Create and Mount the Filesystem

Now, create a filesystem inside the encrypted volume and mount it.

  1. Create a filesystem (e.g., ext4):
    sudo mkfs.ext4 /dev/mapper/my_volume
  2. Create a mount point:
    mkdir ~/mnt_encrypted
  3. Mount the encrypted filesystem:
    sudo mount /dev/mapper/my_volume ~/mnt_encrypted

5. Accessing Your Files

You can now read and write files to ~/mnt_encrypted as if it were a normal directory.

6. Unmounting and Closing the Volume

When you’re finished, unmount the filesystem and close the encrypted volume.

  1. Unmount the filesystem:
    sudo umount ~/mnt_encrypted
  2. Close the encrypted volume:
    sudo cryptsetup luksClose my_volume
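The steps in sections 2 to 6 as shell functions, added here as an example (not part of the original guide), with one extra check the guide does not show: every LUKS1/LUKS2 container starts with the 6-byte magic "LUKS" 0xBA 0xBE, so a function can refuse to luksFormat a file that already holds a volume and fail early on a file that was never formatted. Assumes bash or POSIX sh with cryptsetup, dd, mkfs.ext4, head, od and sudo available; the container path, mapping name and mount point are parameters you choose.

```shell
#!/bin/sh
# Added example, not from the original article. Wraps the guide's steps in
# functions; names and paths are parameters, not fixed values from the guide.
set -eu

# Section 2: create the zero-filled container file ($1=path, $2=size in MiB).
create_container() {
  dd if=/dev/zero of="$1" bs=1M count="$2" status=progress
  chmod 600 "$1"   # only the owner should be able to read the container
}

# Returns 0 if $1 begins with the LUKS header magic "LUKS" 0xBA 0xBE
# (hex 4c 55 4b 53 ba be), 1 otherwise. Works on any readable file.
has_luks_header() {
  [ -r "$1" ] || return 1
  [ "$(head -c 6 "$1" | od -An -tx1 | tr -d ' \n')" = "4c554b53babe" ]
}

# Section 3, step 1: format the container, but never a file that already
# carries a LUKS header (that would destroy the existing volume).
format_container() {
  if has_luks_header "$1"; then
    echo "refusing to format: $1 already holds a LUKS volume" >&2
    return 1
  fi
  sudo cryptsetup luksFormat "$1"
}

# Sections 3 (step 2) and 4: open the mapping, create ext4 on first use, mount.
# $1=container path, $2=mapping name, $3=mount point, $4=1 to run mkfs.ext4.
open_and_mount() {
  if ! has_luks_header "$1"; then
    echo "$1 is not a LUKS container (no header magic found)" >&2
    return 1
  fi
  sudo cryptsetup luksOpen "$1" "$2"
  if [ "$4" = 1 ]; then
    sudo mkfs.ext4 "/dev/mapper/$2"
  fi
  mkdir -p "$3"
  sudo mount "/dev/mapper/$2" "$3"
}

# Section 6: unmount the filesystem and close the mapping ($1=mapping, $2=mount point).
unmount_and_close() {
  sudo umount "$2"
  sudo cryptsetup luksClose "$1"
}
```

A first run is `create_container ~/my_encrypted_file 1024 && format_container ~/my_encrypted_file && open_and_mount ~/my_encrypted_file my_volume ~/mnt_encrypted 1`; later sessions pass 0 as the last argument so the existing filesystem is not reformatted.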

7. Important Security Considerations

  • Passphrase Strength: Use a long, complex passphrase. Consider using a password manager to generate and store it securely.
  • Keyfile (Optional): Instead of a passphrase, you can use a keyfile for added security. However, protect the keyfile itself!
  • Random Data: Ensure your container file is filled with random data using dd if=/dev/urandom... instead of /dev/zero for better security (this takes much longer).
  • Hidden Filesystem: Be aware that the existence of a large, encrypted file might attract attention. Consider hiding it within other files or directories.
  • Full Disk Encryption: For full system encryption, consider using full disk encryption solutions instead of this method.
  • Backups: Back up your container file regularly! If you lose the file *and* your passphrase, your data is unrecoverable.