Disk Encryption

Overview

-------------------------------------------------------
|  Files and Directories    |  /encrypted             |
|-----------------------------------------------------|
|  File System              |  EXT4                   |
|-----------------------------------------------------|
|  Virtual Block Device     |  /dev/mapper/encrypted  |
|-----------------------------------------------------|
|  Encryption / Decryption  |  dm-crypt               |
|-----------------------------------------------------|
|  Physical Block Device    |  /dev/sda1              |
-------------------------------------------------------

Setup

apt install cryptsetup

File as Device

If you don’t have access to block devices on your system, you can use a file as a device. Doing this is also convenient if you want to carry around the encrypted file.

Create a file of a certain size to act as the encrypted device:

fallocate -l 100M file

Write random data to the file. fallocate creates a zeroed file, which you can double-check with strings file. Overwriting it with random data first makes the encrypted data harder to distinguish from the unused parts of the file, so the container does not reveal how much of it is actually in use:

shred file

Manipulating the Encrypted Device

These instructions work for both block devices and the file-as-device abstraction. <path> in the instructions below refers to the block device or file.

Format the encrypted device:

cryptsetup luksFormat <path>

Open the device:

sudo cryptsetup luksOpen <path> encrypted

This creates the virtual block device and sets up a mapping in /dev/mapper/. You can verify this with ls -l /dev/mapper/encrypted.

Create a file system:

sudo mkfs -t ext4 /dev/mapper/encrypted

Mount the device:

sudo mkdir -p /encrypted
sudo mount /dev/mapper/encrypted /encrypted

Unmount the device:

sudo umount /encrypted

Close the device:

sudo cryptsetup luksClose encrypted
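The file-as-device procedure above wrapped into shell functions, as an added example that is not part of the original notes. It assumes cryptsetup, fallocate and shred are installed; the mapping name, mount point, and the 1% zero-byte threshold used by the randomization check are my own choices. The two read-only checks (is the file still zeroed, does it carry a LUKS header) need neither root nor cryptsetup.

```shell
#!/bin/sh
# Added example, not from the original notes: the file-as-device steps as
# functions, plus two read-only checks that need no root and no cryptsetup.
# Assumed: cryptsetup, fallocate and shred are installed; MAPPING, MOUNTPOINT
# and the 1% zero-byte threshold are my own choices.
set -eu
MAPPING=encrypted
MOUNTPOINT=/encrypted
# Count zero bytes in the first MiB: a fresh fallocate file is all zeroes, a
# shredded one has about 1 in 256. Succeeds only if fewer than 1% are zero.
is_randomized() {
    zeros=$(dd if="$1" bs=1024 count=1024 2>/dev/null | od -An -v -tx1 \
            | tr -s ' \n' '\n' | grep -c '^00$' || true)
    total=$(dd if="$1" bs=1024 count=1024 2>/dev/null | wc -c | tr -d ' ')
    [ "$total" -gt 0 ] && [ $((zeros * 100 / total)) -lt 1 ]
}
# Every LUKS container (v1 and v2) starts with the magic bytes "LUKS" 0xba 0xbe.
has_luks_header() {
    magic=$(dd if="$1" bs=6 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}
# Allocate, randomize and format. Refuses to format a container that is still
# mostly zeroes, and confirms the LUKS header is present afterwards.
create_container() {
    fallocate -l "$2" "$1"
    shred "$1"
    is_randomized "$1" || { echo "$1 is still mostly zeroes, not formatting" >&2; return 1; }
    sudo cryptsetup luksFormat "$1"
    has_luks_header "$1"
}

# mkfs runs only when blkid finds no file system on the mapping, so re-opening
# an existing container never wipes it.
open_and_mount() {
    sudo cryptsetup luksOpen "$1" "$MAPPING"
    sudo blkid "/dev/mapper/$MAPPING" >/dev/null || sudo mkfs -t ext4 "/dev/mapper/$MAPPING"
    sudo mkdir -p "$MOUNTPOINT"
    sudo mount "/dev/mapper/$MAPPING" "$MOUNTPOINT"
}

unmount_and_close() {
    sudo umount "$MOUNTPOINT"
    sudo cryptsetup luksClose "$MAPPING"
}
# Usage: sh luksfile.sh create FILE [SIZE] | open FILE | close
case "${1-}" in
    create) create_container "$2" "${3:-100M}" ;;
    open)   open_and_mount "$2" ;;
    close)  unmount_and_close ;;
esac
```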