How to create encrypted disk image with Linux LUKS format using Cryptsetup
If you have sensitive data or file, you can make an iso image on Linux.
For example backup file, photo or even your source code, so no one can stole it.
Linux Unified Key Setup (LUKS) is a disk encryption specification created by Clemens Fruhwirth in 2004 and was originally intended for Linux.
LUKS is the standard for Linux hard disk encryption. By providing a standard on-disk-format, it does not only facilitate compatibility among distributions, but also provides secure management of multiple user passwords.
LUKS stores all necessary setup information in the partition header, enabling to transport or migrate data seamlessly.
The benefits of LUKS is compatibility via standardization, secure against low entropy attacks, support for multiple keys, effective passphrase revocation, and most important is it’s free.
Cryptsetup is a utility used to conveniently set up disk encryption based on the DMCrypt kernel module.
These include plain dm-crypt volumes, LUKS volumes, loop-AES, TrueCrypt (including VeraCrypt extension) and BitLocker formats.
You can read more about Cryptsetup project here.
On CentOs, Cryptsetup ins installed by default. But if not, you can manually install with command below:
# yum install cryptsetup-luks
On Ubuntu use this command to install;
# sudo apt-get install cryptsetup
Create an empty file and use Crypsetup to create LUKS container:
# fallocate -l 1024M encrypted_volume.iso # cryptsetup -y luksFormat encrypted_volume.iso WARNING! ======== This will overwrite data on encrypted_volume.iso irrevocably. Are you sure? (Type uppercase yes): YES Enter passphrase for encrypted_volume.iso: Verify passphrase:
Please note that must remember password. You can not get it back or use any forgot password, reset or remove password on LUKS container. So if you lost your password, you will never get your file on encrypted volume.
You need to decrypt your volume using crypsetup luksopen before you can format it.
# cryptsetup luksOpen encrypted_volume.iso encVolume Enter passphrase for encrypted_volume.iso:
The command above will map the file encrypted_volume.iso to the volume encVolume.
The volume encVolume will be available as /dev/mapper/encVolume. You can create file system for example Ext4, XFS or Fat.
# mkfs.ext4 /dev/mapper/encVolume Filesystem label= OS type: Linux Block size=4096 (log=2) Fragment size=4096 (log=2) Stride=0 blocks, Stripe width=0 blocks 65408 inodes, 261632 blocks 13081 blocks (5.00%) reserved for the super user First data block=0 Maximum filesystem blocks=268435456 8 block groups 32768 blocks per group, 32768 fragments per group 8176 inodes per group Superblock backups stored on blocks: 32768, 98304, 163840, 229376 Allocating group tables: done Writing inode tables: done Creating journal (4096 blocks): done Writing superblocks and filesystem accounting information: done
Now you can mount /dev/mapper/encVolume
# mkdir -p ~/backup # mount /dev/mapper/encVolume ~/backup
You can put your files on ~/backup
To close your encrypted container, first you need to unmount file system.
Use this command:
# umount ~/backup # cryptsetup luksClose encVolume