How to create, format, and mount a LUKS image
To install:
apt install cryptsetup
Use fallocate to create an empty file, then use cryptsetup to create a LUKS container in it:
# fallocate -l 250G encrypted_volume.iso
# cryptsetup -y luksFormat encrypted_volume.iso
WARNING!
========
This will overwrite data on encrypted_volume.iso irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase for encrypted_volume.iso:
Verify passphrase:
Or using dd:
# dd if=/dev/zero of=encrypted_volume.iso bs=1 count=1 seek=250G
# cryptsetup -y luksFormat encrypted_volume.iso
WARNING!
========
This will overwrite data on encrypted_volume.iso irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase for encrypted_volume.iso:
Verify passphrase:
Please note that you must remember your passphrase. A LUKS container has no forgotten-password, reset, or password-removal mechanism, so if you lose the passphrase you will never get the files on the encrypted volume back.
You need to open (decrypt) the volume with cryptsetup luksOpen before you can format it.
# cryptsetup luksOpen encrypted_volume.iso encVolume
Enter passphrase for encrypted_volume.iso:
# mkfs.xfs /dev/mapper/encVolume
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
65408 inodes, 261632 blocks
13081 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=268435456
8 block groups
32768 blocks per group, 32768 fragments per group
8176 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376
Allocating group tables: done
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done
# mount /dev/mapper/encVolume /mnt
Making a keyfile and adding it to the image
# mkdir -p -m 0700 ~/.vault
# dd if=/dev/urandom of=~/.vault/keyfile bs=1024 count=4
# chmod 0400 ~/.vault/keyfile
# cryptsetup luksAddKey ~/encrypted_volume.iso ~/.vault/keyfile
You can then map the volume at any time using the keyfile instead of the passphrase:
# cryptsetup luksOpen ~/encrypted_volume.iso encVolume -d ~/.vault/keyfile
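Adding to crypttab
crypttab does not expand ~, so both paths must be absolute. The entry below assumes the files live in root's home directory (/root), since the commands above were run as root:
# <target name> <source device> <key file> <options>
encVolume /root/encrypted_volume.iso /root/.vault/keyfile luks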
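A check for the crypttab entry and keyfile permissions described above, as an added example that is not part of the original page. The function name audit_crypttab and the sample entries are assumptions constructed for illustration; it flags paths that are not absolute and keyfiles that are missing or accessible to group or others.

```shell
#!/bin/sh
# Added example: audit crypttab lines of the form
#   <target name> <source device> <key file> <options>
# Prints one line per problem and returns the number of problems found.
audit_crypttab() {
    findings=0
    while read -r name src key opts; do
        case $name in ''|'#'*) continue ;; esac   # skip blank lines and comments
        # crypttab fields are used literally: "~" and relative paths never resolve.
        for p in "$src" "$key"; do
            case $p in
                ''|none|-|/*|UUID=*|LABEL=*|PARTUUID=*|PARTLABEL=*) ;;
                *) echo "$name: '$p' is not an absolute path"
                   findings=$((findings + 1)) ;;
            esac
        done
        case $key in
            /dev/*) ;;                            # device keys such as /dev/urandom
            /*) if [ ! -f "$key" ]; then
                    echo "$name: key file $key does not exist"
                    findings=$((findings + 1))
                # characters 5-10 of the ls mode string are the group/other bits
                elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
                    echo "$name: key file $key is accessible to group or others"
                    findings=$((findings + 1))
                fi ;;
        esac
    done < "$1"
    return "$findings"
}

# Constructed sample input: a throwaway directory stands in for the real paths.
demo=$(mktemp -d)
head -c 4096 /dev/urandom > "$demo/keyfile" && chmod 0400 "$demo/keyfile"
head -c 4096 /dev/urandom > "$demo/loose"   && chmod 0644 "$demo/loose"
cat > "$demo/crypttab" <<EOF
# <target name> <source device> <key file> <options>
good   $demo/volume.iso        $demo/keyfile      luks
tilde  ~/encrypted_volume.iso  ~/.vault/keyfile   luks
loose  $demo/volume.iso        $demo/loose        luks
EOF
audit_crypttab "$demo/crypttab" || echo "problems found: $?"
```

To check a real system, run audit_crypttab /etc/crypttab as root so the keyfile modes can be read.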