Using LUKS to create an encrypted disk file

It has been a while since I posted about the wonderful LUKS encryption tool. I’m sure all Linux users have encrypted disks and I have already posted about using it to encrypt external devices (all my external disks and USB keys are encrypted, as should all yours be).

The history behind this post is way back in the dark ages when I used both windoze and linux machines I used the windoze third party TrueCrypt utility for encrypted volumes, there was/is a 3rd party ‘truecrypt’ program (that I must have installed from source as rpm -qf shows it is not part of a rpm package); which worked on linux to also be able to use those encrypted volumes… so momentum kept me using that method. Anyway, up until it stopped working on the more recent versions of Fedora as old obsolete library files were removed from the distros.

As I don’t actually use windoze anymore I created a LUKS volume and copied the data to that, and got rid of the TrueCrypt one… but it did make me realise I have not actually posted on using LUKS to encrypt virtual volumes… by that I do not mean all the fancy disk formats used by virtual machines, but a simple flat file on disk.

One little point to note, this may all need to be done as root simply because luksOpen needs to create a device entry under /dev/mapper which I would hope is restricted to root. Admitedly I have not tried using a non-root user simply because if your users have encrypted volumes lying about the place that are not documented you should squash them.

It is simple, as I was replacing a 200Mb truecrypt volume with a 200Mb LUKS one this is all that is needed…

Create a disk file as a LUKS encrypted volume

  • create a diskfile of 200Mb to use as the encrypted volume
  • luksFormat: format it as a LUKS device/file, and set the encryption password
  • luksOpen: create the device entry for it, format the device with a ext2 filesystem
  • luksClose: remove the device entry; it is now an encrypted disk file

And the log of the above steps

[root@phoenix posts]# dd if=/dev/zero of=normaldiskfile.dat bs=1024000 count=200
200+0 records in
200+0 records out
204800000 bytes (205 MB) copied, 3.86504 s, 53.0 MB/s
[root@phoenix posts]# cryptsetup luksFormat normaldiskfile.dat

This will overwrite data on bkpfiles.dat irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: yourpassphrase
Verify passphrase: yourpassphrase
[root@phoenix posts]# cryptsetup luksOpen normaldiskfile.dat myluksdisk
Enter passphrase for /home/mark/posts/normaldiskfile.dat: 
[root@phoenix posts]# mkfs -t ext2 /dev/mapper/myluksdisk
mke2fs 1.42.3 (14-May-2012)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
49600 inodes, 197952 blocks
9897 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67371008
25 block groups
8192 blocks per group, 8192 fragments per group
1984 inodes per group
Superblock backups stored on blocks: 
	8193, 24577, 40961, 57345, 73729

Allocating group tables: done                            
Writing inode tables: done                            
Writing superblocks and filesystem accounting information: done 

[root@phoenix posts]# cryptsetup luksClose myluksdisk

Use the above disk file as a disk (mounted volume)

  • luksOpen: create the device entry
  • mount the device on a mount point, generally requires root access
  • happily use it
  • when done umount it and luksClose it

With the above example

[root@phoenix posts]# mkdir /mnt/newvol
[root@phoenix posts]# cryptsetup luksOpen normaldiskfile.dat myluksdisk
Enter passphrase for /home/mark/posts/normaldiskfile.dat:
[root@phoenix posts]# mount /dev/mapper/myluksdisk /mnt/newvol
[root@phoenix posts]# df -k /mnt/newvol
Filesystem             1K-blocks  Used Available Use% Mounted on
/dev/mapper/myluksdisk    191689  1550    180242   1% /mnt/newvol
[root@phoenix posts]# ls /mnt/newvol
[root@phoenix posts]# umount /mnt/newvol
[root@phoenix posts]# cryptsetup luksClose myluksdisk

About mark

At work, been working on Tandems for around 30yrs (programming + sysadmin), plus AIX and Solaris sysadmin also thrown in during the last 20yrs; also about 5yrs on MVS (mainly operations and automation but also smp/e work). At home I have been using linux for decades. Programming background is commercially in TAL/COBOL/SCOBOL/C(Tandem); 370 assembler(MVS); C, perl and shell scripting in *nix; and Microsoft Macro Assembler(windows).
This entry was posted in Unix. Bookmark the permalink.