# Container encryption using cryptsetup ## How to encrypt a container using [cryptsetup](https://gitlab.com/cryptsetup/cryptsetup)? For disk encryption we will have these choices * Container encryption ( a single file ) * A partition encryption ( whole partition ) * Whole disk encryption ( excluding boot ) * Full disk encryption ( including boot ) This instruction is about **container encryption** which simply means a *single mountable file* like an *image* file that we have with docker container. {% hint style="warning" %} This guide is for **Debian** based distribution, for others may not be the same steps. {% endhint %} ### Install / Setup `cryptsetup` Simply we can install it ```bash sudo apt install cryptsetup-bin ``` and the command will be installed, then use it `cryptsetup` ```bash cryptsetup --help ``` ### ### Create the volume you need Then using `dd` or `fallocate` we can create a single file with desired size e.g. **512M** ```bash dd if=/dev/zero of=/home//encrypted_volume bs=1M count=512 ``` and with `fallocate` ```bash fallocate -l 512M /home//encrypted_volume ``` or it can be other places e.g. `/` which we should be `root` to do so ```bash dd if=/dev/zero of=/root/encrypted_volume bs=1M count=512 ``` ### LUKS the volume With this single 512M file we have, we will next create a LUKS partition ```bash # LUKS = Linux Unified Key Setup # shu = my username cryptsetup -y luksFormat /home/shu/encrypted_volume ``` then `cryptsetup` asks you for confirmation and you should type in **YES** in uppercase and then it asks you for the **passphrase** with which later this volume / container is going be for decrypted. {% hint style="info" %} You can have a **benchmark** before encryption and may be change the encryption method. Here is a sample ```bash sudo cryptsetup benchmark [sudo] password for shu: # Tests are approximate using memory only (no storage IO). PBKDF2-sha1 1497965 iterations per second for 256-bit key PBKDF2-sha256 1814145 iterations per second for 256-bit key PBKDF2-sha512 1428577 iterations per second for 256-bit key PBKDF2-ripemd160 1086607 iterations per second for 256-bit key PBKDF2-whirlpool 845625 iterations per second for 256-bit key argon2i 5 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time) argon2id 5 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time) # Algorithm | Key | Encryption | Decryption aes-cbc 128b 1136.4 MiB/s 3382.0 MiB/s serpent-cbc 128b 93.8 MiB/s 705.5 MiB/s twofish-cbc 128b 211.7 MiB/s 387.2 MiB/s aes-cbc 256b 856.0 MiB/s 2749.1 MiB/s serpent-cbc 256b 93.2 MiB/s 706.9 MiB/s twofish-cbc 256b 211.9 MiB/s 387.8 MiB/s aes-xts 256b 2111.2 MiB/s 2118.1 MiB/s serpent-xts 256b 683.6 MiB/s 697.0 MiB/s twofish-xts 256b 377.3 MiB/s 369.3 MiB/s aes-xts 512b 1832.6 MiB/s 1841.7 MiB/s serpent-xts 512b 664.1 MiB/s 683.6 MiB/s twofish-xts 512b 368.3 MiB/s 364.6 MiB/s ``` {% endhint %} ### Open the volume After adding **LUKS** on top the volume, we can open it using ```bash sudo cryptsetup luksOpen /home/shu/encrypted_volume ``` The `` can be your desired name, just notice with are dealing with **special devices** and `/dev` so we need `root` permission. After opening it we will see it in `/dev/mapper` ```bash ll /dev/mapper/ total 0 drwxr-xr-x 2 root root 80 Mar 23 15:10 ./ drwxr-xr-x 20 root root 4660 Mar 23 15:10 ../ crw------- 1 root root 10, 236 Mar 23 10:18 control lrwxrwxrwx 1 root root 7 Mar 23 15:11 derak -> ../dm-0 ``` here **derak** is the name (``) I entered for the volume, you will have a different name. ### Mount the volume Now that we have the device (it is like a partition) we can `mount` it like other partitions ```bash sudo mount /dev/mapper/ /media # for me sudo mount /dev/mapper/derak /media # /media could be /mnt # or other location you have access to ``` ### Check the mounted volume Here is quick check ```bash df -h | grep mapper /dev/mapper/derak 486M 3.8M 453M 1% /media ``` ### Use the volume After you checked it with `df -h` then we can `cd` to `/media` and create file or `cp` other files into `/media` ### Umount the volume When we are done with adding / removing file into our volume, we can umount it ```bash # for me sudo umount /dev/mapper/derak # for you with your sudo umount /dev/mapper/ # then the /media or your mount-point should be empty ll /media total 8 drwxr-xr-x 2 root root 4096 Jul 25 2018 ./ drwxr-xr-x 27 root root 4096 Mar 21 09:52 ../ ``` ### Close the LUKS / volume Optionally we can check our mapped device befor closing it. *Here for me ithe name is derak* ```bash ll /dev/mapper/ total 0 drwxr-xr-x 2 root root 80 Mar 23 15:10 ./ drwxr-xr-x 20 root root 4660 Mar 23 15:10 ../ crw------- 1 root root 10, 236 Mar 23 10:18 control lrwxrwxrwx 1 root root 7 Mar 23 15:11 derak -> ../dm-0 ``` Then **close** it ```bash # for me sudo cryptsetup luksClose derak # for you with the name you created sudo cryptsetup luksClose ``` And check the device again, which we should not have it ```bash ll /dev/mapper/ total 0 drwxr-xr-x 2 root root 60 Mar 23 16:31 ./ drwxr-xr-x 20 root root 4640 Mar 23 16:31 ../ crw------- 1 root root 10, 236 Mar 23 10:18 control ``` ### references * [www.digitalocean.com](https://www.digitalocean.com/community/tutorials/how-to-use-dm-crypt-to-create-an-encrypted-volume-on-an-ubuntu-vps) * [superuser.com](https://superuser.com/questions/1051557/under-linux-is-it-possible-to-encrypt-a-folder-partition-in-a-way-that-it-is-no) and [this answer](https://superuser.com/a/1051562/657649) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.shakiba.net/tools/cryptsetup/container-encryption-using-cryptsetup.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.