Container encryption using cryptsetup
How to encrypt a container using cryptsetup?
For disk encryption we have these choices:
Container encryption (a single file)
Partition encryption (a whole partition)
Whole disk encryption (excluding boot)
Full disk encryption (including boot)
This guide covers container encryption, which simply means a single mountable file, like an image file that we have with a Docker container.
This guide is for Debian-based distributions; the steps may differ on others.
Install / Setup cryptsetup
We can simply install it
sudo apt install cryptsetup-bin
Once the command is installed, we can use cryptsetup
cryptsetup --help
Create the volume you need
Then, using dd or fallocate, we can create a single file with the desired size, e.g. 512M
dd if=/dev/zero of=/home/<YOUR-USERNAME>/encrypted_volume bs=1M count=512
and with fallocate
fallocate -l 512M /home/<YOUR-USERNAME>/encrypted_volume
or it can be in another place, e.g. /, where we need to be root to do so
dd if=/dev/zero of=/root/encrypted_volume bs=1M count=512
LUKS the volume
With this single 512M file we have, we will next create a LUKS partition
# LUKS = Linux Unified Key Setup
# shu = my username
cryptsetup -y luksFormat /home/shu/encrypted_volume
Then cryptsetup asks you for confirmation, and you should type YES in uppercase. It then asks you for the passphrase with which this volume / container will later be decrypted.
Open the volume
After adding LUKS on top of the volume, we can open it using
sudo cryptsetup luksOpen /home/shu/encrypted_volume <NAME>
The <NAME> can be any name you like; just note that we are dealing with special devices and /dev, so we need root permission. After opening it, we will see it in /dev/mapper
ll /dev/mapper/
total 0
drwxr-xr-x 2 root root 80 Mar 23 15:10 ./
drwxr-xr-x 20 root root 4660 Mar 23 15:10 ../
crw------- 1 root root 10, 236 Mar 23 10:18 control
lrwxrwxrwx 1 root root 7 Mar 23 15:11 derak -> ../dm-0
Here derak is the name (<NAME>) I entered for the volume; you will have a different name.
Mount the volume
Now that we have the device (it is like a partition), we can mount it like other partitions
sudo mount /dev/mapper/<NAME> /media
# for me
sudo mount /dev/mapper/derak /media
# /media could be /mnt
# or other location you have access to
Check the mounted volume
Here is a quick check
df -h | grep mapper
/dev/mapper/derak 486M 3.8M 453M 1% /media
Use the volume
After checking it with df -h, we can cd to /media and create files or cp other files into /media
Umount the volume
When we are done adding / removing files in our volume, we can umount it
# for me
sudo umount /dev/mapper/derak
# for you with your <NAME>
sudo umount /dev/mapper/<NAME>
# then the /media or your mount-point should be empty
ll /media
total 8
drwxr-xr-x 2 root root 4096 Jul 25 2018 ./
drwxr-xr-x 27 root root 4096 Mar 21 09:52 ../
Close the LUKS / volume
Optionally we can check our mapped device before closing it. Here for me the name is derak
ll /dev/mapper/
total 0
drwxr-xr-x 2 root root 80 Mar 23 15:10 ./
drwxr-xr-x 20 root root 4660 Mar 23 15:10 ../
crw------- 1 root root 10, 236 Mar 23 10:18 control
lrwxrwxrwx 1 root root 7 Mar 23 15:11 derak -> ../dm-0
Then close it
# for me
sudo cryptsetup luksClose derak
# for you with the name you created
sudo cryptsetup luksClose <NAME>
And check the device again; it should no longer be there
ll /dev/mapper/
total 0
drwxr-xr-x 2 root root 60 Mar 23 16:31 ./
drwxr-xr-x 20 root root 4640 Mar 23 16:31 ../
crw------- 1 root root 10, 236 Mar 23 10:18 control
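The guide checks each stage by eye with ll /dev/mapper and df -h. As an added example (not part of the original guide), this POSIX shell helper reports which stage a container file is in by reading the LUKS header magic at the start of the file. The function names luks_version and container_state are made up for this example, and it assumes that a mapping called <NAME>, if present, was opened from this file.

```shell
#!/bin/sh
# Added example: report which stage of the guide a container file is in.
# luks_version and container_state are illustrative names, not cryptsetup commands.

# Print the LUKS on-disk format version (1 or 2) of file $1;
# return 1 if the file does not start with a LUKS header.
luks_version() {
    # A LUKS header begins with the magic bytes "LUKS" 0xBA 0xBE,
    # followed by a 2-byte big-endian version number.
    hdr=$(od -An -tx1 -N8 "$1" 2>/dev/null | tr -d ' \n')
    case "$hdr" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) return 1 ;;
    esac
}

# Print the state of container file $1 with mapper name $2.
# Assumption: if /dev/mapper/$2 exists, it was opened from this file.
container_state() {
    file=$1
    name=$2
    if [ ! -f "$file" ]; then
        echo "missing"
    elif ! ver=$(luks_version "$file"); then
        echo "unformatted"   # e.g. right after dd or fallocate
    elif [ ! -e "/dev/mapper/$name" ]; then
        echo "luks$ver closed"
    elif awk -v d="/dev/mapper/$name" '$1 == d { f = 1 } END { exit !f }' /proc/mounts; then
        echo "luks$ver open mounted"
    else
        echo "luks$ver open"
    fi
}

# Usage: sh container_state.sh FILE NAME
if [ "$#" -eq 2 ]; then
    container_state "$1" "$2"
fi
```

An "unformatted" result is the only state in which luksFormat does not overwrite an existing LUKS header. When cryptsetup is installed, cryptsetup isLuks and cryptsetup status give the authoritative answer for the file and the mapping.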