22

I've found this interesting tutorial on flossstuff blog.

It explains how to create an empty file, format it as ext4, and mount it as a device.

I'd like to know if it can be created as an encrypted ext4 file system.

I've tried using palimpsest (the disk utility found in System menu) to format the already created file system but it doesn't work as it detects the file system being used.

If I try to unmount the file system, that won't work either because it doesn't detect the device (since it's not a real device like a hard drive or a USB drive).

So my question is, is there an option to create the file system as encrypted from the beginning? I've used these commands:

Create an empty file 200Mb in size:

dd if=/dev/zero of=/path/to/file bs=1M count=200

Make it ext4:

mkfs -t ext4 file

Mount it in a folder inside my home:

sudo mount -o loop file /path/to/mount_point

Is there any way the mkfs command can create an encrypted ext4 filesystem asking for a decryption password?

I'm planning to use this as a way to encrypt files inside Dropbox.

Zanna
  • 70,465
  • Related: http://askubuntu.com/questions/137828/how-to-encrypt-files-using-a-cross-platform-solution and http://askubuntu.com/questions/18751/how-to-encrypt-an-external-hard-drive-or-usb-key-using-a-cross-platform-solution – landroni Jan 23 '15 at 23:21
  • If you want proper encryption when backing up files, you may want to consider SpiderOak instead. More security and less fuss. – landroni Jan 23 '15 at 23:23

3 Answers

17

Follow the next steps to create an encrypted file with a filesystem inside:

1. The fastest way to create a file of a given size is:

fallocate -l 128M /path/to/file

2. Create a LUKS (Linux Unified Key Setup) partition within the file using the dm-crypt tools:

cryptsetup -y luksFormat /path/to/file

You can check that the file is an encrypted container:

/path/to/file: LUKS encrypted file, ver 1 [aes, xts-plain64, sha1] UUID: 7e2af5a1-3fab-43ea-a073-3b9cc6073f00

3. Open encrypted container:

cryptsetup luksOpen /path/to/file data

data is the device mapper volume name. You can choose another name.

This opens the LUKS device, and maps it to a name that we supply, in our case creating a file at /dev/mapper/data.

4. Create ext4 filesystem on this device:

mkfs.ext4 /dev/mapper/data

5. Then create mount point:

mkdir /path/to/mount

6. And mount device there:

mount /dev/mapper/data /path/to/mount

7. To unmount filesystem and close LUKS device:

umount /path/to/mount
cryptsetup luksClose data

Now you have an encrypted LUKS container with an ext4 filesystem inside. When you want to use it, simply repeat steps 3 and 6. When you are finished, call step 7.

This article was very helpful to me.

Also, one day your container will run out of space. Suppose the encrypted container file size is 128 MB and we want to increase it to 512 MB. To increase its capacity, follow these steps:

1. Unmount and close the LUKS device (see step 7 in the list above).

2. Increase the container file size:

dd if=/dev/zero of=/path/to/file bs=384M count=1 oflag=append conv=notrunc

3. Open LUKS device.

cryptsetup luksOpen /path/to/file data

4. Resize the LUKS device to match the container file size. From the man page:

If --size (in sectors) is not specified, the size of the underlying block device is used.

So you can just:

cryptsetup resize data

5. Then resize ext4 filesystem:

e2fsck -f /dev/mapper/data
resize2fs /dev/mapper/data

6. Now you can mount filesystem back:

mount /dev/mapper/data /path/to/mount
mixel
  • 291
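As an added example (not part of the answer above), a small Python checker that reads the LUKS header directly, which is what the `file` output quoted in step 2 reports; it parses the fixed-width LUKS1 fields and, for a LUKS2 container, only the version and UUID. The sample header it builds is constructed for offline testing, reusing the UUID from the answer and containing no real key material.

```python
import struct

# LUKS1 on-disk header layout (all integers big-endian), per the LUKS1 spec:
# magic(6) version(2) cipher(32) mode(32) hash(32) payload_offset(4)
# key_bytes(4) mk_digest(20) salt(32) iterations(4) uuid(40), then 8 key slots.
LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS1_HEADER_LEN = 592

def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")

def parse_luks_header(data: bytes):
    """Describe the LUKS header at the start of `data`; None when the magic is
    absent (plain ext4 image, zero-filled file, truncated read)."""
    if len(data) < LUKS1_HEADER_LEN or data[:6] != LUKS_MAGIC:
        return None
    version = struct.unpack(">H", data[6:8])[0]
    info = {"version": version, "uuid": _cstr(data[168:208])}  # same offset in v1 and v2
    if version == 1:  # LUKS2 keeps cipher/hash in its JSON area, not in the binary header
        info.update(cipher=_cstr(data[8:40]), mode=_cstr(data[40:72]), hash=_cstr(data[72:104]))
        info["payload_offset_sectors"], info["key_bytes"] = struct.unpack(">II", data[104:112])
        info["mk_digest_iterations"] = struct.unpack(">I", data[164:168])[0]
    return info

def summarize(path: str, data: bytes) -> str:
    """One-line summary in the style of the `file` output quoted in step 2."""
    info = parse_luks_header(data)
    if info is None:
        return f"{path}: not a LUKS container"
    if info["version"] == 1:
        return (f"{path}: LUKS encrypted file, ver 1 [{info['cipher']}, "
                f"{info['mode']}, {info['hash']}] UUID: {info['uuid']}")
    return f"{path}: LUKS encrypted file, ver {info['version']} UUID: {info['uuid']}"

def describe(path: str) -> str:
    """Read just the header from a container file and summarize it."""
    with open(path, "rb") as fh:
        return summarize(path, fh.read(LUKS1_HEADER_LEN))

def build_sample_luks1_header(uuid: str = "7e2af5a1-3fab-43ea-a073-3b9cc6073f00") -> bytes:
    """Constructed LUKS1 header (zeroed digest/salt, no real key material) for offline tests."""
    hdr = LUKS_MAGIC + struct.pack(">H", 1)
    hdr += b"aes".ljust(32, b"\x00") + b"xts-plain64".ljust(32, b"\x00") + b"sha1".ljust(32, b"\x00")
    hdr += struct.pack(">II", 4096, 64) + bytes(20) + bytes(32) + struct.pack(">I", 100000)
    return (hdr + uuid.encode().ljust(40, b"\x00")).ljust(LUKS1_HEADER_LEN, b"\x00")
```

Run `describe("/path/to/file")` on a real container after step 2; a zero-filled file from step 1 or a plain ext4 image reports "not a LUKS container".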
10

You can use cryptmount to encrypt a filesystem, even if the filesystem is on a file.

The cryptmount manual page has a very simple and detailed explanation that I report (modified) here, and it does explicitly mention a file-based filesystem.

  • Step 1
    Add an entry in /etc/cryptmount/cmtab, as follows:

    mycrypt {
        dev=/media/data/mycrypt dir=/home/enzotib/mycrypt
        fstype=ext4 mountoptions=defaults cipher=twofish
        keyfile=/etc/cryptmount/mycrypt.key
        keyformat=builtin
    }

    where /media/data/mycrypt is the support file created by dd and /home/enzotib/mycrypt is the desired mountpoint.

  • Step 2
    Generate a secret decryption key:

    sudo cryptmount --generate-key 32 mycrypt

  • Step 3
    Execute the following command:

    sudo cryptmount --prepare mycrypt

    You will then be asked for the password used when setting up the key.

  • Step 4
    Create the filesystem:

    sudo mkfs.ext4 /dev/mapper/mycrypt

  • Step 5
    Execute:

    sudo cryptmount --release mycrypt

  • Step 6
    Now mount the filesystem:

    mkdir /home/enzotib/mycrypt
    cryptmount -m mycrypt

    then unmount it:

    cryptmount -u mycrypt

Also, if you need to encrypt a directory, encfs may be worth taking into consideration.

Zanna
  • 70,465
enzotib
  • 93,831
  • Thanks for your answer, I've created the file system, encrypted, and uploaded to Dropbox. Later I'll try to mount that file in the other pc. Just one thing, can it be done without sudo? If I want to keep the file and the file system mounted inside my home (not in media like USBs or a hard drive) would the commands be the same without sudo, or does cryptmount always need root privileges? – animaletdesequia Aug 28 '11 at 15:25
  • 1
    @darent: it seems the command needs root privileges only in filesystem setup, but mounting/unmounting is a user action, provided the image-file and the mountpoint are owned by the user. To set up the same image-file on another machine, I suppose you should copy /etc/cryptmount/mycrypt.key and skip the --generate-key step. – enzotib Aug 28 '11 at 15:36
  • I get this error in the last step: $ sudo cryptmount -m encriptat Enter password for target "encriptat": e2fsck 1.41.14 (22-Dec-2010) fsck.ext4: Súperbloc no vàlid, provant els blocs de còpia de seguretat... fsck.ext4: Bad magic number in super-block en intentar obrir /dev/mapper/encriptat – animaletdesequia Aug 28 '11 at 16:51
  • 1
    @darent: have you created the filesystem as shown in the step 4? have you been consistent in the substitution of the name "mycrypt" with "encriptat"? – enzotib Aug 28 '11 at 16:58
  • Sorry, the error was because instead of (sudo mkfs.ext4 /dev/mapper/mycrypt) I was typing (sudo mkfs.ext4 mycript). I was pointing to the file directly, not the device. Now it works perfectly. And sorry about the format of this message, don't know why I can't separate the lines (if I press enter it publishes the comment instead of creating a new line, maybe a Firefox glitch...) Cheers! EDIT: now I've read your answer, the encriptat name wasn't a problem (I just adapted your post and put the files with Catalan names, but it's all consistent). Everything is working ok now, thanks again :) – animaletdesequia Aug 28 '11 at 17:05
  • There's also "cryptmount-setup", which will walk you through the same process. – Holger Jun 24 '14 at 20:52
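As an added example (not from the answer or the cryptmount project), a Python checker for the cmtab entry in step 1: it parses the `target { key=value ... }` form shown above and flags the two mistakes that matter for the question's Dropbox use case, a key file or a mountpoint placed under the synced directory, which would upload the key or the decrypted files alongside the container. The cmtab text and the synced directory are constructed assumptions.

```python
import re
from pathlib import PurePosixPath

# Constructed cmtab text mirroring the entry in the answer; not read from a real system.
SAMPLE_CMTAB = """\
# /etc/cryptmount/cmtab
mycrypt {
    dev=/media/data/mycrypt dir=/home/enzotib/mycrypt
    fstype=ext4 mountoptions=defaults cipher=twofish
    keyfile=/etc/cryptmount/mycrypt.key
    keyformat=builtin
}
"""

_STANZA = re.compile(r"([\w.-]+)\s*\{(.*?)\}", re.S)
REQUIRED = ("dev", "dir", "fstype", "keyfile")

def parse_cmtab(text: str) -> dict:
    """Parse `target { key=value ... }` stanzas of the form shown in the answer
    into {target: {key: value}}; '#' comments are stripped first."""
    text = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    return {name: dict(kv.split("=", 1) for kv in body.split())
            for name, body in _STANZA.findall(text)}

def _under(path: str, parent: str) -> bool:
    return path.startswith(parent.rstrip("/") + "/")  # plain prefix check on POSIX paths

def check_target(name: str, opts: dict, synced_dirs=()) -> list:
    """Problems for one target: missing keys, relative paths, and a key file or
    mountpoint placed under a cloud-synced directory (the question's Dropbox
    use case), where the key or the decrypted files would be uploaded too."""
    problems = [f"{name}: missing {k}" for k in REQUIRED if k not in opts]
    for k in ("dev", "dir", "keyfile"):
        if k in opts and not PurePosixPath(opts[k]).is_absolute():
            problems.append(f"{name}: {k} is not an absolute path")
    for d in synced_dirs:
        if "keyfile" in opts and _under(opts["keyfile"], d):
            problems.append(f"{name}: keyfile {opts['keyfile']} is inside synced dir {d}")
        if "dir" in opts and _under(opts["dir"], d):
            problems.append(f"{name}: mountpoint {opts['dir']} is inside synced dir {d}")
    return problems

def check_cmtab(text: str, synced_dirs=()) -> list:
    """Parse and check every target; an empty list means nothing was flagged."""
    return [p for n, o in parse_cmtab(text).items() for p in check_target(n, o, synced_dirs)]
```

The sample entry passes with `/media/data` as the synced directory because only the container file lives there, while the key stays under /etc/cryptmount and the mountpoint under the home directory.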
3

You can use the losetup command with the -e parameter to create an encrypted loop device. Details available at http://tldp.org/HOWTO/Cryptoloop-HOWTO/loopdevice-setup.html

Mathieu
  • 71