This is a summary of what I learned about linux and encryption.
This guide teaches you how to encrypt and mount an ext4 container/file WITHOUT SUDO PERMISSIONS.
This is accomplished by using the user-based udisk instead of a simple mount command. This allows users to mount filesystems (like inserting a USB and it showing up in your file manager).
Requirements: A linux desktop with GUI and time.
First you have to create the container file that you will use as a mountable and encrypted filesystem later.
You can also do this with a drive, but i decided for a single file because it is easier to setup, faster to create and backing it up can be achieved with a simple drag>drop.
To create a randomly filled file run the following dd command (don't forget the iflag=fullblock):
[rin@rin-80mx ~]$ dd if=/dev/urandom of=secret.img bs=50M count=1 iflag=fullblock 1+0 records in 1+0 records out 52428800 bytes (52 MB, 50 MiB) copied, 1.41763 s, 37.0 MB/sThe above command creates a file that is filled with random data. This file will be used as our encrypted filesystem.
[rin@rin-80mx ~]$ cryptsetup luksFormat secret.img WARNING! ======== This will overwrite data on secret.img irrevocably. Are you sure? (Type 'yes' in capital letters): YES Enter passphrase for secret.img: Verify passphrase:After this you need to create the filesystem itself.
[rin@rin-80mx ~]$ sudo cryptsetup open secret.img secret [sudo] password for rin: Enter passphrase for secret.img:The above command mounts the secret.img file as secret in /dev/mapper/. You can now create a filesystem on the mounted and empty file:
[rin@rin-80mx ~]$ sudo mkfs.ext4 /dev/mapper/secret mke2fs 1.46.3 (27-Jul-2021) Creating filesystem with 34816 1k blocks and 8720 inodes Filesystem UUID: 9cd02a3b-1444-4dab-921f-2249c1f4bcb7 Superblock backups stored on blocks: 8193, 24577 Allocating group tables: done Writing inode tables: done Creating journal (4096 blocks): done Writing superblocks and filesystem accounting information: doneThe above command creates an ext4 filesystem on the previously mounted secret.img. A good idea is to set the ownership of files inside it, as currently it all belongs to root and is unwriteable for normal users. To accomplish this you can run sudo chown -R user:user /dev/mapper/secret.
[rin@rin-80mx ~]$ sudo cryptsetup close secretYou now have an encrypted filesystem in your secret.img file that you can easily backup and mount. If you want to know how to mount it without needing to sudo cryptsetup everytime please read the next section.
You can easily mount the encrypted partition even as a user without sudo permissions.
Manjaro (with xfce4) has udisk installed which mounts USBs and external hard drives if you connect them to your machine. You can use this mechanism to mount your encrypted filesystem aswell.
First you have to setup a loop device for your image file.
[rin@rin-80mx ~]$ udisksctl loop-setup -f ind.img Mapped file ind.img as /dev/loop0.After the loopX has been created you can unlock it with your password.
[rin@rin-80mx ~]$ udisksctl unlock -b /dev/loop0 Passphrase: Unlocked /dev/loop0 as /dev/dm-0.After unlocking it you can mount the unlocked device with the following command:
[rin@rin-80mx ~]$ udisksctl mount -b /dev/dm-0 Mounted /dev/dm-0 at /run/media/rin/cc5748bc-adf5-4a20-8d00-495ae44ac966Congratulations! You now have mounted your encrypted filesystem! A few commands to verify it's size and content:
[rin@rin-80mx ~]$ ls /run/media/rin/cc5748bc-adf5-4a20-8d00-495ae44ac966/ lost+found [rin@rin-80mx ~]$ df -h Filesystem Size Used Avail Use% Mounted on /dev/dm-0 29M 14K 26M 1% /run/media/rin/cc5748bc-adf5-4a20-8d00-495ae44ac966
To unmount your filesystem you simply have to revert the steps.
First unmount the decrypted device (in this case dm-0):
[rin@rin-80mx ~]$ udisksctl unmount -b /dev/dm-0 Unmounted /dev/dm-0.Then lock your loopback device:
[rin@rin-80mx ~]$ udisksctl lock -b /dev/loop0After locking the loop it should be "removed" from the list of active devices. It is still visible, but the output of losetup should be none.