Encrypting containers with LUKS


This is a summary of what I learned about Linux and encryption.
This guide teaches you how to encrypt and mount an ext4 container file WITHOUT SUDO PERMISSIONS.
This is accomplished by using the user-based udisks service instead of a plain mount command. udisks is what lets desktop users mount filesystems without root (it is the mechanism that makes a plugged-in USB stick show up in your file manager).

Requirements: A linux desktop with GUI and time.

Creating the file

First you have to create the container file that you will use as a mountable and encrypted filesystem later.
You can also do this with a whole drive, but I decided on a single file because it is easier to set up, faster to create, and backing it up is a simple drag and drop.

To create a randomly filled file run the following dd command (don't forget iflag=fullblock; without it a short read from /dev/urandom can leave the file smaller than requested):

[rin@rin-80mx ~]$ dd if=/dev/urandom of=secret.img bs=50M count=1 iflag=fullblock
1+0 records in
1+0 records out
52428800 bytes (52 MB, 50 MiB) copied, 1.41763 s, 37.0 MB/s

The above command creates a 50 MiB file filled with random data. This file will hold our encrypted filesystem.
To set up the LUKS encryption on it, run cryptsetup:

[rin@rin-80mx ~]$ cryptsetup luksFormat secret.img 

This will overwrite data on secret.img irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for secret.img: 
Verify passphrase:

After this you need to create the filesystem itself.
Creating the filesystem is the only step for which you need sudo permissions:

[rin@rin-80mx ~]$ sudo cryptsetup open secret.img secret
[sudo] password for rin: 
Enter passphrase for secret.img:

The above command opens secret.img and maps it as the device /dev/mapper/secret (nothing is mounted yet). You can now create a filesystem on this unlocked, still empty device:

[rin@rin-80mx ~]$ sudo mkfs.ext4 /dev/mapper/secret 
mke2fs 1.46.3 (27-Jul-2021)
Creating filesystem with 34816 1k blocks and 8720 inodes
Filesystem UUID: 9cd02a3b-1444-4dab-921f-2249c1f4bcb7
Superblock backups stored on blocks: 
	8193, 24577

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done

The above command creates an ext4 filesystem on the unlocked secret.img. A good idea is to set the ownership of the filesystem's root directory, as it currently belongs to root and is not writable for normal users. Note that chown has to run on the mounted filesystem, not on the device node: mount /dev/mapper/secret somewhere as root, run sudo chown -R user:user on that mount point (replace user with your own username), then unmount it again. Running chown on /dev/mapper/secret itself only changes the owner of the device node, not the files inside.
Once the filesystem is ready, close the mapped device again with the following command:

[rin@rin-80mx ~]$ sudo cryptsetup close secret

You now have an encrypted filesystem in your secret.img file that you can easily back up and mount. If you want to know how to mount it without needing sudo cryptsetup every time, read the next section.

Mounting (without sudo)

You can easily mount the encrypted container even as a user without sudo permissions.
Manjaro (with xfce4) has udisks installed, which mounts USB sticks and external hard drives when you connect them to your machine. You can use this mechanism to mount your encrypted filesystem as well.

First you have to set up a loop device for your image file (the session below uses an image called ind.img; substitute the name of your own file, e.g. secret.img):

[rin@rin-80mx ~]$ udisksctl loop-setup -f ind.img
Mapped file ind.img as /dev/loop0.

After the loop device (here /dev/loop0) has been created you can unlock it with your passphrase:

[rin@rin-80mx ~]$ udisksctl unlock -b /dev/loop0
Unlocked /dev/loop0 as /dev/dm-0.

After unlocking, mount the cleartext device (here /dev/dm-0) with the following command:

[rin@rin-80mx ~]$ udisksctl mount -b /dev/dm-0
Mounted /dev/dm-0 at /run/media/rin/cc5748bc-adf5-4a20-8d00-495ae44ac966

Congratulations! Your encrypted filesystem is now mounted. A few commands to verify its size and content (the ls output is empty because the filesystem is still new):

[rin@rin-80mx ~]$ ls /run/media/rin/cc5748bc-adf5-4a20-8d00-495ae44ac966/

[rin@rin-80mx ~]$ df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/dm-0        29M   14K   26M   1% /run/media/rin/cc5748bc-adf5-4a20-8d00-495ae44ac966


To unmount your filesystem you simply reverse the steps.
First unmount the decrypted device (in this case /dev/dm-0):

[rin@rin-80mx ~]$ udisksctl unmount -b /dev/dm-0 
Unmounted /dev/dm-0.

Then lock the LUKS container again via its loop device:

[rin@rin-80mx ~]$ udisksctl lock -b /dev/loop0

After locking, the loop device should be released automatically: the device node /dev/loop0 still exists, but losetup (run without arguments to list active loop devices) should no longer show it.
If loop0 still appears in the output of losetup, you can run udisksctl loop-delete -b /dev/loop0 to detach it. (Note: the device node /dev/loop0 will still exist afterwards, but losetup should show no loop0 entry.)
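
The whole user-level mount and unmount sequence from the two sections above, wrapped into a small script. This is an added example, not part of the original guide; it assumes udisks2 (udisksctl) and util-linux (losetup) are installed and that polkit allows your desktop user to set up loop devices, as on the Manjaro setup described here.

```shell
#!/bin/sh
# Added example: wraps the udisksctl steps from this guide into two shell
# functions.  Assumes udisks2 (udisksctl) and util-linux (losetup) are
# installed and that polkit lets the logged-in user set up loop devices.

# Pull the device or mount path out of a udisksctl status line, e.g.
#   "Mapped file secret.img as /dev/loop0."    -> /dev/loop0
#   "Unlocked /dev/loop0 as /dev/dm-0."        -> /dev/dm-0
#   "Mounted /dev/dm-0 at /run/media/rin/abc"  -> /run/media/rin/abc
# The path is whatever follows the last " as " / " at "; a trailing period
# (printed by older udisks releases) is stripped.  Not anchoring at the start
# keeps this working if a "Passphrase:" prompt ends up in the captured text.
path_from_msg() {
    printf '%s\n' "$1" | sed -e 's/.* as //' \
                             -e 's/.* at //' \
                             -e 's/\.$//'
}

# loop-setup, unlock, mount; print "loopdev dmdev mountpoint" on success.
# Each step's output is parsed so the next step targets exactly the device
# udisks just created, and a failed step tears down what was already set up.
mount_container() {
    img=$1
    out=$(udisksctl loop-setup -f "$img") || return 1
    loopdev=$(path_from_msg "$out")
    # unlock asks for the LUKS passphrase on the terminal
    out=$(udisksctl unlock -b "$loopdev") || { udisksctl loop-delete -b "$loopdev"; return 1; }
    dmdev=$(path_from_msg "$out")
    out=$(udisksctl mount -b "$dmdev") || { udisksctl lock -b "$loopdev"; return 1; }
    printf '%s %s %s\n' "$loopdev" "$dmdev" "$(path_from_msg "$out")"
}

# Reverse order: unmount, lock, and delete the loop device only if losetup
# still lists it (udisks normally releases it itself once the LUKS device
# is locked, as described in the guide).
unmount_container() {
    dmdev=$1 loopdev=$2
    udisksctl unmount -b "$dmdev" || return 1
    udisksctl lock -b "$loopdev" || return 1
    if losetup -a | grep -q "^$loopdev:"; then
        udisksctl loop-delete -b "$loopdev"
    fi
}

# Usage:  ./luksbox.sh mount secret.img
#         ./luksbox.sh unmount /dev/dm-0 /dev/loop0
case "${1:-}" in
    mount)   mount_container "$2" ;;
    unmount) unmount_container "$2" "$3" ;;
esac
```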