
LUKS containers - files that store encrypted filesystems


Published Jan 2, 2025

TL;DR

Using cryptsetup, ordinary files can hold encrypted LUKS (Linux Unified Key Setup) filesystems, which can then be mounted using mount.

Sometimes, you might have a lot of files that you want to encrypt. One way is to zip them up into an encrypted archive, but then you might have to unzip it every time you want to change its contents. On Windows, I have used Veracrypt, which stores encrypted file systems inside of ordinary-looking files, which can be mounted as drives. The drives can then be easily unmounted and secured when editing is finished.

Veracrypt is available for Linux, however, it is not in the standard Ubuntu repositories. Thus, I went looking for a more "Linux-native" approach.

cryptsetup and LUKS

On default Ubuntu 24.04 installations, the package cryptsetup is already installed. cryptsetup simplifies the creation of LUKS (Linux Unified Key Setup) encrypted filesystems contained within files. AES encryption is used.

How do I use it?

  • Install cryptsetup if not installed already.
  • Create a file with the desired size of your encrypted filesystem.
    dd if=/dev/zero of=<container name> bs=1M count=<size in MB>
    
Explanation

dd is a powerful Linux utility to convert and copy files. if is the input file, in this case set to /dev/zero, which outputs as many zeros as required. of is the output file, whose name you can choose. bs is the block size, set to 1 MB. count is the size of the output file, measured in blocks. So count=10 with bs=1M would yield an output file of 10 MB.

  • Set up LUKS on the file
    sudo cryptsetup luksFormat <container name>
    
    This will prompt you to set a password. Choose a strong one! The encryption is only as strong as your password.
  • Create the actual filesystem on the file
    sudo cryptsetup luksOpen <container name> <volume name>
    
    This unlocks the container and maps it as a volume to actually store your files in (like a partition on a drive). After this command, the volume will be available at /dev/mapper/<volume name>. Create an ext4 filesystem on the volume by executing:
    sudo mkfs.ext4 /dev/mapper/<volume name>
    
  • Mount the volume to a directory
    With a filesystem on the volume, you can now mount the drive. Create a folder within your home partition for mounting:
    mkdir <mount folder path>
    
    Then mount the volume to the folder:
    sudo mount /dev/mapper/<volume name> <mount folder path>
    

Warning

At this point, you may notice that the mount is owned by root, and so normal users can only read the contents of the drive but not write to it. To solve this issue, run sudo chown -R <user>:<user> <mount folder path>, where the -R flag recursively changes the owner on all subdirectories as well as the top directory, and <user> is your username.

  • At this point, you can write and read files in the mount as usual. When you're done editing, simply unmount the volume and close the file:
    sudo umount <mount folder path>
    sudo cryptsetup luksClose <volume name>
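
The steps above collected into one script with guard rails, as an added example that is not part of the original post: it refuses to overwrite an existing container file, creates the file readable only by its owner, and closes the unlocked mapping again if a later step fails. The function names and the four-argument calling convention are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not the post's own code. Function names and the
# four-argument calling convention are this example's assumptions.

# Create the backing file: owner-only, and never over an existing file,
# because dd would silently zero out a container that already holds data.
create_container_file() {
    local file="$1" size_mb="$2"
    case $size_mb in
        ''|*[!0-9]*|0*) echo "size must be a positive whole number of MB" >&2; return 2 ;;
    esac
    if [ -e "$file" ]; then
        echo "refusing to overwrite existing file: $file" >&2
        return 1
    fi
    # Subshell keeps the umask change local; 077 gives the file mode 0600.
    ( umask 077 && dd if=/dev/zero of="$file" bs=1M count="$size_mb" status=none )
}

# Format, open, create ext4 and mount, as in the steps above.
setup_and_mount() {
    local file="$1" volume="$2" mountpoint="$3"
    sudo cryptsetup luksFormat "$file" || return 1
    sudo cryptsetup luksOpen "$file" "$volume" || return 1
    if ! { sudo mkfs.ext4 -q "/dev/mapper/$volume" &&
           mkdir -p "$mountpoint" &&
           sudo mount "/dev/mapper/$volume" "$mountpoint"; }; then
        # Do not leave an unlocked mapping behind when a later step fails.
        sudo cryptsetup luksClose "$volume"
        return 1
    fi
    # Hand the mount root to the invoking user (uid:gid instead of <user>:<user>).
    sudo chown "$(id -u):$(id -g)" "$mountpoint"
}

# Unmount and lock the container again.
close_container() {
    local volume="$1" mountpoint="$2"
    sudo umount "$mountpoint" && sudo cryptsetup luksClose "$volume"
}

# Run the whole procedure only when all four arguments are given:
#   <container name> <size in MB> <volume name> <mount folder path>
if [ "$#" -eq 4 ]; then
    create_container_file "$1" "$2" && setup_and_mount "$1" "$3" "$4"
fi
```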