This Blog Is Not For Reading

A blog, just like any blog, only more so

  • Subscribe

  • Categories

  • RSS Bob Jonkman’s Microblog

    • New note by bobjonkman 14 January 2023
      I seem to recall there's a standard API that should be common to all the #StatusNet derivitave servers. I'm pretty sure that in its infancy Mastodon conformed to that API. But Mastodon's API expanded beyond that, and I suspect some of the common API was removed, probably around the time #OStatus was dropped from Mastodon […]
    • New note by bobjonkman 14 January 2023
      Twidere has stopped working for Twitter accounts. My Mastodon account still works nicely. I thought maybe the Twidere API keys for the developer had been revoked, or that something had gone wrong with my phone (It's a vanilla Samsung with Android 12, but I've refused to install any of the Samsung or Google apps). I […]
    • bobjonkman repeated a notice by heluecht 14 January 2023
      RT @heluecht !Friendica Admins As you might have heard, there are issues with the Twitter API. Several favourite clients stopped working, while others (still) do. By now there hadn't been any word if there is some massive Problem or if this was some deliberate action. Whatever is causing these issues, at least my connection still […]
    • Favorite 5 January 2023
      bobjonkman favorited something by lnxw48a1: https://imaginary.ca/blog/2017/06/16/top-hat/#more-231 [imaginary ca] I am glad this instructor thinks this way. Too many don't seem to care how badly a vendor's product affects students.
    • Favorite 5 January 2023
      bobjonkman favorited something by lnxw48a1: https://500ish.com/mastodon-brought-a-protocol-to-a-product-fight-ba9fda767c6a #Medium link; don't be surprised if it does weird things before showing you the article. "Mastodon brought a protocol to a product fight" > Yes, yes, the network is under immense strain as people flee the Elon strain infecting Twitter. But come on, there are folks who really believe […]
    • bobjonkman repeated a notice by lnxw48a1 5 January 2023
      RT @lnxw48a1 https://500ish.com/mastodon-brought-a-protocol-to-a-product-fight-ba9fda767c6a #Medium link; don't be surprised if it does weird things before showing you the article. "Mastodon brought a protocol to a product fight" > Yes, yes, the network is under immense strain as people flee the Elon strain infecting Twitter. But come on, there are folks who really believe this is going […]
    • Favorite 5 January 2023
      bobjonkman favorited something by lnxw48a1: > For now, I’ll just say that while I fully understand why everyone wants Mastodon to be the new Twitter. Or the better Twitter. The more ideal Twitter. Or whatever. It’s just not going to happen. Mastodon brought a protocol to a product fight. Maybe Ivory or another client can […]
    • bobjonkman repeated a notice by clacke 4 January 2023
      RT @clacke NZ PM Jacinda Ardern called ACT leader David Seymour a prick on a hot mike in parliament. She apologized, he accepted, they had a laugh, and now together they've framed and signed a transcript of the exchange, selling it to the highest bidder, currently at 100 kNZD. The proceeds will go prostate cancer […]
    • Favorite 4 January 2023
      bobjonkman favorited something by clacke: NZ PM Jacinda Ardern called ACT leader David Seymour a prick on a hot mike in parliament.She apologized, he accepted, they had a laugh, and now together they've framed and signed a transcript of the exchange, selling it to the highest bidder, currently at 100 kNZD. The proceeds will go […]
    • New comment by bobjonkman 14 December 2022
      @lnxw48a1 "Pop" is also the Canadian word for carbonated soft drinks...

Archive for October, 2017

How To Create an Encrypted Drive in a File Container

Posted by Bob Jonkman on 9th October 2017

Inspired by The Linux Experiment, I want to create an encrypted drive in a file container using only the command line.

Creating an encrypted file container

Create the container file. We’ll call it containerfile.img:


laptop:~/temp$ fallocate -l 250MB containerfile.img

laptop:~/temp$ ls -l
total 244148
-rw-rw-r-- 1 bjonkman bjonkman 250000000 Oct  8 22:45 containerfile.img

laptop:~/temp$

Create the encrypted LUKS volume. Note that creating volumes and file systems requires elevated privileges, so we use the sudo command:


laptop:~/temp$ sudo cryptsetup luksFormat containerfile.img 
[sudo] password for bjonkman: 

WARNING!
========
This will overwrite data on containerfile.img irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: 
Verify passphrase: 
Command successful.

laptop:~/temp$

Of course, the passphrase doesn’t show on the screen, not even as asterisks. That would give a shouldersurfer an idea of how long the passphrase is. It is a long passphrase, right?

Open the encrypted LUKS volume, which we’ll call cryptvolume:


laptop:~/temp$ sudo cryptsetup luksOpen containerfile.img cryptvolume
Enter passphrase for containerfile.img: 

laptop:~/temp$

Let’s see if the encrypted LUKS volume exists:


laptop:~/temp$ lsblk
NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                                             8:0    0 465.8G  0 disk  
├─sda1                                          8:1    0   243M  0 part  
├─sda2                                          8:2    0    14G  0 part  /
└─sda3                                          8:3    0     1K  0 part  
loop4                                           7:4    0 238.4M  0 loop  
└─cryptvolume                                 252:11   0 236.4M  0 crypt 

laptop:~/temp$

Yay!

Now we create a filesystem inside the encrypted LUKS volume. We’ll give it the label cryptdrive:


laptop:~/temp$ sudo mkfs -L cryptdrive -t ext4 /dev/mapper/cryptvolume 
mke2fs 1.42.13 (17-May-2015)
Creating filesystem with 253952 1k blocks and 63488 inodes
Filesystem UUID: 040765be-eddb-4ea6-b8d8-594b81233465
Superblock backups stored on blocks: 
	8193, 24577, 40961, 57345, 73729, 204801, 221185

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done 

laptop:~/temp$

Create a mount point, which we’ll call mountpoint, then mount the encrypted drive:


laptop:~/temp$ mkdir mountpoint

laptop:~/temp$ sudo mount /dev/mapper/cryptvolume mountpoint

laptop:~/temp$ lsblk
NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                                             8:0    0 465.8G  0 disk  
├─sda1                                          8:1    0   243M  0 part  
├─sda2                                          8:2    0    14G  0 part  /
└─sda3                                          8:3    0     1K  0 part  
loop4                                           7:4    0 238.4M  0 loop  
└─cryptvolume                                 252:11   0 236.4M  0 crypt /home/bjonkman/temp/mountpoint

laptop:~/temp$ ls -l
total 244149
-rw-rw-r-- 1 bjonkman bjonkman 250000000 Oct  8 23:19 containerfile.img
drwxr-xr-x 3 root     root          1024 Oct  8 23:14 mountpoint

laptop:~/temp$

Note that the encrypted file system still belongs to root:root because we used the sudo command.

Change file ownership to bjonkman:bjonkman so I can read/write to it without elevated permissions:


laptop:~/temp$ sudo chown bjonkman: mountpoint/

laptop:~/temp$ ls -l
total 244149
-rw-rw-r-- 1 bjonkman bjonkman 250000000 Oct  8 23:19 containerfile.img
drwxr-xr-x 3 bjonkman bjonkman      1024 Oct  8 23:14 mountpoint

laptop:~/temp$

Since an encrypted container file is probably secret, it shouldn’t be visible to groups or others, so remove those file permissions:


laptop:~/temp$ chmod go-rwx containerfile.img 

laptop:~/temp$ ls -l
total 244149
-rw------- 1 bjonkman bjonkman 250000000 Oct  8 23:34 containerfile.img
drwxr-xr-x 3 bjonkman bjonkman      1024 Oct  8 23:14 mountpoint

laptop:~/temp$

Do some work in the encrypted drive:


laptop:~/temp$ echo "Hello World" > mountpoint/hello.txt

laptop:~/temp$ ls -l mountpoint/
total 13
-rw-rw-r-- 1 bjonkman bjonkman    12 Oct  8 23:53 hello.txt
drwx------ 2 root     root     12288 Oct  8 23:14 lost+found

laptop:~/temp$

And finally, unmount the encrypted filesystem and close the encrypted volume:


laptop:~/temp$ sudo umount mountpoint/

laptop:~/temp$ sudo cryptsetup luksClose cryptvolume 

laptop:~/temp$

Using an encrypted file container

Next time you want to do some work:


laptop:~/temp$ sudo cryptsetup luksOpen containerfile.img cryptvolume
Enter passphrase for containerfile.img: 

laptop:~/temp$ sudo mount /dev/mapper/cryptvolume mountpoint

laptop:~/temp$ echo "Hello again" > mountpoint/again.txt

laptop:~/temp$ ls -l mountpoint/
total 14
-rw-rw-r-- 1 bjonkman bjonkman    12 Oct  9 00:12 again.txt
-rw-rw-r-- 1 bjonkman bjonkman    12 Oct  8 23:53 hello.txt
drwx------ 2 root     root     12288 Oct  8 23:14 lost+found

laptop:~/temp$ sudo umount mountpoint/

laptop:~/temp$ sudo cryptsetup luksClose cryptvolume 

laptop:~/temp$

Using an encrypted file container from the GUI

Once the encrypted file container has been created you can open it from the graphical file manager just by double-clicking:
File manager window

Enter the passphrase to unlock the volume:
A file manager window and a password prompt window

A file manager window for the encrypted volume opens:
Two file manager windows

Note that the mountpoint is /media/bjonkman/cryptdrive/, chosen by the Gnome Disk Mounter application that runs when you doubleclick the container:


laptop:~/temp$ lsblk
NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                                             8:0    0 465.8G  0 disk  
├─sda1                                          8:1    0   243M  0 part  
├─sda2                                          8:2    0    14G  0 part  /
└─sda3                                          8:3    0     1K  0 part  
loop5                                           7:5    0 238.4M  1 loop  
└─luks-54f8e41b-73bf-4adf-aa29-a147733c5202   252:11   0 236.4M  1 crypt /media/bjonkman/cryptdrive

laptop:~/temp$

Also, note that the encrypted drive is mounted read-only:


laptop:~/temp$ mount | grep cryptdrive
/dev/mapper/luks-54f8e41b-73bf-4adf-aa29-a147733c5202 on /media/bjonkman/cryptdrive type ext4 (ro,nosuid,nodev,relatime,data=ordered,uhelper=udisks2)

laptop:~/temp$

Gnome Disk Mounter can be launched from the command line with a --writeable or -w parameter:
Command line window and Enter Passphrase window

Happily, this all works without elevated privileges; no sudo required. I don’t know how to open an encrypted file container using only command line tools without using sudo, nor how to launch Gnome Disk Manager in writeable mode just by doubleclicking — if you know, leave a comment or send me e-mail!

TL;DR:


fallocate -l 250MB containerfile.img

sudo cryptsetup luksFormat containerfile.img

sudo cryptsetup luksOpen containerfile.img cryptvolume

sudo mkfs -L cryptdrive -t ext4 /dev/mapper/cryptvolume

mkdir mountpoint

sudo mount /dev/mapper/cryptvolume mountpoint

sudo chown bjonkman: mountpoint/

chmod go-rwx containerfile.img

(do some work)

sudo umount mountpoint/

sudo cryptsetup luksClose cryptvolume

-----

sudo cryptsetup luksOpen containerfile.img cryptvolume
sudo mount /dev/mapper/cryptvolume mountpoint
(do some work)
sudo umount mountpoint/
sudo cryptsetup luksClose cryptvolume

Tags: , , ,
Posted in GNU/Linux | 1 Comment »

 
Better Tag Cloud