Quick Walkthrough of Cryptsetup

Just a quick guide on how to use "cryptsetup" to create LUKS containers (encrypted files) and encrypted block devices


Creating a container: You need a file to use as the container. I just allocate one with fallocate -l $SIZE $OUTPUT (change $SIZE to the size you want, such as 10G for 10 GiB, and $OUTPUT to the output file name you want). Then run cryptsetup luksFormat $OUTPUT; it asks you to confirm in capital letters, prompts for a passphrase, and overwrites whatever the target held. The LUKS header takes some space at the start of the file (16 MiB for LUKS2, the default on current cryptsetup), so the usable size is slightly less than $SIZE. If you wish to use a keyfile, run cryptsetup luksAddKey $OUTPUT $KEYFILE ($KEYFILE being the keyfile you wish to use [1]) after you have created your LUKS container; it prompts for the existing passphrase and stores the keyfile in a second keyslot, so either the passphrase or the keyfile unlocks the container. cryptsetup needs root, so prefix these commands with sudo if you are not root.

Opening a container: cryptsetup open $OUTPUT $TEMP maps the decrypted container to /dev/mapper/$TEMP ($TEMP is a mapping name of your choice, it does not matter what you use). If you added a keyfile, pass it with cryptsetup open --key-file $KEYFILE $OUTPUT $TEMP instead of typing the passphrase. Before the first mount the mapped device needs a file system, which I create with BTRFS here: mkfs.btrfs /dev/mapper/$TEMP. Do this only once, on the first open; running mkfs again wipes the contents, and after that you just open and mount. Then sudo mount /dev/mapper/$TEMP /path/to/mountpoint (the mountpoint should be an empty directory, just create one with mkdir mountpoint). The root of a fresh file system is owned by root, so if you get permission denied errors when you write to it, sudo chown -R $USER:$GROUP /path/to/mountpoint ($USER and $GROUP are usually the same, which would be your username)

Closing a container: sudo umount /path/to/mountpoint and then sudo cryptsetup close $TEMP. After close the key is dropped from the kernel and the data stays unreadable until the next open.
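The create, open, mount and close steps above, plus the keyfile from footnote [1], as an added shell example that is not part of the original post. It assumes Linux with cryptsetup, fallocate and mkfs.btrfs installed and a root shell; the file names (vault.img, vault.key, /mnt/vault) and the mapping name "vault" are assumptions. Setting DRY_RUN=1 prints the privileged commands instead of running them, which is handy for reviewing the flow before it touches anything.

```shell
#!/bin/sh
# Added example, not from the original post: the create / open / mount /
# close cycle as shell functions, with a keyfile as the second keyslot.
# Assumptions: Linux with cryptsetup, fallocate and mkfs.btrfs, run as root.
# DRY_RUN=1 prints the privileged commands instead of executing them.
set -eu

# Run a command, or echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Write 32 random bytes (256 bits) readable only by the owner and return
# the byte count. Keep the keyfile off the volume it unlocks.
generate_keyfile() {
    keyfile=$1
    ( umask 077; head -c 32 /dev/urandom > "$keyfile" )
    chmod 0400 "$keyfile"
    wc -c < "$keyfile" | tr -d ' '
}

# Allocate the container file, put a LUKS header on it (luksFormat asks
# for a passphrase) and add the keyfile as a second keyslot, so either
# the passphrase or the keyfile unlocks it.
create_container() {
    container=$1 size=$2 keyfile=$3
    run fallocate -l "$size" "$container"
    run cryptsetup luksFormat "$container"
    run cryptsetup luksAddKey "$container" "$keyfile"
}

# Map the container to /dev/mapper/$name with the keyfile, create the
# file system on the FIRST open only (mkfs wipes existing data), then mount.
open_container() {
    container=$1 name=$2 keyfile=$3 mountpoint=$4 first_open=${5:-0}
    run cryptsetup open --key-file "$keyfile" "$container" "$name"
    if [ "$first_open" = 1 ]; then
        run mkfs.btrfs /dev/mapper/"$name"
    fi
    run mkdir -p "$mountpoint"
    run mount /dev/mapper/"$name" "$mountpoint"
}

# Unmount, then drop the mapping; the key leaves the kernel at this point.
close_container() {
    name=$1 mountpoint=$2
    run umount "$mountpoint"
    run cryptsetup close "$name"
}

# Walk-through with the assumed names. Run as "sh script.sh demo"; without
# the argument the file only defines the functions.
demo() {
    generate_keyfile /root/vault.key > /dev/null
    create_container /root/vault.img 10G /root/vault.key
    open_container /root/vault.img vault /root/vault.key /mnt/vault 1
    run chown "${SUDO_USER:-root}:${SUDO_USER:-root}" /mnt/vault
    close_container vault /mnt/vault
    # later sessions: open_container /root/vault.img vault /root/vault.key /mnt/vault
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

generate_keyfile always writes the file, since that needs no privileges; everything that touches device-mapper goes through run so the dry run shows exactly what would be executed.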

Full Disk Encryption on Devices

To encrypt a device, the steps are the same as above, except that instead of creating a file with fallocate you use the device node under /dev/. Run lsblk to find it (if the disk shows as "sda", its device file is /dev/sda; a partition shows as "sda1" and lives at /dev/sda1, and so on). Double-check the name before running luksFormat, because it destroys everything on the target, and make sure nothing on it is mounted. You can use any file system you like in place of BTRFS. This covers data disks; encrypting the disk you boot from additionally needs the bootloader and initramfs set up to unlock it, which is outside this guide.
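Because luksFormat on the wrong device node is unrecoverable, here are the checks I would run before it, as an added shell example that is not part of the original post. It is Linux-specific (/proc/mounts, lsblk) and the device name /dev/sdb, mapping name "data" and keyfile path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: guards to run before pointing
# luksFormat at a real device, since it overwrites the target with no way
# back. Linux only (/proc/mounts, lsblk); device names are assumptions.
set -eu

# True if the path is a block device node such as /dev/sdb or /dev/sdb1.
is_block_device() {
    [ -b "$1" ]
}

# True if the device, or a partition on it (sdb1, nvme0n1p1), is mounted.
# Reads /proc/mounts directly so it does not depend on findmnt.
is_mounted() {
    dev=$1
    awk -v d="$dev" '
        $1 == d || $1 ~ ("^" d "p?[0-9]+$") { found = 1 }
        END { exit !found }' /proc/mounts
}

# True if the target already carries a LUKS header; re-formatting it
# would destroy the existing volume key and every keyslot.
has_luks_header() {
    cryptsetup isLuks "$1"
}

# Refuse unless the target is an unmounted block device that is not
# already LUKS (override the last check with FORCE=1).
preflight() {
    dev=$1
    if ! is_block_device "$dev"; then
        echo "refusing: $dev is not a block device" >&2; return 1
    fi
    if is_mounted "$dev"; then
        echo "refusing: $dev or a partition on it is mounted" >&2; return 1
    fi
    if has_luks_header "$dev" && [ "${FORCE:-0}" != 1 ]; then
        echo "refusing: $dev is already LUKS (FORCE=1 to re-format)" >&2; return 1
    fi
    lsblk "$dev"    # last look at what is about to be overwritten
}

# Encrypt a data disk end to end, mirroring the container steps:
# format, add the keyfile, open, create a file system, show the keyslots.
encrypt_device() {
    dev=$1 name=$2 keyfile=$3
    preflight "$dev"
    cryptsetup luksFormat "$dev"
    cryptsetup luksAddKey "$dev" "$keyfile"
    cryptsetup open --key-file "$keyfile" "$dev" "$name"
    mkfs.ext4 /dev/mapper/"$name"       # any file system works here
    cryptsetup luksDump "$dev"          # confirm two keyslots are in use
}

# Example invocation (assumed names): encrypt_device /dev/sdb data /root/data.key
```

preflight is deliberately a separate function so it can be run on its own against a candidate device before anything destructive happens.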


Is this it?

No. Cryptsetup is much more flexible than that, but this is probably all you need to get started

PS: This post will be updated later on


Footnotes:

[1] A secure way to generate a keyfile is dd if=/dev/urandom of=$KEYFILE bs=32 count=1, which writes 32 random bytes (256 bits) to the keyfile. Restrict its permissions (chmod 0400 $KEYFILE) and keep it off the volume it unlocks. You can increase the block size (bs) or the count for a longer keyfile, but once it exceeds the volume key size (256 or 512 bits depending on the cipher settings) the extra bytes add no security, since the keyfile only unlocks the keyslot that holds the volume key.