How to Create an Encrypted Container in Linux for Cloud Storage

March 8, 2017 | Views: 10806


How to Create an Encrypted Container in Linux to Use on Cloud Storage Services

Greetings Cybrarians.

This is my first publication, and in it we will learn how to secure our content when we use a third-party service for cloud storage (e.g. Dropbox).

We can use this technique for local encryption too.

Of course, we should know that the best solution is out there and its name is open source, like ownCloud, Nextcloud, etc.
But if we don’t have the hardware, the knowledge or the time to build and maintain our own cloud and we are using closed-source third-party software like Dropbox, it’s good practice to keep our sensitive data encrypted in the cloud and unencrypted only locally.

This tutorial was created and tested on Ubuntu 16.04 LTS, where it works, but it is expected to work on any other Linux distribution.

We will use cryptsetup, a tool that is not preinstalled in Ubuntu.

Module Check and Installation

First, we should check whether the required kernel module (dm_crypt) is loaded.

lsmod | grep dm_crypt

If we get any output, we can proceed. If not, we should load the module with the following command:

sudo modprobe -v dm_crypt

Let’s install cryptsetup now with the following command:

sudo apt-get install cryptsetup

Creating the File Container

With the following command, we will create a file container 1GB in size. Inside it we can create and store the files and folders we care about, usually sensitive data we don’t want others to have access to.

fallocate -l 1GB PRIVATE

Now we will encrypt the “PRIVATE” File (container) with cryptsetup.

cryptsetup -v luksFormat PRIVATE

We answer “YES” (in uppercase) at the warning and enter the passphrase twice.

WARNING!
========
This will overwrite data on PRIVATE irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: 
Verify passphrase: 
Command successful.

We can see information about the encrypted space we just created, with the following command:

cryptsetup -v luksDump PRIVATE

Example Results:

LUKS header information for PRIVATE

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
Payload offset: 4096
MK bits:        256
......
......
......
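
The fields in that output can be read programmatically to check how a container was formatted. The following is an added example, not part of the original tutorial; the function names are illustrative and the sample header is constructed from the output above.

```bash
#!/usr/bin/env bash
# Added example, not from the original tutorial: interpret the LUKS1 fields
# printed by `cryptsetup luksDump`. Function names are illustrative.
# SAMPLE_DUMP is constructed from the example output shown above.
SAMPLE_DUMP='LUKS header information for PRIVATE

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
Payload offset: 4096
MK bits:        256'

# header_field DUMP LABEL: print the value of the "LABEL: value" line.
header_field() {
    printf '%s\n' "$1" | awk -F': *' -v key="$2" \
        '$1 == key { sub(/[ \t]+$/, "", $2); print $2; exit }'
}

# effective_key_bits DUMP: size of the key the cipher actually uses.
# XTS splits the master key into two halves, so "MK bits: 256" with an
# xts-* mode means AES-128, and 512 means AES-256.
effective_key_bits() (
    bits=$(header_field "$1" "MK bits")
    [ -n "$bits" ] || exit 1              # not LUKS1 luksDump output
    case "$(header_field "$1" "Cipher mode")" in
        xts-*) echo $((bits / 2)) ;;
        *)     echo "$bits" ;;
    esac
)

# summarize_header DUMP: one line per field of interest, plus notes.
summarize_header() (
    eff=$(effective_key_bits "$1") || { echo "unrecognized header" >&2; exit 1; }
    hash=$(header_field "$1" "Hash spec")
    echo "cipher:   $(header_field "$1" "Cipher name")-$(header_field "$1" "Cipher mode")"
    echo "key size: $eff bits effective"
    echo "hash:     $hash (used by PBKDF2)"
    [ "$eff" -ge 256 ] || echo "note: luksFormat --key-size 512 gives AES-256 in XTS"
    [ "$hash" != sha1 ] || echo "note: luksFormat --hash sha256 selects SHA-256"
)

summarize_header "$SAMPLE_DUMP"
```

To check a real container, pass the live output instead of the sample: summarize_header "$(cryptsetup luksDump PRIVATE)".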

Opening the container and creating the filesystem

To create and store files and folders, we have to create a filesystem. That’s the magic here. We will use a simple file (PRIVATE) as a container holding a filesystem in which we can store other files and folders.
To do that, we have to open the container with the following command:

sudo cryptsetup -v luksOpen PRIVATE DECRYPTED

cryptsetup needs administrative (sudo/root) privileges to work.
We need to specify a NAME for the unencrypted space to be opened.
Here we use the name DECRYPTED.
Keep in mind that names in Linux are case-sensitive.
Now we have our space attached under /dev/mapper/DECRYPTED.

Example Output:

[sudo] password for nickth: 
Enter passphrase for PRIVATE: 
Key slot 0 unlocked.
Command successful.

Notice that it asks for our passphrase, the one we created earlier.
Now we can create our filesystem, and I prefer the well-tested and reliable ext4.

sudo mkfs -t ext4 /dev/mapper/DECRYPTED

Mounting the Container

From now on, we can mount the unencrypted device (the one under /dev/mapper/):

sudo mount /dev/mapper/DECRYPTED /mnt

Let’s see if it has anything inside.

cd /mnt && ls

What we should see is the standard lost+found directory.

Unmounting and Closing the Container

When we are done with our files and folders inside the (unencrypted) container, we should use the following commands to unmount and close the container properly.

sudo umount /mnt
sudo cryptsetup luksClose DECRYPTED

Of course, /mnt is not an excellent place to mount our (unencrypted) container. It would be better to create a directory somewhere with proper permissions, meaning only WE have access.

The only thing left to do now is to move the closed (encrypted) file (container) named PRIVATE to our Dropbox directory (we took Dropbox here as an example).

How the Synchronization Works

We can see that while the container is unencrypted and mounted, Dropbox won’t sync any data, even if we create a new folder, move or remove files, etc.
Dropbox doesn’t see the unencrypted storage at all.
When we finish, unmount the unencrypted storage (/dev/mapper/…) and then close it properly (we saw the command above), we will see Dropbox start to synchronize the data.
What it does is index the file (PRIVATE) for any changes and write the encrypted metadata in it.
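
One way to script the open/mount and unmount/close steps with a private mount point, and to confirm the mapping is gone before the container is left to sync. This is an added example, not part of the original tutorial; the ~/Dropbox/PRIVATE path, the ~/.private directory and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original tutorial. Assumed names: the
# ~/Dropbox/PRIVATE path, the ~/.private directory, all function names.
CONTAINER="${CONTAINER:-$HOME/Dropbox/PRIVATE}"
NAME="${NAME:-DECRYPTED}"
BASE="${BASE:-$HOME/.private}"            # parent directory, mode 700
MAPPER_DIR="${MAPPER_DIR:-/dev/mapper}"

# Create BASE (owner-only) and BASE/mnt. The restriction sits on the parent
# because a mounted filesystem shows the permissions of its own root
# directory, not those of the directory it is mounted on.
prepare_mountpoint() {
    mkdir -p "$BASE" || return 1
    if [ -L "$BASE" ]; then
        echo "refusing to use symlink $BASE" >&2
        return 1
    fi
    chmod 700 "$BASE" && mkdir -p "$BASE/mnt"
}

# True while the mapping created by luksOpen exists.
is_open() { [ -e "$MAPPER_DIR/$NAME" ]; }

open_container() {
    prepare_mountpoint || return 1
    is_open || sudo cryptsetup -v luksOpen "$CONTAINER" "$NAME" || return 1
    sudo mount "$MAPPER_DIR/$NAME" "$BASE/mnt" || return 1
    # A fresh ext4 root directory belongs to root; hand it to our user.
    sudo chown "$(id -u):$(id -g)" "$BASE/mnt"
}

close_container() {
    sudo umount "$BASE/mnt" || return 1    # fails while files are in use
    sudo cryptsetup luksClose "$NAME" || return 1
    if is_open; then
        echo "mapping $NAME is still present" >&2
        return 1
    fi
    echo "closed: $CONTAINER holds only encrypted data and can sync"
}

case "${1:-}" in
    open)  open_container ;;
    close) close_container ;;
esac
```

Saved as a script, it is run with the argument open before working on the files and close afterwards.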

Summary

What we did in this tutorial is:

1. We created a large file, 1GB in size.
2. We formatted the file with cryptsetup to use it as an encrypted container.
3. We created a filesystem, and we converted the file to a container.
4. We opened and mounted the container (now we can store our data).
5. We unmounted and closed the container properly.

6 Comments
  1. Really useful and well done article… thank you 🙂
