
Creating an Encrypted Local File System in a File

By TheJan | Gray Hats | 21 Sep 2022


So you'd like to store your secrets in plain sight, and only want to decrypt and use them when you know it's safe?

The Scenario

Here's a use-case:

  • You have access to a remote machine, which you do not have physical access to.
  • At any point in time, someone unknown to you may unplug the network, shutdown the computer, and extract the hard-drive.
  • They have access to all the files on the system.
  • Still, with the machine accessible to you right now, you want to make good use of the compute it offers.

And here is a proposed solution:

  • Create an encrypted file of your chosen capacity, and store it on the local system.
  • Mount it as a loop-back device file system at an arbitrary mount point.
  • Encrypt it using stock Linux tools, and secure it with a password.
  • Whenever you access the machine, manually mount the encrypted file system and use it as if it were a regular part of the system setup.
  • When you log out, unmount. No-one will be able to peek into your secrets. Worst thing they can do is keep the file (not knowing what's inside) or delete it.

This sounds easy, but there are a couple things you need to keep in mind:

  • Don't, I repeat: Don't (!) store the password locally. Not in a script, not in the bash history, not in a credentials file. Always decrypt manually. If you fail to follow this advice, all the effort of encrypting a file system in the first place won't help you.
  • Make sure you don't leave your file system decrypted and mounted when you log out. With remote machines, there may be other user accounts (potentially with root access) that can easily get a hold of your account and browse through your files. Remember, root has access to everything on Linux.

How to get it Working

To get your safe file system up and running, you follow three simple steps:

  • Creating an encrypted file system
  • Mounting it for use
  • Unmounting it when done

The below sections will guide you through all three steps on a reasonably modern Ubuntu system. As a prerequisite, install the following dependency:

sudo apt install cryptsetup

This is required for interacting with the LUKS part of the file system encryption. You don't need to know more about this for the whole process, but should DYOR if you want to make sure you understand what's going on behind the scenes.

Creating the Container File

The following snippet creates a file "container.img" with a size of 100MB. The loopback device "/dev/loop100" will be used. If you are not sure which loop-back device to use, run "df" and look for the next unused (i.e., not in the list) "/dev/loop*" device and use that. For the size, choose whatever size you need - obviously it has to fit into your hard-drive, as the space gets allocated right away.

CONTAINER_FILE=container.img
SIZE_IN_MB=100
LOOPBACK_DEVICE=/dev/loop100

# Fill the container with random data, so unused space cannot be told apart from encrypted data
dd if=/dev/urandom of="$CONTAINER_FILE" bs=1M count="$SIZE_IN_MB"
# Attach the file to a loop device so it can be treated as a block device
sudo losetup "$LOOPBACK_DEVICE" "$CONTAINER_FILE"
# Write the LUKS header (asks for confirmation and for the new passphrase)
sudo cryptsetup luksFormat "$LOOPBACK_DEVICE"
# Open the encrypted device as /dev/mapper/container.img
sudo cryptsetup luksOpen "$LOOPBACK_DEVICE" "$CONTAINER_FILE"
# Create the ext2 file system inside the opened container
sudo mkfs.ext2 "/dev/mapper/$CONTAINER_FILE"
# Close the mapping and detach the loop device again
sudo cryptsetup luksClose "$CONTAINER_FILE"
sudo losetup -d "$LOOPBACK_DEVICE"

The script then initializes the LUKS header on the loop device and creates a compact ext2 file system inside it. During the process you will be asked for the passphrase you want to define for your file system; choose something you can remember but that is not easily guessable. You'll be asked to enter it again to verify you didn't mistype it. Finally, you will be asked whether you really want to format the new file system - enter "YES". You're done with creating the encrypted file system, which is now stored in "container.img".

Mounting the Container File

After you successfully created the encrypted file system, you will want to mount it to use it. Here I use the example container file "container.img" from above. As mount point I chose "mp" - this should be an empty directory in your current directory (create it with "mkdir mp" if it does not exist yet). I use the same loop-back device as above, although this is not required.

CONTAINER_FILE=container.img
MOUNT_POINT=mp
LOOPBACK_DEVICE=/dev/loop100

sudo losetup $LOOPBACK_DEVICE $CONTAINER_FILE
sudo cryptsetup luksOpen $LOOPBACK_DEVICE $CONTAINER_FILE
sudo mount /dev/mapper/$CONTAINER_FILE $MOUNT_POINT

During mounting you will be asked for the passphrase you defined above. Enter it to decrypt and mount the file system from the container file.

Once this is done, "mp" will contain the mounted file system. This is currently owned by "root" and your regular user will not have write access to it. Create a user folder below "mp" by doing the following:

cd mp
sudo mkdir user
sudo chown $USER:$USER user

The "mp" folder now contains two folders: A "lost+found" folder that you can safely ignore, and a "user" folder that is readable and writable by your current user. You can store/retrieve your files to/from there now as long as the file system is mounted.

Any sensitive data or programs you want to hide from prying eyes can go into here. Once you're done, don't forget to unmount the file system, which I will cover next.

Unmounting the Container File

After you're done working with your encrypted file system (e.g., when you log off or finish a sensitive task), you should unmount it. Do this with the following commands:

CONTAINER_FILE=container.img
MOUNT_POINT=mp
LOOPBACK_DEVICE=/dev/loop100

sudo umount $MOUNT_POINT
sudo cryptsetup luksClose $CONTAINER_FILE
sudo losetup -d $LOOPBACK_DEVICE

Use the same container file, mount point, and loop-back device as above to ensure proper unmounting. Your sensitive data is safely stored in "container.img" and can only be decrypted using the passphrase you chose when creating the container file.
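The three procedures above (create, mount, unmount) wrapped into shell functions, as an added example that is not code from the original post. It assumes cryptsetup and util-linux losetup are installed and that sudo works; the function names vault_create, vault_open, vault_close, mapper_name, mount_point_ok and still_mounted are mine. It goes a little beyond the post: losetup picks a free loop device (losetup -f --show) instead of hard-coding /dev/loop100, the mapper name is derived from the container file name, and the still_mounted helper implements the log-out check the post insists on in a way that can be run against any mounts file.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes cryptsetup and util-linux
# losetup are installed and that sudo works. cryptsetup prompts for the
# passphrase itself, so it is never an argument and never reaches bash history.
set -eu

# Derive the /dev/mapper name from the container path: "vault/container.img"
# becomes "container"; anything outside [A-Za-z0-9_-] is replaced by "_".
mapper_name() {
    base=$(basename "$1"); base=${base%.*}
    printf '%s' "$base" | tr -c 'A-Za-z0-9_-' '_'
}

# A mount point must exist and be empty: mounting over files would hide them.
mount_point_ok() { [ -d "$1" ] && [ -z "$(ls -A "$1")" ]; }

# True if a /proc/mounts-style file still lists the mapping, i.e. the container
# was left mounted. Takes the file path so the check can be tested offline.
still_mounted() { grep -q "^/dev/mapper/$2 " "$1"; }

vault_create() {    # vault_create <container> <size_mb>
    name=$(mapper_name "$1")
    dd if=/dev/urandom of="$1" bs=1M count="$2" status=none
    dev=$(sudo losetup -f --show "$1")      # let losetup pick a free loop device
    sudo cryptsetup luksFormat "$dev"       # prompts for YES and the passphrase
    sudo cryptsetup luksOpen "$dev" "$name"
    sudo mkfs.ext2 -q "/dev/mapper/$name"
    sudo cryptsetup luksClose "$name"
    sudo losetup -d "$dev"
}

vault_open() {      # vault_open <container> <mount_point>
    name=$(mapper_name "$1")
    mount_point_ok "$2" || { echo "mount point '$2' missing or not empty" >&2; return 1; }
    dev=$(sudo losetup -f --show "$1")
    sudo cryptsetup luksOpen "$dev" "$name"
    sudo mount -o nodev,nosuid "/dev/mapper/$name" "$2"
}

vault_close() {     # vault_close <container> <mount_point>
    name=$(mapper_name "$1")
    sudo umount "$2"
    sudo cryptsetup luksClose "$name"
    for d in $(sudo losetup -j "$1" | cut -d: -f1); do sudo losetup -d "$d"; done
    # Log-out check: refuse to report success while the mapping is still mounted.
    if still_mounted /proc/mounts "$name"; then
        echo "$name is still mounted somewhere" >&2; return 1
    fi
}
```

Keep the same container path across the three calls, since the mapper name is derived from it; running still_mounted /proc/mounts container before logging out is a cheap way to confirm nothing was left open.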

Final Words

You now have an encrypted file system in a file that you can move around, back up, or simply delete, leaving no traces of its actual unencrypted content. Since no-one can peek into your encrypted file, you can store your sensitive content safely. You now have a reasonable degree of deniability of owning any data that is stored inside your new container.

Remember to not store the passphrase you chose for the container on the same system or anywhere publicly accessible. It would also be advisable to store sensitive data from different contexts in separate files with different passphrases. This way, even if one of your containers gets compromised, you don't lose all of it.
