In this section, we'll create a file container, which you can think of as a vault, and encrypt whatever is put inside. As long as the vault is unlocked, files can be added to or deleted from it just like any regular filesystem, but once we lock it, no one will be able to peek inside or guess what's in the vault.
We'll be using a tool called cryptsetup that will help us create and manage the encrypted containers. Type the following command to install cryptsetup and the optional dosfstools if you'd like your vault to be accessible on a Windows machine:
pi@raspberrypi ~ $ sudo apt-get install cryptsetup dosfstools
This technique will give you an encrypted vault mounted under a directory. You can then add files to it as you wish, and once locked, you can copy it and open it up on Windows.
[size] with the number of megabytes you'd like to allocate:
pi@raspberrypi ~ $ dd if=/dev/zero of=~/myvault.vol bs=1M count=[size]
myvault.vol file compatible with a platform-independent standard called Linux Unified Key Setup (LUKS). We'll specify -t vfat to get a FAT32 filesystem that can be accessed under Windows. If you don't intend to move the container, you may prefer ext4.
pi@raspberrypi ~ $ sudo luksformat -t vfat ~/myvault.vol
Since formatting something will overwrite whatever was there before, even though it's just a single file in this case, you'll be prompted with a warning and will have to type YES in all caps to initiate the process. Next, you'll be asked (three times) for a password that will be required to unlock your vault. You can safely ignore the warning from mkfs.vfat about drive geometry.
pi@raspberrypi ~ $ sudo cryptsetup luksDump ~/myvault.vol
You'll see that cryptsetup uses AES encryption by default and that the LUKS format actually allows multiple passwords to unlock your vault, as displayed by the Key Slots. Type cryptsetup --help to get a list of possible actions that can be performed on your vault.
pi@raspberrypi ~ $ sudo cryptsetup luksOpen ~/myvault.vol myvault
Once you've entered the correct password, your vault will be made available in /dev/mapper/ under the name we've specified at the end of the line, /dev/mapper/myvault in this case. You can now use this device as if it was a regular attached hard disk.
/home/pi/ for easy access. Let's create the directory first:
pi@raspberrypi ~ $ mkdir ~/vault
pi@raspberrypi ~ $ sudo mount -o uid=1000,gid=1000 /dev/mapper/myvault ~/vault
The user ID/group ID arguments that we specify here are specifically for the FAT32 filesystem. They ensure that the pi user (which has a uid/gid of 1000) will be able to write to the ~/vault directory. With an ext4 filesystem these extra flags are not necessary because the permissions of the directory itself determine access.
That's all there is to it. You can now start filling up the ~/vault directory. Use df -h ~/vault to keep an eye on the space available in the vault.
To safely close the vault, you need to unmount it first with the following command:
pi@raspberrypi ~ $ sudo umount ~/vault
Now most importantly, remember to lock your vault:
pi@raspberrypi ~ $ sudo cryptsetup luksClose myvault
To make the daily locking/unlocking routine a little less tedious, you can define these aliases:
alias vaulton='sudo cryptsetup luksOpen ~/myvault.vol myvault && sudo mount -o uid=1000,gid=1000 /dev/mapper/myvault ~/vault'
alias vaultoff='sudo umount ~/vault && sudo cryptsetup luksClose myvault'
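The aliases above chain the unmount and lock steps, but nothing tells you if the second step was skipped or failed. As an added example (not from the original text), these shell functions report whether the vault is locked, unlocked or mounted, so you can confirm it is locked before copying myvault.vol. The function names and the MAPPER_DIR/MOUNTS_FILE overrides are assumptions introduced here.

```shell
#!/bin/sh
# Added example, not from the original text. Source it from ~/.bashrc next to
# the vaulton/vaultoff aliases. Function names are hypothetical.
# MAPPER_DIR and MOUNTS_FILE exist only so the check can be exercised without root.
MAPPER_DIR="${MAPPER_DIR:-/dev/mapper}"
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# Print "mounted", "unlocked" (decrypted device exists but no filesystem is
# mounted from it) or "locked" for the given mapping name (default: myvault).
vault_state() {
    dev="$MAPPER_DIR/${1:-myvault}"
    # Assumption: the mount table lists the device by its /dev/mapper name (field 1).
    if awk -v d="$dev" '$1 == d { hit = 1 } END { exit !hit }' "$MOUNTS_FILE" 2>/dev/null; then
        echo mounted
    elif [ -e "$dev" ]; then
        echo unlocked
    else
        echo locked
    fi
}

# Succeeds only when the vault is fully locked, i.e. safe to copy or walk away from.
vault_is_locked() {
    [ "$(vault_state "${1:-myvault}")" = locked ]
}

# Same commands as the vaultoff alias, followed by a check that the lock took effect.
vault_off() {
    sudo umount ~/vault && sudo cryptsetup luksClose myvault
    if ! vault_is_locked myvault; then
        echo "WARNING: vault is still $(vault_state myvault)" >&2
        return 1
    fi
}
```

The "unlocked" state is the one to watch for: the filesystem is unmounted, but the decrypted device is still present under /dev/mapper/ until luksClose runs.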
To access your vault from Windows, visit http://www.freeotfe.org/download.html to download the latest version of FreeOTFE or FreeOTFE Explorer. It's a portable application and very easy to use.