= LUKS like TrueCrypt

In a LINK-TO-LUKS-ARTICLE[previous article], I demonstrated how to implement full-drive encryption on Linux with LUKS and the `cryptsetup` command.
While encrypting a whole drive is useful in many cases, there are many reasons you might not want to encrypt an entire drive.
For instance, you might require a drive to work across several platforms, some of which may not have LUKS integration.
Furthermore, it's the 21st century, the Cloud exists, and you may not be using a physical drive for all of your data.

Several years ago, there was a system called TrueCrypt that allowed users to create encrypted file "vaults", which could be decrypted by TrueCrypt to provide read and write access.
It was a useful technique, and provided, essentially, a virtual, portable, and fully encrypted drive where you could store important data.
TrueCrypt closed down, but it serves as an interesting model.

LUKS is a flexible system, fortunately.
You can use LUKS and `cryptsetup` to create an encrypted vault as a self-contained file, which you can save on a physical drive or in cloud storage.

== 1. Create an empty file

First, you must create an empty file of a predetermined size.
This serves as a kind of vault or safe in which you can store other files.
The command you use for this is `fallocate`, from the *util-linux* package:

[source,bash]
----
$ fallocate --length 512M vaultfile.img
----

In this example, I've created a file 512 MB in size, but you can make yours any size you want.

== 2. Create a LUKS volume

Next, you must create a LUKS volume within the empty file.

[source,bash]
----
$ cryptsetup --verify-passphrase \
luksFormat vaultfile.img
----

== 3. Open the LUKS volume

Before you can create a file system ready for file storage, you must first open the LUKS volume, which makes it available as a mapped device under `/dev/mapper` on your computer.

[source,bash]
----
$ sudo cryptsetup open \
--type luks vaultfile.img myvault
$ ls /dev/mapper
myvault
----

== 4. Create a file system

Make a file system in your open vault:

[source,bash]
----
$ sudo mkfs.ext4 -L myvault /dev/mapper/myvault
----

If you don't need it for anything right now, you can close it:

[source,bash]
----
$ sudo cryptsetup close myvault
----

== How to use your encrypted vault

Now that it's all set up, you can use your encrypted file vault whenever you need to store or access private data.
To access your vault, you must mount it as a usable file system:

[source,bash]
----
$ sudo cryptsetup open \
--type luks vaultfile.img myvault
$ ls /dev/mapper
myvault
$ sudo mkdir /myvault
$ sudo mount /dev/mapper/myvault /myvault
----

In this example, I open the vault with `cryptsetup`, and then mount the vault from `/dev/mapper` to a new directory called `/myvault`.
As with any volume on Linux, you can mount the LUKS volume anywhere you want, so instead of `/myvault` you can use `/mnt` or `~/myvault` or whatever you prefer.

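While it's open and mounted, the contents of your LUKS volume are available in decrypted form through the mount point; the image file itself stays encrypted on disk.
You can read and write files to it just as if it were a physical drive.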

When you're finished using your encrypted vault, unmount and close it:

[source,bash]
----
$ sudo umount /myvault
$ sudo cryptsetup close myvault
----

== Encrypted file vaults

The image file you encrypt with LUKS is as portable as any other file, so you can store your vault on your hard drive, or an external drive, or even on the Internet.
As long as you have LUKS available, you can decrypt, mount, and use it to keep your data safe.
It's easy encryption for improved data safety, so give it a try.
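
Before copying an image to an external drive or to cloud storage, it is worth confirming that the file really carries a LUKS header and is not, for example, the still-empty file from step 1. The following is an added example, not part of the original article: it reads the first 8 bytes of a file (the LUKS magic `LUKS` 0xBA 0xBE followed by a 2-byte big-endian version) and works on systems where `cryptsetup isLuks` is not available. The function names and the sample files are assumptions made for the illustration.

```bash
#!/bin/sh
# Added example: classify an image file by its first 8 bytes.
# LUKS1 and LUKS2 images both begin with the magic "LUKS" 0xBA 0xBE,
# followed by a 2-byte big-endian version number (1 or 2).

# Print the first 8 bytes of a file as lowercase hex digits.
header_hex() {
    head -c 8 < "$1" | od -An -v -tx1 | tr -d ' \n'
}

# Print "luks1", "luks2", "blank", "unknown" or "unreadable".
# Returns 0 only when the file starts with a LUKS header.
vault_kind() {
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    case "$(header_hex "$1")" in
        4c554b53babe0001) echo "luks1" ;;
        4c554b53babe0002) echo "luks2" ;;
        # First 8 bytes are zero, as in a freshly allocated file
        # that has not been through luksFormat yet.
        0000000000000000) echo "blank"; return 1 ;;
        *)                echo "unknown"; return 1 ;;
    esac
}

# Constructed sample files (header bytes only, not real vaults).
demo_dir=$(mktemp -d)
printf 'LUKS\272\276\000\002' > "$demo_dir/formatted.img"
printf '\000\000\000\000\000\000\000\000' > "$demo_dir/fresh.img"
printf 'just some text' > "$demo_dir/notes.img"

for f in "$demo_dir"/*.img; do
    printf '%s: %s\n' "${f##*/}" "$(vault_kind "$f" || true)"
done
rm -rf "$demo_dir"
```

A matching header only shows that the file was formatted as a LUKS container; it says nothing about the strength of the passphrase protecting it.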