Create a Secure Storage for your Precious Data
David "DeMO" Martínez Oliveira

Creating a secure encrypted disk with GNU/Linux is really simple. Typing a couple of commands on the command-line will do the trick and your data will be safe. Keep reading to find out how to do this with this quick recipe.
First, create the file that will hold your data (more precisely, your whole filesystem).

$ dd if=/dev/zero of=.secure_store bs=1G count=1

The command above creates a 1 GiB hidden file (its name starts with a dot) called .secure_store. Note that it is filled with zeros: any region of the container that is never written stays zero on disk, so an observer can tell how much of it is in use. If you want the file to look like random data from end to end, fill it from /dev/urandom instead of /dev/zero.

Creating the Secure Device

Now we have to make this file accessible as an encrypted device. The cryptsetup command takes care of that (create is the legacy name of this action; current releases call it open --type plain, and likewise remove is now called close, although the old names still work).

$ sudo cryptsetup -y create .secure_dev ./.secure_store

Let's explain what the command above has just done.

  • It created a virtual hard drive: /dev/mapper/.secure_dev will behave like /dev/sda1 or any other drive in your system.
  • Whenever you access that drive you are actually storing your data in the file we created earlier, instead of on a physical device (OK, the file itself lives on a physical device, but you know what I mean, don't you?).
  • And, last but not least, all the data stored in that file is encrypted.
  • The -y flag makes cryptsetup ask for the passphrase twice. That matters here: the file carries no header, so a mistyped passphrase is not rejected, it simply maps the file with a different key and you get a device full of garbage.

Creating Your Filesystem

So, we are almost there. From this point on we proceed as with any other drive in the system: we have to create a filesystem on it and mount it in order to use our secure storage. Something like this:

$ sudo mkfs.ext4 /dev/mapper/.secure_dev
$ sudo mkdir -p /mnt/.secure_disk
$ sudo mount /dev/mapper/.secure_dev /mnt/.secure_disk

Now anything you write under /mnt/.secure_disk is encrypted and stored in that file. As a bonus, you can move the file around with all your data in it. As a final step, you might want to change the ownership of /mnt/.secure_disk so that you can use it without sudo:

$ sudo chown mysecuser:mysecgroup /mnt/.secure_disk

where mysecuser and mysecgroup must be valid user and group names on your system.

When you are done, unmount the encrypted filesystem first and then remove the virtual hard drive:

$ sudo umount /mnt/.secure_disk/
$ sudo cryptsetup remove .secure_dev
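The whole recipe above, wrapped in a small script. This is an added example, not the article's own code. It uses the cryptsetup 2.x spelling of the commands (open --type plain / close); the backing file, device-mapper name, mount point and size are assumptions you can override from the environment. It adds the two checks you want with a headerless container: the cipher, key size and hash are pinned instead of relying on defaults, and blkid is consulted before formatting or mounting so that a wrong passphrase cannot wipe or garble your data. DRY_RUN=1 prints the privileged commands instead of running them, which is also how the script can be previewed before it is run as root.

```shell
#!/bin/sh
# secstore.sh: create, open, format, mount and close a dm-crypt plain-mode
# container. Added example, not the article's code. Assumes cryptsetup 2.x.
# All paths and names below are assumptions; override them via the environment.
# DRY_RUN=1 prints the privileged commands instead of executing them.

STORE="${STORE:-$HOME/.secure_store}"   # backing file (assumed path)
NAME="${NAME:-secure_dev}"              # device-mapper name -> /dev/mapper/$NAME
MNT="${MNT:-/mnt/secure_disk}"          # mount point (assumed path)
SIZE_MB="${SIZE_MB:-1024}"              # container size in MiB

# Plain mode stores no header, so nothing remembers these parameters for you.
# Pin them: cryptsetup's compiled-in defaults for plain mode have changed
# between releases, and a different default silently yields a different
# (garbage) device for the same passphrase. A 512-bit key is AES-256 in XTS mode.
CIPHER=aes-xts-plain64
KEY_SIZE=512
HASH=sha256

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# blkid -p probes the mapped device directly (no cache) and exits non-zero
# when it finds nothing it recognises.
has_filesystem() {
    sudo blkid -p "/dev/mapper/$NAME" >/dev/null 2>&1
}

secstore_create() {
    [ -e "$STORE" ] && { echo "refusing to overwrite $STORE" >&2; return 1; }
    # Fill with random bytes, not zeros: an unwritten zero region in a
    # plain-mode container stays zero on disk and shows how much is in use.
    run dd if=/dev/urandom of="$STORE" bs=1M count="$SIZE_MB" status=none
    run chmod 600 "$STORE"
}

secstore_open() {
    # -y asks for the passphrase twice. Without a header there is no other
    # check that it was typed correctly: a typo still "succeeds".
    run sudo cryptsetup open --type plain -y \
        --cipher "$CIPHER" --key-size "$KEY_SIZE" --hash "$HASH" \
        "$STORE" "$NAME"
}

secstore_mkfs() {
    # Never format a device that already holds a filesystem: that is either
    # real data, or proof that the passphrase just entered was the right one.
    if [ "${DRY_RUN:-0}" != 1 ] && has_filesystem; then
        echo "/dev/mapper/$NAME already has a filesystem, not formatting" >&2
        return 1
    fi
    run sudo mkfs.ext4 "/dev/mapper/$NAME"
}

secstore_mount() {
    # The reverse check: an existing container that shows no filesystem was
    # almost certainly opened with the wrong passphrase or wrong parameters.
    if [ "${DRY_RUN:-0}" != 1 ] && ! has_filesystem; then
        echo "no filesystem on /dev/mapper/$NAME: wrong passphrase?" >&2
        sudo cryptsetup close "$NAME"
        return 1
    fi
    run sudo mkdir -p "$MNT"
    run sudo mount "/dev/mapper/$NAME" "$MNT"
    run sudo chown "$(id -un):$(id -gn)" "$MNT"
}

secstore_close() {
    # Order matters: unmount first, then tear down the mapping.
    run sudo umount "$MNT"
    run sudo cryptsetup close "$NAME"
}

secstore_main() {
    case "${1:-}" in
        init)   secstore_create && secstore_open && secstore_mkfs && secstore_mount ;;
        mount)  secstore_open && secstore_mount ;;
        umount) secstore_close ;;
        *)      echo "usage: $0 {init|mount|umount}" >&2; return 2 ;;
    esac
}

if [ $# -gt 0 ]; then
    secstore_main "$@"
fi
```

Use `./secstore.sh init` once to build the container, then `./secstore.sh mount` and `./secstore.sh umount` on every use. Keep the three pinned parameters with the container (a comment in the script is enough): lose them and the passphrase alone will not get your data back.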


The method we have just described has some pros and cons. Let's start with the pros:

  • The file is treated as a raw device. No cryptographic information whatsoever is stored in the file itself (no passphrase, no algorithm, no header), so there is no way to tell that it is an encrypted disk rather than random data, as long as the container was filled with random bytes before use (untouched zero regions do stand out).
  • This method is really efficient. It works fine even on quite modest machines.

However, there are a couple of cons:

  • As no cryptographic information is stored, if you forget your passphrase you can no longer access the device, and there is no recovery path. Worse, a mistyped passphrase is not detected: cryptsetup will happily map the file with the wrong key and the result just looks like a disk full of random data. Never run mkfs on an existing container until you have checked that it mounted, or you will wipe the real data. For the same reason the cipher, key size and hash must be identical every time you open the file; cryptsetup's defaults for plain mode have changed between releases, so pass them explicitly rather than relying on the defaults.
  • The mapped device is a Linux dm-crypt construct with no standard on-disk format, so using your secure drive on a platform other than GNU/Linux is not straightforward.

Well, that is it. Simple and neat.

Header Image Credits: DasWortgewand