{"id":20755230,"url":"https://github.com/formix/cypherdrive","last_synced_at":"2026-04-21T11:36:20.968Z","repository":{"id":51340788,"uuid":"364656769","full_name":"formix/cypherdrive","owner":"formix","description":"Create an encrypted file system within your linux file system for sensitive data at rest","archived":false,"fork":false,"pushed_at":"2021-05-19T11:56:55.000Z","size":12,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-01-18T04:26:44.699Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/formix.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-05-05T17:32:21.000Z","updated_at":"2022-01-07T16:18:29.000Z","dependencies_parsed_at":"2022-09-24T20:12:46.077Z","dependency_job_id":null,"html_url":"https://github.com/formix/cypherdrive","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/formix%2Fcypherdrive","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/formix%2Fcypherdrive/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/formix%2Fcypherdrive/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/formix%2Fcypherdrive/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/formix","download_url":"https://codeload.github.com/formix/cypherdrive/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github"
,"repositories_count":243059330,"owners_count":20229551,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-17T09:24:05.931Z","updated_at":"2025-12-24T11:54:07.107Z","avatar_url":"https://github.com/formix.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Saving Sensitive Data In a Linux File System\n\nSometimes, we need to make sure our data at rest is safe from prying eyes. This article explains how to make an encrypted loopback block device mounted by systemd. To execute most of these commands, you have to be root. I recommend opening a root session with `sudo su -`. Keeping the encrypted file in a directory with mode 700 owned by root:root is the best way to go.\n\nOver time, I plan to integrate as much of this documentation as possible into a command-line Python script or a UI, if that makes sense. Come back often and ask questions in the issue tab if you need help putting all this into practice.\n\nI documented my process of setting up an encrypted mount point on a RHEL7 (Red Hat Enterprise Linux 7) system. I tried to make the documentation and scripts as universal as possible, but distro variations may require some tweaking. I'll try it on my Debian-based machine at home as soon as possible and mark any distro-dependent commands in the future, if any. Have fun!\n\n## Install required packages\n\n```bash\nyum install cryptsetup parted\n```\n\n## Create and attach the loopback block device\n\nThe following line will create a 10-megabyte file filled with zeros. 
Obviously you should create a file with a size that makes sense for your needs. The second command then attaches that file as a loopback device named *loop0*.\n\n```bash\ndd if=/dev/zero of=encryptedfile.img bs=1M count=10\nsudo losetup -P /dev/loop0 encryptedfile.img\n```\n\nYou can check if the loop device was attached properly by running the following command:\n\n```bash\nlosetup -a\n```\n\nIt should display:\n\n```text\n/dev/loop0: []: (/root/encryptedfile.img)\n```\n\nDoes it show up properly? Then we have it! A new block device now exists in your system. From there you could already format it, mount it, etc. But that is not what we want. We want an encrypted file system. Read on...\n\n## Initialize and map the encrypted device\n\nWe will use LUKS to encrypt our block device. The next step is to prepare our blank device to be encrypted:\n\n```bash\ncryptsetup luksFormat /dev/loop0\n```\n\nThat command will ask you for a passphrase. Enter a secure passphrase and don't forget it. Doing that creates a symmetric master key for the volume, itself encrypted with a key derived from this passphrase. Do not forget that our goal is to mount that volume automatically at boot. We need a way to provide the passphrase without typing it. To do that, we add a key file holding random data that acts as a second passphrase:\n\n```bash\n# iflag=fullblock: a short read from /dev/random would otherwise leave the key file under 32 bytes\ndd if=/dev/random bs=32 count=1 iflag=fullblock of=/root/encryptedfile.key\ncryptsetup luksAddKey /dev/loop0 /root/encryptedfile.key\n```\n\nWhen prompted, enter the passphrase you created earlier. It takes a few seconds to apply that new key. Now both your initial passphrase and that new key file can unlock your encrypted device.\n\nNext we will create a new mapped device to handle the encryption and decryption. We will use the new key file to check that it works. Execute the following command:\n\n```bash\ncryptsetup open /dev/loop0 encryptedfile -d /root/encryptedfile.key\n```\n\nIt should create a new device at /dev/mapper/encryptedfile. 
Nice work!\n\n## Formatting the drive for your needs\n\nNext, just format that new device with the file system you like. In this case, I'll use ext4, because why not. In your case vfat or something else might be preferable.\n\n```bash\nmkfs -t ext4 /dev/mapper/encryptedfile\n```\n\n## Configure fstab\n\nFor this one, I'll drop the line here without explaining it much. If you want more information on how fstab works, check the reference links at the end of the article. Edit `/etc/fstab` and add this line:\n\n```text\n/dev/mapper/encryptedfile  /home/\u003cuser\u003e/mnt   ext4    defaults,noauto      0 0\n```\n\nThe file system could just as well be mounted somewhere in `/var` for a more general use case. In the case I have in mind, I'm targeting a usage where a particular application for a given service has to work with that data exclusively. That is why I mount it into a private user directory.\n\nNote that we don't want to automount that drive at boot (hence `noauto`), since there are a lot of commands to execute to bring the loopback and mapper devices into existence. Instead, we will create a systemd service to mount and unmount that device in the next section.\n\n## Create Systemd scripts to mount the device\n\nYou can download the scripts [here](https://github.com/formix/cypherdrive/archive/refs/tags/1.0.1.tar.gz). Change the values inside them to fit your needs. You probably want to change the directory and file name of the IMG file, the directory and name of the key file, the loop and mapper device names, etc. Make it your own. Once ready, call the install shell script as root and it should work!\n\n## References\n\n1. [How to create virtual block device in linux](https://www.thegeekdiary.com/how-to-create-virtual-block-device-loop-device-filesystem-in-linux/)\n2. [Encrypting block devices using LUKS](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening)\n3. 
[Adding a key file to an existing LUKS volume](https://access.redhat.com/solutions/230993)\n4. [fstab man page](https://man7.org/linux/man-pages/man5/fstab.5.html)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fformix%2Fcypherdrive","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fformix%2Fcypherdrive","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fformix%2Fcypherdrive/lists"}