Step 1: Creating a Virtual Disk
To begin, we’ll create a virtual disk image that will act as our encrypted partition. We can use the dd command to create a file of a specified size filled with zeros:
dd if=/dev/zero of=virtual_disk.img bs=1M count=1024
This command creates a file named “virtual_disk.img” with a size of 1024 megabytes (1 GB).
Step 2: Associating the Virtual Disk with a Loop Device
Next, we need to make the virtual disk image accessible as a block device. We can achieve this by associating it with a loop device using the losetup command:
sudo losetup -fP virtual_disk.img
You can now check what loop devices are available for you.
losetup -a
Replace loopX in the following commands with the correct loop device (will have the virtual_disk.img attached to the text).
Step 3: Encrypting the Virtual Disk
Now that we have a virtual disk set up, let’s encrypt it using cryptsetup and LUKS. In this example, we’ll use a passphrase “cafebabe” for encryption. It’s important to choose a strong passphrase in real-world scenarios.
echo -n cafebabe | sudo cryptsetup luksFormat /dev/loopX -
Replace “/dev/loopX” with the actual loop device assigned to your virtual disk (e.g., /dev/loop2).
Step 4: Opening the Encrypted Disk
To access the encrypted disk, we need to open (decrypt) it using the same passphrase:
echo -n cafebabe | sudo cryptsetup open /dev/loopX my_encrypted_vp -
This command decrypts the virtual disk and maps it to a new device at “/dev/mapper/my_encrypted_vp”.
Step 5: Creating a Filesystem
After decrypting the virtual disk, we need to create a filesystem on it to store our files:
sudo mkfs.ext4 /dev/mapper/my_encrypted_vp
Step 6: Mounting the Encrypted Volume
Finally, we can mount the decrypted volume to a mount point to access and modify its contents:
sudo mount /dev/mapper/my_encrypted_vp /mnt/encrypted_vp
Step 7: Accessing the Encrypted Contents
With the encrypted volume mounted, we can now peek inside and browse its contents using standard Linux commands like ls:
ls -l /mnt/encrypted_vp
This command will display the files and directories stored within the encrypted virtual disk.
Step 8: Locking the partition again
To unlock and access the contents of an encrypted volume using LUKS, first, ensure the encrypted device is associated with a loop device. Use echo -n [passphrase] | sudo cryptsetup open /dev/loopX my_encrypted_vp - to unlock, replacing [passphrase] with your actual passphrase and /dev/loopX with your loop device. After unlocking, mount it using sudo mount /dev/mapper/my_encrypted_vp /mnt/encrypted_vp to access its contents. To relock, start by unmounting with sudo umount /mnt/encrypted_vp. Finally, close the encrypted device using sudo cryptsetup close my_encrypted_vp, securing its contents until the next unlock. This process ensures data security, allowing access only to those with the passphrase.
passphrase for us is cafebabe
sudo umount /mnt/encrypted_vp
sudo cryptsetup close my_encrypted_vp
Performing an update via a rootfs
You might decide you need to do OTAs or some other form of updates, the easiest way to go about this on another’s system with an encrypted disk is to create a rootfs.tar.
rootfs.tar typically refers to a compressed archive file containing the root filesystem of a Linux-based operating system. The “root filesystem” (rootfs) is the top-level directory hierarchy in a Linux system, containing essential directories like /bin, /etc, /lib, /sbin, /usr, and /var.
This archive often contains all the files and directories necessary for the operating system to function properly. It includes system binaries, libraries, configuration files, device files, and other essential components.
Archiving the root filesystem into a rootfs.tar file is a common practice for system backups, cloning, or distribution. It allows for easy transfer, duplication, and restoration of the entire operating system environment.
How to export a rootfs.tar
sudo tar -czpvf rootfs.tar -C /mnt/encrypted_vp .
[under construction]