# LUKS-Encrypted Disk Images on Linux

## Using your package manager (apt, etc.), install the following:

## Requires: cryptsetup

Example:

```
sudo apt install cryptsetup
```

## As well as: losetup, mount, umount, findmnt, blkid

## Optional: VBoxManage (VirtualBox), virsh (libvirt)

## 1st, make a symbolic link to your bin path:

```
sudo ln -s "$(pwd)/luks-img.sh" /usr/local/bin/
```

## Make a folder for images and change into it:

```
mkdir -p "$HOME/DiskImages"
cd "$HOME/DiskImages"
```

## Quick Starts

Have a passphrase ready in mind. `mydisk.img` below could be named anything useful, like `mydocs.img`, etc.

1) Create & mount a new 4 GB encrypted image:

```
sudo luks-img.sh create --file mydisk.img --size 4G
```

2) Close (unmount, close mapper, detach loop):

```
sudo luks-img.sh close --file mydisk.img
```

3) Open & mount an existing image (note: it's easier if you name the mount path something like `/mnt/mydocs`, to match the image name):

```
sudo luks-img.sh open --file mydisk.img --mount /mnt/mydisk
```

4) Change the directory's ownership and change into it:

```
sudo chown $USER:$USER /mnt/mydisk
cd /mnt/mydisk
```

NOW copy data to it, and use it...

5) Back up the LUKS header:

```
sudo luks-img.sh header-backup --file mydisk.img --out mydisk.header
```

*) Add a new key using an existing keyfile:

```
sudo luks-img.sh add-key --file mydisk.img --keyfile /path/newkey --existing-keyfile /path/oldkey
```

When done, repeat step #2 to CLOSE.

## How to make a compressed backup:

```
zstd -19 -T0 mydisk.img
```

## How to use the backup:

First close the image (step #2), then:

```
mv mydisk.img mydisk.old.img
unzstd mydisk.img.zst
```

## If you want to add the image file to a VM:

### VirtualBox:

```
sudo luks-img.sh launch-vbox --file mydisk.img --vm "Ubuntu VM" --start
sudo luks-img.sh detach-vbox --vm "Ubuntu VM"
```

### libvirt/QEMU VM:

```
sudo luks-img.sh attach-virt --file mydisk.img --vm myvm --target vdb --persistent
sudo luks-img.sh detach-virt --vm myvm --target vdb --persistent
```

## Please NOTE:

This will not work in an unprivileged LXC container! To make it work inside an LXC container, you'd need to modify your container config (as root on the host):

```
lxc.apparmor.profile = unconfined
lxc.cap.drop =
lxc.cgroup.devices.allow = b 7:* rwm     # /dev/loop*
lxc.cgroup.devices.allow = c 10:237 rwm  # /dev/mapper/control
lxc.mount.auto = proc:rw sys:rw
lxc.include = /usr/share/lxc/config/common.conf
```

And run the container as privileged (`security.privileged = true`).

⚠️ Security warning: privileged LXC containers with these capabilities are essentially "mini-VMs" with host-level power. Not recommended on multi-tenant systems!!
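## What the Quick Start steps do underneath

The `create`, `open`, `close` and `header-backup` commands in the Quick Start wrap the same few `cryptsetup` and `losetup` calls. The script below is an added example written for this page, not the `luks-img.sh` code itself; it shows that sequence so you can see what the wrapper is doing to your disk. Its conventions are assumptions of the example (mapper name = image file name without `.img`, ext4 filesystem, image attached through a loop device) and may differ from the script's. With `DRY_RUN=1` (the default) it only prints each command to stderr; with `DRY_RUN=0` it runs them, which needs root, `cryptsetup`, `losetup` and an interactive passphrase prompt.

```shell
#!/bin/sh
# Added example, not the luks-img.sh script itself: the cryptsetup/losetup sequence that
# a wrapper like it performs for create, open, close and header-backup.
# Assumed conventions (this example's, not necessarily the script's): mapper name is the
# image file name without ".img", filesystem is ext4, image is attached via a loop device.
# DRY_RUN=1 (default) prints each command to stderr; DRY_RUN=0 executes it (needs root).
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*" >&2
    else
        "$@"
    fi
}

# Device-mapper name derived from the image path: /x/mydisk.img -> mydisk
map_name() {
    b=$(basename "$1")
    printf '%s\n' "${b%.img}"
}

# Attach the image to a free loop device and print the device path
# (a placeholder path in dry-run mode).
attach_loop() {
    if [ "$DRY_RUN" = 1 ]; then
        run losetup --find --show "$1"
        printf '%s\n' /dev/loopN
    else
        losetup --find --show "$1"
    fi
}

# Loop device currently backing the image file (placeholder in dry-run mode).
loop_of() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' /dev/loopN
    else
        losetup -j "$1" | cut -d: -f1
    fi
}

# create: allocate the file, attach it, format as LUKS2, unlock, mkfs, mount.
luks_create() {
    img=$1; size=$2; mnt=$3; name=$(map_name "$img")
    run fallocate -l "$size" "$img"
    loopdev=$(attach_loop "$img")
    run cryptsetup luksFormat --type luks2 "$loopdev"   # asks for the new passphrase
    run cryptsetup open "$loopdev" "$name"               # unlocks to /dev/mapper/$name
    run mkfs.ext4 -q "/dev/mapper/$name"
    run mkdir -p "$mnt"
    run mount "/dev/mapper/$name" "$mnt"
}

# open: attach, unlock, mount at the requested path.
luks_open() {
    img=$1; mnt=$2; name=$(map_name "$img")
    loopdev=$(attach_loop "$img")
    run cryptsetup open "$loopdev" "$name"
    run mkdir -p "$mnt"
    run mount "/dev/mapper/$name" "$mnt"
}

# close: unmount, lock the mapping, detach the loop device (reverse order of open).
luks_close() {
    img=$1; name=$(map_name "$img")
    loopdev=$(loop_of "$img")
    run umount "/dev/mapper/$name"
    run cryptsetup close "$name"
    run losetup -d "$loopdev"
}

# header-backup: copy the LUKS header (key slots and metadata) to a separate file.
luks_header_backup() {
    img=$1; out=$2
    run cryptsetup luksHeaderBackup "$img" --header-backup-file "$out"
}

# Demo, dry-run only: show the commands create and close would issue.
[ "$DRY_RUN" = 1 ] && {
    luks_create mydisk.img 4G /mnt/mydisk
    luks_close mydisk.img
}
```

Two practical points follow from the sequence. `close` must undo `open` in reverse order (unmount, then `cryptsetup close`, then `losetup -d`), which is why step #2 is a single command rather than something to do by hand. And the header backup from step #5 contains every key slot, so it must be stored and protected with the same care as the passphrase; without a header (or a backup of it) the data in the image is unrecoverable.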
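## Spotting containers configured this way

The LXC settings in the note above each remove part of the container boundary: no AppArmor profile, no dropped capabilities, direct access to every loop device and to the device-mapper control node, writable `/proc` and `/sys`, and a privileged uid mapping. The audit script below is an added example for this page, not part of `luks-img.sh`; it scans an LXC config file for exactly those settings so a host admin can find such containers before sharing the host with other tenants. The sample config it writes is constructed for the example and mirrors the settings from the note plus `security.privileged = true`.

```shell
#!/bin/sh
# Added example, not part of luks-img.sh: audit an LXC container config for the settings
# the README's LXC note asks for, each of which weakens the container boundary.

# Write a constructed sample config (the note's settings plus security.privileged) to $1.
write_sample_config() {
    cat > "$1" <<'EOF'
lxc.apparmor.profile = unconfined
lxc.cap.drop =
lxc.cgroup.devices.allow = b 7:* rwm     # /dev/loop*
lxc.cgroup.devices.allow = c 10:237 rwm  # /dev/mapper/control
lxc.mount.auto = proc:rw sys:rw
lxc.include = /usr/share/lxc/config/common.conf
security.privileged = true
EOF
}

# Print one "RISK:" line per dangerous setting found in config file $1, then a total.
# Exit status is 0 when nothing was found, 1 otherwise (usable in a cron/CI check).
lxc_audit() {
    cfg=$1
    total=0
    S='[[:space:]]*'
    # check <extended regex> <message>: count a finding when the regex matches a line.
    check() {
        if grep -Eq "$1" "$cfg"; then
            printf 'RISK: %s\n' "$2"
            total=$((total + 1))
        fi
    }
    check "^${S}lxc\.apparmor\.profile${S}=${S}unconfined" \
          "AppArmor confinement disabled"
    check "^${S}lxc\.cap\.drop${S}=${S}\$" \
          "no capabilities dropped (lxc.cap.drop is empty)"
    check "^${S}lxc\.cgroup\.devices\.allow${S}=${S}b 7:\*" \
          "all loop devices exposed (block major 7)"
    check "^${S}lxc\.cgroup\.devices\.allow${S}=${S}c 10:237" \
          "device-mapper control node exposed (char 10:237)"
    check "^${S}lxc\.mount\.auto${S}=.*(proc|sys):rw" \
          "/proc or /sys mounted read-write"
    check "^${S}security\.privileged${S}=${S}true" \
          "container runs privileged (root in container is root on host)"
    printf 'total: %d\n' "$total"
    [ "$total" -eq 0 ]
}

# Usage: lxc_audit /var/lib/lxc/<name>/config
# Demo against the constructed sample:
tmpcfg=$(mktemp)
write_sample_config "$tmpcfg"
lxc_audit "$tmpcfg" || echo "sample config would not pass review"
rm -f "$tmpcfg"
```

Each check is a plain anchored pattern on the config line, so the script reports what is literally configured; it does not prove the container is safe when it finds nothing, only that these specific settings are absent.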