๐ฏ Goal
Learn how to protect local data at rest using encrypted filesystems and containers. Explore tools like LUKS, cryptsetup, gocryptfs, and veracrypt, and practice encrypting backups using tar and rsync over SSH.
1. Why Encrypt Data at Rest?
- Prevent access if your device is lost, stolen, or seized
- Protect sensitive logs, identity files, password stores
- Essential for laptops, USB drives, and backups
2. Full-Disk and Partition Encryption with LUKS
What Is LUKS?
- Standard for Linux disk encryption
- Uses `cryptsetup` to manage encrypted partitions
- Key benefits: strong encryption, passphrase support, keyslots
WARNING
The following examples will erase data. Only do this on test devices or virtual machines.
Setup a LUKS Encrypted Volume
sudo cryptsetup luksFormat /dev/sdX
- Replace `/dev/sdX` with the correct device (check carefully with `lsblk`)
Open the Encrypted Device
sudo cryptsetup luksOpen /dev/sdX secure_volume
Format and Mount It
sudo mkfs.ext4 /dev/mapper/secure_volume
sudo mount /dev/mapper/secure_volume /mnt/secure
Close It When Done
sudo umount /mnt/secure
sudo cryptsetup luksClose secure_volume
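Since the commands above erase whatever device you point them at, here is a way to practice the same luksFormat / luksOpen / mkfs / mount sequence on a loopback image file instead of a real disk. This is an added example, not part of the original lesson; the image path, mapper name and mount point are my own choices, and the lab itself still needs root, `cryptsetup` and `losetup`.

```shell
#!/bin/sh
# Safe LUKS practice lab: run the luksFormat / luksOpen / mkfs / mount workflow
# against a loopback file instead of a real disk, so a typo in the device name
# cannot wipe a system drive.
set -eu

# Refuse anything that is not an unmounted /dev/loop* block device.
# Returns 0 if the target is safe to luksFormat in this lab, 1 otherwise.
luks_target_is_safe() {
    target=$1
    if [ ! -b "$target" ]; then
        echo "$target is not a block device" >&2; return 1
    fi
    case "$target" in
        /dev/loop*) ;;
        *) echo "refusing to format $target: this lab only formats loop devices" >&2; return 1 ;;
    esac
    if [ -r /proc/mounts ] && grep -q "^$target " /proc/mounts; then
        echo "$target is currently mounted; unmount it first" >&2; return 1
    fi
    return 0
}

# Build the lab: 64 MB image -> loop device -> LUKS -> ext4 -> mounted at $mnt.
# Assumed paths (image in $HOME, mount under /mnt); luksFormat prompts for a passphrase.
luks_lab() {
    img=${1:-$HOME/luks-lab.img}
    name=luks_lab
    mnt=/mnt/luks-lab
    truncate -s 64M "$img"
    loopdev=$(sudo losetup --find --show "$img")
    luks_target_is_safe "$loopdev"                   # aborts (set -e) if unsafe
    sudo cryptsetup luksFormat "$loopdev"            # erases only the image file
    sudo cryptsetup luksOpen "$loopdev" "$name"
    sudo mkfs.ext4 -q "/dev/mapper/$name"
    sudo mkdir -p "$mnt"
    sudo mount "/dev/mapper/$name" "$mnt"
    echo "lab volume mounted at $mnt; tear down with:"
    echo "  sudo umount $mnt && sudo cryptsetup luksClose $name && sudo losetup -d $loopdev"
}
```

Run `luks_lab` from a shell that has sourced the file; the check function can be reused before any real luksFormat by relaxing the `/dev/loop*` case to the device you actually intend.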
3. Encrypted Containers: gocryptfs
Why Containers?
- Portable, simple, user-space encryption
- Encrypted files are stored inside a directory, not a block device
Install gocryptfs
sudo apt install gocryptfs
Create an Encrypted Container
mkdir ~/Secure
mkdir ~/Secure.encrypted
gocryptfs -init ~/Secure.encrypted
Enter a strong passphrase.
Mount It
gocryptfs ~/Secure.encrypted ~/Secure
Now use ~/Secure as a decrypted view.
Unmount
fusermount -u ~/Secure
4. Graphical Alternative: VeraCrypt (Cross-Platform)
- GUI tool (and CLI) for creating encrypted containers or full disks
- Runs on Linux, macOS, and Windows
- https://www.veracrypt.fr
Example CLI Workflow
veracrypt --text --create container.vc
Follow the prompts to choose:
- Size, algorithm (AES), password, filesystem
- Mount with:
veracrypt --text --mount container.vc /mnt/veracrypt1
4b. Tomb - GPG-Protected LUKS Containers
What is Tomb?
Tomb combines LUKS encryption with GPG key management for “stealthy” encrypted storage:
- LUKS container disguised as regular file
- Key protected by GPG (can use smartcard/YubiKey)
- Supports key hiding in images (steganography)
- Perfect for cypherpunk workflows
Install Tomb
sudo apt install tomb
Or from source: https://github.com/dyne/Tomb
Create a Tomb
# 1. Create the tomb file (100MB example)
tomb dig -s 100 secrets.tomb
# 2. Generate a key file and encrypt with GPG
tomb forge secrets.tomb.key -g
# 3. Lock the tomb with the key
tomb lock secrets.tomb -k secrets.tomb.key
You’ll be prompted for:
- GPG passphrase (to encrypt the tomb key)
- Optional second passphrase for the tomb itself
Open (Mount) a Tomb
tomb open secrets.tomb -k secrets.tomb.key
Default mount point: /media/secrets
Close a Tomb
tomb close secrets
Or close all open tombs:
tomb close all
Advanced: Hide Key in Image (Steganography)
# Bury the key inside an image
tomb bury -k secrets.tomb.key photo.jpg
# Later, exhume it when needed
tomb exhume photo.jpg -k extracted.key
# Use the buried key
tomb open secrets.tomb -k photo.jpg
Why this matters: Even if someone finds the tomb file, they won’t know where the key is hidden!
4c. LUKS Key Management (Multi-User Access)
Why Multiple Keyslots?
LUKS supports up to 8 keyslots - each can have a different passphrase:
- Share encrypted drive with colleagues (each has own password)
- Emergency recovery passphrase
- Revoke access by removing a keyslot
Check Current Keyslots
sudo cryptsetup luksDump /dev/sdX
Look for “Key Slot” sections - enabled slots show as “ENABLED”
Add a New Keyslot
sudo cryptsetup luksAddKey /dev/sdX
You’ll need:
- Existing passphrase (to prove authorization)
- New passphrase to add
Remove a Keyslot
sudo cryptsetup luksRemoveKey /dev/sdX
Enter the passphrase you want to remove.
WARNING: Don’t remove the last keyslot or you’ll be permanently locked out!
Backup LUKS Header
Before experimenting with keyslots, always backup the LUKS header:
sudo cryptsetup luksHeaderBackup /dev/sdX --header-backup-file luks-header-backup.img
Store this file somewhere safe (encrypted USB, offline storage).
Restore LUKS Header (Emergency Recovery)
If LUKS header gets corrupted:
sudo cryptsetup luksHeaderRestore /dev/sdX --header-backup-file luks-header-backup.img
This is your lifeline if the header is damaged!
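The two warnings above (never remove the last keyslot, always have a header backup first) can be turned into a small pre-flight check. This is an added example, not part of the original lesson: it parses `cryptsetup luksDump` output for both the LUKS1 ("Key Slot N: ENABLED") and LUKS2 ("Keyslots:" section) layouts, and the sample dumps are constructed, not captured from a real device.

```shell
#!/bin/sh
# Guard around `cryptsetup luksRemoveKey`: count the enabled keyslots in
# luksDump output and refuse when removal would leave no keyslot at all,
# or when no LUKS header backup exists yet.

# Count populated keyslots in the luksDump output passed as $1.
count_enabled_keyslots() {
    printf '%s\n' "$1" | awk '
        /^Key Slot [0-9]+: ENABLED/ { n++ }            # LUKS1
        /^Keyslots:/                { in_slots = 1; next }
        /^[A-Za-z]/                 { in_slots = 0 }   # any other top-level section
        in_slots && /^ +[0-9]+: luks2/ { n++ }         # LUKS2: one line per slot
        END { print n + 0 }'
}

# $1 = device, $2 = luksDump output, $3 = header backup file.
# Returns 0 when it is safe to run luksRemoveKey, 1 otherwise. The dump is passed
# in rather than run here so the check itself needs no root, e.g.:
#   guard_remove_key /dev/sdX "$(sudo cryptsetup luksDump /dev/sdX)" luks-header-backup.img
guard_remove_key() {
    dev=$1; dump=$2; backup=$3
    if [ ! -s "$backup" ]; then
        echo "refusing: no header backup at $backup (run luksHeaderBackup first)" >&2
        return 1
    fi
    n=$(count_enabled_keyslots "$dump")
    if [ "$n" -le 1 ]; then
        echo "refusing: $dev has $n enabled keyslot(s); removing it would lock you out" >&2
        return 1
    fi
    echo "ok: $dev has $n enabled keyslots; safe to run: sudo cryptsetup luksRemoveKey $dev"
}

# Constructed sample dumps (not taken from a real device).
SAMPLE_LUKS1='LUKS header information for /dev/sdX
Version:        1
Cipher name:    aes
Key Slot 0: ENABLED
        Iterations:             1000000
Key Slot 1: ENABLED
        Iterations:             1000000
Key Slot 2: DISABLED
Key Slot 3: DISABLED'

SAMPLE_LUKS2='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
Tokens:
Digests:
  0: pbkdf2'
```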
5. Encrypted Backups with tar, gpg, and rsync
Archive + Encrypt a Folder
tar czf - ~/Secure | gpg -c -o backup.tar.gz.gpg
Decrypt + Extract
gpg -d backup.tar.gz.gpg | tar xz
rsync Over SSH (Encrypted Transfer)
Sync the gocryptfs ciphertext directory (not the decrypted ~/Secure view) so the remote copy stays encrypted at rest; the trailing slash copies the directory's contents instead of nesting another folder inside the destination:
rsync -avz -e "ssh -i ~/.ssh/id_ed25519" ~/Secure.encrypted/ user@remote:/backups/Secure
Use --delete to mirror (removes remote files that no longer exist locally):
rsync -avz --delete -e "ssh -i ~/.ssh/id_ed25519" ~/Secure.encrypted/ user@remote:/backups/Secure
6. Journal & Git Commit
Reflect on Week 4
echo "Week 4: Encrypted volumes with LUKS, tested gocryptfs and Tomb, practiced keyslot management and LUKS header backups, created secure encrypted backups." >> notes/week4_journal.md
Git Commit
git add .
git commit -S -m "Week 4 - Disk encryption, containers, Tomb, and backup security"
Week 4 Checklist
- Created a LUKS encrypted volume with `cryptsetup`
- Used `gocryptfs` to make a lightweight encrypted directory
- Explored VeraCrypt for GUI encryption
- NEW: Created a Tomb with GPG-protected keys
- NEW: Practiced LUKS keyslot management (add/remove)
- NEW: Backed up LUKS header for emergency recovery
- Encrypted a backup with `tar` + `gpg`
- Synced an encrypted folder using `rsync` over SSH
- Updated journal and signed Git commit
Up Next: Week 5 Preview
- SSH deep dive: key-based authentication, tunneling, port forwarding
- Git commit signing with SSH and GPG
- Modern alternatives: `age`, `minisign`, `signify`
- SSH hardening and config management
Notes
- Always store encryption passphrases in a secure password manager
- Use unique, long passphrases for every encrypted container
- LUKS header backups are critical - corruption = permanent data loss
- Tomb’s steganography feature adds plausible deniability (key hidden in innocent image)
- Multiple LUKS keyslots enable shared access without sharing passwords
- Always unmount encrypted filesystems before powering off or suspending your device
- Test your recovery procedures BEFORE you need them in an emergency