Linux is being spoken here.
My everyday, at-home computer does not use encryption for the users' filesystems (/home), but there are some things that I like to keep secure. For those, I use encrypted containers.
To make them workable, I use a combination of a menu/desktop launcher and scripts. I click the launcher and I'm prompted for the passphrase. The container opens and an entry appears in Thunar's Devices section. I optionally put an icon for the container on the desktop. When I want to close the container, I repeat the process and everything is closed, detached, and cleaned up.
Sudo is used to handle the encrypted containers. I don't sudo cryptsetup, mount, etc.; I sudo the scripts, so everything in the script runs as root.
I use one script to do both the mounting and the unmounting. When run, it checks whether the encrypted container is mounted: if it is, it unmounts and cleans up; otherwise, it creates a mount point and attaches the loop device.
Here's the sequence I typically follow. In this example, my user name is tom.
Create the container.
(user)=as user, (root)=as root, # comment
(user) cd /home/tom                                   # destination of the encrypted file (container name "tom.img")
(user) dd if=/dev/zero of=tom.img count=150k          # ~80 MB file
(root) losetup -f                                     # find the first free loop device; I'll use loop1
(root) losetup /dev/loop1 tom.img                     # assign the container to loop1
(root) fdisk /dev/loop1                               # partition the container: n > p > (defaults) > w
(root) cryptsetup --verbose --verify-passphrase luksFormat /dev/loop1   # encrypt the container
       YES                                            # YES to overwrite
       tom)(*&6                                       # the passphrase
(root) cryptsetup luksOpen /dev/loop1 tomenc          # open the container
(root) mkfs.ext4 -j /dev/mapper/tomenc                # format the container as ext4
(root) mkdir /media/tomenc                            # make a mount point for the container
(root) mount /dev/mapper/tomenc /media/tomenc         # mount the container
(root) chown tom:tom /media/tomenc                    # make it writable by tom for the test
You should be able to copy to /media/tomenc.
To unmount and clean up, exit from /media/tomenc, then:
(root) umount /media/tomenc
(root) cryptsetup luksClose tomenc
(root) losetup -d /dev/loop1
The encrypted container has been created and tested.
sudo must be installed and a sudoers file created. Otherwise, if you can't bring yourself to run a secure system, you can use su -c in the launcher.
(root) visudo -f /etc/sudoers.d/tenc
Enter the lines:
# User alias specification
User_Alias TENC=tom
# Cmnd alias specification
Cmnd_Alias TENCMNT=/home/tom/.local/share/bin/dt
# User privilege specification
TENC ALL=NOPASSWD: TENCMNT
# end sudoers.d/tenc
Then save and exit with:
^o, Enter, ^x
Then the script, which I create as /home/tom/.local/share/bin/dt. If not using a launcher, run it with:
sudo /home/tom/.local/share/bin/dt
Here's the script. When run, it toggles the encrypted container. It checks whether the container is looped and mounted: if so, it's unmounted and a cleanup is done; otherwise, it's looped and mounted.
#!/bin/bash
# dt: toggle the encrypted container tom.img (run as root via sudo)
if grep -q "[[:space:]]/media/tomenc[[:space:]]" /proc/mounts; then
    # Container is mounted: unmount it, close the LUKS mapping, detach the loop device
    echo "Unmounting tomenc"
    umount -f /media/tomenc
    cryptsetup luksClose tomenc
    rmdir /media/tomenc
    _tomimg=$(losetup -l | grep tom.img | cut -f 1 -d' ')   # loop device backing tom.img
    losetup -d "$_tomimg"
    rm -f /home/tom/Desktop/dt.desktop                      # remove the desktop reminder icon
else
    # Container is not mounted: attach the loop device, open the LUKS mapping, mount it
    echo "Mounting tomenc"
    mkdir /media/tomenc
    chown tom:storage /media/tomenc
    chmod 775 /media/tomenc
    _ENCTOM=$(losetup -f)                                   # first free loop device
    losetup "$_ENCTOM" /home/tom/tom.img
    cryptsetup luksOpen "$_ENCTOM" tomenc
    mount -t ext4 -o comment=x-gvfs-show,x-gvfs-name=tom-enc /dev/mapper/tomenc /media/tomenc
    chmod 777 /media/tomenc
    cp /home/tom/.local/share/bin/dt.desktop /home/tom/Desktop/dt.desktop   # show the reminder icon
fi
sleep 2
# end of dt script
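As an added example (my code, not the script from the post), here is the same toggle written so that it matches the mount point and the backing image exactly and refuses to act when the container is only half open (for instance, loop attached but mapping closed after a failed run). Paths and names follow the post; the helper function names are my own, and it is run as root with the --toggle argument.

```bash
#!/bin/bash
# Added example, not the script from the post: the same toggle with exact
# state checks. Paths and names follow the post (tom.img, tomenc,
# /media/tomenc); the helper function names are my own. Run as root.
set -euo pipefail
IMG=/home/tom/tom.img
MNT=/media/tomenc
MAPPER=tomenc

# 0 if $1 is a mount point in a /proc/mounts-style listing read on stdin.
# Comparing the whole second field avoids grep's substring matches
# (a grep for /media/tomenc would also match /media/tomenc2).
mounted_in() { awk -v mp="$1" '$2 == mp { f = 1 } END { exit !f }'; }

# Print the loop devices from `losetup -j IMAGE` output read on stdin,
# e.g. "/dev/loop1: [2049]:12345 (/home/tom/tom.img)". -j matches the
# backing file exactly, so a tom.img.bak is never detached by mistake.
loop_devs_from() { awk -F: '/^\/dev\/loop[0-9]+:/ { print $1 }'; }

# Classify the state from three 1/0 flags: mounted, mapper open, loop
# attached. Anything between fully open and fully closed is a half-done
# state to be cleaned up by hand, not toggled blindly.
state_of() {
    case "$1$2$3" in
        111) echo open ;;
        000) echo closed ;;
        *)   echo partial ;;
    esac
}

toggle() {
    local m=0 d=0 l=0 loops dev
    mounted_in "$MNT" < /proc/mounts && m=1
    [ -e "/dev/mapper/$MAPPER" ] && d=1
    loops=$(losetup -j "$IMG" | loop_devs_from)
    [ -n "$loops" ] && l=1
    case "$(state_of "$m" "$d" "$l")" in
        open)   umount "$MNT"
                cryptsetup luksClose "$MAPPER"
                for dev in $loops; do losetup -d "$dev"; done   # one device per word
                rmdir "$MNT" ;;
        closed) mkdir -p "$MNT"
                dev=$(losetup --show -f "$IMG")   # --show prints the device chosen
                cryptsetup luksOpen "$dev" "$MAPPER"
                mount -t ext4 -o comment=x-gvfs-show,x-gvfs-name=tom-enc "/dev/mapper/$MAPPER" "$MNT" ;;
        *)      echo "tomenc is half open (mounted=$m mapper=$d loop=$l); fix by hand" >&2
                return 1 ;;
    esac
}
if [ "${1:-}" = --toggle ]; then toggle; fi
```

Whichever version is installed at /home/tom/.local/share/bin/dt, the sudoers rule above gives passwordless root to whatever sits at that path, so the file and its directory should be owned by root and not writable by tom.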
To launch the mounter, I add a script, a desktop file, and an icon. I run Xfce, and I put them in:
/home/tom/.local/share/bin/
This arrangement will put DT Mounter under File Tools on the Application Menu.
If not present, create the directory:
/home/tom/.local/share/bin/
In it there will be three files:
dt.png
dt.desktop
dt
Make an icon. I call mine dt.png, and it's just an icon-sized box. When it appears on the desktop, it reminds me that I have an encrypted container mounted. This becomes important at shutdown time, because shutdown will hang while the loop device backed by a file in /home is still attached.
Clicking the icon does nothing.
dt.desktop is what puts the icon on the desktop. The mounting script simply copies it there when mounted and removes it when de-looped. Here it is:
[Desktop Entry]
Version=1.0
Type=Link
Name=DT Mounter
Comment=Mount and unmount dt.img
Icon=/home/tom/.local/share/bin/dt.png
Name[en_US.UTF-8]=dt
The third file (dt) is the script, shown above. It needs to be executable.