Cryptmount – A Utility to Create Encrypted Filesystems in Linux

Cryptmount is a Linux utility that allows you to create encrypted filesystems. With cryptmount, you can create an encrypted container that can be mounted as a virtual drive, and any data stored in that container is encrypted and decrypted transparently as it is written and read. This protects sensitive data at rest: while the container is unmounted, its contents cannot be read without the key, for example if the disk or machine is lost or stolen.

What is Cryptmount?

Cryptmount works by creating a virtual block device that can be mounted as a regular filesystem. The data stored on this virtual device is encrypted using strong ciphers, and a key is required to decrypt the data. This key is stored in a keyfile, which is itself encrypted using a passphrase for additional security.

Cryptmount uses the Linux kernel's dm-crypt module to provide encryption. This module is a device-mapper target that allows you to create encrypted block devices on top of existing block devices. Cryptmount leverages dm-crypt to create an encrypted block device and then mounts it as a regular filesystem.

[Figure: Cryptmount architecture, showing the user application, cryptmount, the encrypted container, dm-crypt (kernel module), the keyfile, the passphrase and the block device]

Features

  • Strong encryption using AES and other industry-standard ciphers

  • Keyfile protection with passphrase-based encryption

  • Flexible storage on local files, removable media, or remote locations

  • Integration with Linux filesystem and mount infrastructure

  • Smart card support for enhanced security

Installation

Cryptmount is available in most Linux distributions' repositories. Install it using your package manager:

sudo apt-get install cryptmount    # Debian/Ubuntu
sudo yum install cryptmount        # RHEL/CentOS
sudo pacman -S cryptmount          # Arch Linux

Creating an Encrypted Filesystem

Step 1: Create a Container File

First, create a container file to store encrypted data. This example creates a 1GB container:

dd if=/dev/zero of=/home/user/encrypted_container bs=1M count=1024

Step 2: Create and Configure the Keyfile

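Generate a random key and store it in the keyfile. cryptmount takes the keyfile location from the target's entry in /etc/cryptmount/cmtab (see "Configuration File" below), so that entry must exist first. The key size is given in bytes (32 bytes is a 256-bit key), and you are prompted for the passphrase that protects the keyfile:

sudo cryptmount --generate-key 32 mycontainer
sudo chmod 600 /etc/cryptmount/mykey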

Step 3: Initialize the Encrypted Container

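Prepare the target, create a filesystem on the decrypted device, then release it. The container path, keyfile and cipher are read from the target's cmtab entry, not from command-line options:

sudo cryptmount --prepare mycontainer
sudo mkfs.ext4 /dev/mapper/mycontainer
sudo cryptmount --release mycontainer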

Step 4: Mount the Encrypted Filesystem

Mount the encrypted container to access it:

sudo cryptmount --mount mycontainer

The encrypted filesystem is mounted at the directory set by dir= in the target's cmtab entry, /mnt/mycontainer in this example. You can now store files securely in this location.

Configuration File

Cryptmount uses /etc/cryptmount/cmtab for configuration. The key size is not a cmtab setting; it is chosen when the key is generated. A typical entry looks like:

mycontainer {
    dev=/home/user/encrypted_container
    dir=/mnt/mycontainer
    fstype=ext4
    keyformat=builtin
    keyfile=/etc/cryptmount/mykey
    cipher=aes
}

Advanced Usage

Smart Card Integration

For enhanced security, store keyfiles on smart cards:

# cmtab entry for mycontainer: dev=/path/to/container, keyfile=/dev/smartcard, cipher=aes
sudo cryptmount --prepare mycontainer

Remote Keyfile Storage

Store keyfiles on remote servers for centralized key management:

# Copy keyfile to remote server
scp /etc/cryptmount/mykey user@server:/secure/path/

# Configure remote keyfile access in cmtab
mycontainer {
    keyfile=user@server:/secure/path/mykey
    ...
}

Common Use Cases

Use Case           | Benefits                      | Implementation
Encrypted Backups  | Secure data protection        | Mount container, back up data, unmount
Portable Storage   | Secure USB/external drives    | Create container on removable media
Remote Access      | Network-accessible encryption | Store containers on network shares
Multi-user Systems | Per-user encrypted storage    | Individual containers with separate keys

Security Best Practices

  • Use strong passphrases for keyfile encryption

  • Store keyfiles securely, separate from the encrypted containers

  • Back up keyfiles regularly to prevent data loss

  • Monitor access using system logs and audit tools
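
An added example, not part of the original article or of the cryptmount project: a shell function that reads a cmtab file in the layout shown under "Configuration File" and reports keyfiles that sit in the same directory as their container or that are accessible beyond their owner. The name lint_cmtab and its messages are made up for this illustration, and it assumes one setting per line and paths without spaces.

```shell
#!/bin/sh
# Added example: audit a cmtab against two practices from this article.
# lint_cmtab FILE prints one "target: finding" line per problem found.
lint_cmtab() {
    # awk flattens each "name { key=value ... }" block to: name dev keyfile
    awk '
        { sub(/#.*/, "") }                       # drop cmtab comments
        /[{]/ { name = $1; sub(/[{].*/, "", name); dev = kf = ""; next }
        /[}]/ { print name, (dev == "" ? "-" : dev), (kf == "" ? "-" : kf); next }
        /=/   { split($0, p, "=")
                gsub(/[ \t]/, "", p[1]); gsub(/[ \t]/, "", p[2])
                if (p[1] == "dev") dev = p[2]
                if (p[1] == "keyfile") kf = p[2] }
    ' "$1" |
    while read -r name dev kf; do
        [ "$kf" = "-" ] && { echo "$name: no keyfile set"; continue; }
        # Practice: keep the keyfile apart from the container it unlocks.
        [ "$(dirname "$dev")" = "$(dirname "$kf")" ] &&
            echo "$name: keyfile shares a directory with the container"
        # Practice: keyfile usable by its owner only (chmod 600 in Step 2).
        if [ -e "$kf" ]; then
            case "$(ls -ldL "$kf")" in
                ????------*) ;;                  # no group/other permission bits
                *) echo "$name: keyfile is accessible to group or others" ;;
            esac
        fi
    done
    return 0
}

# Run against a file when one is given, e.g.: sh lint_cmtab.sh /etc/cryptmount/cmtab
if [ "$#" -gt 0 ]; then
    lint_cmtab "$1"
fi
```

No output means neither problem was found; the script only reads the cmtab and the keyfile's metadata, never the key material.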

Unmounting

Always properly unmount encrypted filesystems when finished:

sudo cryptmount --unmount mycontainer

Conclusion

Cryptmount provides a robust solution for creating encrypted filesystems in Linux, offering strong security through dm-crypt integration and flexible key management options. It's ideal for protecting sensitive data on local systems, removable media, and network storage, making it an essential tool for security-conscious Linux users.

Updated on: 2026-03-17T09:01:38+05:30
