Protecting Credentials and Configurations with an Encrypted Container.
I use a small pocket computer in my backpack. This device is used for testing and development, and it stores sensitive information such as credentials, passwords, and access keys. I don’t want this data to fall into the wrong hands. Unlike my laptop, which has an encrypted drive, my pocket computer’s drive isn’t encrypted. Drive-wide encryption consumes a lot of processing power and usually requires disabling SSD TRIM, which hurts performance.
To work around this, I decided to create an encrypted container to hold only my sensitive information. This container is mounted only when needed, increasing the overall security of the system.
Creating an Encrypted Container
You need to install the cryptsetup package. To do this, run as root:
sudo apt install cryptsetup
Next, create the encrypted container. First, generate a 200MB file (as an example):
dd if=/dev/urandom of=secure_container.img bs=1M count=200
Initialize LUKS:
cryptsetup luksFormat secure_container.img
Open the container:
cryptsetup open secure_container.img secure_container
Format it (ext4 as an example):
mkfs.ext4 /dev/mapper/secure_container
Mount the container:
mkdir -p /mnt/secure_container
mount /dev/mapper/secure_container /mnt/secure_container
Now the /mnt/secure_container directory is ready to use. You can move your sensitive files there and create symbolic links (for example, from the ~/.ssh directory or AWS access keys in ~/.aws).
Unmounting the Container
To unmount, unmount the directory and close the container:
umount /mnt/secure_container
cryptsetup close secure_container
Automating Mount and Unmount
Since mounting and unmounting the container is repetitive, it’s worth creating scripts to automate this task. These scripts need root privileges to work. You can configure sudo so it doesn’t ask for a password when running them, making the process easier.
Mount Script (mount_secure_container.sh)
#!/bin/sh
[ "root" != "$USER" ] && exec sudo $0 "$@"
# Example paths
IMAGE_PATH="/home/user/secure_container.img"
MAPPER_NAME="secure_container"
MOUNT_POINT="/mnt/secure_container"
# Open the container.
cryptsetup open "$IMAGE_PATH" "$MAPPER_NAME" || {
echo "Failed to open the container."
exit 1
}
# Mount the container.
mount "/dev/mapper/$MAPPER_NAME" "$MOUNT_POINT" || {
echo "Failed to mount the container."
cryptsetup close "$MAPPER_NAME"
exit 1
}
echo "Container mounted at: $MOUNT_POINT"
exit 0
Unmount Script (umount_secure_container.sh)
#!/bin/sh
[ "root" != "$USER" ] && exec sudo $0 "$@"
IMAGE_PATH="/home/user/secure_container.img"
MAPPER_NAME="secure_container"
MOUNT_POINT="/mnt/secure_container"
# Unmount the container.
umount "$MOUNT_POINT" || {
echo "Failed to unmount. Make sure no files are still in use."
exit 1
}
# Close the container.
cryptsetup close "$MAPPER_NAME" || {
echo "Failed to close the LUKS container."
exit 1
}
echo "Container unmounted and closed."
exit 0
Shutdown Script (off)
Create a script named off to ensure the container is unmounted before shutting down:
#!/bin/sh
[ "root" != "$USER" ] && exec sudo $0 "$@"
sync
/home/user/bin/umount_encrypted.sh
poweroff
Then configure sudo so it doesn’t request a password for these scripts:
sudo visudo
Add the following lines:
user ALL=(ALL) NOPASSWD: /home/user/bin/mount_encrypted.sh
user ALL=(ALL) NOPASSWD: /home/user/bin/umount_encrypted.sh
user ALL=(ALL) NOPASSWD: /home/user/bin/off
Remember to replace user in the scripts with your actual username.
Conclusion
This method keeps sensitive data secure and accessible only when needed. The encrypted container simplifies backups and makes it easy to transfer to another computer. In this way, you combine security and convenience in your system.