Setting up an encrypted disk image on Debian 12 with Cryptsetup

Posted on September 10, 2023

Encrypted disk images allow you to securely store sensitive files on your Linux system. The contents of the image can only be accessed by providing the correct passphrase. In this post, we’ll walk through creating an encrypted image using the cryptsetup utility on Debian 12.

Prerequisites

To follow along on Debian 12, you’ll need:

  • The cryptsetup package installed:

    sudo apt install cryptsetup
    
  • Enough free disk space to store the encrypted image file

  • The passphrase you want to use to encrypt the image

Create the Image File

First, we need to create a file that will be used for our encrypted volume. The dd command makes this easy. Let’s create a 1GB image file:

dd if=/dev/zero of=secret.img bs=1M count=1024

This creates a file called secret.img filled with 1GB of null bytes to use as the container for our encrypted filesystem.

Initialize Encryption

With our image file created, we can now set up encryption on it using cryptsetup. The luksFormat option initializes the encryption parameters:

sudo cryptsetup -y luksFormat secret.img

You’ll be prompted to enter and confirm a passphrase. This passphrase will be required to unlock and access the contents of the image in the future, and there is no recovery path if it is forgotten: the data is unrecoverable without it. You can also specify the cipher and key size with the --cipher and --key-size options if desired; without them, the cryptsetup shipped with Debian 12 writes a LUKS2 header using aes-xts-plain64 with a 512-bit key, which is a sound default.

Open the Encrypted Device

Next, we need to “open” the encrypted image which maps it to a logical device mapper node. This allows accessing the encrypted volume similar to a normal block device:

sudo cryptsetup luksOpen secret.img secret

Enter the passphrase when prompted to unlock the device. (luksOpen is the older spelling of cryptsetup open, and luksClose below of cryptsetup close; both forms work.)

Format the Mapped Device

Now that the crypt device is unlocked and mapped, we can format it with a filesystem:

sudo mkfs.ext4 /dev/mapper/secret

This formats the mapped device /dev/mapper/secret with the ext4 filesystem.

Mount the Image

With the device formatted, we can now mount it to access the encrypted contents! First create a mount point and then mount the device:

sudo mkdir /mnt/secret
sudo mount /dev/mapper/secret /mnt/secret

You can now read and write files under /mnt/secret normally; they are encrypted transparently before they reach secret.img. Note that the root directory of a fresh ext4 filesystem is owned by root, so either work as root or chown the mount point to your user first.

Unmount and Close the Device

To finish using the encrypted volume for now, first unmount it:

sudo umount /mnt/secret

Then close the device mapping:

sudo cryptsetup luksClose secret

This will close the mapped device and shut down access to the encrypted volume. You’ll have to unlock it again later to mount it.

At this point the image contents are safely encrypted at rest when not in use. To access the files again, repeat only the open and mount steps (luksOpen, then mount) to unlock, map, mount and use the image. Do not run mkfs.ext4 again on the mapped device: that would create a fresh filesystem and destroy everything stored in the image.
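The whole procedure above, from creating the container to closing the mapping, collected into one script as an added example; this is not code from the original post. The function names luks_image_create, luks_image_open and luks_image_close and the LUKS_IMG_DRY_RUN variable are this example's own inventions; everything else is the dd, cryptsetup, mkfs.ext4 and mount usage shown in the steps above. The script adds the guards a re-run needs: it refuses to luksFormat an image file that already exists, never runs mkfs when reopening, and closes the mapping again if formatting or mounting fails part-way.

```sh
#!/bin/sh
# luks-image.sh: an added helper (not from the original post) that wraps the
# cryptsetup workflow described above. The function names and the
# LUKS_IMG_DRY_RUN variable are this script's own, not cryptsetup's.
set -eu

# run CMD...: execute the command, or only print it when LUKS_IMG_DRY_RUN=1.
run() {
    if [ "${LUKS_IMG_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Everything that touches the block layer or device-mapper needs root.
asroot() { run sudo "$@"; }

# luks_image_create IMAGE SIZE_MB NAME MOUNTPOINT
# Container -> luksFormat -> open -> mkfs.ext4 -> mount, with two guards:
# never overwrite an existing image (luksFormat and mkfs would destroy it),
# and never reuse a mapping name that is already active.
luks_image_create() {
    img=$1 size_mb=$2 name=$3 mnt=$4
    if [ -e "$img" ]; then
        echo "refusing to overwrite existing image: $img" >&2
        return 1
    fi
    if [ -e "/dev/mapper/$name" ]; then
        echo "mapping name already in use: /dev/mapper/$name" >&2
        return 1
    fi
    # Zero-filled container, as in the post, with dd's progress output silenced.
    run dd if=/dev/zero of="$img" bs=1M count="$size_mb" status=none
    asroot cryptsetup -y luksFormat "$img"   # prompts for the passphrase twice
    asroot cryptsetup open "$img" "$name"    # same as luksOpen; prompts once
    # If formatting or mounting fails, do not leave an unlocked mapping behind.
    if ! asroot mkfs.ext4 -q "/dev/mapper/$name" ||
       ! asroot mkdir -p "$mnt" ||
       ! asroot mount "/dev/mapper/$name" "$mnt"; then
        asroot cryptsetup close "$name"
        return 1
    fi
}

# luks_image_open IMAGE NAME MOUNTPOINT
# Re-access an existing image: unlock and mount only. There is deliberately
# no mkfs here; running it again would erase the filesystem created earlier.
luks_image_open() {
    img=$1 name=$2 mnt=$3
    [ -e "$img" ] || { echo "no such image: $img" >&2; return 1; }
    asroot cryptsetup open "$img" "$name"
    asroot mkdir -p "$mnt"
    asroot mount "/dev/mapper/$name" "$mnt"
}

# luks_image_close NAME MOUNTPOINT
# Unmount first, then drop the mapping: closing a mapped device that is still
# mounted fails with "device busy", so the order matters.
luks_image_close() {
    name=$1 mnt=$2
    asroot umount "$mnt"
    asroot cryptsetup close "$name"
}

# Command-line dispatch; with no arguments the script only defines the functions.
case "${1:-}" in
    create) shift; luks_image_create "$@" ;;
    open)   shift; luks_image_open "$@" ;;
    close)  shift; luks_image_close "$@" ;;
    "")     ;;
    *)      echo "usage: $0 create IMG SIZE_MB NAME MNT | open IMG NAME MNT | close NAME MNT" >&2; exit 2 ;;
esac
```

Run it as sh luks-image.sh create secret.img 1024 secret /mnt/secret for the initial setup, then open and close for later sessions. With LUKS_IMG_DRY_RUN=1 set, the privileged commands are printed instead of executed, which is a convenient way to review exactly what will be run against the block layer before doing it for real.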

That covers the basics of setting up disk encryption using Linux’s built-in Cryptsetup tool on Debian 12. With a few simple commands, you can create encrypted containers to keep your data secure and private. The encrypted data is inaccessible without the passphrase, providing effective defense against unauthorized access.

There are many other options available with Cryptsetup, such as keyfiles, multiple key slots so that several passphrases can unlock the same image (luksAddKey), and resizing images (cryptsetup resize). Be sure to read man cryptsetup for more details on these advanced features.

debian sysadmin devops