Install the LUKS tooling (cryptsetup)
# cryptsetup is the userspace tool used for every LUKS step below.
sudo apt install cryptsetup
Create a 512 MiB container file filled with random data
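# Build the 512 MiB container in the home directory.
# The umask inside the subshell creates the image as owner-only (0600), so
# other local accounts cannot copy the container and work on the passphrase
# offline. The subshell keeps the umask change from leaking into the session.
cd ~/
(umask 077 && dd if=/dev/urandom of=vaultfile.img bs=1M count=512)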
Create Luks Volume
# Write a LUKS header into the container. This overwrites whatever the file
# held before; --verify-passphrase asks for the new passphrase twice.
sudo cryptsetup --verbose --verify-passphrase luksFormat vaultfile.img
Check whether the file is a LUKS device
# Exit status is 0 when the file carries a LUKS header; the verbose flag
# also prints the outcome.
sudo cryptsetup --verbose isLuks vaultfile.img
Inspect the LUKS header
# Print header metadata (cipher settings and which keyslots are in use).
# Useful for auditing how many passphrases/key files can unlock the volume.
sudo cryptsetup luksDump vaultfile.img
Test passphrase
# Check that a passphrase unlocks a keyslot without creating a mapping.
sudo cryptsetup -v open --test-passphrase vaultfile.img
Add another passphrase
# Enrol an additional passphrase; an existing passphrase is requested first.
sudo cryptsetup --verbose luksAddKey vaultfile.img
Remove a passphrase
# Revoke the passphrase that is typed at the prompt.
# Removing the last remaining passphrase makes the container permanently
# inaccessible, so check the keyslots with luksDump first.
sudo cryptsetup --verbose luksRemoveKey vaultfile.img
Add key file for automount
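# Anyone who can read the key file can unlock the volume, so the directory
# and the file are restricted to root instead of inheriting the default
# umask (which usually leaves them world-readable).
sudo install -d -m 0700 -o root -g root /etc/luks-keys/
# iflag=fullblock makes dd retry short reads so the key is always 32 bytes;
# the umask ensures the file is never world-readable, even briefly.
sudo sh -c 'umask 077 && dd if=/dev/random of=/etc/luks-keys/myvault_key bs=32 count=1 iflag=fullblock'
sudo chmod 0400 /etc/luks-keys/myvault_key
# Enrol the key file in a free keyslot (an existing passphrase is requested).
sudo cryptsetup -v luksAddKey vaultfile.img /etc/luks-keys/myvault_key
# open volume with key-file
sudo cryptsetup -v open --type luks --key-file /etc/luks-keys/myvault_key vaultfile.img myvault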
Open volume (with a passphrase)
# Unlock the container with a passphrase; the decrypted view is exposed as
# /dev/mapper/myvault.
sudo cryptsetup --verbose open --type luks vaultfile.img myvault
# Confirm the mapping exists.
ls /dev/mapper
Create Filesystem
# Format the decrypted mapping (not the image file itself) as ext4.
# This destroys any filesystem already present on the mapping.
sudo mkfs -t ext4 -L myvault /dev/mapper/myvault
Mount and set permissions
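# -p keeps this step repeatable when the mount point already exists.
mkdir -p ~/myvault
sudo mount /dev/mapper/myvault ~/myvault
# id -un/-gn resolve the real user and primary group; a group named after
# the user is not guaranteed to exist.
sudo chown -R "$(id -un):$(id -gn)" ~/myvault # or sudo chown -R root:root ~/myvault
# Owner-only access. While the volume is mounted its contents are plaintext
# to anything the permission bits allow, so world-writable modes (777) would
# expose the decrypted data to every local account and mark every file
# executable. Grant shared access through a dedicated group if it is needed.
chmod -R u=rwX,go= ~/myvault
sudo umount ~/myvault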
Close
# Remove the mapping; the data is inaccessible again until the next open.
sudo cryptsetup --verbose close myvault
Backup and recovery of LUKS header
# Save a copy of the header and keyslot area.
# The backup can unlock the volume with any passphrase that was valid when
# it was taken, including ones revoked later, so keep it root-only and
# preferably on separate media.
sudo cryptsetup luksHeaderBackup --header-backup-file=/root/myvault.luks.bin vaultfile.img
# restore (replaces the current header and keyslots with the saved ones)
sudo cryptsetup luksHeaderRestore --header-backup-file=/root/myvault.luks.bin vaultfile.img
Check header dump
# Identify the file type of the backup.
sudo file /root/myvault.luks.bin
# Show size, owner and mode; the backup contains the keyslots, so the mode
# should allow access by root only.
sudo stat /root/myvault.luks.bin
# Read the header metadata from the backup file instead of the container.
sudo cryptsetup luksDump /root/myvault.luks.bin
Use it like this
# Day-to-day use: unlock with a passphrase, then mount the mapping.
sudo cryptsetup --verbose open --type luks vaultfile.img myvault
sudo mount /dev/mapper/myvault ~/myvault
Unmount and Close
# Unmount first, then drop the mapping so the plaintext view disappears.
sudo umount ~/myvault
sudo cryptsetup --verbose close myvault
List your GPG secret keys
# List the secret keys of the current user with long key IDs, keygrips and
# subkey fingerprints; the fingerprint is what the next steps refer to.
gpg --list-secret-keys --keyid-format=long --with-keygrip --with-subkey-fingerprints -vvv
Import it into root keyring
# Copy the secret subkeys (not the primary secret key) into the keyring used
# by "sudo gpg", so the later decrypt step can run under sudo.
# NOTE(review): assumes sudo points gpg at root's home directory; confirm
# with "sudo gpg --list-secret-keys". The secret material now lives in two
# keyrings and both need protecting.
gpg --export-secret-subkeys 28B03D68D333871691DC245609867128C44DF037 | sudo gpg --batch --import
Encrypt the LUKS key file with GPG
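# Encrypt the key file to the GPG key, then destroy the plaintext copy.
# The && ensures the plaintext is shredded only if gpg succeeded; otherwise
# a failed encryption followed by shred would lose the key file for good.
# shred overwrites in place, which is not reliable on journaling or
# copy-on-write filesystems or on SSDs; if that matters, rotate the keyslot
# afterwards rather than relying on the overwrite.
sudo gpg --encrypt --recipient 28B03D68D333871691DC245609867128C44DF037 /etc/luks-keys/myvault_key \
  && sudo shred -vzu -n5 /etc/luks-keys/myvault_key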
Mount the LUKS device, using GPG to decrypt the key file
# Decrypt the key file and hand it to cryptsetup on stdin ("-" as key file),
# so the plaintext key only exists in the pipe and is never written to disk.
# Loopback pinentry makes gpg ask for its passphrase on the terminal.
sudo gpg --quiet --pinentry-mode loopback --decrypt /etc/luks-keys/myvault_key.gpg \
  | sudo cryptsetup open --type luks --key-file - vaultfile.img myvault
sudo mount /dev/mapper/myvault ~/myvault
https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html#enabling-cryptomount-in-grub2