Encrypted LUKS volume inside a file
LUKS can be used to encrypt a volume that’s stored inside a single file.
Start by creating a 2GB file (1M * 2k) that will hold the LUKS volume and fill it with random bytes. If you’re wondering why the strange filename, Solaris.1971.1080p.BluRay.x264-[YTS.AM].mp4.part, that’s so it is “hidden” as a temporary Transmission torrent file, away from prying eyes (unless your threat model is the NSA). If you want to use a qBittorrent temporary extension, change .part to .!qB.
Also, don’t put the volume file inside a CONFIDENTIAL or VERY_IMPORTANT_STUFF or HIDDEN_LUKS_VOLUMES directory; keep it somewhere where you’d store your downloaded files (maybe even add a subtitle file next to it, just for fun). You can cleverly disguise the volume file (depending on its size) in Windows DLLs, macOS resource files, etc.
There might be an image on this website that contains a small encrypted LUKS volume sandwiched between the PNG chunks.
$ dd if=/dev/urandom of='Solaris.1971.1080p.BluRay.x264-[YTS.AM].mp4.part' bs=1M count=2k status=progress
1735393280 bytes (1735 MB, 1655 MiB) transferred 2.002s, 867 MB/s
2048+0 records in
2048+0 records out
2147483648 bytes transferred in 2.456553 secs (874185759 bytes/sec)
Set up a LUKS volume on the file we just created.
$ sudo cryptsetup luksFormat --pbkdf argon2id 'Solaris.1971.1080p.BluRay.x264-[YTS.AM].mp4.part'
WARNING!
========
This will overwrite data on Solaris.1971.1080p.BluRay.x264-[YTS.AM].mp4.part irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase for Solaris.1971.1080p.BluRay.x264-[YTS.AM].mp4.part:
Verify passphrase:
Open the volume.
$ sudo cryptsetup luksOpen 'Solaris.1971.1080p.BluRay.x264-[YTS.AM].mp4.part' volume1
Create a filesystem on the newly opened volume.
$ sudo mkfs.ext4 -v -m0 /dev/mapper/volume1
mke2fs 1.44.5 (15-Dec-2018)
fs_types for mke2fs.conf resolution: 'ext4'
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
64512 inodes, 258048 blocks
0 blocks (0.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=264241152
8 block groups
32768 blocks per group, 32768 fragments per group
8064 inodes per group
Filesystem UUID: db889711-6c4d-45ce-a9c1-c57004a890b7
Superblock backups stored on blocks:
32768, 98304, 163840, 229376
Allocating group tables: done
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done
Mount the new filesystem.
$ sudo mount /dev/mapper/volume1 /mnt
Copy all the files you want on the LUKS volume, mounted on the /mnt path. When you’re done, unmount the volume.
$ sudo umount /mnt
Now, when you need to copy to/from the volume you only need to:
Unlock the volume
$ sudo cryptsetup luksOpen 'Solaris.1971.1080p.BluRay.x264-[YTS.AM].mp4.part' volume1
Mount the volume
$ sudo mount /dev/mapper/volume1 /mnt
And when done, unmount the volume
$ sudo umount /mnt
Enjoy.
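The disguise described above changes only the file name: once luksFormat has run, the file begins with a LUKS header that identifies it regardless of extension. The shell functions below are an added example, not part of the original page, and check a file for that header; the names luks_probe, luks_scan and make_sample are hypothetical, and the sample header and its UUID are constructed.

```shell
#!/bin/sh
# Added example: recognize a LUKS container by its header, whatever it is named.
# LUKS1 and LUKS2 both start with the magic "LUKS" 0xBA 0xBE and a 2-byte
# big-endian version, and keep the volume UUID as text at byte offset 168.

# Print "LUKS<version> <uuid>" and return 0 if file $1 has a LUKS header.
luks_probe() {
    f=$1
    [ -f "$f" ] && [ -r "$f" ] || return 1
    # First 8 bytes as lowercase hex without separators.
    hdr=$(dd if="$f" bs=1 count=8 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case $hdr in
        4c554b53babe0001) ver=1 ;;
        4c554b53babe0002) ver=2 ;;
        *) return 1 ;;
    esac
    # The UUID field is 40 bytes long and NUL padded.
    uuid=$(dd if="$f" bs=1 skip=168 count=40 2>/dev/null | tr -d '\000')
    printf 'LUKS%s %s\n' "$ver" "$uuid"
}

# Report every file under directory $1 whose content is a LUKS container.
luks_scan() {
    find "$1" -type f | while IFS= read -r f; do
        if info=$(luks_probe "$f"); then
            printf '%s: %s\n' "$f" "$info"
        fi
    done
}

# Constructed sample: write a minimal fake LUKS2 header (magic, version,
# zero padding up to offset 168, made-up UUID) to file $1 for testing.
make_sample() {
    {
        printf 'LUKS\272\276\000\002'
        dd if=/dev/zero bs=1 count=160 2>/dev/null
        printf '00000000-0000-4000-8000-000000000001'
        dd if=/dev/zero bs=1 count=4 2>/dev/null
    } > "$1"
}

# Scan a directory when one is given on the command line.
if [ $# -gt 0 ]; then luks_scan "$1"; fi
```

cryptsetup's --header option stores the header in a separate file, in which case the container file itself carries no such signature.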