privmnt - easy ad-hoc management of personal encrypted file systems
Tool for easy ad-hoc management of personal encrypted file systems on Linux using dm-crypt and LUKS.
Create, open/mount and unmount/close encrypted file systems on demand through very simple commands. It is meant to be invoked as regular user, but due to using Linux kernel block level encryption facilities, the user must have administrative privileges on the system, and sudo will be invoked by privmnt where required. Privmnt attempts to ensure that any failed operations are properly cleaned up, checks for many error conditions and hides the tedious sequence of commands which are necessary to mount, unmount and properly close dm-crypt/LUKS encrypted file systems.
It is not meant to be used as a system tool to setup general purpose shared encrypted disk partitions, although it is able to create standard encrypted file systems on block devices, as well as in regular files.
If you're already using properly set up full disk encryption on your computer, you probably don't need this tool. It's more useful when handling smaller encrypted "vaults" inside your computer, or when using encrypted thumb drives, which can be opened and closed on demand.
Privmnt can be invoked without a terminal and prompt for encryption
passphrase using a graphical dialog box. It supports a simple
graphical informational user interface through
Zenity for all operations exception
create command, which does require an interactive terminal.
Requirements and installation
This script requires a Linux distribution of some sort, as the technology used is Linux specific. The cryptsetup command must be installed.
Copy the script to some place in your PATH:
sudo cp privmnt /usr/local/bin/ sudo chmod 755 /usr/local/bin/privmnt
.. or similar.
Give it a test:
If it complains about missing requirements, check the command paths at the top of the script, and make sure they are present on the system. If the paths are wrong, adjust to suit your Linux distro by editing the privmnt script directly.
Use: privmnt COMMAND [OPTIONS] Manage and create personal encrypted file systems COMMAND may be one of: m, mount Open encrypted file system and mount it. u, umount Unmount encrypted file system and close it. t, toggle Mount if not already mounted, umount otherwise. s, status Test if mounted and exit with code 0 if so, or a non-zero code otherwise. No output is produced. c, create Make a new encrypted file system (terminal interactive wizard) Options: -d <dir>, set the mount directory, default: /home/$USER/Private -i <img>, set path to file/device containing LUKS encrypted file system image By default, a storage file path is derived from mount directory. -m <opts>, set mount options for file system -s Silent errors, do not fail even if already unmounted or mounted -h Show this help. Commands that require root privileges will be invoked using /usr/bin/sudo. This includes /sbin/cryptsetup, /bin/lsblk, /bin/mount and /bin/umount. Version 1.0
Create a private file system, with storage in a file
Issue command, and assuming your username is
privmnt create -d ~/Private
This will start an interactive wizard in the terminal.
# Create a new encrypted file system Use <CTRL+C> to abort wizard. ## Enter directory path where it should be mounted: Path> /home/theuser/Private
Hit enter to accept the default mount point as specified with option
## Enter a file or block device path to use as storage: Path> /home/theuser/.Privatefs
The suggested place to use as storage for the new encrypted file
system is a regular file that sits alongside the mount point
directory, and is named similarly. You can also specify a block device
(partition or disk) instead, like
/dev/sdb1. In that case, the whole
partition is used as storage.
Using new file /home/theuser/.Privatefs as storage ## Enter desired size of storage file in in mega og gigabytes: Size(xM or xG)> 1G
The size needs to be preallocated, and you must specify the size of the file used as storage. Here we say one gigabyte of storage. This will give somewhere close to one gigabyte of free space in the encrypted file system to be created.
## Select file system type (choose ext4 if unsure): 1) ext4 2) ext2 3) vfat #? 1
Select option 1 to create a standard ext4 file system.
## Summary of parameters: Mount at: /home/theuser/Private Using storage file: /home/theuser/.Privatefs File system: ext4 Size: 1024 M Proceed ? [y/N]> y
Finally, we are presented with a summary of the options. Type
y <RETURN> to proceed, or just hit enter to abort.
## Creating directory /home/theuser/Private .. ## Creating empty file at /home/theuser/.Privatefs .. ## Filling storage with pseudo-random data, this can take a while ..
In this step, the storage file is filled with pseudo-random data. This operation can take a long time, depending on how large the file system is. For large block devices/partitions, it can take very long. This examples does not use a block device directly, but only a small 1GiB file, so it will be quick.
1024+0 records in 1024+0 records out 1073741824 bytes (1,1 GB, 1,0 GiB) copied, 9,29179 s, 116 MB/s ## Setting up LUKS on /home/theuser/.Privatefs .. WARNING! ======== This will overwrite data on /home/theuser/.Privatefs irrevocably. Are you sure? (Type uppercase yes): YES
The next step is cryptsetup formatting the storage file into an encrypted LUKS-container.
Enter passphrase for /home/theuser/.Privatefs: Verify passphrase: ## Opening encrypted device .. Enter passphrase for /home/theuser/.Privatefs:
Type and verify your desired passphrase, then type it a third time to open the LUKS container. The setup process continues.
## Creating file system .. [sudo] password for theuser:
At this point, sudo is invoked to access the mapped block device which represents the opened LUKS container. The file system will now be created.
mke2fs 1.44.1 (24-Mar-2018) Creating filesystem with 261632 4k blocks and 65408 inodes Filesystem UUID: ac188730-8fa3-43d8-9165-974c74fe1bac Superblock backups stored on blocks: 32768, 98304, 163840, 229376 Allocating group tables: done Writing inode tables: done Creating journal (4096 blocks): done Writing superblocks and filesystem accounting information: done ## Mounting and adjusting permissions .. ## Unmounting .. ## Closing encrypted device .. ## Completed the process.
After creating file system, permissions are adjusted for maximum privacy, then it is unmounted and the LUKS container is closed. It is now ready to use.
## To mount the newly created encrypted file system, use command: privmnt mount -d '/home/theuser/Private' ## To unmount and close the encrypted file system, use command: privmnt umount -d '/home/theuser/Private'
The process ends with a description of the commands required to mount and access the encrypted file system, and unmount/close it.
When using the default directory
~/Private as mount point, and a
default storage file
~/.Privatefs, then you do not need to specify
any options to mount or unmount. Just say
privmnt m to mount and
privmnt u to unmount. You can also call these commands without a
terminal, e.g. run from window manager, and you will get a graphical
prompt for passphrase and progress status.
Mount a private file system
MOUNTPOINT with storage in a regular
privmnt m -d MOUNTPOINT -i FILE
-i FILE is not necessary if the file exists in the same
directory as the mount point and is named like the basename of the
mount point directory with a leading dot and a suffix of "fs".
Unmount and close a private file system
Unmount encrypted file system mounted at
privmnt u -d MOUNTPOINT
This unmounts the file system and closes the LUKS container.
Setting up sudo to avoid password prompts
This tool invokes sudo for system commands that require root
privileges. To avoid getting prompted about sudo-password in addition
to your encrypted file system passphrase, the following can be added
Cmnd_Alias PRIVMNT = /sbin/cryptsetup *, /sbin/lsblk *, /bin/mount *, /bin/umount * theuser ALL=NOPASSWD: PRIVMNT
theuser is your username.
Setting up an encrypted file system on a thumb drive
Find out which device is your thumbdrive. A helpful command may be
lsblk to show block devices attached to the system.
For the following example, we assume that
/dev/sdh is the device of
the inserted USB thumb drive. You must be absolutely certain of this,
as all data on the drive will be erased.
Create an encrypted file system on the drive:
privmnt c -i /dev/sdh -d ~/securethumb
(The mount directory does not matter, you can mount it anywhere you can. It is only asked as a convenience.)
Follow the wizard. The entire thumbdrive will be used as storage.
Mount thumb drive:
privmnt m -i /dev/sdh -d ~/securethumb
Unmount and secure thumb drive:
privmnt u -d ~/securethumb
The thumb drive will also be mountable using standard operating system procedures for LUKS-encrypted volumes, and likely you will be asked of passphrase by your desktop environment automatically when inserting the thumb drive. Privmnt can be useful when such streamlined integrations are not in place, or you prefer to control the mounting manually.
There is no replacement for a proper understanding of important security aspects when dealing with encrypted file systems. Here are some things to think about:
Use a long passphrase that you can easily remember. Most real security is lost if a weak password is chosen to secure your data.
Be aware of surroundings. When an encrypted file system is open and mounted, the files are accessible to the operating system in general. This means that tools like mlocate/slocate, backup services and indexing services might access the files without you being aware of it. Contents of files can be cached by programs you use to work with private data, and store the cache on unencrypted media.
This point can be significantly mitigated by using full disk encryption in addition, but then you likely will not find privmnt useful.
Data integrity. With LUKS-formatted encryption containers, the real master decryption key is stored as part of the header. Be aware that if the first 2 MiB of the storage device gets corrupted or becomes unreadable, generally all data in the LUKS container is lost. Therefore, LUKS header backups is recommended, but how to do that is beyond the scope of this document (see cryptsetup/LUkS docs).
Also, when using a regular file as storage, the file cannot safely be copied while the encrypted file system is mounted (risk of corrupting the encrypted file system). You must unmount before taking a backup of it, for instance.
File system permissions. Privmnt tries to ensure that the file systems it creates limit permissions to the current user. This applies both to the encrypted storage file (file system image) and when the encrypted file system is mounted. Still, you should double check that permissions look ok when using it on a shared system.
Specific to this tool, when using the graphical interface for obtaining the passphrase, the secret will be stored in memory temporarily in the zenity and privmnt bash process, before being passed on to cryptsetup. You can avoid this and directly input to cryptsetup by using the terminal interface (e.g. invoking privmnt from a terminal instead of running directly from window system.). I personally do not deem this a great risk, but it is something to keep in my when using a shared system.
Privmnt has been tested on Ubuntu 16.04 and Ubuntu 18.04.
If you've tested it on other distributions, I'd like to hear about it, so I can update this section with the results.
Øyvind Stegard firstname.lastname@example.org
Distributed under the GPL v3 license, this is free and open source software.