WRITELOOP

CREATE AN ENCRYPTED FILE VAULT ON LINUX

2020 February 9

For some time I have been thinking about having a portable encrypted vault file that could be used to store sensitive information on a USB stick, and I have finally figured out a way to do so. Here are the instructions:

1) Create a file with random bytes to unlock the vault:

dd if=/dev/urandom of=/path/to/master.keyfile bs=16384 count=1

This will generate a 16384-byte key file, which I can encrypt with gnupg for extra security.

2) Create the vault:

dd if=/dev/zero of=/path/to/vault_file bs=1 count=0 seek=60G

Tip: give the vault file an inconspicuous name, e.g. movie.mp4. This will create a 60 GB file.

3) Encrypt the vault:

sudo cryptsetup -y -c aes-xts-plain64 -s 512 -h sha512 -i 5000 --use-random luksFormat /path/to/vault_file /path/to/master.keyfile

This will format the vault and encrypt it using the master key file.

4) Unlock the vault

sudo cryptsetup luksOpen /path/to/vault_file VAULT --key-file /path/to/master.keyfile

This will unlock the vault with the key file under the alias “VAULT”, which will allow us to format the vault file.

5) Format the unlocked volume

sudo mkfs.ext4 /dev/mapper/VAULT

6) Mount the unlocked volume, and set its permissions

$ sudo mkdir /tmp/VAULT
$ sudo mount /dev/mapper/VAULT /tmp/VAULT
$ sudo chown -R $(id -u):$(id -g) /tmp/VAULT
$ sudo chmod 700 /tmp/VAULT

Now you can use your vault, under the directory /tmp/VAULT.

7) Unmount the unlocked volume, to lock the vault when you’re finished

$ sudo umount /tmp/VAULT && sudo cryptsetup luksClose VAULT

8) Open the vault when you need to work on it:

sudo cryptsetup luksOpen /path/to/vault_file VAULT --key-file /path/to/master.keyfile && sudo mount /dev/mapper/VAULT /tmp/VAULT

This will unlock the vault with the key file under the alias “VAULT” and mount it. After you finish, unmount and close it (step 7 above).
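The open and close steps above collected into a small shell wrapper, as an added example that is not part of the original post. The paths, the VAULT mapper name and /tmp/VAULT come from the post; the DRY_RUN switch, the key-file permission check and the refusal to open an already open mapper are my additions.

```shell
#!/usr/bin/env bash
# Wraps the open/close steps from the post. Defaults mirror the post's paths; override
# them in the environment. With DRY_RUN=1 (my addition) commands are printed, not run.
set -eu

VAULT_FILE="${VAULT_FILE:-/path/to/vault_file}"
KEYFILE="${KEYFILE:-/path/to/master.keyfile}"
MAPPER="${MAPPER:-VAULT}"
MOUNTPOINT="${MOUNTPOINT:-/tmp/$MAPPER}"

# run: execute a command under sudo, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else sudo "$@"; fi
}

# keyfile_mode_ok: the key file is the only secret protecting the vault, so it must
# be readable by its owner alone (mode 0400 or 0600). GNU stat first, BSD stat fallback.
keyfile_mode_ok() {
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
  case "$mode" in 400|600) return 0 ;; *) return 1 ;; esac
}

# vault_open: steps 4, 6 and 8. Refuses to run if the key file is too open or the
# mapper already exists, so a second call cannot mount the same device twice.
vault_open() {
  if [ "${DRY_RUN:-0}" != "1" ]; then
    keyfile_mode_ok "$KEYFILE" || { echo "refusing: $KEYFILE must be mode 0400/0600" >&2; return 1; }
    [ ! -e "/dev/mapper/$MAPPER" ] || { echo "refusing: $MAPPER is already open" >&2; return 1; }
  fi
  run cryptsetup luksOpen "$VAULT_FILE" "$MAPPER" --key-file "$KEYFILE"
  run mkdir -p "$MOUNTPOINT"
  run mount "/dev/mapper/$MAPPER" "$MOUNTPOINT"
  run chown "$(id -u):$(id -g)" "$MOUNTPOINT"
  run chmod 700 "$MOUNTPOINT"
}

# vault_close: step 7. Order matters: unmount first, then close the LUKS mapping;
# luksClose on a mounted device fails and would leave the vault unlocked.
vault_close() {
  run umount "$MOUNTPOINT"
  run cryptsetup luksClose "$MAPPER"
}

if [ $# -gt 0 ]; then
  case "$1" in
    open)  vault_open ;;
    close) vault_close ;;
    *)     echo "usage: $0 open|close" >&2; exit 2 ;;
  esac
fi
```

Run it as `./vault.sh open` and `./vault.sh close`; `DRY_RUN=1 ./vault.sh open` shows the exact commands it would execute.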