Encrypting containers with LUKS

About

This is a summary of what I learned about Linux and encryption.
This guide teaches you how to encrypt and mount an ext4 container file WITHOUT SUDO PERMISSIONS.
This is accomplished by going through the user-facing udisks service (udisksctl) instead of a plain mount command. udisks is what lets an unprivileged desktop user mount filesystems (it is the same mechanism that makes a plugged-in USB stick show up in your file manager).

Requirements: a Linux desktop with a GUI, and some time.

Creating the file

First you have to create the container file that you will later use as a mountable, encrypted filesystem.
You can also do this with a whole drive, but I decided on a single file because it is easier to set up, faster to create, and backing it up is a simple drag and drop.

To create a file filled with random data that will hold our filesystem, use the following dd command:

me@server:~$ dd if=/dev/urandom of=secret.img bs=1M count=10000 status=progress
10290724864 bytes (10 GB, 9.6 GiB) copied, 31 s, 332 MB/s
10000+0 records in
10000+0 records out
10485760000 bytes (10 GB, 9.8 GiB) copied, 31.6548 s, 331 MB/s
Now set up the LUKS encryption on the file with cryptsetup:
me@server:~$ sudo cryptsetup luksFormat secret.img 

WARNING!
========
This will overwrite data on secret.img irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for secret.img: 
Verify passphrase:
After this you need to open the container and create the filesystem itself.
me@server:~$ sudo cryptsetup open secret.img secret
Enter passphrase for secret.img:
The above command opens secret.img as the device /dev/mapper/secret. You can now create a filesystem on the empty device:
me@server:~$ sudo mkfs.ext4 /dev/mapper/secret 
mke2fs 1.47.0 (5-Feb-2023)
Creating filesystem with 2555904 4k blocks and 638976 inodes
Filesystem UUID: 483f5d30-2421-4562-9ae4-2a06b5108bc7
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632

Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done
The above command creates an ext4 filesystem on the previously opened secret.img.
To mount the filesystem you can now simply use mount:
me@server:~$ sudo mkdir /mnt/secret
me@server:~$ sudo mount /dev/mapper/secret /mnt/secret
Now you can access the contents of secret.img like a mounted drive in the /mnt/secret folder.

To unmount and close the file you can use "umount" and "cryptsetup close" like this:
me@server:~$ sudo umount /mnt/secret
me@server:~$ sudo cryptsetup close secret
You now have an encrypted filesystem in your secret.img file that you can easily back up and mount. If you want to know how to mount it without needing sudo and cryptsetup every time, read the section below.

Resize the file

You can resize the secret.img file easily by appending more data to it.
You can do this while it is closed and unmounted, or while it is actively mounted.
WARNING: Make sure the first command uses two > signs (>>) so it appends; a single > truncates the file and you will lose your data!

me@server:~$ head -c 7G /dev/urandom >> secret.img
me@server:~$ sudo cryptsetup resize secret
Enter passphrase for /home/me/secret.img:
me@server:~$ sudo resize2fs /dev/mapper/secret
resize2fs 1.47.0 (5-Feb-2023)
Filesystem at /dev/mapper/secret is mounted on /mnt/secret; on-line resizing required
old_desc_blocks = 2, new_desc_blocks = 3
The filesystem on /dev/mapper/secret is now 4390912 (4k) blocks long.

me@server:~$ df -h /mnt/secret
Filesystem          Size  Used Avail Use% Mounted on
/dev/mapper/secret   17G   24K   16G   1% /mnt/secret
As you can see above, we append 7 GB of random data to our file, then use "cryptsetup resize" so the LUKS mapping picks up the new size, and then "resize2fs" so the ext4 filesystem grows into the new space. The last command shows that the filesystem inside our file is now 17 GB in size instead of 10 GB as before.

Mounting (without sudo)

You can easily mount the encrypted container even as a user without sudo permissions.
Manjaro (with xfce4) has udisks installed, which mounts USB sticks and external hard drives when you connect them to your machine. You can use the same mechanism to mount your encrypted filesystem as well.

First you have to set up a loop device for your image file.

[rin@rin-80mx ~]$ udisksctl loop-setup -f ind.img
Mapped file ind.img as /dev/loop0.
Once the loop device (loopX) has been created you can unlock it with your passphrase.
[rin@rin-80mx ~]$ udisksctl unlock -b /dev/loop0
Passphrase: 
Unlocked /dev/loop0 as /dev/dm-0.
After unlocking it you can mount the unlocked device with the following command:
[rin@rin-80mx ~]$ udisksctl mount -b /dev/dm-0
Mounted /dev/dm-0 at /run/media/rin/cc5748bc-adf5-4a20-8d00-495ae44ac966
Congratulations! You now have mounted your encrypted filesystem! A few commands to verify its size and content:
[rin@rin-80mx ~]$ ls /run/media/rin/cc5748bc-adf5-4a20-8d00-495ae44ac966/
lost+found

[rin@rin-80mx ~]$ df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/dm-0        29M   14K   26M   1% /run/media/rin/cc5748bc-adf5-4a20-8d00-495ae44ac966
To unmount your filesystem you simply reverse the steps.
First unmount the decrypted device (in this case dm-0):
[rin@rin-80mx ~]$ udisksctl unmount -b /dev/dm-0 
Unmounted /dev/dm-0.
Then lock your loopback device:
[rin@rin-80mx ~]$ udisksctl lock -b /dev/loop0
After locking, the loop device should be detached from the list of active devices: the /dev/loop0 node is still visible, but losetup should no longer list it.
If loop0 still shows up in the output of losetup you can run udisksctl loop-delete -b /dev/loop0 to remove the mapping. (Warning: the device node /dev/loop0 will still exist, but losetup should show no loop0 entry.)
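As an added example (my own script, not part of the original guide), here is a small shell wrapper around the udisksctl sequence above. It takes the loop and dm device names from udisksctl's own messages instead of assuming loop0 and dm-0, and tears everything down in reverse order; the script name and argument layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: wraps the udisksctl
# loop-setup -> unlock -> mount sequence and its reverse, so the loop
# and dm device names come from udisksctl's output rather than being
# hard-coded as loop0 / dm-0.
# Usage (hypothetical script name):
#   ./luks-udisks.sh mount secret.img
#   ./luks-udisks.sh unmount /dev/dm-0 /dev/loop0
set -eu

# Last word of a udisksctl message, minus any trailing period, e.g.
#   "Mapped file secret.img as /dev/loop0."  -> /dev/loop0
#   "Unlocked /dev/loop0 as /dev/dm-0."      -> /dev/dm-0
parse_device() {
    last="${1##* }"
    printf '%s\n' "${last%.}"
}

# Mount point from "Mounted /dev/dm-0 at /run/media/<user>/<uuid>".
# The guide's own output shows messages both with and without a
# trailing period, so strip one if present.
parse_mountpoint() {
    rest="${1#* at }"
    printf '%s\n' "${rest%.}"
}

# Attach the image, unlock it (udisksctl prompts for the passphrase)
# and mount it. Prints "<loop> <dm> <mountpoint>" so the caller has
# what it needs to undo the steps later.
mount_image() {
    loop=$(parse_device "$(udisksctl loop-setup -f "$1")")
    dm=$(parse_device "$(udisksctl unlock -b "$loop")")
    mnt=$(parse_mountpoint "$(udisksctl mount -b "$dm")")
    printf '%s %s %s\n' "$loop" "$dm" "$mnt"
}

# Reverse order: unmount the dm device, lock it, detach the loop.
# udisks may already have dropped the loop device on lock, so a
# failing loop-delete is not treated as an error.
unmount_image() {
    udisksctl unmount -b "$1"
    udisksctl lock -b "$2"
    udisksctl loop-delete -b "$2" 2>/dev/null || true
}

case "${1:-}" in
    mount)   mount_image "$2" ;;
    unmount) unmount_image "$2" "$3" ;;
esac
```

The mount subcommand prints the three names on one line so you can paste the dm and loop devices straight into the unmount subcommand.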