Encrypt and Decrypt a Single File on Linux with AES256 and GPG

Encrypt a file with a passphrase (symmetric AES256):

gpg --cipher-algo AES256 --symmetric --output encrypted.file plain.file

Decrypt it:

gpg --output plain.file --decrypt encrypted.file

Change the key file for a LUKS device

cryptsetup luksChangeKey /dev/sdX --key-file /keys/old.keyfile /keys/new.keyfile

Create a LUKS Encrypted Image Container File

Create an empty 1GB img file.

dd if=/dev/zero of=encrypted.img bs=1 count=0 seek=1G

Choose a keyfile that will be used to encrypt and unlock the image. Any regular file works as a key. A random key can be generated like so.

dd if=/dev/urandom of=mykey.keyfile bs=1024 count=1

Encrypt the disk image file.

sudo cryptsetup luksFormat encrypted.img mykey.keyfile

Unlock/open the encrypted image using the keyfile.

sudo cryptsetup luksOpen encrypted.img myVolume --key-file mykey.keyfile

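The volume now exists at /dev/mapper/myVolume like any block device. A freshly formatted volume holds no filesystem yet, so create one on first use (for example with mkfs.ext4); after that it can be mounted normally with mount.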
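
The checks below are an added example, not part of the original page: they confirm that encrypted.img carries a LUKS header and that mykey.keyfile is not accessible to group or others before the container is relied on. The function names (luks_version, keyfile_is_private, preflight) are hypothetical helpers, not cryptsetup commands.

```shell
#!/bin/sh
# Added example: pre-flight checks for the LUKS image and keyfile created above.
# luks_version, keyfile_is_private and preflight are hypothetical helper names,
# not cryptsetup commands.

# Print the LUKS on-disk version (1 or 2); fail if there is no LUKS header.
# A LUKS header starts with the magic "LUKS" 0xBA 0xBE, then a 2-byte
# big-endian version number.
luks_version() {
    [ -r "$1" ] || return 1
    hdr=$(dd if="$1" bs=8 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$hdr" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) return 1 ;;
    esac
}

# Succeed only if the keyfile is a regular file whose mode grants nothing to
# group or others (e.g. 600 or 400). dd creates the keyfile with the current
# umask, which commonly leaves it world-readable.
keyfile_is_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld -- "$1")" in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run both checks, print one line per finding, return non-zero on any failure.
preflight() {
    img=$1; key=$2; rc=0
    if ver=$(luks_version "$img"); then
        echo "ok: $img has a LUKS$ver header"
    else
        echo "FAIL: $img has no LUKS header (luksFormat not run?)"; rc=1
    fi
    if keyfile_is_private "$key"; then
        echo "ok: $key is not accessible to group or others"
    else
        echo "FAIL: $key is missing or accessible to group/others (chmod 600)"; rc=1
    fi
    return "$rc"
}

# Usage: preflight encrypted.img mykey.keyfile
```

Running chmod 600 mykey.keyfile right after generating the key makes the second check pass.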

Mount a Veracrypt Hidden Partition With Cryptsetup

The options below are specific to a hidden Veracrypt encrypted volume, not a “normal” Veracrypt encrypted volume.

# /etc/crypttab
my-mapper-name /my/file.img /dev/null tcrypt-veracrypt,tcrypt-hidden,tcrypt-keyfile=/keys/my.key,nofail