We create an encrypted container in Linux using regular means

6 May 2023 6 minutes Author: Cyber Witcher

Technology for encryption of container images

Over the past few years, the cloud industry has seen a major shift from deploying monolithic applications on virtual machines to dividing applications into smaller components (microservices) and packaging them into containers. The popularity of containerization today is largely due to the work of Docker. Docker is the company that has become the main driving force behind containers, providing an easy-to-use tool to create and run Docker containers and a Docker container registry to solve the task of distributing them. The success of containerization technology mainly depends on the safety of containers at various stages of their life cycle. One of the security problems is the presence of vulnerabilities inside individual containers. To detect them, DevOps pipelines used to create containers are supplemented with scanners that look for packages with possible vulnerabilities in containers and alert their owners or technical specialists if they are detected.

Vulnerability Advisor in IBM Cloud is an example of such a utility. This article addresses the still pressing enterprise security issue of data and code privacy in container images. The main goal of security when working with container images is to allow the creation and distribution of encrypted container images to make them available only to a specific set of recipients. In this case, others can access those images, but they won’t be able to run them or see the sensitive data inside them. Container encryption is based on existing cryptography, such as Rivest-Shamir-Adleman (RSA), elliptic curve encryption technology, and Advanced Encryption Standard (AES), also known as Rijndael, a symmetric block encryption algorithm.

Utilities that already exist in Linux “out of the box” or at the kernel level

DD (dataset definition) is a UNIX utility used for copying and converting files, as well as reading data. The name is inherited from the DD (Dataset Definition) operator from the JCL language. Among other things, this utility allows you to copy regions from raw device files, such as backing up the boot sector of a hard drive, or read fixed blocks of data from special files such as /dev/zero or /dev/random.

Cryptsetup is a utility for setting up virtual block devices under the control of the “device mapper” (dm) and dm-crypt kernel services. Virtual volumes of “plain dm-crypt” and LUKS formats are supported. The LUKS format is more functional than “plain dm-crypt” due to the presence of a special metadata block.

These two utilities are present in most distributions initially. Now that it is clear what these utilities are and what functions they perform, let’s move on to creating a container. First, we need to create a key file that we will use to unlock the container every time:

Command parameters

  • if – indicates the source, that is, where we copy from. A file is specified, which can be either a regular file or a device file. In this case, it’s /dev/random, the random number device.

  • of – is the destination file or file path. In this case, it’s the enigma file being created. You can call it whatever you want.

  • bs – the number of bytes that will be written at a time. In this case, we are creating a file that is 4096 bytes long.

  • count – a number indicating how many chunks will be copied.

Simply put, the dd utility creates a 4096-byte key file called enigma for us. You will need to keep this file as the apple of your eye, otherwise if you lose it, the container will not be unlocked, accordingly, and all the data stored in it will become inaccessible.

Now let’s move on to creating the file of the container itself using the same dd utility:

Here everything is already clear, except for the last parameter seek. It indicates exactly the size of the container being created. In short, the dd utility will create a 2 GB mystery.mp3 file in your home folder and overwrite it with zeros. I specifically created a container file in .mp3 format. Although weak, but disguise. Of course, it will not be played, but it can be placed in a directory with a bunch of music files, which will somehow make it difficult to detect.

The next step is to encrypt the created container using the cryptsetup utility:

Here we encrypt the container with the aes-xts-plain64 algorithm indicated by the -c (cipher) option, it is preferred for LUKS containers and is used by default. All algorithms and modules supported by the kernel can be viewed using the command:

The -s option specifies a key size of 512 bits. The -h (hash) parameter specifies the hash function (algorithm), in this case it is sha512. The -i (iter-time) option specifies how many milliseconds to spend on processing. The –use-random luksFormat option will format the container using random numbers generated by the /dev/random device.

If the command is successful, you will be shown the following:

When asked Are you sure? (Type uppercase yes) you will need to enter YES in capital letters, after which encryption will continue. Now, to unlock the container, you need to enter the command:

SECRET is a mount point used to map and mount devices and volumes. You can give it any name you want. Now we need to format the unlocked container into a file system. In Linux distributions, the ext4 format is preferred and used by default. The mkfs command is used for formatting:

What you will get a conclusion for:

The open device file is usually located in /dev/mapper/name. At the same time, you can perform various actions, including formatting. Let’s create a directory in the home folder where we will mount the container, for example:

Now mount the container in this directory:

You see, the container appeared in the list of devices of the file manager, and exactly according to the specified path:

Now let’s give the rights to use the files in the container:

If this is not done, then all actions with files can be performed only with root rights. To unmount the container, you need to execute the command:

To lock the container, run the command:

You can do it with one command:

That’s it, the next time you need to unlock a container and mount it in a directory, just type two commands:


I’m leaning towards SIM. As you can see, you can create an encrypted container with regular Linux utilities, without resorting to installing third-party programs.

Other related articles
Found an error?
If you find an error, take a screenshot and send it to the bot.