Encrypted Storage

Your files are vulnerable.

If your laptop is stolen, lost, or seized, anyone with physical access can read everything: your documents, photos, financial records, passwords database, browser history. Disk encryption is the solution.

You enabled disk encryption when installing Linux Mint (Week 2). But encryption isn’t just for your system drive—it’s for USB drives, backup drives, cloud storage, and sensitive file containers.

This week, you’ll learn to create encrypted containers with VeraCrypt, understand LUKS (your existing Linux encryption), and establish secure backup practices.


Understanding Disk Encryption

Why Encrypt?

Without encryption:

  • Stolen laptop = all files exposed
  • Lost USB drive = sensitive data in stranger’s hands
  • Repair shop = technician can browse your files
  • Border crossing = customs can image your drive
  • Warrant = law enforcement gets everything

With encryption:

  • Stolen laptop = worthless encrypted blob
  • Lost USB drive = random garbage without password
  • Repair shop = can’t access your data
  • Border crossing = protected (but see legal notes)
  • Warrant = depends on jurisdiction and your cooperation

Full Disk Encryption (FDE)

Your Linux Mint installation uses LUKS (Linux Unified Key Setup) for full disk encryption:

  • OS, applications, files and swap are all encrypted; only /boot (kernel, initramfs) and the EFI partition stay in plaintext, because the bootloader needs them before you can type a passphrase
  • Decrypted at boot with your passphrase
  • Transparent once unlocked (no extra steps)

Limitation: Once unlocked, the master key sits in RAM and every file is readable by any program (or attacker) running as you. A locked screen or a suspended laptop is still an unlocked disk; only a powered-off machine is protected by FDE.

Container-Based Encryption

VeraCrypt and similar tools create encrypted containers:

  • Single encrypted file that acts like a virtual drive
  • Mount when needed, unmount when done
  • Can keep sensitive data encrypted even when system is on
  • Portable (container file can live on USB, cloud, etc.)

Use case: Keep financial documents encrypted even while logged in.

File-Level Encryption

Individual files encrypted with specific keys:

  • GPG encrypts specific files
  • Age (modern alternative) encrypts files
  • Password-protected archives (7z, etc.)

Use case: Encrypt specific files for sharing or cloud storage.


Part 1: Understanding Your LUKS Encryption

Check Your Encryption Status

Your Linux Mint system is already encrypted (from Week 2). Verify:

# List block devices, their type, filesystem and mount point
lsblk -o NAME,TYPE,FSTYPE,MOUNTPOINT

# Look for "crypt" type entries (the partition under them shows crypto_LUKS as its filesystem)

You should see something like:

sda                   disk
├─sda1                part   vfat          /boot/efi
├─sda2                part   ext4          /boot
└─sda3                part   crypto_LUKS
  └─sda3_crypt        crypt  LVM2_member
    └─mint--vg-root   lvm    ext4          /

The sda3_crypt indicates your encrypted partition.
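
A check that automates the "look for crypt entries" step, added here as an example and not part of the original page: it parses the JSON form of lsblk's output and reports every mounted filesystem (and swap) that does not sit under a crypt device. The sample tree is constructed to mirror the layout above plus an unencrypted USB stick; call audit_live_system() to check the machine you are on. /boot and /boot/efi are expected to be plaintext on this layout, so they are reported separately rather than as problems.

```python
"""Report mounted filesystems and swap that are not backed by a dm-crypt/LUKS device.

Added example for this page (not part of the original). Input is the JSON from
`lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`; SAMPLE_LSBLK_JSON is constructed to
mirror the tree shown above, plus an unencrypted USB stick.
"""
import json
import subprocess

SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
    {"name": "sda2", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
    {"name": "sda3", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
      {"name": "sda3_crypt", "type": "crypt", "fstype": "LVM2_member", "mountpoint": null, "children": [
        {"name": "mint--vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
        {"name": "mint--vg-swap_1", "type": "lvm", "fstype": "swap", "mountpoint": "[SWAP]"}
      ]}
    ]}
  ]},
  {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "fstype": "exfat", "mountpoint": "/media/user/USBSTICK"}
  ]}
]}
"""

# Plaintext partitions the bootloader needs on this layout. Nothing secret should live here.
EXPECTED_PLAINTEXT = {"/boot", "/boot/efi"}


def unencrypted_mounts(lsblk_json: str) -> list:
    """Return (device, mountpoint) for every mounted fs or swap with no 'crypt' ancestor."""
    findings = []

    def walk(node, under_crypt):
        under_crypt = under_crypt or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint and not under_crypt:
            findings.append((node["name"], mountpoint))
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in json.loads(lsblk_json)["blockdevices"]:
        walk(device, False)
    return findings


def audit(lsblk_json: str) -> dict:
    """Separate the expected plaintext boot partitions from real findings."""
    expected, problems = [], []
    for name, mountpoint in unencrypted_mounts(lsblk_json):
        bucket = expected if mountpoint in EXPECTED_PLAINTEXT else problems
        bucket.append((name, mountpoint))
    return {"expected": expected, "problems": problems}


def audit_live_system() -> dict:
    """Run lsblk on this machine (Linux) and audit the real device tree."""
    result = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True,
    )
    return audit(result.stdout)


if __name__ == "__main__":
    report = audit(SAMPLE_LSBLK_JSON)
    for name, mountpoint in report["expected"]:
        print(f"ok (expected plaintext): {name} at {mountpoint}")
    for name, mountpoint in report["problems"]:
        print(f"UNENCRYPTED: {name} mounted at {mountpoint}")
```

Swap shows up as a mount point of [SWAP] in lsblk, so an unencrypted swap partition (which can hold pages of decrypted files) is caught by the same walk as a plugged-in USB stick.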

How LUKS Works

At boot:

  1. GRUB loads from unencrypted /boot
  2. You enter passphrase
  3. Kernel decrypts root partition using LUKS
  4. System boots with decrypted access

Key concepts:

  • Passphrase: What you type. It is run through a deliberately slow key-derivation function (PBKDF2 in LUKS1, Argon2id by default in LUKS2) to unlock one key slot
  • Master key: The random key that actually encrypts the data. It is not derived from the passphrase; each key slot stores a copy of it wrapped under that slot's passphrase, which is why adding or changing a passphrase never re-encrypts the disk
  • Key slots: LUKS1 has 8 slots and LUKS2 has 32, so several passphrases (or keyfiles) can open the same volume

Add Backup Passphrase to LUKS

Add a backup passphrase in case you forget your primary:

# Add new key slot (you'll need current passphrase)
sudo cryptsetup luksAddKey /dev/sda3

You are asked for an existing passphrase first, then for the new one twice. Afterwards, cryptsetup luksDump on the device shows which key slots are occupied.

Important: Store the backup passphrase securely (password manager, safe, trusted person) and make it as strong as the primary; the volume is only as strong as its weakest slot.

LUKS Header Backup

The LUKS header (the first few megabytes of the partition) holds the key slots and the master-key digest. If it is corrupted or overwritten, the data is unrecoverable even with the right passphrase.

# Backup LUKS header
sudo cryptsetup luksHeaderBackup /dev/sda3 --header-backup-file luks-header-backup.img

Store this file:

  • NOT on the encrypted drive (defeats the purpose)
  • On a separate USB drive, in a safe location
  • Re-take it after every luksAddKey or luksRemoveKey: the backup is a snapshot of the slots as they were at that moment

Security note: Anyone with the header backup plus any passphrase that was valid when it was taken can decrypt your drive, even a passphrase you have since removed from the live header. Protect the backup file like the drive itself.
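
To make the key-slot model above concrete, and to show why the header backup and its security note matter, here is a deliberately simplified model of a LUKS header, written for this page as an added example. It is not LUKS's real on-disk format: real LUKS wraps the master key with AES through an anti-forensic splitter and, in LUKS2, derives slot keys with Argon2id. The iteration counts and the XOR-style wrapping are assumptions chosen for the model. What it preserves is the structure the practices above depend on: the master key is random, each slot wraps that same key under a passphrase-derived key, killing a slot leaves the data untouched, and a stale header backup brings back slots you have since killed.

```python
"""Simplified model of LUKS key slots: random master key, per-slot wrapping, header backups.

Added example for this page; NOT LUKS's real format (see the lead-in).
"""
import copy
import hashlib
import os

KDF_ITERATIONS = 100_000   # model assumption; cryptsetup benchmarks a per-machine cost instead
DIGEST_ITERATIONS = 1_000  # model assumption for the master-key digest check


def _slot_key(passphrase: str, salt: bytes) -> bytes:
    """Passphrase -> 32-byte key-encryption key. The per-slot salt keeps slots independent."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS, dklen=32)


def _mk_digest(master: bytes, salt: bytes) -> bytes:
    """Digest stored in the header so an unlock attempt can be checked without touching the data."""
    return hashlib.pbkdf2_hmac("sha256", master, salt, DIGEST_ITERATIONS, dklen=32)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def format_header(passphrase: str, slots: int = 8) -> dict:
    """luksFormat: draw a random master key, record its digest, fill slot 0."""
    master = os.urandom(32)
    header = {"mk_salt": os.urandom(16), "mk_digest": None, "slots": [None] * slots}
    header["mk_digest"] = _mk_digest(master, header["mk_salt"])
    add_key(header, passphrase, master)
    return header


def add_key(header: dict, new_passphrase: str, master: bytes) -> int:
    """luksAddKey: wrap the SAME master key in the first free slot; the data is not re-encrypted."""
    for index, slot in enumerate(header["slots"]):
        if slot is None:
            salt = os.urandom(16)
            header["slots"][index] = {"salt": salt,
                                      "wrapped": _xor(master, _slot_key(new_passphrase, salt))}
            return index
    raise RuntimeError("no free key slot")


def open_volume(header: dict, passphrase: str):
    """Try each slot; return the master key when the digest matches, else None."""
    for slot in header["slots"]:
        if slot is None:
            continue
        candidate = _xor(slot["wrapped"], _slot_key(passphrase, slot["salt"]))
        if _mk_digest(candidate, header["mk_salt"]) == header["mk_digest"]:
            return candidate
    return None


def kill_slot(header: dict, index: int) -> None:
    """luksKillSlot: erase one slot. The master key and the data are untouched."""
    header["slots"][index] = None


def backup_header(header: dict) -> dict:
    """luksHeaderBackup: a copy of the header is a copy of every slot in it."""
    return copy.deepcopy(header)


def restore_header(backup: dict) -> dict:
    """luksHeaderRestore: the restored header has exactly the slots the backup had."""
    return copy.deepcopy(backup)


if __name__ == "__main__":
    header = format_header("correct horse battery staple")
    master = open_volume(header, "correct horse battery staple")
    old_backup = backup_header(header)
    add_key(header, "backup passphrase", master)
    kill_slot(header, 0)
    print("primary opens current header:", open_volume(header, "correct horse battery staple") is not None)
    print("backup passphrase opens current header:", open_volume(header, "backup passphrase") == master)
    print("stale header backup revives the killed passphrase:",
          open_volume(restore_header(old_backup), "correct horse battery staple") == master)
```

The last line of the demo is the point of the security note above: a header backup taken before a passphrase was removed still unlocks the volume with that passphrase, because the data's master key never changed.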


Part 2: VeraCrypt Encrypted Containers

VeraCrypt creates encrypted containers—perfect for sensitive files you want encrypted even when logged in.

Install VeraCrypt

# Add VeraCrypt repository
sudo add-apt-repository ppa:unit193/encryption
sudo apt update
sudo apt install veracrypt

Or download from: https://www.veracrypt.fr/en/Downloads.html

Create Encrypted Container

  1. Open VeraCrypt (Menu → Accessories → VeraCrypt)
  2. Click Create Volume
  3. Select Create an encrypted file container, then click Next
  4. Select Standard VeraCrypt volume (hidden volumes are covered in Part 3), then click Next
  5. Click Select File, navigate to where you want the container, enter a filename (e.g., secure-files.vc), click Save, then Next
  6. Choose encryption algorithm:
    • AES is fine for most users (fast, hardware-accelerated on modern CPUs)
    • AES-Twofish-Serpent cascades three ciphers (slower; a hedge against one cipher being broken, not a general improvement)
  7. Choose hash algorithm (used to derive the key from your password):
    • SHA-512 recommended
  8. Click Next
  9. Enter container size:
    • Start small (1 GB) to test
    • VeraCrypt on Linux cannot resize a container later, so give real ones headroom
  10. Click Next
  11. Enter a strong password:
    • Use your password manager to generate it
    • Different from your login password
    • Must be memorable or stored securely
  12. Click Next
  13. Move the mouse randomly inside the window for at least 30 seconds; this feeds the entropy pool the volume key is drawn from
  14. Choose filesystem:
    • Ext4 for Linux-only use
    • FAT32 for cross-platform (max 4 GB per file)
    • exFAT for cross-platform with large files
  15. Click Format, then Exit when complete

Mount Encrypted Container

  1. In VeraCrypt, select a slot (e.g., Slot 1)
  2. Click Select File
  3. Navigate to your .vc container
  4. Click Mount
  5. Enter password
  6. Container mounts as /media/veracrypt1

You can now access it like any folder. Files saved here are encrypted.

Unmount When Done

Critical: Dismount when you're done. The container file on disk is always encrypted; what you are closing is the decrypted view, and the key only leaves memory when the volume is dismounted:

  1. Select the mounted slot in VeraCrypt
  2. Click Dismount

Or use Dismount All from the VeraCrypt window before locking or suspending the laptop.

Files are only protected while the container is dismounted. While it is mounted, any program running as you can read it, just as with LUKS after boot.

Auto-Mount at Login (Optional)

For containers you use frequently:

  1. In VeraCrypt, mount the container
  2. Go to Favorites → Add Mounted Volume to Favorites
  3. Enable Mount selected volume upon logon
  4. You’ll enter password at each login

Part 3: Hidden Volumes (Plausible Deniability)

VeraCrypt supports hidden volumes—a second encrypted volume hidden inside the first.

Why Hidden Volumes?

Scenario: You’re forced to reveal your encryption password (coercion, border crossing, etc.).

Standard volume: You give the password, the adversary sees everything.

Hidden volume: You give the outer password, the adversary sees the decoy files. Without the second password, the hidden volume cannot be told apart from the outer volume's random-looking free space.

How It Works

[ Outer Volume (decoy files) ][ Hidden Volume (real files) ][ Free Space ]
                             └── Hidden within apparent free space ──┘
  • The outer volume holds real-looking files you can afford to reveal (an empty or obviously trivial outer volume is itself suspicious)
  • The hidden volume lives inside the outer volume's free space, which VeraCrypt fills with random data when the outer volume is formatted
  • Without the hidden password, the hidden volume cannot be distinguished from that random free space

Creating Hidden Volume

  1. In VeraCrypt, click Create Volume
  2. Select Create an encrypted file container
  3. Select Hidden VeraCrypt volume
  4. Select Normal mode (creates outer + hidden)
  5. Follow prompts to create outer volume first
  6. Add some decoy files to outer volume
  7. Then create hidden volume within it
  8. Different password for hidden volume

Important: VeraCrypt does not know where the hidden volume is unless you give it the hidden password. Whenever you mount the outer volume to add or change decoy files, open Mount Options, enable Protect hidden volume against damage caused by writing to outer volume, and enter the hidden volume's password; without this, writes to the outer volume can silently overwrite the hidden one. Mounting the outer volume plainly (without that option) is what you do under coercion.

Plausible Deniability Limitations

Works against:

  • Casual adversaries
  • Some legal situations
  • People who don’t know VeraCrypt well

Doesn’t work against:

  • Sophisticated forensics: outer-volume files whose timestamps never change, OS traces such as recent-file lists and thumbnail caches that reference files from the hidden volume, and the visible presence of VeraCrypt itself
  • Repeated demands (“give us the OTHER password”)
  • Jurisdictions that criminalize refusing to decrypt
  • People who know you use hidden volumes

Use with realistic expectations.


Part 4: Encrypted USB Drives

USB drives are easily lost. Always encrypt them.

Option 1: LUKS-Encrypted USB (Linux Only)

Format USB with LUKS:

  1. Insert USB drive
  2. Open Disks application (Menu → Accessories → Disks)
  3. Select your USB drive (careful—don’t select your system drive!)
  4. Click the gear icon → Format Partition
  5. Choose Internal disk for use with Linux systems only (Ext4) and tick Password protect volume (LUKS)
  6. Enter the encryption passphrase
  7. Click Format

Using LUKS USB:

  1. Insert drive
  2. System prompts for passphrase
  3. Drive mounts after unlocking
  4. When done, unmount and then lock the device (the padlock button in Disks) before unplugging it; an unlocked but unmounted device still has its key loaded

Limitation: Only works on Linux systems.

Option 2: VeraCrypt USB (Cross-Platform)

Create VeraCrypt container on USB:

  1. Format USB as exFAT (for cross-platform compatibility)
  2. Create VeraCrypt container on the USB
  3. Container file works on Linux, Windows, macOS (with VeraCrypt installed)

For whole-drive encryption:

  1. In VeraCrypt, select Create Volume
  2. Select Encrypt a non-system partition/drive
  3. Select your USB drive
  4. Choose encryption options
  5. Format (destroys all data on USB)

Note: Whole-drive VeraCrypt USB requires VeraCrypt to be installed on any computer that accesses it.

Portable VeraCrypt

Portable mode exists only in the Windows build of VeraCrypt, and even there it needs administrator rights on the host to load VeraCrypt's driver; a Linux or macOS computer needs VeraCrypt installed. For Windows hosts without an installation:

  1. Download the VeraCrypt portable package from the official site and verify its PGP signature
  2. Copy it to the unencrypted portion of the USB drive
  3. Run it to mount the container (accept the administrator prompt)
  4. Nothing is installed on the host, but assume the host can read everything you open there

Part 5: Secure Backups

Backups are critical. Encrypted backups are essential.

The 3-2-1 Rule

  • 3 copies of important data
  • 2 different storage types (e.g., SSD + external HDD)
  • 1 offsite (in case of fire, theft, disaster)

Local Encrypted Backup

Use Déjà Dup (shown as Backups in the menu; add the deja-dup package if it is not installed). Linux Mint's own Backup Tool under Menu → Administration does not encrypt its archives, so don't confuse the two:

  1. Open Backups
  2. Folders to save: Select important folders
  3. Storage location: Choose external drive
  4. Encryption: Enable and set password

Déjà Dup creates incremental encrypted backups.

Schedule: Weekly automatic backups recommended.

Encrypted External Drive Backup

For full system backup:

# Create encrypted backup of home directory (symmetric: you will be asked for a passphrase)
tar -cf - -C /home yourusername | gpg --symmetric --cipher-algo AES256 -o /media/backup-drive/home-backup.tar.gpg

# Confirm the archive decrypts and lists cleanly before trusting it
gpg -d /media/backup-drive/home-backup.tar.gpg | tar -tf - > /dev/null

To restore (into a directory of your choice rather than over your live home):

gpg -d home-backup.tar.gpg | tar -xf - -C /path/to/restore

Offsite Backup Options

Option 1: Encrypted cloud backup

  1. Create VeraCrypt container locally
  2. Put sensitive files in container
  3. Sync container file to cloud (Dropbox, etc.)
  4. Cloud provider sees encrypted blob

Option 2: Encrypted backup service

  • Backblaze — Cheap; offers a private encryption key, but restores require entering that key on Backblaze's website, so it is not fully end-to-end
  • Tarsnap — Expensive but paranoid-friendly, client encrypts
  • Borg Backup + rsync.net — Deduplicating encrypted backup

Option 3: Physical offsite

  1. Create encrypted backup on USB drive
  2. Store at trusted location (family, safe deposit box)
  3. Rotate monthly

Backup Verification

Test your backups regularly:

  1. Pick a random file from backup
  2. Restore it to temporary location
  3. Verify it’s intact
  4. Delete test restore

Untested backups are not backups.
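
The verification routine above, automated, as an added example rather than code from the original page: hash every file when the backup is taken, restore the archive into a scratch directory and compare, so a stale or damaged backup is caught before you need it. It works on the plain tarball; with the gpg pipeline above, run gpg -d first and verify what comes out. The sample directory and its contents are constructed here so the script runs offline.

```python
"""Backup verification: manifest of hashes, test restore into scratch space, compare.

Added example for this page, not code from the original. Sample files are constructed
so it runs offline; for a real check, point create_backup at your home directory and
verify_backup at the tarball you get back from `gpg -d`.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root. Keep this beside the backup."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(root: Path, archive: Path) -> dict:
    """Write root into a gzip tarball and return the manifest taken at the same time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(root, arcname=".")
    return make_manifest(root)


def verify_backup(archive: Path, manifest: dict) -> list:
    """Restore into a throwaway directory; list files that are unreadable, missing or changed."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                if hasattr(tarfile, "data_filter"):   # Python 3.12+ and backports: refuse path traversal
                    tar.extractall(scratch, filter="data")
                else:
                    tar.extractall(scratch)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return [f"unreadable archive: {exc}"]
        restored = make_manifest(Path(scratch))
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"modified: {rel}")
    return problems


def demo() -> dict:
    """Constructed walk-through: a good backup, a stale one, and a damaged one."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "home"
        (home / "docs").mkdir(parents=True)
        (home / "docs" / "taxes.txt").write_text("constructed sample: tax return\n")
        (home / "notes.txt").write_text("constructed sample: notes\n")
        archive = Path(tmp) / "home-backup.tar.gz"

        manifest = create_backup(home, archive)
        clean = verify_backup(archive, manifest)

        # The source changed after the backup: the backup is stale for that file.
        (home / "notes.txt").write_text("edited after the backup was taken\n")
        stale = verify_backup(archive, make_manifest(home))

        # A partial copy (interrupted transfer, failing USB stick): keep only the first 32 bytes.
        archive.write_bytes(archive.read_bytes()[:32])
        damaged = verify_backup(archive, manifest)
    return {"clean": clean, "stale": stale, "damaged": damaged}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'OK' if not problems else problems}")
```

Store the manifest next to the backup (it reveals file names and sizes, so keep it inside the encrypted layer or on the encrypted drive). The stale case is the one the "pick a random file" test tends to miss: the restore works, but the copy is older than you think.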


Part 6: Cloud Storage Encryption

Cloud storage is convenient but not private. Encrypt before uploading.

Option 1: VeraCrypt Container

  1. Create VeraCrypt container
  2. Put files in container
  3. Unmount container
  4. Sync container file to cloud
  5. Cloud sees only encrypted file

Limitation: A container is one big file, so a small change means re-uploading the whole thing unless the sync client does block-level deltas. Also, VeraCrypt by default preserves the container's modification timestamp (Settings → Preferences → Preserve modification timestamp of file containers); turn that off for synced containers, or the sync client may never notice the change.

Option 2: Cryptomator

Cryptomator encrypts files individually before cloud sync:

  • Each file encrypted separately
  • Changes only sync changed files
  • Open source, cross-platform
  • Works with any cloud provider

Install:

sudo add-apt-repository ppa:sebastian-stenzel/cryptomator
sudo apt update
sudo apt install cryptomator

Setup:

  1. Open Cryptomator
  2. Click Add Vault → Create New Vault
  3. Choose location in your cloud sync folder
  4. Set vault password
  5. Vault appears as virtual drive

Use:

  1. Unlock vault with password
  2. Save files to vault drive
  3. Files encrypted individually in cloud folder
  4. Lock vault when done

Option 3: rclone crypt

For command-line users, rclone with crypt backend:

# One-time setup: "cloud" is a remote that already points at your provider
# (set up interactively with rclone config); layer a crypt remote on top of it
rclone config create secret crypt remote=cloud:encrypted \
    filename_encryption=standard directory_name_encryption=true \
    password="$(rclone obscure 'your-long-passphrase')"

# Sync: names and contents are encrypted before anything leaves the machine
rclone sync /local/folder secret:

# Verify that what was uploaded matches the local tree
rclone check /local/folder secret:

Rclone encrypts file names and contents before uploading.


Part 7: File-Level Encryption with Age

Age is a modern, simple file encryption tool (easier than GPG for file encryption).

Install Age

sudo apt install age

Generate Key Pair

# Generate key pair (the file holds the private key; keep it out of anything you share)
mkdir -p ~/.age && chmod 700 ~/.age
age-keygen -o ~/.age/key.txt

Output shows your public key (starts with age1...).

Protect your key file:

chmod 600 ~/.age/key.txt

Encrypt a File

# Encrypt to your key
age -r age1yourpublickeyhere -o document.txt.age document.txt

# Or derive the public key from your key file instead of pasting it
age -r "$(age-keygen -y ~/.age/key.txt)" -o document.txt.age document.txt

Decrypt a File

age -d -i ~/.age/key.txt -o document.txt document.txt.age

Password-Based Encryption

For sharing without key exchange:

# Encrypt with password
age -p -o document.txt.age document.txt
# Enter password when prompted

# Decrypt
age -d -o document.txt document.txt.age
# Enter password when prompted

Share the password securely (Signal, in person, etc.).


Privacy Checkpoint

Your data is now encrypted at multiple levels:

What changed:

  • System drive encrypted (LUKS from Week 2)
  • Sensitive files in VeraCrypt containers
  • USB drives encrypted
  • Backups encrypted
  • Cloud storage encrypted

What you gained:

  • Physical theft doesn’t expose data
  • Lost devices don’t compromise privacy
  • Cloud providers can’t read your files
  • Backups are safe even if stolen

What you traded:

  • Passwords to remember/manage
  • Slight performance overhead
  • Risk of data loss if passwords forgotten

Troubleshooting

Forgot VeraCrypt password

No recovery possible. VeraCrypt has no backdoor by design.

Prevention:

  • Store password in password manager
  • Keep backup of password in safe location
  • Use passwords you can remember

LUKS won’t decrypt at boot

Try:

  1. Double-check passphrase (caps lock?)
  2. Try backup passphrase
  3. Boot from live USB and mount manually:
    sudo cryptsetup open /dev/sda3 crypt-recovery
    sudo vgchange -ay                      # activate the LVM volumes inside it
    sudo mount /dev/mint-vg/root /mnt      # root LV from the lsblk output above

VeraCrypt container won’t mount

Check:

  1. File not corrupted (hash matches original?)
  2. Password correct
  3. Container not already mounted
  4. Sufficient permissions

Lost LUKS header

If you have header backup:

sudo cryptsetup luksHeaderRestore /dev/sda3 --header-backup-file luks-header-backup.img

This overwrites the on-disk header with the backup, so the passphrases that work afterwards are exactly the ones that existed when the backup was taken: slots removed since then come back, slots added since then are gone. Take a fresh backup after every key change.

No backup = data lost forever.

Backup restore fails

  1. Check encryption password is correct
  2. Verify backup file integrity
  3. Try different backup copy
  4. This is why 3-2-1 rule matters

Going Further (Optional)

Deniable Encryption with VeraCrypt

Advanced hidden OS setup:

  • Hidden operating system inside hidden volume
  • Boot from decoy or hidden OS based on password
  • Extreme plausible deniability
  • Very complex setup

Documentation: https://www.veracrypt.fr/en/Hidden%20Operating%20System.html

Full Disk Encryption with VeraCrypt

VeraCrypt can encrypt entire Windows systems:

  • Pre-boot authentication
  • Rescue disk required
  • Alternative to BitLocker with more transparency

Linux users should stick with LUKS.

Hardware Encrypted Drives

Self-encrypting drives (SEDs):

  • Encryption handled by drive hardware
  • Very fast (no CPU overhead)
  • You are trusting the manufacturer's implementation, which you cannot inspect; independent audits of consumer SSDs have found hardware encryption that could be bypassed. Treat a SED as a convenience layer, not a replacement for LUKS or VeraCrypt on top

Examples: Samsung T7 Touch, iStorage datAshur

Tomb (Linux Encrypted Folders)

Tomb creates encrypted folders with neat features:

  • Keys stored separately from data
  • Can bind to specific hardware
  • Scriptable for automation

sudo apt install tomb            # if your distribution does not package it, build from the upstream source
tomb dig -s 100 secret.tomb      # allocate a 100 MiB tomb file
tomb forge secret.tomb.key       # create the key (asks for a passphrase; gathers entropy, so it can take a while)
tomb lock secret.tomb -k secret.tomb.key
tomb open secret.tomb -k secret.tomb.key   # mounts the tomb; tomb prints the mount point
tomb close                       # unmount and lock when done

What’s Next

Your data is now encrypted at rest and in transit. The final week brings everything together—operational security practices, ongoing maintenance, and the privacy mindset that makes all these tools effective.

Week 10 covers operational security and tying it all together.


Summary

This week you:

  • Understood your existing LUKS full disk encryption
  • Created VeraCrypt encrypted containers for sensitive files
  • Learned about hidden volumes for plausible deniability
  • Encrypted USB drives for portable secure storage
  • Established encrypted backup practices
  • Learned to encrypt cloud storage with Cryptomator
  • Used Age for simple file-level encryption

Your data is now encrypted at rest. Combined with encrypted communications (Week 6), VPN (Week 7), and Tor (Week 8), you have comprehensive protection. Next we’ll add two-factor authentication for account security.


💻 Ready for the command line? Cypherpunk 101 covers the same ground with cryptsetup/LUKS, gocryptfs, and encrypted backups over SSH: Cypherpunk 101 Week 4: Encrypted Filesystems & Containers →

← Back to Week 8: Tor Browser

Continue to Week 10: Two-Factor Authentication →