Cryptmount – A Utility to Create Encrypted Filesystems in Linux

Cryptmount is a powerful utility which allows any user to access encrypted filesystems on-demand under GNU/Linux systems without requiring root privileges. It requires Linux 2.6 or higher. It handles both encrypted partitions as well as encrypted files.

It makes it as easy (compared to older approaches such as cryptoloop device driver and dm-crypt device-mapper target) for ordinary users to access encrypted filesystems on-demand using the newer devmapper mechanism. Cryptmount helps a system administrator in creating and managing encrypted filesystems based on the kernel’s dm-crypt device-mapper target.

Cryptmount offers the following advantages:

  • access to enhanced functionality in the kernel.
  • support for filesystems stored on either raw disk partitions or loopback files.
  • different encryption of filesystem access keys, enabling access passwords to be modified without re-encrypting the whole filesystem.
  • keeping various encrypted filesystems on a single disk partition, using a designated subset of blocks for each.
  • hardly used filesystems don’t need to be mounted during system startup.
  • un-mounting of every filesystem is locked so that this can only be conducted by the user that mounted it, or the root user.
  • encrypted filesystems compatible with cryptsetup.
  • support for encrypted swap partitions (superuser only).
  • support for creating encrypted filesystems or crypto-swap at system boot-up.

How to Install and Configure Cryptmount in Linux

On Debian/Ubuntu distributions, you can install Cryptmount using the apt command as shown.

$ sudo apt install cryptmount

On RHEL/CentOS/Fedora distributions, you can install it from source. First start installing the required package(s) to successfully build and use cryptmount.

# yum install device-mapper-devel

Then download the latest Cryptmount source files using the wget command and install it as shown.

# wget
# tar -xzf  cryptmount-5.2.4.tar.gz
# cd  cd cryptmount-5.2.4
# ./configure
# make
# make install 

After installation successful, it’s time to configure cyptmount and create an encrypted filesystem using the cyptmount-setup utility as superuser, otherwise use the sudo command as shown.

# cyptmount-setup
$ sudo cyptmount-setup

Running the above command will ask you a series of questions to setup a secure filing-system that will be managed by cryptmount. It will ask for target name for your filesystem, user who should own the encrypted filesystem, location and size of the filesystem, filename (absolute name) for your encrypted container, location of the key as well as password for the target.

In this example, we are using the name 'tecmint' for the target filesystem. The following is a sample output of the crytmount-setup command output.

Create Encrypted Filesystem in Linux

Create Encrypted Filesystem in Linux

Once the new encrypted filesystem is created, you can access it as follows (enter the name you specified for your target – tecmint), you will be prompted to enter the password for the target.

# cryptmount tecmint
# cd /home/crypt

To unmount the target run cd command to get out of the encrypted filesystem, then use the -u switch to unmount as shown.

# cd
# cryptmount -u tecmint
Access Encrypted Filesystem

Access Encrypted Filesystem

In case you have created more than one encrypted filesystem, use the -l switch to list them.

# cryptsetup -l 
List Encrypted Filesystems in Linux

List Encrypted Filesystems in Linux

To change the old password for a specific target (encrypted filesystem), use the -c flag as shown.

# cryptsetup -c tecmint
Change Encrypted Filesystem Password

Change Encrypted Filesystem Password

Take a note of the following important points while using this critical tool.

  • Do not forget your password, once you forget it, it’s not recoverable.
  • It is strongly recommended to save a backup copy of the key-file. Deleting or corrupting the key-file implies that the encrypted filesystem will in effect be impossible to access.
  • In case you forget the password or delete the key, you can fully remove the encrypted filesystem and start over, however you will lose your data (which is not recoverable).

If you wish to use more advanced setup options, the setup process will depend on your host system, you can refer to cryptmount and cmtab man pages or visit cyptmount homepage under the “files” sections for a comprehensive guide.

# man cryptmount
# man cmtab

cryptmount enables for management and user-mode mounting of encrypted filesystems on GNU/Linux systems. In this article, we have explained you how to install it on various Linux distributions. You can ask questions or share your thoughts about it, with us via the comment section below.

If You Appreciate What We Do Here On TecMint, You Should Consider:

TecMint is the fastest growing and most trusted community site for any kind of Linux Articles, Guides and Books on the web. Millions of people visit TecMint! to search or browse the thousands of published articles available FREELY to all.

If you like what you are reading, please consider buying us a coffee ( or 2 ) as a token of appreciation.

Support Us

We are thankful for your never ending support.

Aaron Kili

Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.

Your name can also be listed here. Got a tip? Submit it here to become an TecMint author.

RedHat RHCE and RHCSA Certification Book
Linux Foundation LFCS and LFCE Certification Preparation Guide
The Complete Linux System Administrator Bundle
Become an Ethical Hacker Bonus Bundle

You may also like...

2 Responses

  1. Nathan Tallman says:

    You have some typos, cyptomount and cyptomount-setup should be cryptmount and cryptmount-setup. Thanks for the article.

Leave a Reply to Aaron Kili Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.