cryptmount - a utility for accessing Linux encrypted filesystems

cryptmount is a utility for GNU/Linux operating systems which allows an ordinary user to mount an encrypted filing system without requiring superuser privileges. It can operate on LUKS volumes created by cryptsetup.

The device-mapper technologies offered by the Linux kernel provide many options for creating encrypted filesystems, but require a number of steps before an encrypted filing system can actually be mounted and made available in user-space. These steps are typically not supported directly by the 'mount' or 'pmount' commands, nor does the syntax of /etc/fstab lend itself to describing all the necessary filesystem parameters. This is especially so if the filesystem is stored in an ordinary file, which would require separate configuration of a loopback device and a devmapper target before the filesystem could be accessed.

cryptmount was created to make it as easy for ordinary users to access encrypted filesystems on-demand using the modern devmapper mechansism as it was to use the older, now deprecated, cryptoloop methods. As well as acting as a front-end to LUKS (cryptsetup) encrypted containers, it offers the following options:

transparent support for filesystems stored on either raw disk partitions or loopback files
optional separate encryption of filesystem access keys, allowing access passwords to be changed without re-encrypting the entire filesystem
storing multiple encrypted filesystems within a single disk partition, using a designated subset of blocks for each
rarely used filesystems do not need to be mounted at system startup
un-mounting of each filesystem is locked so that this can only be performed by the user that mounted it, or the superuser
encrypted access-keys can be chosen to be compatible with OpenSSL; managed via libgcrypt, or use built-in SHA1/Blowfish ciphers
support for encrypted swap partitions (superuser only)
support for setting up encrypted filesystems or crypto-swap at system boot-up

There are a number of different ways of accessing encrypted filesystems under Linux, each with their own strengths and weaknesses. Some of the closest alternatives to cryptmount are as follows:

dmsetup (part of the libdevmapper package) is a powerful tool for performing very low-level configuration of device-mapper targets, but requires root privileges and is not straightforward to use interactively for setting up dm-crypt targets.
cryptsetup is a powerful tool for performing lower-level configuration of the 'dm-crypt' target through libdevmapper. cryptsetup is supplied with scripts that can setup and mount encrypted filesystems at system startup, but this does not give ordinary users control over their own encrypted filesystems.
sudo + dmsetup/cryptsetup - neither dmsetup nor cryptsetup is suitable for unrestricted use by ordinary users. 'sudo' would only appear to help get round the problem of needing root privileges if one had a script that performed the necessary calls to dmsetup/cryptset/losetup before mounting the filesystem. Such a script would probably have to perform many of the tasks that cryptmount already handles.
PAM-mount allows filing systems to be automatically mounted when a user logs in, but this makes it more difficult to decouple normal logins & passwords from occasional access to encrypted data having a separate password.

cryptmount is currently available within a variety of Linux distributions, including:

The development history is hosted on GitHub, and source packages can also be found on Sourceforge.

The manual pages of cryptmount-6.2.0 for the executable and its configuration file are also available online.

The author would welcome constructive feedback on this webpage or on cryptmount itself. These can be sent to rwpenney«AT»users«DOT»sourceforge«DOT»net .