Encrypted Code Vault
The vault is a LUKS2-encrypted BTRFS loopback image used to store source code and sensitive project files. It lives at ~/.vault.img and mounts to ~/Code.
Creating the Vault (First Time)
bash
bash scripts/00-setup-vault.shThe script will ask for:
- Vault size — default 60G (can be grown later)
- LUKS2 passphrase — choose a strong one; this encrypts everything in the vault
What it creates:
~/.vault.img ← encrypted container (BTRFS inside LUKS2)
~/Code/ ← mount point (empty when vault is locked)Daily Use
bash
# Unlock and mount
bash scripts/05-mount-vault.sh
# Lock and unmount
bash scripts/06-unmount-vault.shVault Details
| Property | Value |
|---|---|
| Image path | ~/.vault.img |
| Mapper name | code_vault |
| Mount point | ~/Code |
| Filesystem | BTRFS |
| Label | CODE_REPOS |
| Encryption | LUKS2 (AES-256-XTS) |
| Current size | 60G (41% used on reference system) |
Manual Operations
bash
# Open the vault manually
sudo cryptsetup open ~/.vault.img code_vault
sudo mount /dev/mapper/code_vault ~/Code
sudo chown -R $USER:$USER ~/Code
# Close the vault manually
sudo umount ~/Code
sudo cryptsetup close code_vault
# Check vault usage
df -h ~/CodeGrowing the Vault
If you run out of space:
bash
# Close the vault first
bash scripts/06-unmount-vault.sh
# Grow the image by 20G
sudo dd if=/dev/zero bs=1G count=20 >> ~/.vault.img
# Reopen and resize
sudo cryptsetup open ~/.vault.img code_vault
sudo cryptsetup resize code_vault
sudo mount /dev/mapper/code_vault ~/Code
sudo btrfs filesystem resize max ~/CodeBackup
Back up by copying the raw image file. The entire encrypted container is a single file:
bash
# Close vault before backup
bash scripts/06-unmount-vault.sh
# Backup (rsync preserves sparse files)
rsync -avP --sparse ~/.vault.img /path/to/backup/