Do cryptsetup encryption from user space, possibly as ordinary user
I have the duty to create a package format which has its contents compressed and encrypted and which can be mounted.
I have modelled it to be a squashfs embedded in a cryptsetup raw device.
Alas, this prevents me from building such a package from a build server such as Jenkins, as I would need root access in order to set up a cryptsetup. And doing the same from within a Docker container doesn't work either, as Docker isn't transparent for the device mapper.
So I have the following options:
1. Only create the squashfs on the build server and complete the cryptsetup layer "manually"
2. Somehow do the cryptsetup encryption without kernel involvement.
As 1. would add another step to the process, I'd prefer to do something like 2.
In order to be a little more comprehensible:
Currently, I do something along the lines of
mksquashfs tempfile -noappend
cryptsetup open -q -d keyfile outfile
mksquashfs /dev/mapper/ -noappend
cryptsetup close
I would like to simplify this into
mksquashfs tempfile -noappend
user_space_crypt_create -q -d keyfile tempfile outfile
where user_space_crypt_create just transforms the unencrypted tempfile to a (raw) encrypted outfile which later can be mounted on the target system via cryptsetup.
Does something like this exist?
Asked by glglgl
(1210 rep)
Jul 5, 2023, 03:49 PM
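The transformation the question asks for, sketched as an added example that is not part of the original post and not an existing tool: a dm-crypt plain-mode image can be produced without the kernel by encrypting each sector in user space. It assumes plain mode with cipher aes-xts-plain64, 512-byte sectors, offset 0 and a keyfile whose first 64 bytes are used directly as the key (none of these are stated in the question), and it relies on the third-party Python package `cryptography`; the function names are hypothetical.

```python
"""User-space writer for a dm-crypt *plain* image (added example).
Assumed parameters: aes-xts-plain64, 512-byte sectors, offset 0, raw 64-byte key."""
import struct
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

SECTOR = 512  # assumed dm-crypt sector size


def _tweak(sector_no: int) -> bytes:
    # plain64 IV: 64-bit little-endian sector number, zero-padded to 16 bytes
    return struct.pack("<QQ", sector_no, 0)


def crypt_sectors(data: bytes, key: bytes, first_sector: int = 0,
                  decrypt: bool = False) -> bytes:
    """Encrypt or decrypt whole sectors, each one under its own XTS tweak."""
    if len(key) not in (32, 64):
        raise ValueError("XTS key must be 32 or 64 bytes")
    if len(data) % SECTOR:
        raise ValueError("data must be a whole number of sectors")
    out = bytearray()
    for off in range(0, len(data), SECTOR):
        tweak = _tweak(first_sector + off // SECTOR)
        cipher = Cipher(algorithms.AES(key), modes.XTS(tweak))
        ctx = cipher.decryptor() if decrypt else cipher.encryptor()
        out += ctx.update(data[off:off + SECTOR]) + ctx.finalize()
    return bytes(out)


def encrypt_image(src_path, dst_path, key_path, chunk_sectors=2048):
    """Stream src (e.g. a squashfs file) into an encrypted dst; returns sector count."""
    with open(key_path, "rb") as f:
        key = f.read(64)  # key taken directly from the keyfile, no hashing
    sector_no = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            chunk = src.read(chunk_sectors * SECTOR)
            if not chunk:
                break
            # zero-pad a short final chunk up to a sector boundary
            chunk += b"\0" * (-len(chunk) % SECTOR)
            dst.write(crypt_sectors(chunk, key, sector_no))
            sector_no += len(chunk) // SECTOR
    return sector_no
```

Under the same assumptions, the target system would have to open the result with matching explicit parameters (`--type plain --cipher aes-xts-plain64 --key-size 512 --key-file keyfile`), since a mismatch in cipher, key size or sector size yields unreadable data rather than an error.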