Encrypting a directory on Linux

From packets2photons
Jump to navigation Jump to search

The following is being written to describe how to encrypt a directory on a Linux based system. For many administrators, you may wonder why you would encrypt a directory when you can encrypt the entire drive at very low cost to performance

Encrypting a file

First, you will want to archive everything in the directory. Create a Tar file:

tar cf secretarchive.tar filesystem

You can now bzip this with

bzip2 secretarchive.tar  

If you wanted to you could decompress with:

bunzip2 secretarchive.tar.bz2
tar -xvf secretarchive.tar

To encrypt the file secretarchive.tar.bz2, you can use

openssl enc -aes-256-cbc -salt -in secretarchive.tar.bz2 -out secretarchive.tar.bz2.enc

You should enter a strong password when prompted. To decrypt:

openssl enc -d -aes-256-cbc -in secretarchive.tar.bz2.enc -out secretarchive.tar.bz2

Please be aware that this scheme involves mass decryption and encryption. To work on the files, they must be unencrypted. If you are working on the files and there is a power failure or system crash followed by a stolen laptop then your files will be available. This could be used to store content in the cloud, where you have limited trust, but again, you would not want to unencrypt in the cloud. you would download to a local trusted filesystem where you decrypt access/update and the you would re-encrypt before uploading.

Directory Encryption

Much of the information from this section comes from: https://unix.stackexchange.com/questions/28603/simplest-way-to-password-protect-a-directory-and-its-contents-without-having-to

This section will describe how to encrypt a directory in Linux systems. Start by making sure that you have encfs.

mkdir /root/.encrypted/ /root/encrypted
encfs /root/.encrypted  /root/encrypted

You can then follow the prompts to sets up an encrypted directory. The encfs command leaves a daemon running, and this daemon handles the encryption (and decryption when you read or write to files to /root/encrypted).

Create some files:

cd /root/encrypted/
touch file1
touch file2
touch file3
touch file4
touch file5

So the files you just created under /root/encrypted, did not translate directly to reading or writing from the disk. They are performed by the encfs process, which encrypts and decrypts the data and uses the /root/.encrypted directory to store the ciphertext.

To better understand this, within /root/encrypted/ type


Then cd into /root/.encrypted

cd /root/encrypted

It should be pretty clear that the storage of files in /root/.encrypted is where the files are encrypted and in /root/encrypted the files are accessible. Modify one of the files in /root/encrypted

When you've finished working with your files, you should unmount the filesystem to prevent the directory from being accessed.

fusermount -u /root/encrypted

When you wish to use the directory again you can use:

encfs /root/.encrypted /root/encrypted

Check that the change that you made persisted through the unmounting and mounting process.

Home Directory Encryption


Arch instructions

Don't do this for the first time on a production system. Experiment with clone of a virtual machine that you can afford to lose.

sudo pacman -S ecryptfs-utils

Then, make sure that the kernel module is loaded:

sudo modprobe ecryptfs

Then you can encrypt your home directory with (DO NOT RUN WITH SUDO!):


You will be asked your sudo password and a mount password. Enter them

Raspberry Pi

This section is adapted from this very useful page. Install the packages

sudo apt get install ecryptfs-utils lsof

Think of a good password, then create a directory to encrypt.

mkdir secret

Use the following command:

sudo mount -t ecryptfs ~/secret ~/secret -o key=passphrase, 

Answer yes to both questions.

To check the encryption, with the directory still being mounted, create a test file with

sudo vim secret/test.txt

Enter a pseudo secret message, then save the file and read it back with:

cat secret/test.txt

Then unmount the directory

sudo umount ~/secret

Try to re-read the encrypted file.

cat secret/test.txt

LUKS dm-crypt