Encrypting a directory on Linux
The following describes how to encrypt a directory on a Linux based system. Many administrators may wonder why you would encrypt a single directory when you can encrypt the entire drive at very low cost to performance. The methods below cover cases full-disk encryption does not: protecting data that leaves the machine (for example an archive kept in cloud storage), and keeping one directory locked while the rest of the system is in use.
Encrypting a file
First, archive everything in the directory (called filesystem here) into a tar file:
tar cf secretarchive.tar filesystem
You can now compress it with bzip2, which produces secretarchive.tar.bz2.
If you wanted to, you could decompress and unpack it again with:
bunzip2 secretarchive.tar.bz2
tar -xvf secretarchive.tar
To encrypt the file secretarchive.tar.bz2, you can use
openssl enc -aes-256-cbc -salt -in secretarchive.tar.bz2 -out secretarchive.tar.bz2.enc
Enter a strong password when prompted. Be aware that without the -pbkdf2 option (available since OpenSSL 1.1.1) openssl enc derives the key from the password with a single hash iteration, which makes offline guessing of the password cheap; add -pbkdf2 (optionally with -iter) to both the encrypt and the decrypt command. To decrypt:
openssl enc -d -aes-256-cbc -in secretarchive.tar.bz2.enc -out secretarchive.tar.bz2
Be aware that this scheme encrypts and decrypts everything in bulk. To work on the files they must be decrypted, and the plaintext archive and the extracted files remain on disk until you delete them: if a power failure or system crash while you are working is followed by a stolen laptop, the files are exposed. AES-CBC as used here also gives confidentiality only; a ciphertext that has been modified in storage is not detected on decryption. The scheme is suited to storing content in the cloud, where you have limited trust, but you would not decrypt it there: download to a local, trusted filesystem, decrypt, access or update the files, and re-encrypt before uploading.
Much of the information from this section comes from: https://unix.stackexchange.com/questions/28603/simplest-way-to-password-protect-a-directory-and-its-contents-without-having-to
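The same archive-and-encrypt workflow as a script, added here as an example; it is not code from the original page or from the Stack Exchange answer it cites. It pipes tar into bzip2 and then into openssl so that the plaintext tarball is never written to disk, uses -pbkdf2 key derivation, reads the passphrase from an environment variable named ARCHIVE_PASS (an assumed name) instead of the command line, and records a SHA-256 fingerprint of the ciphertext because AES-CBC on its own will not reveal tampering. It assumes OpenSSL 1.1.1 or later, tar and bzip2; the sample directory it builds for the round-trip check is constructed.

```shell
#!/bin/sh
# Added example, not code from the original page: archive, compress and encrypt a
# directory in one pipeline so that no plaintext tarball touches the disk, then
# decrypt it back. Assumes OpenSSL 1.1.1 or newer (for -pbkdf2 and -iter), tar and
# bzip2. The passphrase is taken from the environment variable ARCHIVE_PASS (an
# assumed name) via "-pass env:", so it appears neither in shell history nor in `ps`.

# Cipher and key-derivation settings; decryption must use the same ones. Left
# unquoted on purpose so the shell splits it into separate options.
# Without -pbkdf2, "openssl enc" derives the key with a single hash iteration,
# which makes offline guessing of the passphrase much cheaper.
ENC_OPTS="-aes-256-cbc -salt -pbkdf2 -iter 100000"

# encrypt_dir DIR OUTFILE : write OUTFILE (e.g. secretarchive.tar.bz2.enc) from DIR.
encrypt_dir() {
    [ -n "$ARCHIVE_PASS" ] || { echo "ARCHIVE_PASS is not set" >&2; return 1; }
    [ -d "$1" ] || { echo "no such directory: $1" >&2; return 1; }
    tar -cf - -C "$(dirname "$1")" "$(basename "$1")" \
        | bzip2 -c \
        | openssl enc $ENC_OPTS -pass env:ARCHIVE_PASS -out "$2"
}

# decrypt_dir INFILE DESTDIR : restore the archive under DESTDIR.
# AES-CBC carries no authentication tag: a wrong passphrase normally fails with
# "bad decrypt", but a corrupted or tampered ciphertext is not reliably detected.
decrypt_dir() {
    [ -n "$ARCHIVE_PASS" ] || { echo "ARCHIVE_PASS is not set" >&2; return 1; }
    mkdir -p "$2" &&
    openssl enc -d $ENC_OPTS -pass env:ARCHIVE_PASS -in "$1" \
        | bunzip2 -c \
        | tar -xf - -C "$2"
}

# ciphertext_fingerprint FILE : SHA-256 of the encrypted archive, printed as hex.
# Keep it somewhere an attacker who can edit the archive cannot also edit (a
# password manager, a signed note); comparing it before decryption is the
# integrity check that CBC alone does not provide.
ciphertext_fingerprint() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# roundtrip_check : encrypt a constructed sample directory, decrypt it into a
# fresh location and compare. Returns 0 when the restored files match and the
# ciphertext does not contain the sample plaintext, 1 otherwise.
roundtrip_check() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/filesystem"
    printf 'constructed sample secret\n' > "$work/filesystem/notes.txt"
    head -c 4096 /dev/urandom > "$work/filesystem/blob.bin"
    export ARCHIVE_PASS='correct horse battery staple'   # demo value only
    encrypt_dir "$work/filesystem" "$work/secretarchive.tar.bz2.enc" || return 1
    decrypt_dir "$work/secretarchive.tar.bz2.enc" "$work/restore" || return 1
    status=1
    if cmp -s "$work/filesystem/notes.txt" "$work/restore/filesystem/notes.txt" \
       && cmp -s "$work/filesystem/blob.bin" "$work/restore/filesystem/blob.bin" \
       && ! grep -q 'constructed sample secret' "$work/secretarchive.tar.bz2.enc"; then
        status=0
    fi
    rm -rf "$work"
    return $status
}

# Typical use, with the passphrase exported by the caller rather than passed as an argument:
#   export ARCHIVE_PASS='...'
#   encrypt_dir ./filesystem secretarchive.tar.bz2.enc
#   ciphertext_fingerprint secretarchive.tar.bz2.enc
#   decrypt_dir secretarchive.tar.bz2.enc ./restore
```

The exit status of each pipeline is that of its last command, so a failing tar would still let openssl write an (incomplete) archive; the directory check at the top of encrypt_dir guards the common case, and the round-trip check is the way to be sure an archive restores before the plaintext is deleted.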
Encrypting a directory with encfs
This section describes how to encrypt a directory on Linux with encfs, a FUSE filesystem that stores ciphertext in one directory and presents the plaintext view at another. Start by making sure that you have encfs installed.
mkdir /root/.encrypted/ /root/encrypted
encfs /root/.encrypted /root/encrypted
You can then follow the prompts to set up an encrypted directory. The encfs command leaves a daemon running; this daemon performs the encryption (and decryption) when you write to or read from files under /root/encrypted.
Create some files:
cd /root/encrypted/
touch file1 file2 file3 file4 file5
The files you just created under /root/encrypted were not written to disk directly. The writes were performed by the encfs process, which encrypts and decrypts the data and uses the /root/.encrypted directory to store the ciphertext.
To see this, list the contents of /root/encrypted/, then cd into /root/.encrypted and list it as well:
cd /root/.encrypted
ls
It should be clear that /root/.encrypted is where the files are stored encrypted, while /root/encrypted is where they are accessible. Modify one of the files in /root/encrypted.
When you have finished working with your files, unmount the filesystem so that the plaintext view can no longer be accessed:
fusermount -u /root/encrypted
When you wish to use the directory again you can use:
encfs /root/.encrypted /root/encrypted
Check that the change that you made persisted through the unmounting and mounting process.
Home Directory Encryption
Do not do this for the first time on a production system. Experiment with a clone of a virtual machine that you can afford to lose. The commands in this section are for Arch Linux (pacman is its package manager).
sudo pacman -S ecryptfs-utils
Then, make sure that the kernel module is loaded:
sudo modprobe ecryptfs
Then you can encrypt your home directory with (DO NOT RUN WITH SUDO!):
You will be asked for your sudo password and a mount passphrase; enter them.
Encrypting a directory with ecryptfs
This section is adapted from a very useful page elsewhere. On Debian or Ubuntu, install the packages:
sudo apt-get install ecryptfs-utils lsof
Choose a good passphrase, then create the directory ~/secret that will be encrypted.
Mount it with the following command (all on one line; the option list must contain no spaces):
sudo mount -t ecryptfs ~/secret ~/secret -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no,passphrase_passwd=PASSWORD
Replace PASSWORD with your passphrase. Passing it on the command line records it in your shell history and exposes it to other users through ps while mount runs; omit passphrase_passwd to be prompted for it instead. ecryptfs_key_bytes=16 selects AES-128; use 32 for AES-256. With ecryptfs_enable_filename_crypto=no the file contents are encrypted but the file names remain readable in the lower directory.
Answer yes to both questions.
To check the encryption, with the directory still mounted, create a test file with
sudo vim secret/test.txt
Enter a pseudo-secret message, save the file, and read it back.
Then unmount the directory:
sudo umount ~/secret
Try to re-read the file. Only the ciphertext is left in ~/secret (under its original name, since file name encryption was disabled above).
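Both procedures above end with an unmount step (fusermount -u for encfs, umount for eCryptfs), and the data is only protected while the view is not mounted. The following helper is added here as an example and is not taken from the original page: it reads /proc/mounts to report which encfs or eCryptfs views are still mounted, summarises each eCryptfs mount's cipher, key size and whether file names are encrypted, and unmounts them, for use before suspend, logout or leaving the machine. It assumes the Linux /proc/mounts layout (device, mount point, type, options, dump, pass; spaces in paths appear as \040 and are left unchanged) and the option names these filesystems report; the sample mount table used to exercise it is constructed.

```shell
#!/bin/sh
# Added example, not code from the original page: find encfs (FUSE) and eCryptfs
# views that are still mounted so they can be unmounted before the machine is left
# unattended. Reads /proc/mounts by default. Assumed field layout, as on Linux:
# "device mountpoint fstype options dump pass"; spaces in paths are escaped as
# \040 by the kernel and are printed here as-is.

# list_encrypted_mounts [MOUNTS_FILE] : print "fstype mountpoint" for every encfs
# or eCryptfs mount.
list_encrypted_mounts() {
    awk '$3 == "fuse.encfs" || $3 == "ecryptfs" { print $3, $2 }' "${1:-/proc/mounts}"
}

# ecryptfs_mount_summary [MOUNTS_FILE] : for each eCryptfs mount print
# "mountpoint cipher key_bytes filename_crypto". filename_crypto is "yes" when the
# mount carries an ecryptfs_fnek_sig option (file name encryption enabled), "no"
# otherwise. ecryptfs_key_bytes=16 means AES-128; 32 means AES-256.
ecryptfs_mount_summary() {
    awk '$3 == "ecryptfs" {
        cipher = "?"; bytes = "?"; fnek = "no"
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            if (opt[i] ~ /^ecryptfs_cipher=/)        { sub(/^[^=]*=/, "", opt[i]); cipher = opt[i] }
            else if (opt[i] ~ /^ecryptfs_key_bytes=/) { sub(/^[^=]*=/, "", opt[i]); bytes = opt[i] }
            else if (opt[i] ~ /^ecryptfs_fnek_sig=/)  { fnek = "yes" }
        }
        print $2, cipher, bytes, fnek
    }' "${1:-/proc/mounts}"
}

# unmount_encrypted_mounts [MOUNTS_FILE] : unmount every view found above.
# encfs is a FUSE filesystem and is released with fusermount -u, as on the page;
# eCryptfs is a kernel filesystem and needs umount, normally run as root.
unmount_encrypted_mounts() {
    list_encrypted_mounts "${1:-/proc/mounts}" | while read -r fstype mnt; do
        case $fstype in
            fuse.encfs) fusermount -u "$mnt" ;;
            ecryptfs)   umount "$mnt" ;;
        esac
    done
}
```

Run ecryptfs_mount_summary after mounting to confirm the cipher and key size you asked for actually took effect, and unmount_encrypted_mounts from a logout or pre-suspend hook; a view that is still mounted when the laptop is stolen gives the thief the plaintext.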