Under Linux, is it possible to encrypt a folder/partition in a way that it is not accessible to anyone without the password?
- eCryptFS can encrypt your home folder (& subfolders), and automatically decrypt with your login passphrase - root can't just change your passphrase, it needs your actual login passphrase. The ecryptfs-migrate-home script/tool can encrypt an existing home, or many distributions can encrypt a home when a new user's created. It's available for most distributions: Debian, Mint & Ubuntu derived, Arch, Gentoo, etc. And is free to expand its size. Or, it can use just a single encrypted "Private" folder too, with ecryptfs-setup-private
- EncFS encrypts a folder too, but may need more customization for secure auto-decrypt.
- LUKS or plain dm-crypt uses a container file or device, of a fixed size, not as easy to expand as the above file-based solutions, but it doesn't reveal as much info (file number & approximate size) either
- TrueCrypt or derivatives work similarly to LUKS
- Many distributions can also be installed with "full disk encryption" (usually using LUKS & LVM), that requires the correct passphrase entered at boot. It's a good solution for a single-user ("personal") computer that doesn't need to reboot all by itself, but on a multi-user computer it would be "decrypted" to every other user too.
You can use dm-crypt for that. You need to create an empty file which will be used as a storage device. You can create one with a specific size with either dd or for example fallocate:
fallocate -l 512M /home/user/cryptedDevice
dd if=/dev/zero of=/home/user/cryptedDevice bs=1M count=512
This will create a 512 MB file in your home directory called cryptedDevice.
Then you can set up LUKS on top of that file:
cryptsetup -y luksFormat /home/user/cryptedDevice
With LUKS you can easily change the size of the container, etc.
To open the crypted file you can do:
cryptsetup luksOpen /home/user/cryptedDevice someDeviceName
Then you need to format this partition with a file system:
mkfs.ext4 -j /dev/mapper/someDeviceName
And after that you can simply mount that device to a folder:
mount /dev/mapper/someDeviceName /mnt/
Reference: DigitalOcean
Just a side note: if, when running
cryptsetup -y luksFormat /home/user/cryptedDevice
you get this error:
"Not compatible PBKDF options"
run it with --type luks1:
cryptsetup -y luksFormat /home/user/cryptedDevice --type luks1
reference: https://github.com/latchset/luksmeta/pull/10
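A read-only check to run after luksFormat, added here as an example and not part of the original answers: it parses the on-disk header of a container file to tell LUKS1 from LUKS2 (the --type luks1 distinction above) and lists the metadata the header leaves in cleartext. Field offsets follow the LUKS1 and LUKS2 on-disk formats; the function names and the sample header are constructed for illustration.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"      # first 6 bytes of every LUKS1/LUKS2 primary header
SLOT_ENABLED = 0x00AC71F3         # LUKS1 marker for a key slot that holds a passphrase

def _text(raw):
    """Decode a NUL-padded ASCII header field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def inspect_luks_header(data):
    """Return the cleartext header metadata, or None if data is not a LUKS header."""
    if len(data) < 208 or data[:6] != LUKS_MAGIC:
        return None                # e.g. the zero-filled file before luksFormat
    version = struct.unpack_from(">H", data, 6)[0]
    info = {"version": version, "uuid": _text(data[168:208])}  # same offset in v1 and v2
    if version == 1 and len(data) >= 592:
        cipher, mode, hash_spec, payload, key_bytes = struct.unpack_from(
            ">32s32s32sII", data, 8)
        info.update(cipher=f"{_text(cipher)}-{_text(mode)}", hash=_text(hash_spec),
                    key_bits=key_bytes * 8, payload_sector=payload,
                    active_slots=[i for i in range(8) if struct.unpack_from(
                        ">I", data, 208 + 48 * i)[0] == SLOT_ENABLED])
    elif version == 2:
        # LUKS2 keeps cipher and key slot details in a JSON area after this binary header.
        info.update(header_size=struct.unpack_from(">Q", data, 8)[0],
                    label=_text(data[24:72]))
    return info

def inspect_container(path):
    """Read the first 4 KiB of a container file and inspect it."""
    with open(path, "rb") as fh:
        return inspect_luks_header(fh.read(4096))

def constructed_luks1_header():
    """Constructed sample header (not from a real volume): aes-xts-plain64, slot 0 active."""
    hdr = bytearray(592)
    struct.pack_into(">6sH32s32s32sII", hdr, 0, LUKS_MAGIC, 1, b"aes", b"xts-plain64",
                     b"sha256", 4096, 64)
    hdr[168:204] = b"00000000-0000-4000-8000-000000000000"
    for i in range(8):
        struct.pack_into(">I", hdr, 208 + 48 * i, SLOT_ENABLED if i == 0 else 0x0000DEAD)
    return bytes(hdr)

if __name__ == "__main__":
    print(inspect_luks_header(constructed_luks1_header()))
    print(inspect_luks_header(bytes(4096)))   # zero-filled, as created by dd
```

Calling inspect_container("/home/user/cryptedDevice") before luksFormat returns None, and afterwards reports the header version that was actually written.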