I want to encrypt folder

I just switched to Linux (5 hours ago) and I am still trying to encrypt my most important folders.

There seems to be no easy solution for that.

What would you suggest to encrypt a few folders?


Solution 1:

If you do not want to create a separate partition (volume) for your encrypted files, then you should use eCryptfs.

eCryptfs stores cryptographic metadata in the header of each file written, so that encrypted files can be copied between hosts; the file will be decryptable with the proper key, and there is no need to keep track of any additional information aside from what is already in the encrypted file itself.

Installation of eCryptfs:

$ sudo apt install ecryptfs-utils

Setup is easy. First, create your “private” directory that will contain the encrypted files and sub-directories. For example:

$ mkdir ~/Documents/private

When this directory is not “mounted”, you can look at the contents of the files in it, but you will see nothing meaningful, since everything will be encrypted. To use (read and write) the unencrypted version of it, you should “mount” this directory. You can mount this directory over itself like this:

$ sudo mount -t ecryptfs ~/Documents/private ~/Documents/private

Since this is the first time you try to mount this directory with eCryptfs, you will answer a few questions like this:

  • First, enter a passphrase that you will never forget.
  • Cipher: aes (default)
  • Key bytes: 32
  • Plaintext passthrough: n (default)
  • Filename encryption: n (default)

Now, the important warning:

WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key 
before. This could mean that you have typed your 
passphrase wrong.

Would you like to proceed with the mount (yes/no)? :

Since this is the first time you mount this directory, answer yes so that a new file called ~root/.ecryptfs/sig-cache.txt is created, which will contain a “signature” of the passphrase.

Would you like to append sig [xxxxxxxxxxxx] to
[/root/.ecryptfs/sig-cache.txt] 
in order to avoid this warning in the future (yes/no)? : 

Also answer yes to this question so that the file ~root/.ecryptfs/sig-cache.txt is populated.

Later, when we re-mount this directory we should not get this warning, unless we enter the wrong passphrase.

Create a file in the private directory. For example:

$ ls -al > ~/Documents/private/1.txt

Note the length of the file:

$ wc -c ~/Documents/private/1.txt
4935 ...

Unmount the directory:

$ sudo umount ~/Documents/private

Look at the encrypted version of the file in the unmounted ~/Documents/private directory:

$ less ~/Documents/private/1.txt

It looks like a binary file, because its contents are encrypted.

Look at the length of the file:

$ wc -c ~/Documents/private/1.txt
16384 ...

It is a few kilobytes larger than the unencrypted file, since it contains some metadata. This is the whole overhead of eCryptfs on your file system: each file will be about 8 to 16 KB larger than it would be if it were not encrypted.

Re-mount the directory using the command:

$ sudo mount -t ecryptfs ~/Documents/private ~/Documents/private \
-o ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough=no,\
ecryptfs_enable_filename_crypto=no,\
ecryptfs_sig=$(sudo cat ~root/.ecryptfs/sig-cache.txt)

Enter the correct passphrase. If you enter the wrong passphrase, you will get the message:

WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key 
before. This could mean that you have typed your 
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : 

In that case, answer no and retry with the correct passphrase.

Check the contents once more.

$ less ~/Documents/private/1.txt
$ wc -c ~/Documents/private/1.txt
4935 ...

For more information, look at man ecryptfs.
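Added example, not code from the answer's author: a small POSIX shell wrapper around the re-mount step above. It reads the signature out of the sig-cache file, refuses anything that is not a well-formed eCryptfs signature, checks /proc/mounts so the directory is not mounted over itself a second time (which stacks another eCryptfs layer on the first), and only then calls mount with the same -o string the answer uses. mount.ecryptfs still prompts for the passphrase as described in the answer. The default cache path (/root/.ecryptfs/sig-cache.txt), the ECRYPTFS_DO_MOUNT switch and the function names are assumptions made for this example; the mount table used in the self-check is constructed.

```shell
#!/bin/sh
# Added example (not from the answer above): non-interactive wrapper for the
# eCryptfs re-mount step.  Assumptions: the directory is mounted over itself
# as in the answer, the signature cache is the root-owned file written on the
# first mount, and nothing is mounted unless ECRYPTFS_DO_MOUNT=1 is set, so
# the helpers can be sourced or tested without root.

SIG_CACHE_DEFAULT=/root/.ecryptfs/sig-cache.txt   # assumed default location

# Read a sig-cache file on stdin and print its first well-formed entry.
# eCryptfs key signatures are 8 bytes shown as 16 lowercase hex digits, one
# per line, so an empty or hand-edited cache is rejected here rather than
# being spliced into the mount command.
ecryptfs_sig_from_cache() {
    sig=$(grep -E '^[0-9a-f]{16}$' | head -n 1)
    [ -n "$sig" ] || { echo "no usable signature in sig cache" >&2; return 1; }
    printf '%s\n' "$sig"
}

# Print the -o option string from the answer with the signature filled in,
# refusing anything that is not exactly 16 lowercase hex digits.
ecryptfs_mount_opts() {
    sig="$1"
    case "$sig" in
        ''|*[!0-9a-f]*) echo "bad signature: '$sig'" >&2; return 1 ;;
    esac
    [ "${#sig}" -eq 16 ] || { echo "signature must be 16 hex digits" >&2; return 1; }
    printf 'ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no,ecryptfs_sig=%s\n' "$sig"
}

# Succeed if DIR is already an ecryptfs mount point according to a
# /proc/mounts-style table (field 2 = mount point, field 3 = fs type).
# A second table argument is only there so the check can be exercised on a
# constructed table without root.
ecryptfs_is_mounted() {
    awk -v d="$1" '$2 == d && $3 == "ecryptfs" { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# Mount DIR over itself using the cached signature (needs sudo, like the answer).
ecryptfs_remount() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "not a directory: $1" >&2; return 1; }
    cache="${2:-$SIG_CACHE_DEFAULT}"
    if ecryptfs_is_mounted "$dir"; then
        echo "$dir is already an eCryptfs mount; refusing to stack another" >&2
        return 1
    fi
    sig=$(sudo cat "$cache" | ecryptfs_sig_from_cache) || return 1
    opts=$(ecryptfs_mount_opts "$sig") || return 1
    sudo mount -t ecryptfs "$dir" "$dir" -o "$opts"
}

# Usage: ECRYPTFS_DO_MOUNT=1 sh ecryptfs_remount.sh ~/Documents/private [sig-cache]
if [ "${ECRYPTFS_DO_MOUNT:-0}" = 1 ]; then
    ecryptfs_remount "$1" "${2:-}"
fi
```

Pass the directory as a path that exists; the wrapper resolves it with pwd -P before comparing against /proc/mounts, because the kernel records the resolved absolute path there.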
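Added here as a worked example, not code from the answer's author: a POSIX shell script that decodes the fixed header eCryptfs writes at the front of every lower (encrypted) file, to show what the "metadata" behind the 4935 to 16384 byte growth in the answer actually is. It parses the eCryptfs on-disk header (plaintext size, marker, version and flags, extent size, number of header extents, all big-endian) and computes the lower-file size that layout implies: header extents plus the plaintext rounded up to whole extents. The sample header written by mk_sample_header is constructed to match the answer's 4935-byte file; the function names are this example's own. Two points worth noticing: the exact plaintext length is stored unencrypted in the header, and the marker identifies an eCryptfs lower file to anyone, key or not (with filename encryption left at "n" as in the answer, the file names are readable too). If the mount used the ecryptfs_xattr_metadata option the header lives in an extended attribute instead, and the marker check below reports a mismatch.

```shell
#!/bin/sh
# Added example (not from the answer above): inspect the eCryptfs lower-file
# header.  Layout, all big-endian:
#   bytes  0-7   plaintext file size
#   bytes  8-15  marker: 32-bit words m1, m2 with m1 XOR m2 == 0x3c81b7f5
#   byte   16    file format version
#   byte   19    flag bits (bit value 2 = file is encrypted)
#   bytes 20-23  extent size
#   bytes 24-25  number of header extents at the front of the file
# Usage: sh ecryptfs_header.sh ~/Documents/private/1.txt   (while unmounted)

ECRYPTFS_MAGIC=$((0x3c81b7f5))

# hex_field HEXSTRING BYTE_OFFSET NBYTES -> decimal value of that field
hex_field() {
    start=$(($2 * 2 + 1))
    end=$((start + $3 * 2 - 1))
    echo $((0x$(printf '%s' "$1" | cut -c"$start-$end")))
}

# ecryptfs_expected_lower_size PLAINTEXT_SIZE EXTENT_SIZE HEADER_EXTENTS
# Header extents plus plaintext rounded up to whole extents.
ecryptfs_expected_lower_size() {
    echo $(( $2 * $3 + (($1 + $2 - 1) / $2) * $2 ))
}

# ecryptfs_header_info FILE: print key=value pairs decoded from the header,
# failing if the file is too short or the marker does not validate.
ecryptfs_header_info() {
    hex=$(od -An -tx1 -N 26 -v "$1" | tr -d ' \n')
    [ "${#hex}" -eq 52 ] || { echo "$1: shorter than an eCryptfs header" >&2; return 1; }
    m1=$(hex_field "$hex" 8 4)
    m2=$(hex_field "$hex" 12 4)
    [ $((m1 ^ m2)) -eq "$ECRYPTFS_MAGIC" ] \
        || { echo "$1: marker mismatch, not an eCryptfs lower file" >&2; return 1; }
    size=$(hex_field "$hex" 0 8)
    version=$(hex_field "$hex" 16 1)
    flags=$(hex_field "$hex" 19 1)
    ext=$(hex_field "$hex" 20 4)
    nhdr=$(hex_field "$hex" 24 2)
    [ "$ext" -gt 0 ] || { echo "$1: zero extent size in header" >&2; return 1; }
    expected=$(ecryptfs_expected_lower_size "$size" "$ext" "$nhdr")
    printf 'plaintext_size=%d version=%d encrypted=%d header_extent_size=%d header_extents=%d expected_lower_size=%d\n' \
        "$size" "$version" $(( (flags >> 1) & 1 )) "$ext" "$nhdr" "$expected"
}

# zero_bytes N: emit N NUL bytes (dd is used so no printf NUL handling is needed)
zero_bytes() { dd if=/dev/zero bs=1 count="$1" 2>/dev/null; }

# mk_sample_header FILE: write a constructed 26-byte header describing a
# 4935-byte plaintext, version 3, encrypted, 4096-byte extents, 2 header
# extents.  m1 = 0x11223344, m2 = m1 XOR 0x3c81b7f5 = 0x2da384b1.
mk_sample_header() {
    {
        zero_bytes 6; printf '\023\107'          # size 0x1347 = 4935
        printf '\021\042\063\104'               # m1
        printf '\055\243\204\261'               # m2
        printf '\003'; zero_bytes 2; printf '\002'   # version 3, flags: encrypted
        zero_bytes 2; printf '\020'; zero_bytes 1    # extent size 0x1000
        zero_bytes 1; printf '\002'                  # 2 header extents
    } > "$1"
}

for f in "$@"; do
    if info=$(ecryptfs_header_info "$f"); then
        printf '%s: %s actual_lower_size=%s\n' "$f" "$info" "$(wc -c < "$f")"
    fi
done
```

Run it on the unmounted 1.txt from the answer and expected_lower_size should line up with what wc -c reports: two 4096-byte header extents plus two data extents for 4935 bytes of plaintext gives the 16384 seen in the answer, while an empty file still costs the 8192-byte header.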