How can I make an encrypted file / directory? (Ubuntu 20.04 LTS)
Solution 1:
How to Make an Encrypted File / Directory
- Install p7zip-full from universe repository
- Right click file or folder and select Compress.
- Confirm archive name and select .7z, then Create.
- Right click .7z archive select open with Archive Manager.
- Select three line icon upper right, click Password to create AES-256 encrypted archive.
Notes
You will need to install 7-Zip to open the archive on a Windows machine.
Selecting and remembering a strong password is an important part of encryption security. There are many good articles about this topic on the internet.
HDDs, SSDs and flash drives can all brick without notice. SLC (Single Level Cell) SSDs and flash drives have the longest life spans. It is a good idea to keep a backup drive and a copy of the password in your safety deposit box.
A full tutorial on P7Zip-Desktop can be found at: https://www.how2shout.com/linux/how-to-install-p7zip-gui-on-ubuntu-20-04-lts/
Solution 2:
(For a directory I would tar it to a file)
Encrypting can be done with ...
gpg -c {file}
Provide a decent password. To decrypt:
gpg {file}.gpg
and provide the password you used. If you want to decrypt using Windows you can use "gpg4win". Remove the original file after you are done.
rinzwind@schijfwereld:~$ ls -ltr test
-rwx------ 1 rinzwind rinzwind 418 mei 14 18:11 test
rinzwind@schijfwereld:~$ file test
test: POSIX shell script, ASCII text executable
rinzwind@schijfwereld:~$ gpg -c test
rinzwind@schijfwereld:~$ file test*
test: POSIX shell script, ASCII text executable
test.gpg: GPG symmetrically encrypted data (AES256 cipher)
rinzwind@schijfwereld:~$ more test.gpg
I would then add some extra security:
sudo -i
chown root:root {file}
chmod 000 {file}
chattr +i {file}
The last one sets the immutable bit, and to change anything you first need to do chattr -i {file}. It will look like this:
---------- 1 root root 353 mei 16 09:05 test.gpg
An extra extra method could be to add a "." to the beginning of the file to make it hidden.
Solution 3:
You can use cryptsetup on a sparse file to create an auto-growing, encrypted container.
If you don't have cryptsetup installed yet, run:
$ sudo apt update && sudo apt install cryptsetup
Note: This will not work on FAT32 or exFAT volumes because they don't support sparse files. You need to use NTFS or ext4, or preallocate the disk space ahead of time.
Root required because cryptsetup creates devices in /dev.
- Create a sparse file which will be used to store the encrypted data. Sparse files don't take all the space upfront, but grow as you add data to them. 10G here means that you'll be able to store up to 10 GB of data in the container (actually slightly less due to filesystem overhead).
  $ truncate -s 10G encrypted.luks
  (some tools will report this file as 10 GB in size from the very beginning - that's fine)
- Create an encrypted container inside the file.
  $ sudo cryptsetup luksFormat encrypted.luks
  WARNING!
  ========
  This will overwrite data on encrypted.luks irrevocably.

  Are you sure? (Type uppercase yes): YES
  Enter passphrase for encrypted.luks:
  Verify passphrase:
- Open the encrypted container.
  $ sudo cryptsetup open encrypted.luks encrypted
  Enter passphrase for encrypted.luks:
- Create a filesystem inside the container. (Choose any - it doesn't have to match drive's filesystem.)
  $ sudo mkfs.ext2 -m0 -Lencrypted /dev/mapper/encrypted
  mke2fs 1.45.5 (07-Jan-2020)
  Creating filesystem with 2617344 4k blocks and 655360 inodes
  Filesystem UUID: d61f80bc-e3aa-41c8-91ca-97b8302d8bc0
  Superblock backups stored on blocks:
      32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632

  Allocating group tables: done
  Writing inode tables: done
  Writing superblocks and filesystem accounting information: done
- You can now mount the filesystem.
  $ sudo mount /dev/mapper/encrypted /mnt
  $ ls /mnt
  lost+found
The container file should be much less than 10 GB if checked with the right tool:
$ du -h encrypted.luks
249M encrypted.luks
$ du -h --apparent-size encrypted.luks
10G encrypted.luks
To "eject" or remove the container:
- Unmount it.
  $ sudo umount /mnt
- Close the container.
  $ sudo cryptsetup close encrypted
- Optionally remove the file if you want to destroy the container.
  $ sudo rm encrypted.luks
Note that the container won't shrink when you remove files from it. You can try to open it with --allow-discards and then fstrim -v /mnt to punch holes in the sparse file again. It worked for me on local disks, but not on a USB drive. Maybe it depends on the "parent" filesystem, I don't know.
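
The sparse-file caveat in Solution 3 (FAT32 and exFAT cannot hold sparse files, and du versus du --apparent-size report different sizes) can be checked before the container is created. The script below is an added example, not part of the answer above; the function names and the 1 MiB threshold are assumptions, and it relies on GNU coreutils as shipped with Ubuntu.

```shell
#!/bin/sh
# Added example, not from the answer above. Function names are hypothetical.
# Assumes GNU coreutils (stat -c, truncate, mktemp), as on Ubuntu.

# Bytes actually occupied on disk (the figure plain `du` reports).
allocated_bytes() {
    # %b = allocated blocks, %B = bytes per block
    set -- $(stat -c '%b %B' "$1")
    echo $(( $1 * $2 ))
}

# Logical file size (the figure `du --apparent-size` reports).
apparent_bytes() {
    stat -c '%s' "$1"
}

# Exit 0 if the filesystem holding DIR leaves holes unallocated.
# Uses a 16 MiB probe so a non-sparse filesystem is not filled by accident.
supports_sparse() {
    probe=$(mktemp "$1/.sparse-probe.XXXXXX") || return 2
    truncate -s 16M "$probe"
    alloc=$(allocated_bytes "$probe")
    rm -f "$probe"
    # Assumed threshold: an empty sparse file should occupy well under 1 MiB.
    [ "$alloc" -lt 1048576 ]
}

# Create the backing file for `cryptsetup luksFormat` (step 1 above).
new_container_file() {
    path=$1
    size=$2
    if [ -e "$path" ]; then
        echo "refusing to overwrite existing $path" >&2
        return 1
    fi
    if ! supports_sparse "$(dirname "$path")"; then
        echo "no sparse-file support here: $size would be allocated up front" >&2
        return 3
    fi
    # Subshell keeps the umask change local; file is created mode 600.
    ( umask 077; truncate -s "$size" "$path" )
}
```

Running new_container_file encrypted.luks 10G takes the place of the bare truncate command; a return code of 3 means the target volume would need the full size preallocated.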