What is the easiest way to encrypt a dir? (on Ubuntu)
There are three methods: set up an encrypted volume on a partition (dm-crypt, configured with cryptsetup), set up a file which is an encrypted volume (truecrypt), or set up a directory where each file is encrypted separately (ecryptfs or encfs).
Setting up an encrypted volume gives a little more confidentiality, because the metadata (size, modification time) of your files is invisible. On the downside, it's less flexible (you have to decide on the size of the encrypted volume in advance). The ecryptfs FAQ lists some differences between the two approaches.
If you elect to encrypt file by file, I'm aware of two options: ecryptfs and encfs. The former uses an in-kernel driver while the latter uses FUSE. This may give ecryptfs a speed advantage; it gives encfs a flexibility advantage, as nothing needs to be done as root. A possible benefit of ecryptfs is that once you've done the initial setup, you can use your login password as a filesystem password thanks to the pam_ecryptfs module.
For my own use in a similar situation, I chose encfs, because I didn't see any actual security benefit to other solutions, so ease-of-use was the determining factor. Performance hasn't been a problem. The workflow is very simple (the first run of encfs creates the filesystem):
aptitude install encfs
encfs ~/.work.encrypted ~/work
... work ...
fusermount -u ~/work
I recommend you also encrypt your swap space and any place where temporary confidential files may be written to, such as /tmp and /var/spool/cups (if you print confidential files). Use cryptsetup to encrypt your swap partition. The easiest way of dealing with /tmp is to keep it in memory by mounting it as tmpfs (this may give a slight performance benefit in any case).
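The whole procedure from the answer above (encfs mount/unmount, swap on dm-crypt, /tmp on tmpfs) as one script. This is an added example, not code from the answer's author: the function names, the `cryptswap` mapping name and the `/dev/sdXN` device are placeholders, and the crypttab/fstab lines are the standard Ubuntu form for a random-key swap and a RAM-backed /tmp.

```shell
#!/bin/sh
# Added example (not from the answer): encfs wrappers plus generators for the
# /etc/crypttab and /etc/fstab lines that put swap under dm-crypt and /tmp on
# tmpfs. "cryptswap" and the device argument are placeholders.

# Mount an encfs directory; the first run creates it.
# $1 = encrypted backing dir, $2 = plaintext mount point
encfs_open() {
    enc="$1"; plain="$2"
    command -v encfs >/dev/null 2>&1 || {
        echo "encfs not installed (aptitude install encfs)" >&2; return 1; }
    mkdir -p "$enc" "$plain" || return 1
    # Refuse to stack a second filesystem on a mount point already in use.
    if mountpoint -q "$plain" 2>/dev/null; then
        echo "$plain is already a mount point" >&2; return 1
    fi
    # encfs wants absolute paths; --standard takes its standard configuration
    # on first run instead of asking per-setting (the passphrase is still
    # prompted for interactively).
    encfs --standard "$(realpath "$enc")" "$(realpath "$plain")"
}

# Unmount the plaintext view; nothing runs as root at any point.
encfs_close() {
    fusermount -u "$1"
}

# /etc/crypttab line: swap keyed from /dev/urandom at every boot, so the old
# contents are unreadable after a reboot. Caveat: this rules out hibernating
# to that swap, because the key does not survive the power-off.
crypttab_swap_line() {
    printf 'cryptswap %s /dev/urandom swap,cipher=aes-xts-plain64,size=256\n' "$1"
}

# /etc/fstab line using the mapped device instead of the raw partition.
fstab_swap_line() {
    printf '/dev/mapper/cryptswap none swap sw 0 0\n'
}

# /etc/fstab line keeping /tmp in RAM; nosuid/nodev cost nothing there.
fstab_tmp_line() {
    printf 'tmpfs /tmp tmpfs defaults,noatime,nosuid,nodev,mode=1777 0 0\n'
}

# Accept only a /dev path or a UUID= spec for the swap device argument.
is_block_spec() {
    case "$1" in
        /dev/*|UUID=*) return 0 ;;
        *) return 1 ;;
    esac
}

case "${1:-}" in
    open)  encfs_open "$2" "$3" ;;
    close) encfs_close "$2" ;;
    swap)  is_block_spec "${2:-}" || { echo "usage: $0 swap /dev/sdXN" >&2; exit 1; }
           crypttab_swap_line "$2"; fstab_swap_line ;;
    tmp)   fstab_tmp_line ;;
esac
```

Usage: `sh enc.sh open ~/.work.encrypted ~/work`, work, then `sh enc.sh close ~/work`. `sh enc.sh swap /dev/sdXN` prints the two lines to append to /etc/crypttab and /etc/fstab; the existing fstab entry for the raw swap partition must be removed at the same time, or the kernel will keep swapping to it in the clear.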
I exclusively use TrueCrypt for such things. OSI-approved or not, I find it's never let me down, and I -have- needed encryption multiple times.