How do I create an encrypted growable disk image?
I don't want to encrypt my whole home directory, just my work folder. So I figured that having my work stuff in an encrypted ISO would be a good idea.
How do I create an ISO?
How do I encrypt that ISO?
How do I make the ISO grow as the contents grow? (having it only take up as much space as it needs to)
Since EncFs is deemed insecure, it is not advised to use it. It's planned to be fixed in the next version, but it would be unwise to start using it now while it's insecure. eCryptfs is secure and you can have a private directory in your home dir with:
ecryptfs-setup-private --noautomount
And follow the directions. It will make .Private the encrypted directory and Private the place where it's mounted. With the option --noautomount it won't mount until you double-click "Access my private data" inside the Private directory.
Old answer
The current version of EncFs has known security flaws covered in January 2014. Please read the report before proceeding to use EncFs.
Based on your comments you should have a look at encfs. I have been using this since long before Ubuntu got ecryptfs, and even though I keep my files private under ~/Private today, I still have my old ~/safe, which I use for sensitive information that doesn't need to be mounted all the time.
# install encfs
sudo apt-get install encfs
# setup. directories need to be absolute paths (the shell expands ~ here)
SAFE=~/safe
SAFE_ENC=~/.safe
# quote the variables so paths containing spaces still work
mkdir "$SAFE"
mkdir "$SAFE_ENC"
# this is for mounting the fs (or create for first time mount)
encfs -i 10 "$SAFE_ENC" "$SAFE"
The first time you run this you'll be asked if you want to create a new encrypted filesystem. Just pressing RETURN creates one with default options. The option -i 10 will make the drive get unmounted if there has been ten minutes of inactivity. Remember not to do cd $SAFE or to keep it open in a file manager since it's considered activity.
If you have several systems that are going to access this (e.g. by having $SAFE_ENC in a cloud storage) you should create it with the oldest version of Ubuntu you have, or else it might not work on that system if it gets created with a newer system. (It's possible, but you need to specify options that are compatible.) I've used this since 2006 and am very happy with it.
Encfs has several applications. E.g. lately I have started using it for my USB thumb drive as well. I have a 16GB thumb that has 2GB live ubuntu-persistence with a 14GB which the live system mounts after asking for password. When using it from other systems I mount the drive manually in the terminal, but it would be trivial to get my systems to identify it as my safe drive and mount it with my keyring. I also mount it on my Windows work machine.
When setting this up I found there are some supplementary packages that can be used to manage encfs from the desktop environment and get it mounted like ecryptfs.
If you want to encrypt data stored on the computer, there are some different choices you can make. You were offered them when you installed Ubuntu in the first place[1].
Before you do anything like this, make a back up of your data! You have been warned!!!
All Disks
The obvious one, and the most secure, is to encrypt the whole disk[2]. In that way, no one can steal your computer and use any information stored in your computer, like your passwords in /etc/passwd and /etc/shadow or look at your temporary files which will give lots of information away.
So to use that, look up dm-crypt/LUKS/cryptsetup for more information.
Directories in $HOME
There is also support for encryption of directories in your $HOME directory[3]. Either you can use the older version, which encrypts a separate directory called $HOME/Private, or you could encrypt the whole of your $HOME.
To create an encrypted $HOME/Private, just run the command
ecryptfs-setup-private
in a terminal and this should be set up for you.
To encrypt a user's $HOME, you need to install the package ecryptfs-utils and then create a new user with the command
sudo adduser --encrypt-home username
where username should be the new user's login name. You could still make your $HOME encrypted after installation, but remember to back up your data before doing this[4].
Encrypting Removable Disks
Lastly, if you want to encrypt your USB memory stick, you could do that too. Just install the package cryptsetup and partition it with the graphical tool gnome-disk-utility or follow the instructions for doing this from the command line[5].
For more information about encryption of disks and directories, please read here:
[1] https://help.ubuntu.com/community/EncryptedFilesystemHowto
[2] https://help.ubuntu.com/community/EncryptedFilesystems
[3] https://help.ubuntu.com/community/EncryptedHome
[4] http://ubuntuforums.org/showthread.php?t=1449168
[5] https://help.ubuntu.com/community/EncryptedFilesystemsOnRemovableStorage
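
The "growable encrypted image" from the question can be built with the dm-crypt/LUKS/cryptsetup tooling the second answer points to, using a sparse file as the backing store of a LUKS container. This is an added example, not part of either answer; the image path, size, mapping name and mount point are assumptions.

```shell
#!/bin/sh
# Added example (not from the answers above). IMG, SIZE, NAME and MNT are
# assumed names; the cryptsetup steps need root and prompt for a passphrase.
set -e
IMG=${IMG:-$HOME/work.img}; SIZE=${SIZE:-20G}
NAME=${NAME:-workvault};    MNT=${MNT:-$HOME/work}

# Create a sparse backing file: apparent size $2, no data blocks allocated yet.
make_sparse_image() {
    if [ -e "$1" ]; then
        echo "refusing to overwrite $1" >&2
        return 1
    fi
    ( umask 077; truncate -s "$2" "$1" )   # owner-only permissions
}

# Print "apparent_bytes allocated_bytes" for a file (GNU stat).
image_usage() {
    set -- $(stat -c '%s %b %B' "$1")
    echo "$1 $(( $2 * $3 ))"
}

# One-time setup: LUKS2 header, then an ext4 filesystem inside the mapping.
format_container() {   # image, mapping name
    cryptsetup luksFormat --type luks2 "$1"
    cryptsetup open "$1" "$2"
    mkfs.ext4 -q "/dev/mapper/$2"
    cryptsetup close "$2"
}

open_container() {     # image, mapping name, mount point
    cryptsetup open "$1" "$2"
    mkdir -p "$3"
    mount "/dev/mapper/$2" "$3"
}

close_container() {    # mapping name, mount point
    umount "$2"
    cryptsetup close "$1"
}

case "${1:-}" in
    create) make_sparse_image "$IMG" "$SIZE"; format_container "$IMG" "$NAME" ;;
    open)   open_container "$IMG" "$NAME" "$MNT" ;;
    close)  close_container "$NAME" "$MNT" ;;
    usage)  image_usage "$IMG" ;;
esac
```

The file takes up disk space only as blocks are written, up to SIZE, and it does not shrink again when files inside are deleted. The allocated size of the image also shows an observer roughly how much data has been stored in it.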