What is a good solution to encrypt some files in unix? [closed]

I am looking for a utility to encrypt certain directories in Linux. I am not looking for any full disk encryption services, but simply to encrypt a few directories for the purposes of storing files in the cloud. Once retrieving them, I should have to decrypt them before they can be accessed. Looking to do this for a couple of directories (a few hundred GB in size). Any ideas? Preferably CLI based.


Solution 1:

I use just GnuPG for this task. The folders get first packed into a TAR-GZ archive:

tar czf files.tar.gz /path/to/my/files

If not already done, you need to create a GPG private/public key-pair first:

gpg --gen-key

Follow the instructions. The defaults should be sufficient for a first test. Something like this will appear:

gpg (GnuPG) 2.0.18; Copyright (C) 2011 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: File Encryption Key
Email address: [email protected]
Comment: File Encryption Key
You selected this USER-ID:
    "File Encryption Key (File Encryption Key) "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

You will be asked for a passphrase to the key. It's highly recommended to use a strong one. It is not needed for encryption of files anyway, so don't be worried about the batch use later.

If everything is done, something like this will appear on your screen:

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key FE53C811 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   *****/******** 2013-03-19
      Key fingerprint = **** **** **** **** **** **** **** **** **** ****
uid                  File Encryption Key (File Encryption Key) 
sub   *****/******** 2013-03-19

Now you may want to export the public keyfile for importing it on other machines:

gpg --armor --output file-enc-pubkey.txt --export 'File Encryption Key'

The File Encryption Key is the name I entered during the key generation procedure.

Now I'm using GnuPG on the newly created archive:

gpg --encrypt --recipient 'File Encryption Key' files.tar.gz

You now have a files.tar.gz.gpg file which is encrypted.

You can decrypt it with the following command (you will be asked for your passphrase):

gpg --output files.tar.gz --decrypt files.tar.gz.gpg

That's the whole magic.

Make sure you back up your key! And never forget your passphrase! If not backed up or forgotten, you have gigabytes of data junk!

Back up your private key with this command:

gpg --armor --output file-enc-privkey.asc --export-secret-keys 'File Encryption Key'

Advantages

  • None of the encrypters needs to know sensitive information about the encryption - encryption is done with the public key. (You can create the key pair on your local workstation and only transfer the public key to your servers)
  • No passwords will appear in script files or jobs
  • You can have as many encrypters on any system as you want
  • If you keep your private key and the passphrase secret, everything is fine and very very hard to compromise
  • You can decrypt with the private key on Unix, Windows and Linux platforms using the specific PGP/GPG implementation
  • No need for special privileges on encrypting and decrypting systems, no mounting, no containers, no special file systems

Solution 2:

For my part, I mainly use two methods:

First method: tar and openssl

Tar the directory

tar cvf backup.tar /path/to/folder

You can remove the [v] switch from the tar command to switch off the verbose mode.

Encrypt

openssl aes-128-cbc -salt -in backup.tar -out backup.tar.aes -k yourpassword

You can change aes-128-cbc to any other cipher method openssl supports (openssl --help).

Decrypt

openssl aes-128-cbc -d -salt -in backup.tar.aes -out backup.restored.tar

It will ask for the password.

Second method: encrypted zip

zip -r -0 -e backup.zip /path/to/folder

It will ask for the password.

  • -r means recursively (whole folder tree)
  • -0 means store only (doesn't compress, faster)
  • -e means encrypt archive

One advantage of this: it will work better with Windows-based systems.
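The tar + openssl method above works, but two points are worth showing in code rather than leaving implicit: a passphrase given with `-k yourpassword` is visible to other users in the process list and lands in shell history, and `openssl enc` without `-pbkdf2` derives the key with a single hash iteration and provides no integrity check at all (a wrong passphrase or a corrupted file is not reliably detected). The script below is an added example, not code from either answer; it assumes POSIX sh, tar and OpenSSL 1.1.1 or newer (for `-pbkdf2`), reads the passphrase from a mode-600 file, and stores a SHA-256 digest of the plaintext archive next to the ciphertext so that a failed or tampered decryption is caught before anything is unpacked. The directory contents and passphrase in the self-test are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the answers above): tar + openssl with PBKDF2 key
# derivation, passphrase read from a file, and a round-trip integrity check.
# Assumes POSIX sh, tar, and openssl >= 1.1.1 (needed for -pbkdf2).
set -eu

# encrypt_dir DIR OUTFILE PASSFILE
# Packs DIR into a gzipped tar, records its SHA-256 in OUTFILE.sha256, and
# encrypts it to OUTFILE. The passphrase never appears on a command line.
encrypt_dir() {
    dir="$1"; out="$2"; passfile="$3"
    tmp="$(mktemp)"
    tar czf "$tmp" -C "$(dirname "$dir")" "$(basename "$dir")"
    openssl dgst -sha256 -r < "$tmp" | cut -d' ' -f1 > "$out.sha256"
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
        -pass "file:$passfile" -in "$tmp" -out "$out"
    rm -f "$tmp"
}

# decrypt_dir INFILE DESTDIR PASSFILE
# Returns 0 only if decryption succeeds AND the digest of the recovered
# archive matches the one stored at encryption time; only then is it unpacked.
decrypt_dir() {
    in="$1"; dest="$2"; passfile="$3"
    tmp="$(mktemp)"
    if ! openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
            -pass "file:$passfile" -in "$in" -out "$tmp" 2>/dev/null; then
        rm -f "$tmp"; return 1          # openssl reports "bad decrypt"
    fi
    expected="$(cat "$in.sha256")"
    actual="$(openssl dgst -sha256 -r < "$tmp" | cut -d' ' -f1)"
    if [ "$expected" != "$actual" ]; then
        rm -f "$tmp"; return 1          # corrupted ciphertext or digest file
    fi
    mkdir -p "$dest"
    tar xzf "$tmp" -C "$dest"
    rm -f "$tmp"
}

# Self-test on a constructed directory tree and constructed passphrases.
# Returns 0 if the wrong passphrase is rejected and the right one restores
# the files byte-for-byte.
demo_roundtrip() {
    work="$(mktemp -d)"
    mkdir -p "$work/src/sub"
    printf 'hello\n' > "$work/src/a.txt"
    printf 'world\n' > "$work/src/sub/b.txt"
    # Passphrase files are created with mode 600 via a subshell umask.
    (umask 077
     printf 'correct horse battery staple\n' > "$work/pass"
     printf 'not the passphrase\n' > "$work/badpass")

    encrypt_dir "$work/src" "$work/src.tar.gz.enc" "$work/pass"

    # A wrong passphrase must be refused, either by openssl's padding check
    # or, in the rare case the padding happens to parse, by the digest check.
    if decrypt_dir "$work/src.tar.gz.enc" "$work/bad" "$work/badpass"; then
        rm -rf "$work"; return 1
    fi

    decrypt_dir "$work/src.tar.gz.enc" "$work/out" "$work/pass"
    if cmp -s "$work/src/a.txt" "$work/out/src/a.txt" &&
       cmp -s "$work/src/sub/b.txt" "$work/out/src/sub/b.txt"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return $rc
}
```

Usage is `encrypt_dir /path/to/folder backup.tar.gz.enc ~/.backup-pass` and later `decrypt_dir backup.tar.gz.enc /restore/here ~/.backup-pass`. The plaintext digest detects accidents (wrong passphrase, truncated upload, bit rot) but is not an authentication tag: someone who can rewrite both the ciphertext and the `.sha256` file is not stopped by it. For storage where that matters, the GnuPG method in Solution 1 is the better fit, since its output carries an integrity check of its own and the encrypting host never holds a decryption secret.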