How to make files protected?

The best method you have is chattr +i {file}. This sets the immutable attribute and then a file can not be modified, deleted, renamed or a hardlink created by anyone including root.

The only person that can edit the file is root. (S)he has to undo this by removing the immutable bit: chattr -i {file} and can then do whatever with the file. Setting the +i again locks the file from any modification.

This will not prevent from formatting the partition where the file is stored though. It will prevent theft of the file.


You can even do this on a complete mountpoint if you want:

chattr +i -R /discworld

would make the whole "discworld" and anything in it immutable (chattr -i -R /discworld to undo it ;) )


  • man chattr

Without doing anything special, you can make it difficult for others to read, change or delete the file by removing permissions for everyone but the owner. Make root the owner of the file and put it inside a directory that only root has access to...

sudo mkdir /home/secret     #this directory will be owned by root, no need to chown
sudo chmod 700 /home/secret

move (sudo mv file /home/secret) your file in there and do

sudo chown root: /home/secret/file
sudo chmod 600 /home/secret/file

chmod and chown take multiple arguments: chmod 600 file1 file2 or chmod 600 file*

other than that, use encryption...


A quite secure way to protect documents is encryption (provided you destroy the original and store the encrypted version properly).

Permissions (as suggested by the other answers) can be circumvented (see this).

Therefore, I recommend you properly encrypt the file. Here is how:

(For a graphical interface method, see the end of this answer)

Ensure you have gpg installed.

For example, to encrypt a file named Important_File.txt, use

$ gpg -c Important_File.txt

Now enter the password (this will be used later when having to read it).

You will now get a file with the original's name and a .gpg extension, for example Important_File.txt.gpg.

Remove the original file, and keep the .gpg version. It might be easy to get the original file from the disk if you don't use the secure shred utility (which will still not work on SSD drives or SD cards):

$ shred Important_File.txt

Now we only have Important_File.txt.gpg with us.

Whenever you need to read it, simply

$ gpg Important_File.txt.gpg

Then enter the password you set in the first command. You will get the original Important_File.txt.

NOTE: This will only protect the contents of the encrypted .gpg file from being read by anyone (using encryption), but anyone can remove, copy or move it! For basic protection from that, use the permission methods of the other answers on the encrypted .gpg file.

Graphical Interface (GUI) method

Install the Seahorse application.

Then you can do this from the Files application:

Screenshot of GNOME Files encrypting


Just set a very strict permission 600, so that only the owner can read, and write it (if you need execution permissions, that would be 700).

You can also do it graphically -- simply right click on the file, select Properties > Permissions > Set, and set all but the owner field to nothing.

See the picture as an example:

the picture


If you're the single user on the system, and nobody can reasonably access your computer without your permissions, then you can just block access by using this command, as per Zanna's answer:

sudo chown root:root /my/secret/file.txt
sudo chmod 600 /my/secret/file.txt

In this case, the file can only be read and/or written to by the root user. This is considered "secure enough" if nobody can boot your computer without your permission, or lift your hard drive. We're using the root user in this case, because the root user can always read files, even if they don't have permission. By using the root user, we enforce that only one user can access it.

If you want to mark the file as unchangeable in any way, shape, or form, you can use the i attribute to mark the file as immutable. In this case, the file's permissions are locked in and may not be changed under any circumstance. Thereby, you can do the following command to make the file unchangeable, and protect it from deletion and permission changes:

sudo chattr +i /my/secret/file.txt

If you want to change it, replace the +i with a -i to unlock the file temporarily. See Rinzwind's answer for a more in-depth view.

Now, if other people have access to your computer (either remote sudo access or any form of physical access), this falls apart instantly. An attacker can use root powers to read your file, insert a Live USB, or just pull your hard drive.

Therefore, we need to encrypt the file. I personally prefer to use "file containers," so that you can stick more in there and have it grow as needed. chattr +i is still recommended so that the file isn't accidentally deleted (or altered). Finally, if you're using an encrypted image, you can set permissions to let others access a very limited subset of files when the disk is mounted, making it good for a server. This guide was originally available here, and was adapted for use here.

First off, you want to create a disk image for your use. In this example, we're gonna make it 5 GB.

dd if=/dev/zero bs=1M count=5000 of=~/NSA-Data-Dump-20161012.img

Then, we need to make your image encrypted:

sudo cryptsetup luksFormat ~/NSA-Data-Dump-20161012.img

You will have a choice here to enter your preferred encryption password. Once this is done, we need to expose the raw block device:

sudo cryptsetup luksOpen ~/NSA-Data-Dump-20161012.img my-secret-device

Right now, we have a decrypted file container, but there's no filesystem, and it's as good as useless. Let's fix that:

sudo mkfs.ext4 /dev/mapper/my-secret-device

Now, we need a place to mount our new partition. In this case, I'll be putting it at /crypt. I'm user 1000, so, I'm going to set my partition to only allow me (and root) to read/write from it.

sudo mkdir /crypt
sudo mount /dev/mapper/my-secret-device /crypt -o umask=0700,gid=1000,uid=1000

Now, I can use my file tool to navigate to /crypt and I can store all of my sensitive files there. Once I'm done, I'll need to unmount and re-encrypt my partition.

sudo umount /crypt
sudo cryptsetup luksClose my-secret-device

Now, I'm going to set appropriate partitions on my image file, such that only I and root can access it, and that it can't be changed anymore.

chmod 400 ~/NSA-Data-Dump-20161012.img
sudo chattr +i ~/NSA-Data-Dump-20161012.img

Whenever I want to open this file for reading, I just need to run these two commands, which I can easily alias:

sudo cryptsetup luksOpen ~/NSA-Data-Dump-20161012.img my-secret-device
sudo mount /dev/mapper/my-secret-device /crypt -o umask=0700,gid=1000,uid=1000,ro

My encrypted data will be available at /crypt and it will remain read-only and only accessible to me and root.

If I want to alter the file, I need to change permissions and then mount:

sudo chattr -i ~/NSA-Data-Dump-20161012.img
chmod 700 ~/NSA-Data-Dump-20161012.img
sudo cryptsetup luksOpen ~/NSA-Data-Dump-20161012.img my-secret-device
sudo mount /dev/mapper/my-secret-device /crypt -o umask=0700,gid=1000,uid=1000,ro

Now, you need to be careful here because if a user has root on their system, they can modify/destroy your encrypted partition, rendering it useless. They can also steal data from the drive, but only when it's open. However, they can't steal data or even see that data exists without you explicitly opening it. Therefore, it's your duty to make sure that your system is secure enough to not have any root users online when you're opening your encrypted volume.


TL;DR:

  1. Make the vault:

    dd if=/dev/zero bs=1M count=5000 of=~/NSA-Data-Dump-20161012.img
    sudo cryptsetup luksOpen ~/NSA-Data-Dump-20161012.img my-secret-device
    sudo mkfs.ext4 /dev/mapper/my-secret-device
    
  2. Fill the vault:

    sudo mkdir /crypt
    sudo mount /dev/mapper/my-secret-device /crypt -o umask=0700,gid=1000,uid=1000
    
  3. Lock the vault:

    sudo umount /crypt
    sudo cryptsetup luksClose my-secret-device
    
  4. Freeze the vault:

    chmod 400 ~/NSA-Data-Dump-20161012.img
    sudo chattr +i ~/NSA-Data-Dump-20161012.img
    
  5. Open the vault:

    sudo cryptsetup luksOpen ~/NSA-Data-Dump-20161012.img my-secret-device
    sudo mount /dev/mapper/my-secret-device /crypt -o umask=0700,gid=1000,uid=1000,ro