I am looking for a utility to encrypt certain directories in Linux. I am not looking for any full disk encryption services, but simply to encrypt a few directories for the purposes of storing files in the cloud. Once retrieving them, I should have to decrypt them before they can be accessed. Looking to do this for a couple of directories (a few hundred GB in size). Any ideas? Preferably CLI based.
7 Answers
I use just GnuPG for this task. The folders get first packed into a TAR-GZ archive:
tar czf files.tar.gz /path/to/my/files
If not already done, you need to create a GPG private/public key-pair first:
gpg --gen-key
Follow the instructions. The defaults should be sufficiant for a first test. Something like this will appear:
gpg (GnuPG) 2.0.18; Copyright (C) 2011 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 1 RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) 4096 Requested keysize is 4096 bits Please specify how long the key should be valid. 0 = key does not expire = key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n years Key is valid for? (0) Key does not expire at all Is this correct? (y/N) y GnuPG needs to construct a user ID to identify your key. Real name: File Encryption Key Email address: admin@company.org Comment: File Encryption Key You selected this USER-ID: "File Encryption Key (File Encryption Key) " Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You will be asked for a passphrase to the key. It's highly recommended to use a strong one. It is not needed for encryption of files anyway, so don't be worried about the batch use later.
If everything is done, something like this will appear on your screen:
We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. gpg: key FE53C811 marked as ultimately trusted public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u pub *****/******** 2013-03-19 Key fingerprint = **** **** **** **** **** **** **** **** **** **** uid File Encryption Key (File Encryption Key) sub *****/******** 2013-03-19
Now you may want export the public keyfile for importing it on other machines:
gpg --armor --output file-enc-pubkey.txt --export 'File Encryption Key'
The File Encryption Key
is the name I entered during the key generation procedure.
Now I'm using GnuPG on the newly created archive:
gpg --encrypt --recipient 'File Encryption Key' files.tar.gz
You now have a files.tar.gz.gpg
file which is encrypted.
You can decrypt it with the following command (you will be asked for your passphrase):
gpg --output files.tar.gz --decrypt files.tar.gz.gpg
That's the whole magic.
Make sure you back up your key! And never forget your passphrase! If not backed up or forgotten, you have gigabytes of data junk!
Backup your private key with this command:
gpg --armor --output file-enc-privkey.asc --export-secret-keys 'File Encryption Key'
Advantages
- None of the encrypters needs to know sensitive information about the encryption - encryption is done with the public key. (You can create the key pair on your local workstation and only transfer the public key to your servers)
- No passwords will appear in script files or jobs
- You can have as much as encrypters on any system you want
- If you keep your private key and the passphrase secret, everything is fine and very very hard to compromise
- You can decrypt with the private key on Unix, Windows and Linux platforms using the specific PGP/GPG implementation
- No need for special privileges on encrypting and decrypting systems, no mounting, no containers, no special file systems
-
1Note that depending on the data, it could be faster to run `tar` without the `z` switch to avoid compressing it. – l0b0 Mar 19 '13 at 13:16
For my part, I mainly use two methods:
First method: tar and openssl
Tar the directory
tar cvf backup.tar /path/to/folder
You can remove the [v] switch from the tar command to switch off the verbose mode.
Encrypt
openssl aes-128-cbc -salt -in backup.tar -out backup.tar.aes -k yourpassword
You can change aes-128-cbc to any other cipher method openssl supports (openssl --help).
Decrypt
openssl aes-128-cbc -d -salt -in backup.tar.aes -out backup.restored.tar
It will ask for the password.
Second method: encrypted zip
zip -r -0 -e backup.zip /path/to/folder
It will ask for the password.
- -r means recursively (whole folder tree)
- -0 means store only (doesn't compress, faster)
- -e means encrypt archive
One advantage of this: it will better operate with windows based system.
- 381
- 2
- 2
-
3Giving password on command line is not a good idea. The password remains in shell history. – pbies May 31 '14 at 09:54
-
1It should be noted that `zip` encryption is rumored to be crackable. – Asclepius Nov 10 '14 at 06:05
If you don't want to encrypt your files with a public/private key pair and use just symmetric encryption with a pass phrase instead, use the following command:
gpg --symmetric --cipher-algo aes256 files.tar.gz
You will be asked for your pass phrase. After that an encrypted file named files.tar.gz.gpg
is created.
To decrypt use the command
gpg --decrypt files.tar.gz.gpg > files.tar.gz
- 1,043
- 2
- 13
- 26
You can use truecrypt very simple and nice solution. It has package for console only use. It's very simple to learn and use. http://www.truecrypt.org
- 5,110
- 13
- 58
- 82
-
4As of 28-May-2014, TrueCrypt is no more. See https://en.wikipedia.org/wiki/TrueCrypt – Bryce Jul 16 '14 at 16:29
For such purpose I would suggest FUSE encryption (such as encfs) - for smaller data I would use gpg.
It is fs implemented in user space so you don't need any special privileges.
- 667
- 1
- 6
- 14
A very simple way to encrypt one file is:
gpg -c filename.ext
You'll be asked for a passphrase twice, and gpg will create filename.ext.gpg
. Upload the encrypted file to your cloud service. To recover the file use:
gpg filename.ext.gpg
Which will recreate filename.ext
. Note that the unencrypted files are not secure, and the relevant data will remain on your storage medium even after deletion. Only the gpg container is secure. EncFS is a more practical alternative for cloud based encryption at the file level.
- 551
- 5
- 13