44

I am looking for a utility to encrypt certain directories in Linux. I am not looking for any full disk encryption services, but simply to encrypt a few directories for the purposes of storing files in the cloud. Once retrieving them, I should have to decrypt them before they can be accessed. Looking to do this for a couple of directories (a few hundred GB in size). Any ideas? Preferably CLI based.

Peter
  • 1,450
  • 2
  • 15
  • 26

7 Answers7

50

I use just GnuPG for this task. The folders get first packed into a TAR-GZ archive:

tar czf files.tar.gz /path/to/my/files

If not already done, you need to create a GPG private/public key-pair first:

gpg --gen-key

Follow the instructions. The defaults should be sufficiant for a first test. Something like this will appear:

gpg (GnuPG) 2.0.18; Copyright (C) 2011 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
        = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: File Encryption Key
Email address: admin@company.org
Comment: File Encryption Key
You selected this USER-ID:
    "File Encryption Key (File Encryption Key) "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

You will be asked for a passphrase to the key. It's highly recommended to use a strong one. It is not needed for encryption of files anyway, so don't be worried about the batch use later.

If everything is done, something like this will appear on your screen:

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key FE53C811 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   *****/******** 2013-03-19
      Key fingerprint = **** **** **** **** **** **** **** **** **** ****
uid                  File Encryption Key (File Encryption Key) 
sub   *****/******** 2013-03-19

Now you may want export the public keyfile for importing it on other machines:

gpg --armor --output file-enc-pubkey.txt --export 'File Encryption Key'

The File Encryption Key is the name I entered during the key generation procedure.

Now I'm using GnuPG on the newly created archive:

gpg --encrypt --recipient 'File Encryption Key' files.tar.gz

You now have a files.tar.gz.gpg file which is encrypted.

You can decrypt it with the following command (you will be asked for your passphrase):

gpg --output files.tar.gz --decrypt files.tar.gz.gpg

That's the whole magic.

Make sure you back up your key! And never forget your passphrase! If not backed up or forgotten, you have gigabytes of data junk!

Backup your private key with this command:

gpg --armor --output file-enc-privkey.asc --export-secret-keys 'File Encryption Key'

Advantages

  • None of the encrypters needs to know sensitive information about the encryption - encryption is done with the public key. (You can create the key pair on your local workstation and only transfer the public key to your servers)
  • No passwords will appear in script files or jobs
  • You can have as much as encrypters on any system you want
  • If you keep your private key and the passphrase secret, everything is fine and very very hard to compromise
  • You can decrypt with the private key on Unix, Windows and Linux platforms using the specific PGP/GPG implementation
  • No need for special privileges on encrypting and decrypting systems, no mounting, no containers, no special file systems
zero0
  • 1,407
  • 16
  • 14
  • 1
    Note that depending on the data, it could be faster to run `tar` without the `z` switch to avoid compressing it. – l0b0 Mar 19 '13 at 13:16
28

For my part, I mainly use two methods:

First method: tar and openssl

Tar the directory

tar cvf backup.tar /path/to/folder

You can remove the [v] switch from the tar command to switch off the verbose mode.

Encrypt

openssl aes-128-cbc -salt -in backup.tar -out backup.tar.aes -k yourpassword

You can change aes-128-cbc to any other cipher method openssl supports (openssl --help).

Decrypt

openssl aes-128-cbc -d -salt -in backup.tar.aes -out backup.restored.tar

It will ask for the password.

Second method: encrypted zip

zip -r -0 -e backup.zip /path/to/folder

It will ask for the password.

  • -r means recursively (whole folder tree)
  • -0 means store only (doesn't compress, faster)
  • -e means encrypt archive

One advantage of this: it will better operate with windows based system.

Julien R.
  • 381
  • 2
  • 2
22

If you don't want to encrypt your files with a public/private key pair and use just symmetric encryption with a pass phrase instead, use the following command:

gpg --symmetric --cipher-algo aes256 files.tar.gz

You will be asked for your pass phrase. After that an encrypted file named files.tar.gz.gpg is created.

To decrypt use the command

gpg --decrypt files.tar.gz.gpg > files.tar.gz
chiborg
  • 1,043
  • 2
  • 13
  • 26
2

You can use truecrypt very simple and nice solution. It has package for console only use. It's very simple to learn and use. http://www.truecrypt.org

B14D3
  • 5,110
  • 13
  • 58
  • 82
2

For such purpose I would suggest FUSE encryption (such as encfs) - for smaller data I would use gpg.

It is fs implemented in user space so you don't need any special privileges.

Maciej Piechotka
  • 667
  • 1
  • 6
  • 14
1

There are some Linux filesystems destined for data encrypting purpose. Have you already thought about LUX e.g.?

Guardian
  • 199
  • 4
1

A very simple way to encrypt one file is:

gpg -c filename.ext

You'll be asked for a passphrase twice, and gpg will create filename.ext.gpg. Upload the encrypted file to your cloud service. To recover the file use:

gpg filename.ext.gpg

Which will recreate filename.ext. Note that the unencrypted files are not secure, and the relevant data will remain on your storage medium even after deletion. Only the gpg container is secure. EncFS is a more practical alternative for cloud based encryption at the file level.

Bryce
  • 551
  • 5
  • 13