Under Linux, is it possible to encrypt a folder/partition in a way that it is not accessible to anyone without the password?

I was reviewing the different alternatives I have (like ext4 encryption) but I think all of them are vulnerable for root to just enter into my home account and see what's stored in there, which is something really easy to do when someone gets ahold of the computer.

I'm looking for a way to make my files unaccesible, even for root, even if someone takes on the bare metal. I'm willing to risk losing my data if I forget the key, that's not an issue, it's actually desirable.

almosnow

Posted 2016-03-11T11:36:45.063

Reputation: 265

Answers

eCryptFS can encrypt your home folder (& subfolders), and automatically decrypt with your login passphrase - root can't just change your passphrase, it needs your actual login passphrase. The ecryptfs-migrate-home script/tool can encrypt an existing home, or many distributions can encrypt a home when a new user's created. It's available for most distributions, Debian, Mint & Ubuntu derived, Arch, Gentoo, etc. And is free to expand it's size.

Or, it can use just a single encrypted "Private" folder too, with ecryptfs-setup-private
EncFS encrypts a folder too, but may need more customization for secure auto-decrypt.
LUKS or plain dm-crypt uses a container file or device, of a fixed size, not as easy to expand as the above file-based solutions, but it doesn't reveal as much info (file number & approximate size) either
TrueCrypt or derivatives work similar to LUKS
Many distributions can also be installed with "full disk encryption" (usually using LUKS & LVM), that requires the correct passphrase entered at boot. It's a good solution for a single-user ("personal") computer that doesn't need to reboot all by itself, but on a multi-user computer it would be "decrypted" to every other user too.

Xen2050

Posted 2016-03-11T11:36:45.063

Reputation: 12 097

You can use dm-crypt for that. You need to create an empty file which will be used as a storage device. You can create one with a specific size with either dd or for example fallocate:

fallocate -l 512M /home/user/cryptedDevice` 
dd if=/dev/zero of=/home/user/cryptedDevice bs=1M count=512

This will create a 512 MB file in your home directory called cryptedDevice. Then you can set luks on top of that file cryptsetup -y luksFormat /home/user/cryptedDevice With Luks you can easily change size of the container etc.

To open the crypted file you can do: cryptsetup luksOpen /home/user/cryptedDevice someDeviceName

Then you need to format this partition with a file system: mkfs.ext4 -j /dev/mapper/someDeviceName

And after that you can simply mount that device to a folder: mount /dev/mapper/someDeviceName /mnt/.

Reference digitalocean

mstruebing

Posted 2016-03-11T11:36:45.063

Reputation: 256

Is it possible to mount that file automatically on startup? So, my service could be running even if the machine is rebooted. – almosnow – 2016-03-11T19:00:23.933

1Then the file is always decrypted, so it is not the solution you seek for, or I am missing something? – mstruebing – 2016-03-11T20:32:21.317

Yeah, it wouldn't work for my scenario. Is there a way to "lock up" a Linux deployment in a way that no one else can access into it? – almosnow – 2016-03-11T21:11:33.287