What is the easiest way to encrypt a dir? (on Ubuntu)

What is the easiest way to encrypt a directory on a Ubuntu based system?

Let's say I have a laptop that is running Ubuntu 10.04, and on that I have some documents that should be kept safe (if I lose the laptop).

Let's say all to documents is in a dir called ~/work/, and nothing secret is outside this dir. So no need to encrypt the entire home dir.

There shall be a way to lock/unlock this dir from the command line.

There seem to be some different ways of doing this:

ecryptfs-utils
cryptsetup
truecrypt (however not OSI approved open source)

But what is the easiest and most reliable method?

Thanks Johan

Update: Related question, but not the same What's the easiest way to encrypt all of my files in ubuntu 10.04?

Johan

Posted 2010-08-29T10:33:43.073

Reputation: 4 827

2Who cares if Truecrypt isn't OSI approved? OSI approved does not equal better software. Truecrypt is the best around and has even thwarted the FBI in several cases. – TheLQ – 2010-08-29T15:04:11.220

3Software that uses OSI approved licenses feels safer. – Johan – 2010-08-29T19:41:08.910

@TheLQ, @Johan: http://superuser.com/questions/164162/is-truecrypt-truly-safe

– Hello71 – 2010-08-29T20:01:37.417

Answers

There are three methods: set up an encrypted volume on a partition (dm-crypt, configured with cryptsetup), set up a file which is an encrypted volume (truecrypt), set up a directory where each file is encrypted separately (ecryptfs or encfs).

Setting up an encrypted volume gives a little more confidentiality, because the metadata (size, modification time) of your files is invisible. On the downside, it's less flexible (you have to decide on the size of the encrypted volume in advance). The ecryptfs FAQ lists some differences between the two approaches.

If you elect to encrypt file by file, I'm aware of two options: ecryptfs and encfs. The former uses an in-kernel driver while the latter uses FUSE. This may give ecryptfs a speed advantage; it gives encfs a flexibility advantage as nothing needs to be done as root. A possible benefit of ecryptfs is that once you've done the initial setup, you can use your login password as a filesystem password thanks to the pam_ecryptfs module.

For my own use in a similar situation, I chose encfs, because I didn't see any actual security benefit to other solutions so ease-of-use was the determining factor. Performance hasn't been a problem. The workflow is very simple (the first run of encfs creates the filesystem):

aptitude install encfs
encfs ~/.work.encrypted ~/work
... work ...
fusermount -u ~/work

I recommend you also encrypt your swap space and any place where temporary confidential files may be written to, such as /tmp and /var/spool/cups (if you print confidential files). Use cryptsetup to encrypt your swap partition. The easiest way of dealing with /tmp is to keep it in memory by mounting it as tmpfs (this may give a slight performance benefit in any case).

Gilles 'SO- stop being evil'

Posted 2010-08-29T10:33:43.073

Reputation: 58 319

I did not think about /tmp, but tmpfs solves this problem in a nice way. Just do real shutdown:s. – Johan – 2010-08-29T19:37:47.033

1Thanks for teaching encfs! This is fantastic! – user39559 – 2010-09-09T17:58:47.807

Quick and easy way is to tar and compress and then bcrypt.

tar cfj safe-archive.tar.bz2 Directory/ 
bcrypt safe-archive.tar.bz2 
# will ask you an 8 char password twice to lock it up.
# But, remember to delete your Directory after this,
rm -rf Directory/ 
# And, I hope you don't forget the password, or your data is gone!

Makes safe-archive.tar.bz2.bfe -- which you can rename if you feel paranoid about it.

To open the encrypted pack,

bcrypt safe-archive.tar.bz2.bf3 # Or, whatever you called it
tar xfj safe-archive.tar.bz2 
# And, your directory is back!

If you are ready to get more messy, I'd suggest truecrypt, and making encrypted volumes.
But, I don't think that is necessary for regular data (like not related to national security, say).

^{ps: note that I am not suggesting bcrypt is weak or incapable of national security in any way.}

Reply to the comments on my answer above.
I tried to give a simple answer -- and, I do agree that my choice of not suggesting Truecrypt as the first option may be inappropriate to some here.

The question asks for an easy way to encrypt a directory.
My measure of security here is based on two things,

What do you want to secure and
Who do you want to secure it from

I rate this as the level of your 'paranoia'.

Now, without saying Truecrypt (or other similar methods) are costlier,
all I want to say is, a bcrypt sequence run in tmpfs is sufficient for your daily use today
(it won't be so, probably, in about a decade, I guess, but it really is for now).
And, I also assume that the value of data being secured here is not going to be comparable for a mona-lisa class 'recovery' attempt.

Simple question then -- do you expect someone to try grabbing your powered-off laptop and attempt recovering data from its cold RAM space?
If you do, you probably ought to reconsider your hardware and software in the first place, check which ISP you connect to, who can hear your key-presses, and so on.

^{ps: I like Truecrypt and use it. The OSI compliance, or lack of it, does not really matter. And, I am not staging bcrypt and the scheme proposed here in competition to it.}

nik

Posted 2010-08-29T10:33:43.073

Reputation: 50 788

2While I give the answer +1, for the truely paranoid among us ... depending on the value of your data this could be a bad idea. The user must realise that this method obviously leaves the deleted directory's files on disk where they can potentially be recovered by the "bad guys". Just look around SU for "recover deleted files in Linux" to see how safe that is... – hotei – 2010-08-29T13:15:30.670

@hotei, yes, Truecrypt will tackle such complications. Another trick would be to use a tmpfs mount on RAM for working with the encrypted directory -- copy the bfe to ramdisk, work with it there, encrypt again and save the encrypted archive back to file system. – nik – 2010-08-29T14:08:07.623

2I would go a step farther than @hotei did and say that this doesn't actually quality as encryption since its so easy to recover the files (there is an entire market dedicated to file recovery). Encryption needs to be encryption. This is only a false sense of encryption – TheLQ – 2010-08-29T15:02:59.973

@TheLQ, which part of bcrypt on tmpfs or Truecrypt handling do you find is not encryption? – nik – 2010-08-29T17:37:24.320

@nik I was talking about the content of your answer, not your comment. – TheLQ – 2010-08-29T18:25:51.457

2@nik: Not only is the method in your answer insecure as hotei has explained, it's also error-prone (what if you forget to remove the decrypted files?). Even your proposal of using tmpfs is very risky: what if you forget to reencrypt the files and lose your modifications? what if the computer crashes (you'll lose all your modifications)? It's also needlessly complicated. There are many actual ways to solve this problem using appropriate tools, just use one of them. – Gilles 'SO- stop being evil' – 2010-08-29T19:02:01.993

1@nik There was an exhibition at a nearby university that showed that even after an hour of the RAM being off, you can still make out a picture of the Mona Lisa that was loaded into memory. Unless you reboot the machine immediately afterwards, it's super easy to recover the data from RAM. Truecrypt, IIRC, encrypts its RAM. – digitxp – 2010-08-29T19:25:49.747

@digitxp RAM is indeed a possible way to leak data, but frankly it's on another level. Where is truecrypt's key is written by the way? One could retrieve the key from the RAM if the computer is suddenly powered off. – user39559 – 2010-09-17T11:37:53.017

@user39 The computer doesn't even have to be suddenly powered off, per the experiment. You can wait as long as 5 minutes after. – digitxp – 2010-09-17T23:24:09.353

I exclusively use TrueCrypt for such things. OSI-approved or not, I find it's never let me down, and I -have- needed encryption multiple times.

easyegoism

Posted 2010-08-29T10:33:43.073

Reputation: 89

If you are only worried about losing your laptop, Ubuntu has ecryptfs already set up for you.

Just choose "encrypted home directory" when you create your user account and give it a decent password. This will protect whatever is inside your home folder.

Yes, it will encrypt more than ~/work, but it's seamless.

For the /tmp use tmpfs.

Pros:

You don't need to do anything else, Ubuntu does everything for you.
Your friends may use your computer on-the-go, they will only need a password if they want to access your files.

Con:

There are other places where you make leak data -- Gilles' answer is the most complete (+1 for him).

So, if you don't think some forensic expert will try to get data from stuff you have printed, this is good enough.

ecryptfs can encrypt the swap as well, but I recommend you just disable swap unless it has happened to you that you went out of RAM. Life is better without swap. (or just run ecryptfs-setup-swap and follow the instructions to change fstab)

Warning: In any case, unless you just got this laptop, there is already lots of stuff written to your hard disk. I found a bunch of stuff in mine and nothing would clear it out. You need to make a backup to another drive or partition, overwrite your current filesystem with zeros, and restore your files (of course, only restore the sensitive files after the encryption is set up).

user39559

Posted 2010-08-29T10:33:43.073

Reputation: 1 783

The easiest, fastest way to set this up is to install ecryptfs-utils and cryptkeeper:

sudo apt-get install ecryptfs-utils cryptkeeper

Then, once done, look in your systray. You'll see an icon of two keys. Click it and choose New Encrypted Folder. Type in the name and click the Forward button (oddly in the bottom left, not right). Then, type in the password you want, reconfirm it, and click Forward again, and then OK.

This will mount the encrypted folder and you can copy files into it. When done, if you logout or uncheck that mounted folder (click the Keys icon in the systray to do so), it will require a password again before you remount it.

Volomike

Posted 2010-08-29T10:33:43.073

Reputation: 691