How to encrypt files and directories on a Linux system

Source: Internet
Author: User
Tags file system arch linux

Encryption type

We have two main methods of encrypting files and directories. One is file system level encryption, in which you can selectively encrypt certain files or directories (e.g.,/home/alice). This is a very good way for me, and you don't have to reinstall everything to enable or test encryption. However, there are some drawbacks to file system-level encryption. For example, many modern applications cache (partially) files in unencrypted portions of your hard disk, such as swap partitions,/tmp, and/var folders, which can cause privacy leaks.

Another way is the so-called total encryption, which means that the entire disk will be encrypted (possibly except for the master boot record). Full encryption work at the physical disk level, each bit written to the disk is encrypted, and anything read from the disk is decrypted in the run. This prevents any potential unauthorized access to unencrypted data and ensures that everything in the entire file system is encrypted, including swap partitions or any temporary cached data.

Available encryption Tools

To implement encryption in Linux, there are several tools to choose from. In this tutorial, I intend to introduce one of these: Ecryptfs, a user-space File system encryption tool. A summary of the encryption tools available on Linux is provided below for your reference.

File system level Encryption

EncFS: One of the easiest ways to try encryption. ENCFS works on a fuse-based pseudo file system, so you just need to create an encrypted folder and mount it to a folder to work.

ECRYPTFS: A POSIX compliant Encrypting File System, ECRYPTFS works the same way as ENCFS, so you have to mount it.

Disk-level encryption

Loop-aes: The oldest method of disk encryption. It's really fast and applies to old systems (such as the 2.0 Kernel branch).

Dmcrypt: The most common disk encryption scheme that supports the modern Linux kernel.

Ciphershed: An open source branch of the TrueCrypt disk encryption program that has been stopped.

ECRYPTFS Foundation

ECRYPFS is a fuse user-space Encrypting File system that is available as a ENCRYPTFS module in the Linux kernel 2.6.19 and later versions. The Ecryptfs encrypted pseudo file system is mounted to the top of the current file system. It works well in the Ext file system family and other file systems such as JFS, XFS, ReiserFS, Btrfs, and even nfs/cifs shared file systems. Ubuntu uses Ecryptfs as the default method for encrypting its home directory, ChromeOS. At the bottom of the ECRYPTFS, the AES algorithm is used by default, but it also supports other algorithms, such as Blowfish, Des3, Cast5, and Cast6. If you are creating ecryptfs settings by hand, you can choose one of these algorithms.

Like I did, Ubuntu lets us choose whether to encrypt the/home directory during the installation process. Well, this is one of the easiest ways to use ECRYPTFS.

Ubuntu provides a user-friendly toolset that allows us to make life easier through ECRYPTFS, but enabling Ecryptfs during the Ubuntu installation creates only one of the preconfigured settings that you specify. So, if the default settings are not appropriate for your needs, you need to set them manually. In this tutorial, I'll explain how to manually set up Ecryptfs on a mainstream Linux distribution.

Installation of Ecryptfs

Debian,ubuntu or its derivative version:

The code is as follows:

$ sudo apt-get install Ecryptfs-utils

Note that if you select the encryption home directory during the Ubuntu installation process, the ECRYPTFS should already be installed.

CentOS, RHEL or Fedora:

The code is as follows:

# yum Install Ecryptfs-utils

Arch Linux:

The code is as follows:

$ sudo pacman-s ecryptfs-utils

After the package is installed, loading the ECRYPTFS kernel module will certainly be a good practice:

The code is as follows:

$ sudo modprobe ecryptfs

Configure Ecryptfs

Now let's start by encrypting some directories and running the ECRYPTFS Configuration tool:

The code is as follows:

$ ecryptfs-setup-private

It will require you to enter a login password and a mount password. The login password is the same as your regular login password, and the Mount password is used to derive a file encryption master key. It's safer to leave this blank to generate one (complex). Log out and login again.

You will notice that ECRYPTFS has created two directories in your home directory by default: private and. Private. ~/. The private directory contains encrypted data, and you can access the corresponding decrypted data in the ~/private directory. When you log in, ~/. The private directory is automatically decrypted and mapped to the ~/private directory, so you can access it. When you log out, the ~/private directory is automatically uninstalled, and the contents of the ~/private directory are encrypted back to ~/. Private directory.

How Ecryptfs know you have ~/. Private directory, and automatically decrypt it to the ~/private directory without requiring us to enter a password? This is the ghost of the Ecryptfs Pam module, which provides us with this convenience service.

If you don't want the ~/private directory to mount automatically when you log on, simply add the "--noautomount" option when you run the Ecryptfs-setup-private tool. Similarly, if you do not want the ~/private directory to automatically uninstall after logout, you can also automatically "--noautoumount" option. However, after that, you will need to manually mount or uninstall the ~/private directory yourself:

[/code]$ ecryptfs-mount-private ~/. Private ~/private

$ ecryptfs-umount-private ~/private

You can test it out. Whether the private folder is mounted and running:

The code is as follows:

$ mount

Now we can start putting any sensitive files into the ~/private folder, which will automatically be encrypted and locked in ~/as we log out. Private file.

All of this seems so magical. This is primarily a ecryptfs-setup-private tool to make everything easier. If you want to delve deeper and set the ecryptfs specified, go to the official document.


To sum up, if you are concerned about your privacy, it is best to combine encryption and overall encryption based on the Ecryptfs file system level. Remember that only file encryption does not guarantee your privacy.

Related Article

E-Commerce Solutions

Leverage the same tools powering the Alibaba Ecosystem

Learn more >

Apsara Conference 2019

The Rise of Data Intelligence, September 25th - 27th, Hangzhou, China

Learn more >

Alibaba Cloud Free Trial

Learn and experience the power of Alibaba Cloud with a free trial worth $300-1200 USD

Learn more >

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.