Linux File Encryption
Alternatives to File Encryption
Before we dive deeper into file encryption, let’s consider the alternatives and see whether file encryption is suitable for your needs. Sensitive data can be encrypted at different levels of granularity: full disk, filesystem level, database level and application level. This article does a good job of comparing these approaches; let’s summarize them.
Full disk encryption (FDE) makes sense for devices that are susceptible to physical loss or theft, such as laptops. But FDE does not protect your data from much else, including remote hacking attempts, and it is not suitable for encrypting individual files.
In the case of filesystem-level encryption, the file system performs the encryption itself. This can be accomplished by stacking a cryptographic file system on top of the main one, or the support may be built in. According to this wiki, some of the advantages are that each file can be encrypted with a separate key (managed by the system) and that additional access control is possible through public-key cryptography. Of course, this requires modifying the OS configuration and might not be suitable for all users. However, it offers protection suitable for most situations and is relatively easy to use. It is covered below.
Database-level encryption can target specific parts of the data, such as a particular column in a table. However, this is a specialized tool that deals with file contents rather than entire files and is thus outside the scope of this article.
Application-level encryption may be optimal when security policies require safeguarding specific data. An application can use encryption to protect data in many ways, and encrypting a file is certainly one of them. We will be discussing an application for encrypting files below.
Encrypting a file with an Application
There are several tools available for encrypting files under Linux. This article lists the most common alternatives. As of today, GnuPG seems to be the most straightforward choice. Why? Because, chances are, it is already installed on your system (unlike ccrypt), the command line is simple (unlike using openssl directly), it is very actively developed, and it is configured to use an up-to-date cipher (AES256 as of today).
If you don’t have gpg installed, you can install it using the package manager appropriate for your platform, such as apt-get:
$ sudo apt-get install gpg
Reading package lists... Done
Building dependency tree
Reading state information... Done
Encrypt a file with GnuPG:
$ cat secret.txt
Top Secret Stuff !
pi@raspberrypi: $ gpg -c secret.txt
pi@raspberrypi: $ file secret.txt.gpg
secret.txt.gpg: GPG symmetrically encrypted data (AES256 cipher)
pi@raspberrypi: $ gpg --decrypt secret.txt.gpg > secret.txt
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase
pi@raspberrypi: $ cat secret.txt
Top Secret Stuff !
Please note “AES256” above. This is the cipher used for encrypting the file in the example above. It is the 256-bit (secure for now) variant of the “Advanced Encryption Standard” (also known as Rijndael) cipher. Check out this Wikipedia article for more information.
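The cipher name that file and gpg print above is read from the first packet of the OpenPGP message, so it can be checked without decrypting anything. The script below is an added example, not code from this article or from GnuPG: it parses the packet framing described in RFC 4880 (sections 4.2 and 5.3) and reports the cipher, the string-to-key hash and the iteration count of a gpg -c output file. It covers both the AES256 case shown here and the CAST5 default of older gpg 1.x mentioned in the TecMint article further down. The two sample byte strings are constructed by hand, not real gpg output; the cipher, hash and packet-tag tables are the RFC 4880 registry values.

```python
"""Report which cipher and key-derivation settings a `gpg -c` output uses.

Added example: parses OpenPGP packet headers (RFC 4880) without decrypting.
The two sample files at the bottom are constructed byte strings, not real
gpg output.
"""
import struct
import sys

CIPHERS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "Blowfish",
           7: "AES128", 8: "AES192", 9: "AES256", 10: "Twofish"}
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
          9: "SHA384", 10: "SHA512", 11: "SHA224"}
TAGS = {3: "Symmetric-Key Encrypted Session Key",
        9: "Symmetrically Encrypted Data (no integrity protection)",
        18: "Symmetrically Encrypted Integrity Protected Data"}


def parse_packets(data: bytes) -> list:
    """Split an OpenPGP message into (tag, body) pairs.

    Handles old- and new-format headers with definite lengths; partial body
    lengths (used when gpg streams large files) are rejected explicitly
    rather than mis-parsed.
    """
    packets, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"byte {pos:#x} is not an OpenPGP packet header")
        if ctb & 0x40:                      # new-format header
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
            else:
                raise ValueError("partial body lengths are not supported here")
        else:                               # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 0:
                length, hdr = data[pos + 1], 2
            elif ltype == 1:
                length, hdr = struct.unpack(">H", data[pos + 1:pos + 3])[0], 3
            elif ltype == 2:
                length, hdr = struct.unpack(">I", data[pos + 1:pos + 5])[0], 5
            else:                           # indeterminate: runs to end of input
                length, hdr = len(data) - pos - 1, 1
        body = data[pos + hdr:pos + hdr + length]
        if len(body) != length:
            raise ValueError(f"packet at {pos:#x} is truncated")
        packets.append((tag, body))
        pos += hdr + length
    return packets


def s2k_count(coded: int) -> int:
    """Decode the one-octet iteration count of an iterated-and-salted S2K."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def describe_skesk(body: bytes) -> dict:
    """Describe a version-4 Symmetric-Key Encrypted Session Key packet."""
    version, cipher_id, s2k_type, hash_id = body[0], body[1], body[2], body[3]
    if version != 4:
        raise ValueError(f"unsupported SKESK version {version}")
    info = {"cipher": CIPHERS.get(cipher_id, f"unknown({cipher_id})"),
            "hash": HASHES.get(hash_id, f"unknown({hash_id})")}
    if s2k_type == 0:                       # simple: hash(passphrase) only
        info["s2k"], rest = "simple", body[4:]
    elif s2k_type == 1:                     # salted
        info["s2k"], info["salt"], rest = "salted", body[4:12].hex(), body[12:]
    elif s2k_type == 3:                     # iterated and salted (what gpg emits)
        info["s2k"], info["salt"] = "iterated+salted", body[4:12].hex()
        info["iterations"], rest = s2k_count(body[12]), body[13:]
    else:
        raise ValueError(f"unknown S2K specifier {s2k_type}")
    # If nothing follows the S2K, the derived key itself is the session key.
    info["session_key_encrypted"] = len(rest) > 0
    return info


def inspect(data: bytes) -> list:
    """Return one dict per packet; SKESK packets carry cipher/S2K details."""
    report = []
    for tag, body in parse_packets(data):
        entry = {"tag": tag, "name": TAGS.get(tag, f"tag {tag}")}
        if tag == 3:
            entry.update(describe_skesk(body))
        if tag == 9:
            entry["warning"] = "no MDC: plaintext integrity is not protected"
        report.append(entry)
    return report


# Constructed sample 1: modern `gpg -c` layout (AES256, SHA1 S2K, coded count
# 0xFF = 65011712 iterations) followed by a SEIPD packet of filler bytes.
SAMPLE_AES256 = bytes.fromhex(
    "c30d" "04" "09" "03" "02" "0102030405060708" "ff" "d211" "01" + "00" * 16)
# Constructed sample 2: gpg 1.x style, old-format header, CAST5, 65536 iterations.
SAMPLE_CAST5 = bytes.fromhex(
    "8c0d" "04" "03" "03" "02" "a1a2a3a4a5a6a7a8" "60" "d211" "01" + "ff" * 16)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_AES256
    for entry in inspect(blob):
        print(entry)
```

Run it with the path of a .gpg file as the only argument to inspect a real file; with no argument it reports on the constructed AES256 sample. A tag 9 packet instead of tag 18 means the file was written without a modification detection code, which older configurations allowed.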
Setting up Filesystem-level Encryption
According to this fscrypt wiki page, the ext4 filesystem has built-in support for file encryption. It uses the fscrypt API to communicate with the OS kernel (assuming the encryption feature is enabled on the filesystem). Encryption is applied at directory level, and the system can be configured to use different keys for different directories. When a directory is encrypted, so are its file names, file contents and subdirectories (including filename-related metadata). Other metadata, such as timestamps, is not encrypted. Note: this functionality became available in the Linux 4.1 release.
While this README has the full instructions, here is a brief overview. The system is built around the concepts of “protectors” and “policies”. A “policy” is the actual key used (by the OS kernel) to encrypt a directory. A “protector” is a user passphrase or equivalent that is used to protect policies. This two-level system allows controlling users’ access to directories without having to re-encrypt every time there is a change in the user accounts.
A common use case would be setting up an fscrypt policy that encrypts a user’s home directory with their login passphrase (obtained via PAM) as the protector. Doing so adds an additional level of security and allows safeguarding the user’s data even if a would-be attacker managed to get admin access to the system. Here is an example illustrating what setting it up would look like:
/secret_stuff/
Should we create a new protector? [y/N] y
The following protector sources are available:
1 - Your login passphrase (pam_passphrase)
2 - A custom passphrase (custom_passphrase)
3 - A raw 256-bit key (raw_key)
Enter the source number for the new protector [2 - custom_passphrase]: 1
Enter login passphrase for pi:
"/home/pi/secret_stuff" is now encrypted, unlocked, and ready for use.
This could be completely transparent to the user once set up. The user could add an additional level of security to some subdirectories by specifying different protectors for them.
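The protector/policy split described above is easiest to see in working code. The following is an added example, not fscrypt’s own code or on-disk format: a policy key encrypts the directory’s contents, and each protector (a passphrase run through PBKDF2) only wraps that 32-byte policy key. Rotating the login passphrase or granting a second protector access therefore re-wraps a few bytes and never touches the encrypted files. The wrapping and file encryption use an HMAC-SHA256 keystream with an HMAC tag as a standard-library stand-in for the authenticated cipher a real implementation would use; the passphrases, file name and PBKDF2 iteration count are constructed values.

```python
"""Two-level key hierarchy of the kind fscrypt uses: protectors wrap policies.

Added example, not fscrypt's code.  Symmetric primitives are built from the
standard library (HMAC-SHA256 keystream + HMAC tag) as a stand-in for a real
AEAD; this is an illustration of the key hierarchy, not fscrypt's format.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # constructed value for the example


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR)."""
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; wrong key or tampering raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def protector_key(passphrase: str, salt: bytes) -> bytes:
    """Derive a protector's wrapping key from a passphrase (PAM login or custom)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS)


class EncryptedDirectory:
    """One directory under one policy; any number of protectors may unlock it."""

    def __init__(self):
        self.policy_key = os.urandom(32)   # the key the kernel would actually use
        self.protectors = {}               # name -> (salt, wrapped policy key)
        self.files = {}                    # file name -> sealed contents

    def add_protector(self, name: str, passphrase: str) -> None:
        salt = os.urandom(16)
        wrapped = seal(protector_key(passphrase, salt), self.policy_key)
        self.protectors[name] = (salt, wrapped)

    def remove_protector(self, name: str) -> None:
        del self.protectors[name]

    def unlock(self, name: str, passphrase: str) -> bytes:
        """Unwrap the policy key with one protector; fails on a wrong passphrase."""
        salt, wrapped = self.protectors[name]
        return open_(protector_key(passphrase, salt), wrapped)

    def write(self, name: str, data: bytes) -> None:
        self.files[name] = seal(self.policy_key, data)

    def read(self, name: str, policy_key: bytes) -> bytes:
        return open_(policy_key, self.files[name])


def demo() -> dict:
    """Set up a directory, rotate the login passphrase, add a second protector."""
    d = EncryptedDirectory()
    d.add_protector("pi-login", "old login passphrase")          # constructed
    d.write("notes.txt", b"Top Secret Stuff !")
    stored_before = d.files["notes.txt"]

    # Passphrase rotation re-wraps the policy key; file data is untouched.
    d.remove_protector("pi-login")
    d.add_protector("pi-login", "new login passphrase")
    # A second protector (custom passphrase) for the same policy, no re-encryption.
    d.add_protector("recovery", "custom passphrase kept offline")

    try:
        d.unlock("pi-login", "old login passphrase")
        old_rejected = False
    except ValueError:
        old_rejected = True

    return {
        "data_rewritten": d.files["notes.txt"] != stored_before,
        "old_passphrase_rejected": old_rejected,
        "read_via_login": d.read("notes.txt", d.unlock("pi-login", "new login passphrase")),
        "read_via_recovery": d.read("notes.txt", d.unlock("recovery", "custom passphrase kept offline")),
        "protector_count": len(d.protectors),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point to notice in demo() is the first two result fields: the stored ciphertext is byte-for-byte unchanged after the passphrase rotation, while the old passphrase no longer unwraps anything. This is exactly why the directory does not need to be re-encrypted when accounts or passphrases change.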
Conclusion
Encryption is a deep and complex subject; there is much more to cover, and it is a rapidly evolving field, especially with the advent of quantum computing. It is crucial to keep up with new developments, as what is secure today could be cracked in a few years. Be assiduous and pay attention to the news.
Works Cited
- Selecting the Right Encryption Approach. Thales eSecurity Newsletter, 1 Feb 2019
- Filesystem-level encryption. Wikipedia, 10 Jul 2019
- 7 Tools to Encrypt/Decrypt and Password Protect Files in Linux. TecMint, 6 Apr 2015
- Fscrypt. Arch Linux Wiki, 27 Nov 2019
- Advanced Encryption Standard. Wikipedia, 8 Dec 2019
About the author
Sasha Fedyukin
I was born in Tyumen, Russia, in 1979. I came to the US to finish a degree in Electrical Engineering in 1998 (exchange program). Graduated and decided to pursue an MS in Computer Science in 2001. Finished it in 4 years while working as a Software Engineer part time. Continued working full time until 2008, then left for Yahoo!. Spent 9 years in Silicon Valley, met my wife there and decided to move to the Seattle, WA area. Have lived in WA ever since while doing gigs as a freelance writer and software engineer.
7 Tools to Encrypt/Decrypt and Password Protect Files in Linux
Encryption is the process of encoding files in such a way that only those who are authorized can access them. Mankind has used encryption for ages, even before computers existed. During wars, people would pass messages that only their tribe or those concerned were able to understand.
Linux distributions provide a few standard encryption/decryption tools that can prove handy at times. In this article we cover 7 such tools with standard examples, which will help you encrypt, decrypt and password-protect your files.
If you are interested in knowing how to generate random passwords in Linux, you may like to visit the link below:
1. GnuPG
GnuPG stands for GNU Privacy Guard and is often called GPG. It is a collection of cryptographic software written by the GNU Project in the C programming language. The latest stable release is 2.0.27.
In most of today’s Linux distributions the gnupg package comes installed by default; if it is not, you may install it from the repository with apt or yum.
We have a text file (tecmint.txt) located at /Desktop/Tecmint/, which will be used in the examples that follow in this article.
Before moving further, check the content of the text file.
Now encrypt the tecmint.txt file using gpg. As soon as you run the gpg command with option -c (encrypt only with a symmetric cipher), it creates the file tecmint.txt.gpg. You may list the contents of the directory to verify.
Note: enter the passphrase twice to encrypt the given file. The above encryption was done with the CAST5 encryption algorithm automatically. You may optionally specify a different algorithm.
To see all the encryption algorithms available, you may run:
Now, if you want to decrypt the above encrypted file, you may use the following command. Before we start decrypting, we first remove the original file, i.e. tecmint.txt, and leave the encrypted file tecmint.txt.gpg untouched.
Note: you need to provide the same passphrase you gave at encryption when prompted during decryption.
2. bcrypt
bcrypt is a key derivation function based on the Blowfish cipher. The Blowfish cipher has not been recommended since it was found that the cipher algorithm can be attacked.
If you have not installed bcrypt, you may apt or yum the required package.
Encrypt the file using bcrypt.
As soon as you run the above command, a new file named tecmint.txt.bfe is created and the original file tecmint.txt is replaced.
Decrypt the file using bcrypt.
Note: bcrypt does not offer a secure form of encryption, and hence its support has been disabled, at least on Debian Jessie.
3. ccrypt
Designed as a replacement for UNIX crypt, ccrypt is a utility for encrypting and decrypting files and streams. It uses the Rijndael cipher.
If you have not installed ccrypt, you may apt or yum it.
Encrypt a file using ccrypt. It provides ccencrypt to encrypt and ccdecrypt to decrypt. It is important to notice that at encryption the original file (tecmint.txt) is replaced by tecmint.txt.cpt, and at decryption the encrypted file (tecmint.txt.cpt) is replaced by the original file (tecmint.txt). You may like to use the ls command to check this.
Provide the same password you gave during encryption to decrypt.
4. Zip
Zip is one of the most famous archive formats; it is so well known that we generally call archive files “zip files” in day-to-day communication. It uses the PKZIP stream cipher algorithm.
If you have not installed zip, you may like to apt or yum it.
Create an encrypted zip file (several files grouped together) using zip.
Here mypassword is the password used to encrypt it. An archive is created with the name tecmint.zip containing the zipped files tecmint.txt, tecmint1.txt and tecmint2.txt.
Decrypt the password-protected zip file using unzip.
You need to provide the same password you provided at encryption.
5. Openssl
Openssl is a command line cryptographic toolkit which can be used to encrypt messages as well as files.
You may like to install openssl if it is not already installed.
Encrypt a file using openssl encryption.
Explanation of each option used in the above command:
- enc : encryption
- -aes-256-cbc : the algorithm to be used.
- -in : full path of the file to be encrypted.
- -out : full path of the output file.
Decrypt a file using openssl.
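What openssl enc does with the passphrase before -aes-256-cbc is ever applied is worth seeing, because it is where the strength of the resulting file is decided. The following is an added example, not from the article or from OpenSSL’s code: it parses the “Salted__” header that openssl enc writes, then derives the key and IV the way openssl does, both with the legacy default (EVP_BytesToKey, one round of MD5 per block) and with the -pbkdf2 option (PBKDF2-HMAC-SHA256, 10000 iterations by default in OpenSSL 1.1.1 and later). Only the header and key derivation are reproduced; the AES-CBC step itself needs a crypto library and is left out. The sample file bytes and passphrase are constructed.

```python
"""How `openssl enc -aes-256-cbc` turns a passphrase into a key and IV.

Added example, not from the article.  The salted file format is
"Salted__" || 8-byte salt || ciphertext.  Sample bytes are constructed.
"""
import hashlib

KEY_LEN, IV_LEN = 32, 16            # aes-256-cbc: 256-bit key, 128-bit IV
DEFAULT_PBKDF2_ITER = 10000         # openssl enc -pbkdf2 default


def parse_header(blob: bytes):
    """Split an `openssl enc` salted file into (salt, ciphertext)."""
    if blob[:8] != b"Salted__":
        raise ValueError("not an `openssl enc` salted file")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(passphrase: bytes, salt: bytes,
                     key_len: int = KEY_LEN, iv_len: int = IV_LEN):
    """Legacy derivation: D_1 = MD5(pass||salt), D_i = MD5(D_{i-1}||pass||salt).

    One unsalted-style MD5 round per 16-byte block: fast to brute-force,
    which is why newer OpenSSL warns when -pbkdf2 is not given.
    """
    d, prev = b"", b""
    while len(d) < key_len + iv_len:
        prev = hashlib.md5(prev + passphrase + salt).digest()
        d += prev
    return d[:key_len], d[key_len:key_len + iv_len]


def pbkdf2_key(passphrase: bytes, salt: bytes, iterations: int = DEFAULT_PBKDF2_ITER,
               key_len: int = KEY_LEN, iv_len: int = IV_LEN):
    """Derivation used with -pbkdf2: key||iv from PBKDF2-HMAC-SHA256 in one call."""
    d = hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, key_len + iv_len)
    return d[:key_len], d[key_len:key_len + iv_len]


def derive(blob: bytes, passphrase: bytes, pbkdf2: bool = False) -> dict:
    """Parse the header and report the key material openssl would use."""
    salt, ciphertext = parse_header(blob)
    key, iv = (pbkdf2_key if pbkdf2 else evp_bytes_to_key)(passphrase, salt)
    return {"salt": salt.hex(), "key": key.hex(), "iv": iv.hex(),
            "kdf": "PBKDF2-HMAC-SHA256" if pbkdf2 else "EVP_BytesToKey (MD5)",
            "ciphertext_len": len(ciphertext)}


# Constructed sample: header + salt + 32 bytes standing in for the ciphertext.
SAMPLE_FILE = b"Salted__" + bytes.fromhex("0011223344556677") + b"\x00" * 32

if __name__ == "__main__":
    for mode in (False, True):
        print(derive(SAMPLE_FILE, b"constructed passphrase", pbkdf2=mode))
```

Feed a real file produced by openssl enc to derive() and the salt printed will match what openssl -p would show. The practical takeaway is the kdf field: files written without -pbkdf2 rest on a single MD5 pass, so add -pbkdf2 (and a high -iter) to the encryption and decryption commands when your OpenSSL supports it.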
6. 7-zip
The very famous open source 7-zip archiver is written in C++ and is able to compress and decompress most known archive file formats.
If you have not installed 7-zip, you may like to apt or yum it.
Compress files into a zip archive using 7-zip and encrypt it.
Decompress the encrypted zip file using 7-zip.
Note: provide the same password throughout the encryption and decryption process when prompted.
All the tools we have used so far are command-line based. There is a GUI-based encryption tool provided by Nautilus, which will help you encrypt/decrypt files using a graphical interface.
7. Nautilus Encryption Utility
Steps to encrypt files in GUI using Nautilus encryption utility.
Encryption of file in GUI
1. Right click the file you want to encrypt.
2. Select format to zip and provide location to save. Provide password to encrypt as well.
Encrypt File Using Nautilus
3. Notice the message – encrypted zip created successfully.
Encrypted Zip File Confirmation
Decryption of file in GUI
1. Try opening the zip in the GUI. Notice the lock icon next to the file. It will prompt for the password; enter it.
Decryption of File
2. When successful, it will open the file for you.
Decryption Confirmation
That’s all for now. I’ll be here again with another interesting topic. Till then, stay tuned and connected to Tecmint. Don’t forget to provide us with your valuable feedback in the comments below. Like and share us and help us spread the word.