Quick, easy and transportable encryption in Linux

I have tried many types of encryption, and I've had issues with them all. For many reasons, some programs make it too complicated to access the data, while others require special software to be installed on the system before the data can be accessed. Others require fixed-size containers, which can create all sorts of issues if there is corruption or if the container needs to be resized.

Ultimately, I have settled on a system known as eCryptfs. Of course, this runs only on Linux. However, Windows and Mac users could access the encrypted data if a Linux server mounts the eCryptfs directory and exports the decrypted view over a Samba share. Bear in mind that the server is then serving the data in the clear, so the share's own access controls and transport protection are what guard it once it leaves the machine.

eCryptfs is a kernel-native, stacked cryptographic filesystem for Linux. This means it runs on top of an existing Linux install and its filesystem without reformatting anything. A stacked filesystem is one layered on top of an existing filesystem (such as a transparency laid over a page beneath): as data is written through the layer it is encrypted before it reaches the disk, and as it is read back it is decrypted on the fly.

The flexible part of eCryptfs is that it embeds the cryptographic metadata in the header of each file. Because every file carries its own metadata, any single file can be given to a friend, sent by e-mail or copied by any other means, and the recipient can decrypt it so long as they know the passphrase it was encrypted with. The recipient does still need eCryptfs itself (that is, a Linux machine): the file is recovered by mounting a directory containing it with the same passphrase and mount options, not with a general-purpose tool.

Most encryption programs are not this versatile. They require special software, or require that the file be separately encrypted so that it can be transmitted, and even then the recipient has to jump through many hoops to decrypt it. The only exception to this is PGP or GPG. GPG makes it very convenient to transmit files, but does not work well on large directories of files. eCryptfs bridges this gap very nicely. Also, because eCryptfs is a stacked filesystem, there is no preset container size: files and subdirectories placed in the encrypted directory simply consume space on the underlying filesystem like any other file (plus a small fixed header per file), so the directory can grow until the drive itself is full.

On Ubuntu (or any other Debian-based distro) the following steps set up an encrypted directory, whether it lives on your home filesystem or on a removable drive. eCryptfs works at the directory level: it does not encrypt a block device as a whole, so an entire drive is covered by encrypting a directory at its root, and a single file by placing it inside such a directory.

To begin encrypting and decrypting your data, simply install the ecryptfs utilities.

sudo apt-get install ecryptfs-utils

Once installed, create a directory mystuff (or any name you like). This is where you will store the data to be encrypted. The directory can be made anywhere: your home directory or any storage device (USB key or USB hard drive). It is important to note that mounting eCryptfs over a directory that already contains files does not encrypt them; they stay in the clear in the lower directory and, with plaintext passthrough disabled, cannot even be opened through the mount. So start with an empty directory, follow the steps below, then move the data from the original directory into the newly mounted one. You can rename the encrypted directory to match the original once the files have been moved and the original directory deleted (unmount first, since a mounted directory cannot be renamed, and update the path in your mount commands). Also bear in mind that the move is a copy-and-delete across filesystems, so the original plaintext blocks remain on the disk until they are overwritten; deleting the old directory does not scrub them.

mkdir ./mystuff

To be extra safe here, be sure only your Linux user has rights to the files in the directory. To accomplish this, simply change the permissions on the directory. The commands below assume you’re already in the directory where your new directory was just created (like your home directory). You may need to specify the full path to the directory if you’re not executing the command from that location.

chmod 700 ./mystuff

Now you just have to leverage the encryption already built into your Linux kernel. To do this, you lay the encrypted transparency, if you will, over the unencrypted directory. This is done by mounting an eCryptfs filesystem with the directory as both its lower (ciphertext) directory and its mount point.

sudo mount -t ecryptfs ./mystuff ./mystuff

This command mounts the encryption overlay on the very same directory. From this moment forward, any file written into mystuff is encrypted on its way to the disk, and any file read from it is decrypted on the fly. That stays true until the overlay is removed by unmounting it (more on this later); until then the files are readable like any others, with the encryption and decryption happening silently underneath.

Once the above command is executed, eCryptfs is going to ask some questions. The answers to these questions dictate the nature of the encryption.

It is perfectly safe to keep hitting <enter> on every one of these questions. This uses the defaults (a passphrase key, AES, a 16-byte key), which are well chosen. There is one exception, however. One question asks whether you would like to enable filename encryption, and the default answer is no. In many cases the filenames themselves reveal a lot about their contents, and that alone is more than many want exposed. For example, a file named "Bank Account PIN numbers 2009" would certainly be a target file and, while helpful for organizing your data, gives away too much to anyone able to get a directory listing. To prevent this, answer yes when eCryptfs asks about filename encryption (again, the default is to leave filenames in the clear). eCryptfs will then print a filename encryption key (FNEK) signature, which you will need later. Note also that encrypted names are longer than the originals, so the longest plaintext filename you can use drops to about 143 characters.

One other question that might confuse is the plaintext passthrough question. If enabled, this option allows non-encrypted files to be used inside the mount, which to me defeats the purpose of an encrypted directory. Accept the default answer: no.

At the end of the process, eCryptfs will warn that this is the first time you have used this passphrase and ask whether it may save a hash of it. Strictly, what it saves is the key signature (a short identifier derived from the passphrase, not the passphrase itself) in a sig-cache file, so that it can warn you about a mistyped passphrase on later mounts; because the mount runs under sudo, that file is root's ~/.ecryptfs/sig-cache.txt. It is safe to answer yes to this question. If keeping a hash of your passphrase is a source of concern, then I would encourage more research on the subject.

At this point you may write, read and delete as much data in that directory as you like. The files remain freely accessible until you dismount the encrypted layer, which leaves you with only the closed, encrypted files. To dismount the transparency, simply unmount the directory.

sudo umount ./mystuff

At this point the decrypted view is gone; what remains in the directory are the encrypted files themselves. You can list them, but if you enabled filename encryption the names are scrambled strings prefixed with ECRYPTFS_FNEK_ENCRYPTED., and the contents are ciphertext behind an eCryptfs header, incomprehensible without the passphrase. If umount reports that the target is busy, a shell or program still has the directory open; close it and try again.

To reopen your encrypted files, simply remount the directory as we did earlier. eCryptfs will then ask all the same questions it did before (key type, your passphrase, the cipher, the key length, passthrough and filename encryption) so that it knows the parameters of this particular encrypted directory, and it asks them every time you mount. Fortunately, everything except the passphrase entry can be supplied on the command line to speed up the process.

The command can be given ahead of time and written into an executable script (start the file with a #!/bin/sh line so it runs as a shell script):

#!/bin/sh
sudo mount -t ecryptfs /home/johnny/mystuff /home/johnny/mystuff -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y,ecryptfs_fnek_sig=ed221f243b153323

Be mindful of the last option in the command above, namely ecryptfs_fnek_sig. When you first encrypt your directory, eCryptfs prints the FNEK signature for that specific directory (or drive). You need to enter this unique value into your command so that you get a smooth and quick mount. Leave the passphrase itself out of the script: the mount helper does accept passphrase_passwd= and passphrase_passwd_file= options, but putting the secret in a script or on a command line exposes it to anyone who can read the file or the process list, and defeats the point of encrypting. Type the entire command into a text file (obviously replacing /home/johnny/mystuff with the actual path to your encrypted directory and entering your own ecryptfs_fnek_sig value), save it (I'll call mine crypt) and make it executable by typing:

chmod +x ./crypt

While you're at it, create a quick script to dismount the encrypted mount:

#!/bin/sh
sudo umount /home/johnny/mystuff

Then make it executable using the chmod command as shown above.
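The two one-line scripts above can be folded into a single script that also carries the checks a practitioner wants before touching the mount: refuse to mount if the directory is already mounted, refuse to lay the overlay over plaintext that was never moved out, and report cleanly when an unmount fails. The following is an added example written for this post; it is not part of ecryptfs-utils and not the author's own script. The path /home/johnny/mystuff and the signature ed221f243b153323 are the tutorial's placeholders, to be replaced with your own, and the ecryptfs_unlink_sigs option (documented in ecryptfs(7), not in the original command) is added so the keys are removed from the kernel keyring on unmount. The passphrase is deliberately never placed in the script; mount.ecryptfs still prompts for it.

```sh
#!/bin/sh
# crypt: mount or unmount the eCryptfs layer over one directory, prompting only for
# the passphrase. Added example for this tutorial; it is not part of ecryptfs-utils.
# CRYPT_DIR and FNEK_SIG are the tutorial's placeholders: replace them with your own
# path and the FNEK signature eCryptfs printed at the first interactive mount.
set -eu

CRYPT_DIR="${CRYPT_DIR:-/home/johnny/mystuff}"
FNEK_SIG="${FNEK_SIG:-ed221f243b153323}"

# Build the -o option string from a FNEK signature. A signature is 8 bytes printed as 16
# lowercase hex characters; anything else is refused here rather than letting mount.ecryptfs
# fall back to an interactive prompt halfway through the script. ecryptfs_unlink_sigs (from
# ecryptfs(7)) makes the helper drop the keys from the kernel keyring when the directory is
# unmounted. The passphrase itself is intentionally not part of this string.
ecryptfs_mount_opts() {
    sig="$1"
    if ! printf '%s' "$sig" | grep -Eq '^[0-9a-f]{16}$'; then
        echo "crypt: bad FNEK signature '$sig'" >&2
        return 1
    fi
    printf 'key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y,ecryptfs_fnek_sig=%s,ecryptfs_unlink_sigs' "$sig"
}

# Read a mount table in /proc/mounts format on stdin and report whether DIR is currently an
# ecryptfs mount point. Taking the table on stdin keeps this testable with a constructed table.
# /proc/mounts writes a space in a path as \040, so DIR must be given in that form.
is_ecryptfs_mounted() {
    awk -v d="$1" '$2 == d && $3 == "ecryptfs" { found = 1 } END { exit found ? 0 : 1 }'
}

# Count regular files under DIR whose names are not eCryptfs filename ciphertext (encrypted
# names carry the ECRYPTFS_FNEK_ENCRYPTED. prefix). Only meaningful while the directory is
# NOT mounted: mounting over plaintext does not encrypt it, so a non-zero count before
# mounting means files were left in the clear in the lower directory.
count_plaintext_files() {
    find "$1" -type f ! -name 'ECRYPTFS_FNEK_ENCRYPTED.*' -print0 | tr -dc '\0' | wc -c | tr -d ' '
}

do_mount() {
    if is_ecryptfs_mounted "$CRYPT_DIR" < /proc/mounts; then
        echo "crypt: $CRYPT_DIR is already mounted" >&2
        return 0
    fi
    plain=$(count_plaintext_files "$CRYPT_DIR")
    if [ "$plain" -ne 0 ]; then
        echo "crypt: $CRYPT_DIR holds $plain file(s) that are not eCryptfs ciphertext; move them out first" >&2
        return 1
    fi
    chmod 700 "$CRYPT_DIR"
    opts=$(ecryptfs_mount_opts "$FNEK_SIG")
    # mount.ecryptfs now asks only for the passphrase; every other parameter is supplied.
    sudo mount -t ecryptfs "$CRYPT_DIR" "$CRYPT_DIR" -o "$opts"
}

do_umount() {
    if ! is_ecryptfs_mounted "$CRYPT_DIR" < /proc/mounts; then
        echo "crypt: $CRYPT_DIR is not mounted" >&2
        return 0
    fi
    # umount reports "target is busy" if a shell or program still has the directory open.
    sudo umount "$CRYPT_DIR"
}

# Dispatch only when given an argument, so the functions above can also be sourced.
case "${1:-}" in
    mount)  do_mount ;;
    umount) do_umount ;;
    '')     ;;
    *)      echo "usage: $0 mount|umount" >&2; exit 2 ;;
esac
```

Save it as crypt, chmod +x it, and run ./crypt mount or ./crypt umount. The plaintext check relies on filename encryption being enabled, as the tutorial recommends; with it disabled the lower directory's names are not distinguishable from plaintext by name alone.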

Of course in Linux you can also create a custom application launcher (a graphic on your taskbar or desktop) that can execute these scripts with the click of the mouse.