
Encryption

General Notes:

Here I will post some thoughts on encryption; using and tinkering with encryption is a hobby I enjoy.

I get a lot of questions about encryption, so I thought I’d post some HowTo’s and other thoughts here. I expect this page to be updated and edited often. I am going to assume that anyone reading this has a basic understanding of the concepts of public/private key encryption and encryption in general.

Normally under Linux for encryption, people think of GPG or PGP. PGP, of course, stands for Pretty Good Privacy. It is not free for corporate use (though free for personal use). GPG is the open source equivalent. I have always felt that while GPG and PGP both support symmetric cipher encryption (encryption that uses a password, as opposed to an encrypted key), they’re more appropriate for emailing people and encrypting text messages on the fly.

For long-term storage you can either encrypt your entire partition with TrueCrypt (open source for both Windows and Linux) or use partition-based encryption with Linux LUKS, Linux dm-crypt, FreeBSD GELI or FreeBSD pwd only (gbde and GELI are two types of encryption available in FreeBSD, though GELI is better and faster). You can also use file-based encryption with EncFS for Linux, which works very well.

Using FreeNAS, you can also encrypt whole partitions with AES encryption so you can have a streamlined, easy to access encrypted data store. FreeNAS allows you to take a computer and with some hard drives, present a NAS Server that will present the drives as CIFS, NFS, iSCSI resources, and much more.

Often I encrypt with containers that are premade to a certain size and then mounted with Loop-AES. I hope to be posting HowTo’s on many of these methods.

For simple single-file, multiple-file or directory-level encryption, one can also use OpenSSL (in Linux).

Encrypt and decrypt a single file under Linux with OpenSSL:

Encrypt:
openssl aes-256-ecb -salt -in filename -out filename.aes
Decrypt:
openssl aes-256-ecb -d -salt -in filename.aes -out filename

Tar and encrypt a whole directory:

Encrypt:
tar -cf - directory | openssl aes-256-ecb -salt -out directory.tar.aes
Decrypt:
openssl aes-256-ecb -d -salt -in directory.tar.aes | tar -xf -

Tar, gzip and encrypt a whole directory:

Encrypt:
tar -zcf - directory | openssl aes-256-ecb -salt -out directory.tar.gz.aes
Decrypt:
openssl aes-256-ecb -d -salt -in directory.tar.gz.aes | tar -xzf -

Note: The -salt option is for key derivation routines, and is to be used whenever you’re deriving your key from a password as opposed to a certificate, which in this case is true.
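
The commands above use ECB mode, which encrypts identical 16-byte plaintext blocks to identical ciphertext blocks, together with OpenSSL's default password-to-key derivation. The following added example (not from the original page) counts repeated ciphertext blocks under the same ECB cipher and under CBC with -pbkdf2. It assumes OpenSSL 1.1.1 or later; the function names, passphrase and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. All names and values are
# constructed for illustration.

# Placeholder passphrase, passed through the environment (-pass env:...)
# so it does not appear in the process list as a command-line argument.
EXAMPLE_PASS='constructed-example-passphrase'
export EXAMPLE_PASS

# Constructed sample input: four identical 16-byte AES blocks (64 bytes).
BLOCK='AAAAAAAAAAAAAAAA'
sample() { printf '%s%s%s%s' "$BLOCK" "$BLOCK" "$BLOCK" "$BLOCK"; }

# Same cipher as the page's commands ("openssl enc -aes-256-ecb" is the
# long form of "openssl aes-256-ecb"). Newer OpenSSL prints a
# "deprecated key derivation" warning on stderr for this form.
encrypt_ecb() { openssl enc -aes-256-ecb -salt -pass env:EXAMPLE_PASS; }

# Hardened form: CBC chains each block to the previous one, and -pbkdf2
# with an explicit iteration count slows down password guessing.
encrypt_cbc() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 -pass env:EXAMPLE_PASS
}
decrypt_cbc() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -pass env:EXAMPLE_PASS
}

# Count distinct 16-byte rows in the data on stdin. od prints 16 bytes
# per row; -v stops it from collapsing repeated rows into "*".
distinct_blocks() { od -An -v -tx1 | sort -u | wc -l | tr -d ' '; }

# Output is 96 bytes in both cases: a 16-byte "Salted__" + salt header,
# four data blocks and one padding block.
ecb_count() { sample | encrypt_ecb | distinct_blocks; }
cbc_count() { sample | encrypt_cbc | distinct_blocks; }

# The hardened form must still decrypt back to the original input.
roundtrip_ok() { [ "$(sample | encrypt_cbc | decrypt_cbc)" = "$(sample)" ]; }

echo "ECB distinct rows: $(ecb_count) of 6"
echo "CBC distinct rows: $(cbc_count) of 6"
roundtrip_ok && echo "CBC round trip OK"
```

CBC hides the repetition but does not detect tampering, and `openssl enc` does not support authenticated (AEAD) modes, so integrity needs a separate check such as an HMAC or a GPG signature over the encrypted file.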

More to come in the coming weeks…
