Ultimately, I have settled on a system known as eCryptfs. Of course, this runs only on Linux. However Windows/MAC users could access encrypted data on a Linux server if the decrypted data were presented with a SAMBA share.

eCryptfs is a kernel-native, stacked cryptographic filesystem for Linux. This means that it will run seamlessly with an existing Linux install and its filesystem. A stacked filesystem is one that is layered ontop of an existing filesystem (such as a transparency laid over a page beneath). As data is read from or written to the disk, data is encrypted or decrypted on the fly.

The flexible part of eCryptfs is that it embeds the cryptographic metadata into the header of each file. The benefit of storing the cryptographic metadata into each file is that any one file can be given to a friend, or sent through e-mail or copied by any other means and the recipient can conveniently decrypt the file so long as they have correct key (password).

Most encryption programs are not this versatile. They require special software or require that the file be separately encrypted so that it could be transmitted, and even then the recipient needs to jump through many hoops to decrypt the file. The only exception to this is PGP or GPG. GPG makes is very convenient to transmit files, but does not work well on large directories of files. eCryptfs bridges this gap very nicely. Also, since eCryptfs uses a stacked filesystem, there is no limit to what can be put into the directory for encryption, or subdirectories. They will simply and naturally fill the drive like any file would without any preset encrypted container limitations.

In Ubuntu (or any other Debian based distro) the following steps will allow one to easily encrypt an entire drive, directory or file.

To begin encrypting and decrypting your data, simply install the ecryptfs utilities.

sudo apt-get install ecryptfs-utils

Once installed, create a directory mystuff (or any name you like). This will be where you’ll store your data to be encrypted. The directory can be made anywhere, your home directory or any storage device (USB key or USB hard drive). It is important to note that you cannot encrypt a directory with data already in it. The easy way to accomplish this is to follow the steps below, then move the data from the original directory to the newly encrypted directory. You can rename the newly encrypted directory to match the original once the files have been moved and the original directory deleted.

mkdir ./mystuff

To be extra safe here, be sure only your Linux user has rights to the files in the directory. To accomplish this, simply change the permissions on the directory. The commands below assume you’re already in the directory where your new directory was just created (like your home directory). You may need to specify the full path to the directory if you’re not executing the command from that location.

chmod 700 ./mystuff

Now, you just have to leverage the encryption already available in your Linux kernel. To do this, you must layer the encrypted transparency, if you will, over the unencrypted directory. This is done by re-mounting the directory with the encrypted transparency layer.

sudo mount -t ecryptfs ./mystuff ./mystuff

This command simply remounts the exact same directory, however with the encryption overlay in place. From this moment forward, any files written to the mystuff directory will be encrypted. Also any files read from the directory will be decrypted on the fly (until the transparency is removed by unmounting the transparency, but more on this later.) Until the directory is dismounted from its encrypted transparency layer, the files will be easily readable and silently encrypted/decrypted on the fly.

Once the above command is executed, eCryptfs is going to ask some questions. The answers to these questions dictate the nature of the encryption.

It is perfectly safe to keep hitting <enter> on every one of these questions. This will use the defaults which are very well selected. There is one exception however. One question asks if you’d like to enable filename encryption. The default answer here is no. In many cases, the filenames themselves offer a lot of information about its contents and that alone is more than many want revealed. For example, a filename named “Bank Account PIN numbers 2009” would certainly be a target file and while helpful for you in organizing your data, would be too much information to reveal if anyone were able to get a directory listing of the files in question. To prevent this, answer yes when eCryptfs asks to enable filename encryption (again, the default will be to not scramble the filenames).

One other question which might confuse is the plaintext passthrough question. If enabled, this option allows non-encrypted files to be used inside the mount, which to me defeats the purpose of an encrypted directory. Allow for the default answer to this: no.

At the end of the process, eCryptfs will alert that this is the first time you have used your passphrase, and will ask if it can save a hash of it. It is safe to answer yes to this question. If keeping a hash of your passphrase is a source of concern, then I would encourage more research on the subject.

At this point, you may write, delete, read as much data into that directory as you’d like. The files will remain free to access until you dismount the encrypted layer, leaving you with the closed, encrypted files. To dismount the transparency, simply dismount the directory.

sudo umount ./mystuff

At this point, any attempt to read the files will fail. You can browse the encrypted files themselves, but the filenames will be scrambled random characters and the contents will be totally incomprehensible.

To reopen your encrypted files, simply remount the encrypted directory as we first did earlier. However, upon doing this eCryptfs will ask all the same questions it did before (key type, your passphrase, the cipher, and the key length), so it will know the parameters of this particular encrypted directory. It will ask these questions every time you attempt to mount your encrypted directory. Fortunately, this can all be automated (except the passphrase entry obviously) so as to speed up the process.

The command can be given ahead of time and written into an executable script:

sudo mount -t ecryptfs /home/johnny/mystuff /home/johnny/mystuff -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y,ecryptfs_fnek_sig=ed221f243b153323

Be mindful of the last option in the command above, namely ecryptfs_fnek_sig. When you first encrypt your directory, eCryptfs will tell you what the ecryptfs_fnek_sig is for your specific directory (or drive). You’ll need to enter this unique number into your command so that you will have a smooth and quick mounting process. Type this entire command into a text file (obviously replacing /home/johnny/mystuff with the actual path to your encrypted directory and entering your unique ecryptfs_fnek_sig number), save it (I’ll call mine crypt) and make it executable by typing:

chmod +x ./crypt

While you’re at it, create a quick script to dismount the encrypted mount.

sudo umount /home/johnny/mystuff

Then make it executable using the chmod command as shown above.

Of course in Linux you can also create a custom application launcher (a graphic on your taskbar or desktop) that can execute these scripts with the click of the mouse.

eCryptfs is a POSIX-compliant enterprise-class stacked cryptographic filesystem for Linux.It provides advanced key management and policy features. eCryptfs stores cryptographic metadata in the header of each file written, so that encrypted files can be copied between hosts; the file will be decryptable with the proper key, and there is no need to keep track of any additional information aside from what is already in the encrypted file itself. Think of eCryptfs as a sort of “gnupgfs”.eCryptfs is a native Linux filesystem. The kernel module component of eCryptfs is part of the Linux kernel since 2.6.19.

Howto use Cryptsetup with LUKS support. (Debian Linux).

One caveat: All your DNS lookups will be unencrypted, an easy way to correct this in Firefox is to go to the about:config page (just type about:config in Firefox’s address bar) and go down to network.proxy.socks_remote_dns = false and change “false” to “true”, which will force Firefox to use the SSH server (via the encrypted tunnel) for all DNS lookups.

A simple article on how easy it is to hack WPA / WPA2, also known as ROT-26 security.

A technique for cracking computer passwords using inexpensive off-the-shelf computer graphics hardware is causing a stir in the computer security community.

Elcomsoft, a software company based in Moscow, Russia, has filed a US patent for the technique. It takes advantage of the “massively parallel processing” capabilities of a graphics processing unit (GPU) – the processor normally used to produce realistic graphics for video games.

Using an $800 graphics card from nVidia called the GeForce 8800 Ultra, Elcomsoft increased the speed of its password cracking by a factor of 25, according to the company’s CEO, Vladimir Katalov.

The toughest passwords, including those used to log in to a Windows Vista computer, would normally take months of continuous computer processing time to crack using a computer’s central processing unit (CPU). By harnessing a $150 GPU – less powerful than the nVidia 8800 card – Elcomsoft says they can cracked in just three to five days. Less complex passwords can be retrieved in minutes, rather than hours or days.

Click here for the full article.