2025-01-17 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how to encrypt files and directories on a Linux system. Many people run into questions about this in day-to-day operation, so the editor consulted a range of materials and put together a simple, easy-to-use method. I hope it helps answer those questions. Follow along below.
Encryption Types
There are two main ways to encrypt files and directories. One is file system-level encryption, in which you selectively encrypt certain files or directories (e.g., /home/alice). For me, this is a very good method, because you don't have to reinstall everything in order to enable or test encryption. However, file system-level encryption also has some disadvantages. For example, many modern applications cache files in unencrypted parts of your hard drive, such as swap partitions and the /tmp and /var folders, which can lead to privacy leaks.
The other way is so-called full-disk encryption, which means that the entire disk is encrypted (except perhaps the master boot record). Full-disk encryption works at the physical disk level: every bit written to the disk is encrypted, and anything read from the disk is decrypted at run time. This prevents any potential unauthorized access to unencrypted data and ensures that everything in the entire file system is encrypted, including swap partitions and any temporarily cached data.
Available encryption tools
There are several tools to choose from to implement encryption in Linux. In this tutorial, I'm going to introduce one of them: eCryptFS, a user-space file system encryption tool. A summary of the encryption tools available on Linux is provided below for your reference.
File system level encryption
EncFS: one of the easiest ways to try encryption. EncFS works as a FUSE-based pseudo-file system, so you just need to create an encrypted folder and mount it on another folder to work with it.
eCryptFS: a POSIX-compatible encrypted file system. eCryptFS works the same way as EncFS, so you have to mount it.
Disk level encryption
Loop-AES: the oldest method of disk encryption. It's really fast and applies to older systems (for example, 2.0 kernel branches).
dm-crypt: the most common disk encryption scheme, supported by the modern Linux kernel.
CipherShed: an open source fork of the discontinued TrueCrypt disk encryption program.
eCryptFS Basics
eCryptFS is a FUSE-based user-space encrypted file system that is available in the Linux kernel 2.6.19 and later (as the ecryptfs module). The pseudo-file system encrypted by eCryptFS is mounted on top of your current file system. It works well on the EXT file system family and on other file systems such as JFS, XFS, ReiserFS, Btrfs, and even NFS/CIFS shares. Ubuntu uses eCryptFS as the default method for encrypting its home directory, as does ChromeOS. Under the hood, eCryptFS uses the AES algorithm by default, but it also supports other algorithms, such as blowfish, des3, cast5, and cast6. If you set up eCryptFS by hand, you can choose one of these algorithms.
As mentioned, Ubuntu lets us choose whether or not to encrypt the /home directory during installation. This is the easiest way to use eCryptFS.
Ubuntu provides a user-friendly toolset that makes life easier with eCryptFS, but enabling eCryptFS during Ubuntu installation only creates one specific preconfigured setup. If the default settings don't suit your needs, you have to configure it manually. In this tutorial, I will show you how to set up eCryptFS manually on the major Linux distributions.
Installation of eCryptFS
Debian, Ubuntu or their derivatives:
The code is as follows:
$ sudo apt-get install ecryptfs-utils
Note that if you choose to encrypt the home directory during Ubuntu installation, eCryptFS should already be installed.
CentOS, RHEL or Fedora:
The code is as follows:
# yum install ecryptfs-utils
Arch Linux:
The code is as follows:
$ sudo pacman -S ecryptfs-utils
After installing the package, it is good practice to load the eCryptFS kernel module:
The code is as follows:
$ sudo modprobe ecryptfs
Configure eCryptFS
Now, let's start encrypting some directories and run the eCryptFS configuration tool:
The code is as follows:
$ ecryptfs-setup-private
It will ask you to enter your login password and a mount password. The login password is the same as your regular login password, while the mount password is used to derive the file encryption master key. Leave the mount password blank to have a (complex) one generated for you, which is more secure. Then log out and log back in.
You will notice that eCryptFS creates two directories in your home directory by default: Private and .Private. The ~/.Private directory contains the encrypted data, and you access the decrypted data through the ~/Private directory. When you log in, the ~/.Private directory is automatically decrypted and mapped to the ~/Private directory, so you can access it. When you log out, the ~/Private directory is unmounted automatically, and its contents are stored encrypted in the ~/.Private directory.
How does eCryptFS know that you have a ~/.Private directory, and how does it decrypt it to ~/Private without asking for a password? This is the work of eCryptFS's PAM module, which provides this convenience.
If you don't want the ~/Private directory to be mounted automatically when you log in, add the "--noautomount" option when you run the ecryptfs-setup-private tool. Similarly, if you do not want the ~/Private directory to be unmounted automatically after logging out, add the "--noautoumount" option. After that, however, you need to mount or unmount the ~/Private directory manually:
$ ecryptfs-mount-private ~/.Private ~/Private
$ ecryptfs-umount-private ~/Private
To verify that the .Private folder is mounted, run:
The code is as follows:
$ mount
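The mount check above can be scripted so that it also reports which cipher, key size and filename-encryption setting the mount uses. This is an added example, not part of the original article; the function names and the sample mount table (including its placeholder signatures) are constructed for illustration, and it reads the ecryptfs_* options that an eCryptFS mount lists in /proc/mounts.

```shell
#!/bin/sh
# Added example: inspect an eCryptFS mount entry in a mount table.
# Function names and the sample table are constructed for illustration.

# Constructed sample in /proc/mounts format (signatures are placeholders).
SAMPLE='/dev/sda2 / ext4 rw,relatime 0 0
/home/alice/.Private /home/alice/Private ecryptfs rw,nosuid,nodev,relatime,ecryptfs_fnek_sig=0123456789abcdef,ecryptfs_sig=fedcba9876543210,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0
/home/bob/.Private /home/bob/Private ecryptfs rw,nosuid,nodev,relatime,ecryptfs_sig=aaaabbbbccccdddd,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0'

# ecryptfs_mount_opts TABLE MOUNTPOINT
# Prints the option string of the ecryptfs mount at MOUNTPOINT; status 1 if none.
ecryptfs_mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $3 == "ecryptfs" && $2 == mp { print $4; found = 1; exit }
        END { exit !found }'
}

# opt_value OPTS KEY
# Prints the value of KEY=... from a comma-separated option string.
opt_value() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p"
}

# audit_private TABLE MOUNTPOINT
# Prints a one-line verdict; status 1 if MOUNTPOINT is not an ecryptfs mount.
audit_private() {
    opts=$(ecryptfs_mount_opts "$1" "$2") || { echo "NOT-MOUNTED"; return 1; }
    cipher=$(opt_value "$opts" ecryptfs_cipher)
    bytes=$(opt_value "$opts" ecryptfs_key_bytes)
    # A filename-encryption key signature means file names are encrypted too.
    if [ -n "$(opt_value "$opts" ecryptfs_fnek_sig)" ]; then
        names=encrypted
    else
        names=cleartext
    fi
    echo "MOUNTED cipher=$cipher key_bits=$(( ${bytes:-0} * 8 )) filenames=$names"
}

# Demo on the constructed table. On a real system:
#   audit_private "$(cat /proc/mounts)" "$HOME/Private"
audit_private "$SAMPLE" /home/alice/Private
```

A "filenames=cleartext" result means file contents are encrypted but the names stored under ~/.Private are still readable to anyone with access to the disk.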
Now we can start putting any sensitive files in the ~/Private folder, and they will be automatically encrypted and locked in the ~/.Private folder when we log out.
All of this may seem like magic. That is mainly because the ecryptfs-setup-private tool makes everything simple. If you want to dig a little deeper and configure specific aspects of eCryptFS, refer to the official documentation.
That concludes this look at how to encrypt files and directories on a Linux system. I hope it has answered your questions. Theory is best paired with practice, so go and try it!