Encrypting data is (relatively) straightforward to do these days, particularly if you have some reasonable technical skills. Here’s an example:
$ gpg -r kae@tiger-computing.co.uk --encrypt secret.txt
That will create, by default, a file called secret.txt.gpg. To be able to decrypt that file, you’ll need my gpg key which, to the best of my knowledge, only I have (although that may not be foolproof).
It’s possible to encrypt to more than one key (omit the -r username), allowing multiple users to be able to decrypt the data.
Imperfect Solution
There are problems with this approach:
- The non-techies aren’t going to be impressed with having to run a command line tool.
- Even the techies will get fed up with having to remember to add three keys to every file.
We wanted a solution that would be easy to use, would keep the data encrypted, and could be used by non-technical staff.
The Encrypted Filesystem, encfs
The encfs utility maintains a directory in which all files are automatically encrypted. To decrypt them, a FUSE filesystem is mounted that contains unencrypted versions of the files.
For testing, we’ll have an encrypted directory at /tmp/encrypted, and we’ll mount the decrypted version at /tmp/source.
Set it up as follows:
$ mkdir /tmp/source /tmp/encrypted
$ encfs /tmp/encrypted/ /tmp/source/
Creating new encrypted volume.
Please choose from one of the following options:
 enter "x" for expert configuration mode,
 enter "p" for pre-configured paranoia mode,
 anything else, or an empty line will select standard mode.
?>
Standard configuration selected.
Configuration finished. The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 3:0:2
Filename encoding: "nameio/block", version 4:0:2
Key Size: 192 bits
Block Size: 1024 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File holes passed through to ciphertext.
Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism. However, the password can be changed
later using encfsctl.
New Encfs Password:
Verify Encfs Password:
Now let’s create a file in the decrypted directory:
$ echo "do not read" > /tmp/source/secret.txt
Here’s the contents of each directory:
$ ls /tmp/source/ /tmp/encrypted/
/tmp/encrypted/:
JXip1Zyysr9IwnTYK3K1f,gN
/tmp/source/:
secret.txt
As you can see, the name is mangled in the encrypted directory. We can now unmount the source directory. As this is a FUSE filesystem, we need to use fusermount:
$ fusermount -u /tmp/source
Day to Day Use
To make this easier to use, I set up two aliases:
alias dec='/usr/bin/encfs --idle 1 /home/kae/confidential/.encrypted /home/kae/confidential/BusinessConfidential/'
alias enc='/bin/fusermount -u /home/kae/confidential/BusinessConfidential'
This uses a hidden directory, .encrypted, to save the encrypted versions of the files.
The --idle 1 switch will cause the encrypted file system to be automatically unmounted after one minute of inactivity.
To use this, I type dec (for “decrypt”) at the command line, and enter the passphrase. I can then add, delete, edit files in the BusinessConfidential directory. When I’ve finished, I type enc (“encrypt”), or simply wait one minute, and the BusinessConfidential directory is no longer available. This works well even for our non-technical staff.
Options
When setting up the initial encrypted filesystem, answering x to the first question (“expert mode”) will walk you through all the options, such as whether or not to mangle the filenames in the encrypted directory. We opted not to mangle them as that makes restoring individual files from backup a little easier.