The University of Arizona

File Encryption in Linux

Security is an ongoing concern and a multi-layered approach is optimal.  In addition to the steps taken by *lab in network and system administration, you can take the additional step of encrypting your sensitive data.  Encryption represents the last line of defense since even if other security levels are breached and your data becomes accessible, encrypted files cannot be read without the decryption key.

There are several methods of encrypting data in Linux.  Presented here are two tools:  encFS for creating an encrypted filesystem and gpg for encrypting single files.

EncFS

EncFS provides an encrypted filesystem in user-space. It uses a pass-through design and is modeled after CFS - the original Cryptographic Filesystem by Matt Blaze, published in 1993.  EncFS runs without any special permissions and uses the FUSE library and Linux kernel module to provide the filesystem interface.  It is open source software, licensed under the GPL.  More information is available at http://arg0.net/wiki/encfs.

encFS is currently installed on lectura and york.  The man page is available on those machines and at http://arg0.net/users/vgough/encfs-man.html.  If requested, encFS can be installed on faculty and RA/TA desktops.

Note that due to NFS restrictions, encFS directories on the NetApps (e.g., /home) must be created with specific permissions.  Follow the examples below.


Usage Examples

To create a new encrypted filesystem:

The encrypted and decrypted directories must have world read and execute permissions, so they should be in a protected parent directory (e.g., Encrypt):

create parent directory for encryption directories
lec:/home/bob>mkdir Encrypt
remove group and other permissions
lec:/home/bob>chmod 700 Encrypt
create encrypted (.crypt) and decrypted (crypt) directories
lec:/home/bob>mkdir Encrypt/.crypt
lec:/home/bob>mkdir Encrypt/crypt
set read and execute on encrypt/decrypt directories
lec:/home/bob>chmod 755 Encrypt/.crypt Encrypt/crypt
check results (so far...)
lec:/home/bob>ls -al Encrypt
total 36
drwx------   4 bob bob  4096 Feb 23 13:18 .
drwxr-xr-x  45 bob bin 24576 Feb 23 13:17 ..
drwxr-xr-x   2 bob bob  4096 Feb 23 13:18 crypt
drwxr-xr-x   2 bob bob  4096 Feb 23 13:18 .crypt
create encrypted structure
lec:/home/bob/Encrypt>encfs ~/Encrypt/.crypt ~/Encrypt/crypt
Creating new encrypted volume.
Please choose from one of the following options:
enter "x" for expert configuration mode,
enter "p" for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.
?>

Standard configuration selected.

Configuration finished. The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/blowfish", version 2:1:1
Filename encoding: "nameio/block", version 3:0:1
Key Size: 160 bits
Block Size: 512 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.

Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism. However, the password can be changed
later using encfsctl.

New Encfs Password:
Verify Encfs Password:

(.crypt is the encrypted directory; crypt is the decrypted version of .crypt)

Now move files into the decrypted directory:

lec:/home/bob/Encrypt>mv ~/CS750.xls crypt
lec:/home/bob/Encrypt>mv ~/secret.stuff crypt
here are the files we moved (decrypted)
lec:/home/bob/Encrypt>ls -al crypt
total 36
drwx------  2 bob bob   4096 Feb 23 09:13 .
drwxr-xr-x  5 bob wheel 4096 Feb 23 09:12 ..
-rw-------  1 bob bob   1589 Jan  9 08:25 CS750.xls
-rw-------  1 bob bob   1325 Jan 14 13:42 secret.stuff
here are the encrypted versions
lec:/home/bob/Encrypt>ls -al .crypt
total 40
drwx------  2 bob bob   4096 Feb 23 09:13 .
drwxr-xr-x  5 bob wheel 4096 Feb 23 09:12 ..
-rw-------  1 bob bob   1597 Jan  9 08:25 dQxWUeTso7NiojItcTHbmdy2
-rw-------  1 bob bob   1333 Jan 14 13:42 u5gpyk3WhD8DHhylP1-ntd9X
-rw-------  1 bob bob    224 Feb 23 09:12 .encfs5
When finished, we unmount the decrypted directory:
lec:/home/bob/Encrypt>fusermount -u ~/Encrypt/crypt
Note that the crypt directory now shows as empty
lec:/home/bob/Encrypt>ls -al crypt
total 8
drwx------  2 bob bob   4096 Feb 23 09:13 .
drwxr-xr-x  5 bob wheel 4096 Feb 23 09:12 ..
Note that encrypted files still show in .crypt
lec:/home/bob/Encrypt>ls -al .crypt
total 40
drwx------  2 bob bob   4096 Feb 23 09:13 .
drwxr-xr-x  5 bob wheel 4096 Feb 23 09:12 ..
-rw-------  1 bob bob   1597 Jan  9 08:25 dQxWUeTso7NiojItcTHbmdy2
-rw-------  1 bob bob   1333 Jan 14 13:42 u5gpyk3WhD8DHhylP1-ntd9X
-rw-------  1 bob bob    224 Feb 23 09:12 .encfs5

To re-mount the decrypted directory:

lec:/home/bob/Encrypt>encfs /home/bob/Encrypt/.crypt /home/bob/Encrypt/crypt
EncFS Password:

We see the files reconstituted in the decrypted directory crypt
lec:/home/bob/Encrypt>ls -al crypt
total 36
drwx------  2 bob bob   4096 Feb 23 09:13 .
drwxr-xr-x  5 bob wheel 4096 Feb 23 09:12 ..
-rw-------  1 bob bob   1589 Jan  9 08:25 CS750.xls
-rw-------  1 bob bob   1325 Jan 14 13:42 secret.stuff
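The set-up, mount and unmount steps above, collected into one script as an added example (not code from this page or from the EncFS project). It takes the parent directory as its argument (the page uses ~/Encrypt), and assumes encfs, fusermount and encfsctl are on PATH only when you actually mount or change the password; the directory and permission checks run without them.

```shell
#!/bin/sh
# Added example script, not from the page or the EncFS project.
# Argument: the parent directory for the .crypt/crypt pair (the page uses ~/Encrypt).
set -u

# The page's steps 1-4: parent 0700, encrypted (.crypt) and decrypted (crypt)
# directories 0755, which is what EncFS on the NFS-backed home needs. Safe to re-run.
setup_encfs_dirs() {
    parent=$1
    mkdir -p "$parent/.crypt" "$parent/crypt" || return 1
    chmod 700 "$parent" || return 1                          # owner-only parent
    chmod 755 "$parent/.crypt" "$parent/crypt" || return 1   # world r-x children
}

# Refuse to proceed unless the layout is exactly as required: the 755 children
# are protected only by the 700 parent, so a group/other-readable parent is a
# misconfiguration. "find DIR -prune -perm MODE" prints DIR only on an exact
# mode match (POSIX), so no GNU-specific stat is needed.
check_encfs_dirs() {
    parent=$1
    [ -d "$parent/.crypt" ] && [ -d "$parent/crypt" ] || return 1
    [ -n "$(find "$parent" -prune -perm 700)" ] || return 1
    [ -n "$(find "$parent/.crypt" -prune -perm 755)" ] || return 1
    [ -n "$(find "$parent/crypt" -prune -perm 755)" ] || return 1
}

# Mount. The first run creates the volume and prompts for the configuration
# and password exactly as shown above; later runs only ask for the password.
# EncFS wants absolute paths, so the argument is resolved first.
# Returns 2 when encfs is not installed, 1 on a bad layout.
mount_encfs() {
    command -v encfs >/dev/null 2>&1 || return 2
    parent=$(cd "$1" && pwd) || return 1
    check_encfs_dirs "$parent" || return 1
    encfs "$parent/.crypt" "$parent/crypt"
}

# Unmount when done: crypt then shows as empty while the ciphertext stays in .crypt.
unmount_encfs() {
    fusermount -u "$1/crypt"
}

# Change the volume password with encfsctl, as the "no recovery mechanism"
# prompt above mentions. Only the wrapped volume key is re-protected; the
# encrypted files themselves are not rewritten.
change_encfs_password() {
    encfsctl passwd "$1/.crypt"
}

# Usage: sh encfs-setup.sh ~/Encrypt
if [ -n "${1:-}" ]; then
    setup_encfs_dirs "$1" && mount_encfs "$1"
fi
```

Run the check before mounting: once the FUSE mount is active, ls on crypt reports the mode of the volume root (drwx------ in the listings above), not the 755 set on the underlying directory.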

Caveats


gpg

gpg (GnuPG) is an encryption and signing tool.  More information is available at http://www.gnupg.org/documentation.

gpg is currently installed on all Linux machines in the department.  The man page is available on those machines and at http://www.gnupg.org/documentation/manpage.en.html.  Also see the GnuPG mini HOWTO.


Simple encryption:

To encrypt myfile

lec:/home/bob>gpg -c myfile           gpg will prompt for passphrase to encrypt
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
lec:/home/bob>ls -al myfile*         Note encrypted version has .gpg extension
-rw------- 1 bob bob 13023 Feb 24 11:21 myfile
-rw------- 1 bob bob  5073 Feb 24 11:20 myfile.gpg
lec:/home/bob>rm myfile                  remove original file, leaving only encrypted version
lec:/home/bob>ls -al myfile*
-rw------- 1 bob bob  5073 Feb 24 11:20 myfile.gpg

To decrypt myfile.gpg

lec:/home/bob>gpg myfile.gpg         gpg will prompt for passphrase to decrypt
lec:/home/bob>ls -al myfile*     myfile  is restored from  myfile.gpg
-rw------- 1 bob bob 13023 Feb 24 11:21 myfile
-rw------- 1 bob bob  5073 Feb 24 11:20 myfile.gpg

To encrypt - specifying output filename

lec:/home/bob>gpg -c -o myfile.enc myfile      creates encrypted file  myfile.enc

To decrypt  - specifying output filename

lec:/home/bob>gpg -o myfilenew myfile.enc      creates decrypted  myfilenew  from  myfile.enc

Encryption with keys:

The first step is to create a key pair:

lec:/home/bob>gpg --gen-key        generate secret and public keys  (follow prompts -- can leave comment blank)

To list keys

lec:/home/bob>gpg --list-keys
/home/bob/.gnupg/pubring.gpg
----------------------------
pub 1024D/45F39F41 2006-02-23
uid Bob User <bob@somewhere.edu>
sub 2048g/FA303B4D 2006-02-23


Note the user name is Bob User and the email is bob@somewhere.edu

To encrypt with a key

lec:/home/bob>gpg -e -r 'Bob User' myfile            encrypts with key based on name
lec:/home/bob>gpg -e -r 'bob@somewhere.edu' myfile   encrypts with key based on email address
lec:/home/bob>ls -al myfile*            Note that either command creates encrypted file   myfile.gpg

-rw------- 1 bob bob 13023 Feb 24 11:25 myfile
-rw------- 1 bob bob  5484 Feb 24 11:32 myfile.gpg

To delete keys

lec:/home/bob>gpg --list-keys             Note that there are two sets of keys for Bob
/home/bob/.gnupg/pubring.gpg
----------------------------
pub 1024D/45F39F41 2006-02-23
uid Bob User <bob@somewhere.edu>
sub 2048g/FA303B4D 2006-02-23

pub 1024D/30849979 2006-02-24
uid Bob User <bob@somewhere.edu>
sub 2048g/7F08115A 2006-02-24
Delete the secret key first
lec:/home/bob>gpg --delete-secret-key 45F39F41
gpg (GnuPG) 1.4.2.1; Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

sec 1024D/45F39F41 2006-02-23 Bob User <bob@somewhere.edu>

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
Then delete the public key
lec:/home/bob>gpg --delete-key 45F39F41       
gpg (GnuPG) 1.4.2.1; Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

pub 1024D/45F39F41 2006-02-23 Bob User <bob@somewhere.edu>

Delete this key from the keyring? (y/N) y
lec:/home/bob>gpg --list-keys
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
/home/bob/.gnupg/pubring.gpg
----------------------------
pub   1024D/30849979 2006-02-24
uid                  Bob User <bob@somewhere.edu>
sub   2048g/7F08115A 2006-02-24
Note that the first key pair is gone
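The "Simple encryption" and "Encryption with keys" procedures above (encrypt, decrypt, generate, list, delete), as one added example script that is not code from this page or from the GnuPG project. It runs every step non-interactively inside a throwaway GNUPGHOME so the real ~/.gnupg keyring is untouched; the sample files, the passphrase and the "Bob User <bob@example.edu>" identity are constructed for the demo.

```shell
#!/bin/sh
# Added example script, not from the page or the GnuPG project. Runs the
# symmetric and key-based steps above non-interactively in a throwaway
# GNUPGHOME. Sample files, passphrase and the bob@example.edu identity are constructed.
set -u

# Passphrase handling differs between versions: gpg 2.x reads a --passphrase-fd
# under --batch only with --pinentry-mode loopback, while gpg 1.4 (the version
# on the page) rejects that option as unknown.
gpg_batch() {
    if gpg --version 2>/dev/null | head -n 1 | grep -q ' 2\.'; then
        gpg --batch --yes --quiet --pinentry-mode loopback "$@"
    else
        gpg --batch --yes --quiet "$@"
    fi
}

# "Simple encryption" (gpg -c) as a round trip. --force-mdc attaches the
# modification-detection code whose absence produces the
# "WARNING: message was not integrity protected" line seen above; without it,
# a ciphertext altered in transit decrypts with no error.
symmetric_roundtrip() {
    work=$1
    printf 'CS750 grades - constructed sample\n' > "$work/myfile"
    printf 'constructed-demo-passphrase\n' > "$work/pass"
    gpg_batch --force-mdc --passphrase-fd 3 -c -o "$work/myfile.gpg" "$work/myfile" 3< "$work/pass" || return 1
    grep -q 'grades' "$work/myfile.gpg" && return 1   # plaintext must not appear in the output
    gpg_batch --passphrase-fd 3 -o "$work/myfile.out" -d "$work/myfile.gpg" 3< "$work/pass" || return 1
    cmp -s "$work/myfile" "$work/myfile.out"
}

# "Encryption with keys": generate a pair from a batch parameter file, encrypt
# to the recipient by email address, decrypt, then delete the secret key first
# and the public key second, in the order the page uses.
keyed_roundtrip() {
    work=$1
    cat > "$work/keyparams" <<'EOF'
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Bob User
Name-Email: bob@example.edu
Expire-Date: 0
%no-protection
%commit
EOF
    gpg_batch --gen-key "$work/keyparams" || return 1
    printf 'secret.stuff - constructed sample\n' > "$work/report"
    gpg_batch -e -r 'bob@example.edu' -o "$work/report.gpg" "$work/report" || return 1
    gpg_batch -o "$work/report.out" -d "$work/report.gpg" || return 1
    cmp -s "$work/report" "$work/report.out" || return 1
    # Batch deletion needs the full fingerprint, not a short id like 45F39F41
    fpr=$(gpg_batch --with-colons --fingerprint --list-keys bob@example.edu \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$fpr" ] || return 1
    gpg_batch --delete-secret-key "$fpr" || return 1
    gpg_batch --delete-key "$fpr" || return 1
    # The pair must be gone: listing that address now fails
    if gpg_batch --list-keys bob@example.edu >/dev/null 2>&1; then return 1; fi
    return 0
}

# Returns 0 when both round trips succeed, 1 on failure, 2 if gpg is not installed.
run_gpg_demo() {
    command -v gpg >/dev/null 2>&1 || return 2
    work=$(mktemp -d) || return 1
    GNUPGHOME="$work/gnupghome"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || return 1
    rc=0
    symmetric_roundtrip "$work" && keyed_roundtrip "$work" || rc=1
    gpgconf --kill gpg-agent >/dev/null 2>&1 || true   # stop the agent gpg 2.x started
    rm -rf "$work"
    return $rc
}

# Usage: sh gpg-demo.sh
run_gpg_demo
```

On GnuPG 2.2.8 and later an MDC is always written and --force-mdc is accepted as a no-op, so the integrity warning only appears for files produced by older versions or with --disable-mdc; treat it as a reason to re-encrypt, not as noise.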

Caveats


Last updated January 7, 2008, by Tom Lowry