Resources
File Encryption in Linux
Security is an ongoing concern and a multi-layered approach is optimal. In addition to the steps taken by *lab in network and system administration, you can take the additional step of encrypting your sensitive data. Encryption represents the last line of defense since even if other security levels are breached and your data becomes accessible, encrypted files cannot be read without the decryption key.
There are several methods of encrypting data in Linux. Presented here are two tools: encFS for creating an encrypted filesystem and gpg for encrypting single files.
EncFS
EncFS provides an encrypted filesystem in user-space. It uses a pass-through design and is modeled after CFS - the original Cryptographic Filesystem by Matt Blaze, published in 1993. EncFS runs without any special permissions and uses the FUSE library and Linux kernel module to provide the filesystem interface. It is open source software, licensed under the GPL. More information is available at http://arg0.net/wiki/encfs.
encFS is currently installed on lectura and york. The man page is available on those machines and at http://arg0.net/users/vgough/encfs-man.html. If requested, encFS can be installed on faculty and RA/TA desktops.
Note that due to NFS restrictions, encFS directories on the NetApps (e.g., /home) must be created with specific permissions. Follow the examples below.
Usage Examples
To create a new encrypted filesystem:
The encrypted and decrypted directories must have world read and execute permissions, so they should be in a protected parent directory (e.g., Encrypt):create parent directory for encryption directories
lec:/home/bob>mkdir Encryptremove group and other permissions
lec:/home/bob>chmod 700 Encryptcreate encrypted (.crypt) and decrypted (crypt) directories
lec:/home/bob>mkdir Encrypt/.cryptset read and execute on encrypt/decrypt directories
lec:/home/bob>mkdir Encrypt/crypt
lec:/home/bob>chmod 755 Encrypt/.crypt Encrypt/cryptcheck results (so far...)
lec:/home/bob>ls -al Encryptcreate encrypted structure
total 36
drwx------ 4 bob bob 4096 Feb 23 13:18 .
drwxr-xr-x 45 bob bin 24576 Feb 23 13:17 ..
drwxr-xr-x 2 bob bob 4096 Feb 23 13:18 crypt
drwxr-xr-x 2 bob bob 4096 Feb 23 13:18 .crypt
lec:/home/bob/Encrypt>encfs ~/Encrypt/.crypt ~/Encrypt/crypt(.crypt is the encrypted directory; crypt is the decrypted version of .crypt)
Creating new encrypted volume.
Please choose from one of the following options:
enter "x" for expert configuration mode,
enter "p" for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.
?>
Standard configuration selected.
Configuration finished. The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/blowfish", version 2:1:1
Filename encoding: "nameio/block", version 3:0:1
Key Size: 160 bits
Block Size: 512 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism. However, the password can be changed
later using encfsctl.
New Encfs Password:
Verify Encfs Password:
Now move files into the decrypted directory:
lec:/home/bob/Encrypt>mv ~/CS750.xls crypthere are the files we moved (decrypted)
lec:/home/bob/Encrypt>mv ~/secret.stuff crypt
lec:/home/bob/Encrypt>ls -al crypthere are the encrypted versions
total 36
drwx------ 2 bob bob 4096 Feb 23 09:13 .
drwxr-xr-x 5 bob wheel 4096 Feb 23 09:12 ..
-rw------- 1 bob bob 1589 Jan 9 08:25 CS750.xls
-rw------- 1 bob bob 1325 Jan 14 13:42 secret.stuff
lec:/home/bob/Encrypt>ls -al .cryptWhen finished, we unmount the decrypted directory:
total 40
drwx------ 2 bob bob 4096 Feb 23 09:13 .
drwxr-xr-x 5 bob wheel 4096 Feb 23 09:12 ..
-rw------- 1 bob bob 1597 Jan 9 08:25 dQxWUeTso7NiojItcTHbmdy2
-rw------- 1 bob bob 1333 Jan 14 13:42 u5gpyk3WhD8DHhylP1-ntd9X
-rw------- 1 bob bob 224 Feb 23 09:12 .encfs5
lec:/home/bob/Encrypt>fusermount -u ~/Encrypt/cryptNote that the crypt directory now shows as empty
lec:/home/bob/Encrypt>ls -al cryptNote that encrypted files still show in .crypt
total 8
drwx------ 2 bob bob 4096 Feb 23 09:13 .
drwxr-xr-x 5 bob wheel 4096 Feb 23 09:12 ..
lec:/home/bob/Encrypt>ls -al .crypt
total 40
drwx------ 2 bob bob 4096 Feb 23 09:13 .
drwxr-xr-x 5 bob wheel 4096 Feb 23 09:12 ..
-rw------- 1 bob bob 1597 Jan 9 08:25 dQxWUeTso7NiojItcTHbmdy2
-rw------- 1 bob bob 1333 Jan 14 13:42 u5gpyk3WhD8DHhylP1-ntd9X
-rw------- 1 bob bob 224 Feb 23 09:12 .encfs5
To re-mount the decrypted directory:
We see the file reconstituted in the decrypted directory cryptlec:/home/bob/Encrypt>
encfs /home/bob/Encrypt/.crypt /home/bob/Encrypt/crypt
EncFS Password:
lec:/home/bob/Encrypt>ls -al crypt
total 36
drwx------ 2 bob bob 4096 Feb 23 09:13 .
drwxr-xr-x 5 bob wheel 4096 Feb 23 09:12 ..
-rw------- 1 bob bob 1589 Jan 9 08:25 CS750.xls
-rw------- 1 bob bob 1325 Jan 14 13:42 secret.stuff
Caveats
- Be sure to umount the decrypted directory when finished. Otherwise, you have not protected your files.
- Be sure that the parent directory of the encrypted and decrypted directories has permission 700 to provide security
- The encFS process is local to a particular machine (lectura or
york). This means that multiple ssh or X-windows sessions on the same
machine can access a decrypted directory, but not sessions on different
machines.
Example: if you have decrypted /home/bob/Encrypt/.crypt to /home/bob/Encrypt/crypt on lectura, you can't access /home/bob/Encrypt/crypt on york at the same time.
gpg
gpg (GnuPG) is an encryption and signing tool. More information is available at http://www.gnupg.org/documentation.
gpg is currently installed on all Linux machines in the department. The man page is available on those machines and at http://www.gnupg.org/documentation/manpage.en.html. Also see the GnuPG mini HOWTO.
Simple encryption:
To encrypt myfile
lec:/home/bob>gpg -c myfile gpg will prompt for passphrase to encrypt
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
lec:/home/bob>ls -al myfile* Note encrypted version has .gpg extension
-rw------- 1 bob bob 13023 Feb 24 11:21 myfile
-rw------- 1 bob bob 5073 Feb 24 11:20 myfile.gpg
lec:/home/bob>rm myfile remove original file, leaving only encrypted version
lec:/home/bob>ls -al myfile*
-rw------- 1 bob bob 5073 Feb 24 11:20 myfile.gpg
To decrypt myfile.gpg
lec:/home/bob>gpg myfile.gpg gpg will prompt for passphrase to decrypt
lec:/home/bob>ls -al myfile* myfile is restored from myfile.gpg
-rw------- 1 bob bob 13023 Feb 24 11:21 myfile
-rw------- 1 bob bob 5073 Feb 24 11:20 myfile.gpg
To encrypt - specifying output filename
lec:/home/bob>gpg -c -o myfile.enc myfile creates encrypted file myfile.enc
To decrypt - specifying output filename
lec:/home/bob>gpg -o myfilenew myfile.enc creates decrypted myfilenew from myfile.enc
Encryption with keys:
The first step is to create a key pair:
lec:/home/bob>gpg --gen-key generate secret and public keys (follow prompts -- can leave comment blank)
To list keys
lec:/home/bob>gpg --list-keys
/home/bob/.gnupg/pubring.gpg
----------------------------
pub 1024D/45F39F41 2006-02-23
uid Bob User <bob@somewhere.edu>
sub 2048g/FA303B4D 2006-02-23
Note username is Bob User and email is bob@somewhere.com
To encrypt with a key
lec:/home/bob>gpg -e -r 'Bob User' myfile encrypts with key based on name
lec:/home/bob>gpg -e -r 'bob@somewhere.edu' myfile encrypts with key based on email addresslec:/home/bob>ls -al myfile* Note that either command creates encrypted file myfile.gpg
-rw------- 1 bob bob 13023 Feb 24 11:25 myfile
-rw------- 1 bob bob 5484 Feb 24 11:32 myfile.gpg
To delete keys
- First, list keys
lec:/home/bob>gpg --list-keys Note that there are two sets of keys for Bob
/home/bob/.gnupg/pubring.gpg
----------------------------
pub 1024D/45F39F41 2006-02-23
uid Bob User <bob@somewhere.edu>
sub 2048g/FA303B4D 2006-02-23
pub 1024D/30849979 2006-02-24
uid Bob User <bob@somewhere.edu>
sub 2048g/7F08115A 2006-02-24
- Next, delete the keys
Delete the secret key first
lec:/home/bob>gpg --delete-secret-key 45F39F41
gpg (GnuPG) 1.4.2.1; Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
sec 1024D/45F39F41 2006-02-23 Bob User <bob@somewhere.edu>
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
Then delete the public key
lec:/home/bob>gpg --delete-key 45F39F41
gpg (GnuPG) 1.4.2.1; Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
pub 1024D/45F39F41 2006-02-23 Bob User <bob@somewhere.edu>
Delete this key from the keyring? (y/N) y
- Then, list the keys to confirm
lec:/home/bob>gpg --list-keys
gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u /home/bob/.gnupg/pubring.gpg ---------------------------- pub 1024D/30849979 2006-02-24 uid Bob User <bob@somewhere.edu> sub 2048g/7F08115A 2006-02-24Note that the first key pair is gone
Caveats
- Be sure to delete original file after creating encrypted version. Otherwise, there is no protection.
- Be sure to remember keys or passphrases. There is no recovery.
Last updated January 7, 2008, by Tom Lowry
Send questions about this page to