Installing and using eCryptFS to encrypt files on Linux

eCryptFS is a file encryption system for Linux. It can encrypt individual files or directories, and it provides a high level of encryption, with stronger security than typical software. This article shows how to use eCryptFS to encrypt files.

Encryption Types

There are two main approaches to encrypting files and directories. One is file system level encryption, in which you selectively encrypt certain files or directories (e.g., /home/alice). For me, this is a great approach: you don't need to reinstall everything in order to enable or test encryption. However, file system level encryption also has some drawbacks. For example, many modern applications cache (parts of) files in unencrypted areas of your hard drive, such as swap partitions and the /tmp and /var folders, which can lead to privacy leaks.
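To make that drawback concrete, the following added example (not part of the original article) resolves which mount actually stores a given path and reports whether it sits under eCryptFS. The mount table, swap list, device names and file paths are constructed samples, and an eCryptFS mount on /home/alice is assumed.

```shell
#!/bin/sh
# Added example (not from the original article). MOUNTS and SWAPS are
# constructed samples in /proc/mounts and /proc/swaps format.
MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /var ext4 rw,relatime 0 0
/home/alice /home/alice ecryptfs rw,relatime 0 0'

SWAPS='Filename Type Size Used Priority
/dev/sda5 partition 2097148 0 -2'

# fstype_for PATH: print the file system type of the longest mount point
# that is a prefix of PATH, i.e. the mount that actually stores the file.
# ">=" lets a later mount stacked on the same mount point win.
fstype_for() {
    printf '%s\n' "$MOUNTS" | awk -v p="$1" '
        {
            mp = $2
            pre = (mp == "/") ? "/" : (mp "/")
            if ((p == mp || index(p "/", pre) == 1) && length(mp) >= best) {
                best = length(mp); fs = $3
            }
        }
        END { print fs }'
}

# swap_areas: list active swap areas (skips the header line).
swap_areas() {
    printf '%s\n' "$SWAPS" | awk 'NR > 1 { print $1 }'
}

# report PATH...: say for each path whether eCryptFS covers it, then list
# swap areas, which a directory-level mount never covers.
report() {
    for p in "$@"; do
        fs=$(fstype_for "$p")
        if [ "$fs" = ecryptfs ]; then
            echo "covered      $p ($fs)"
        else
            echo "NOT COVERED  $p ($fs)"
        fi
    done
    for s in $(swap_areas); do
        echo "NOT COVERED  swap $s"
    done
}

report /home/alice/notes.txt /tmp/notes.txt.swp /var/cache/app/thumb.db
```

To check a real machine, set MOUNTS to the contents of /proc/mounts and SWAPS to the contents of /proc/swaps. Mount points containing spaces appear escaped in /proc/mounts and are not handled here.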

The other approach is so-called full disk encryption, which means that the entire disk is encrypted (with the possible exception of the master boot record). Full disk encryption works at the physical disk level: every bit written to disk is encrypted, and anything read from disk is decrypted on the fly. This prevents potential unauthorized access to unencrypted data and ensures that everything in the file system is encrypted, including swap partitions and any temporarily cached data.

Available Encryption Tools

There are several tools available for implementing encryption on Linux. In this tutorial, I will introduce one of them: eCryptFS, a user space file system encryption tool. A summary of the encryption tools available on Linux is provided below for reference.

File System Level Encryption

EncFS: One of the easiest ways to try encryption. EncFS works as a FUSE-based pseudo file system, so you only need to create an encrypted folder and mount it onto another folder to use it.

eCryptFS: A POSIX-compliant encrypted file system. eCryptFS works the same way as EncFS, so you have to mount it.

Disk Level Encryption

Loop-AES: The oldest method of disk encryption. It's really fast and works with older systems (like the 2.0 kernel branch).

DMCrypt: The most common disk encryption scheme supported by modern Linux kernels.

CipherShed: An open-source fork of the discontinued TrueCrypt disk encryption program.

eCryptFS basics

eCryptFS is a FUSE-based user space encrypting file system, available (as the ecryptfs module) in Linux kernel 2.6.19 and later. The pseudo file system encrypted by eCryptFS is mounted on top of your current file system. It works well on the EXT file system family and on other file systems such as JFS, XFS, ReiserFS, Btrfs, and even NFS/CIFS shares. Ubuntu uses eCryptFS as the default method for encrypting its home directory, as does ChromeOS. Underneath, eCryptFS uses the AES algorithm by default, but it also supports other algorithms such as blowfish, des3, cast5, and cast6. If you set up eCryptFS by hand, you can choose one of them.

Ubuntu lets us choose whether to encrypt the /home directory during the installation process, as I did. This is the easiest way to use eCryptFS.

Ubuntu provides a user-friendly set of tools that make working with eCryptFS easier, but enabling eCryptFS during the Ubuntu installation only creates one specific pre-configured setup. So, if the default settings don't suit your needs, you'll need to set it up manually. In this tutorial, I will show you how to manually set up eCryptFS on mainstream Linux distributions.

Installation of eCryptFS

Debian, Ubuntu or their derivatives:

$ sudo apt-get install ecryptfs-utils

Note that if you chose to encrypt your home directory during the Ubuntu installation process, eCryptFS should already be installed.

CentOS, RHEL or Fedora:

# yum install ecryptfs-utils

Arch Linux:

$ sudo pacman -S ecryptfs-utils