I would like to password protect or encrypt a directory and all the files within it (the whole directory tree below it). I do not want to bother with the whole home directory; I want a specific directory with some files and folders in it. I would like to be able to encrypt the directory or decrypt it using a password. Command line would be nicest to use. I don't want to have to create a new file as an encrypted version and then delete the previous ones, which are the non-encrypted version.
- Interesting, "without having to create new files"... – phunehehe, Jan 8, 2012 at 12:36
- You mean mount as an encrypted filesystem? – Faheem Mitha, Jan 8, 2012 at 12:52
- @FaheemMitha, I also would like to avoid the filesystem route, it sounds complicated. – Vass, Jan 8, 2012 at 13:03
- @Vass The filesystem route is the simplest method by far. You'll make your life easier if you don't reject solutions arbitrarily. – Gilles 'SO- stop being evil', Jan 8, 2012 at 16:34
- NOTE: encfs is not considered secure: askubuntu.com/questions/813290/encfs-insecure-what-to-use-now – Keiran Raine, Jul 11, 2019 at 12:56
3 Answers
Use encfs (available as a package on most distributions). To set up:
```
mkdir ~/.encrypted ~/encrypted
encfs ~/.encrypted ~/encrypted   # enter a passphrase
mv existing-directory ~/encrypted
```

The initial call to encfs sets up an encrypted filesystem. After that point, every file that you write under ~/encrypted is not stored directly on the disk, it is encrypted and the encrypted data is stored under ~/.encrypted. The encfs command leaves a daemon running, and this daemon handles the encryption (and decryption when you read a file from under ~/encrypted).

In other words, for files under ~/encrypted, actions such as reads and writes do not translate directly to reading or writing from the disk. They are performed by the encfs process, which encrypts and decrypts the data and uses the ~/.encrypted directory to store the ciphertext.

When you've finished working with your files for the time being, unmount the filesystem so that the data can't be accessed until you type your passphrase again:

```
fusermount -u ~/encrypted
```

After that point, ~/encrypted will be an empty directory again.

When you later want to work on these files again, mount the encrypted filesystem:

```
encfs ~/.encrypted ~/encrypted   # enter your passphrase
```

This, again, makes the encrypted files in ~/.encrypted accessible under the directory ~/encrypted.
You can change the mount point ~/encrypted as you like: encfs ~/.encrypted /somewhere/else (but mount the encrypted directory only once at a time). You can copy or move the ciphertext (but not while it's mounted) to a different location or even to a different machine; all you need to do to work on the files is pass the location of the ciphertext as the first argument to encfs and the location of an empty directory as the second argument.
- The answer is very useful and practical. I would appreciate very much if you could add some more text to explain what each operation is doing, if that is not a bother to you. And could you explain what is meant by a filesystem in this context, and the relevance of mounting? – Vass, Jan 8, 2012 at 22:50
- @Vass I've updated my answer with more explanations. For background on filesystems and mounting, see What mount points exist on a typical Linux system? and What is meant by mounting a device in Linux? – Gilles 'SO- stop being evil', Jan 8, 2012 at 23:17
- That is an amazing explanation. I feel like I learned a lot. And the extra links help. So the filesystem made by encfs is 'jumbled up blocks of the original file' and through encfs you can navigate and read it, because the original filesystem is not compatible to use these blocks of data. And the encrypted directory is hidden to not get into it by accident, and if you did you would see nothing? – Vass, Jan 8, 2012 at 23:44
- @Vass "the filesystem made by encfs is 'jumbled up blocks of the original file' and through encfs you can navigate and read it": yes, exactly. The directory ~/.encrypted contains the ciphertext; you can access it without going through encfs, but you'll only see encrypted data there. – Gilles 'SO- stop being evil', Jan 8, 2012 at 23:48
> I don't want to have to create a new file as an encrypted version and then, delete the previous ones which are the non-encrypted version

But that's exactly the scenario you've described... "be able to encrypt the directory or decrypt it"
I suspect the solution you're looking for is an encrypted FUSE or similar. The filesystem is stored in an encrypted file and when mounted (with a passphrase) there is transparent access via the VFS layer.
- Creating a new file and deleting the previous one is a .zip route with password protection. I don't understand the filesystem and mounting route you refer to. Is there not some program which jumbles up the file in some way and then can put it back into order? – Vass, Jan 8, 2012 at 13:03
- @Vass I don't understand what you mean by "the zip path": there's no zip involved. The plaintext is never stored on disk (that would be a lot more complicated and defeat most of the purpose of encryption). – Gilles 'SO- stop being evil', Jan 8, 2012 at 16:33
- The zip route/zip path is to recursively zip a directory with the encryption/password option(s). Then, however, when one wants to access a file, one must extract the unencrypted file from the zip, read the file and then delete it, or edit the file and then update the zip with the new file, then delete the intermediate file. He's seeking the transparency of an encrypted filesystem but at a directory level. I, and others, suggest FUSE with an encrypted fs. "Simple", though, is a matter of perspective and experience. – bsd, Jan 8, 2012 at 21:37
- @bdowning, yes, you articulated it correctly. I do not understand filesystems and their operation. I would work blindly with the commands without understanding the concepts. – Vass, Jan 8, 2012 at 22:33
I would recommend looking into eCryptfs, which makes it fairly simple to create a folder for storing encrypted contents. Although FedKad's linked response suggests mounting the folder over itself, I personally prefer to mount the folder into a separate directory; this makes it easier to avoid accidentally backing up the unencrypted version.
You can create and edit unencrypted versions of documents within the mounted version of your eCryptfs folder; meanwhile, if you've done your setup correctly, the original eCryptfs folder will remain encrypted (unless you've mounted it onto itself). Don't take my word for it, though: check the folder periodically to make sure the files are indeed encrypted (which will become pretty clear when you try opening them with a text editor).
If you need a folder that can also be opened within other operating systems, consider creating a VeraCrypt file instead. This file, once mounted, will then serve as an encrypted folder for the files you put in it.
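Two checks recur across these answers: Gilles's answer warns that the mount point passed to encfs must be an empty directory and must not be mounted twice, and the eCryptfs answer recommends periodically confirming that the ciphertext directory really holds only ciphertext (mounting a folder over itself is the classic way to get this wrong). The script below is an added example, not code from any of the answers or from the encfs or eCryptfs projects. It assumes the two-directory layout from Gilles's answer (a ciphertext directory such as `~/.encrypted` and a separate, empty mount point such as `~/encrypted`) and reads `/proc/mounts`, so it is Linux-specific. The subcommand names `precheck` and `verify`, the function names, and the canary file name `.encdir-canary` are all this example's own choices.

```sh
#!/bin/sh
# encdir-check: pre-flight and post-mount checks for a directory-level
# encrypted store (encfs, eCryptfs or similar). Added example; assumes the
# CIPHER/MOUNT layout from the encfs answer: CIPHER holds ciphertext, MOUNT
# is the empty directory the decrypted view is mounted on.
set -u

# Canonical path (symlinks resolved) so it compares with /proc/mounts entries.
canon() {
    (cd -- "$1" 2>/dev/null && pwd -P)
}

# 0 if DIR is currently a mount point according to /proc/mounts, 1 otherwise.
# (Paths containing spaces appear escaped as \040 in /proc/mounts; not handled here.)
is_mounted() {
    dir=$(canon "$1") || return 1
    awk -v m="$dir" '$2 == m { found = 1 } END { exit !found }' /proc/mounts
}

# 0 if DIR exists and has no entries at all (dotfiles included), 1 otherwise.
dir_is_empty() {
    [ -d "$1" ] || return 1
    [ -z "$(ls -A -- "$1")" ]
}

# Pre-flight for "encfs CIPHER MOUNT": refuse the situations the answer warns
# about (mount point missing or not empty, already mounted, or CIPHER and
# MOUNT being the same directory, i.e. mounting a folder over itself).
precheck_mount() {
    cipher=$1; mount=$2
    [ -d "$cipher" ] || { echo "ciphertext dir missing: $cipher" >&2; return 1; }
    dir_is_empty "$mount" || { echo "mount point missing or not empty: $mount" >&2; return 1; }
    if is_mounted "$mount"; then echo "already mounted: $mount" >&2; return 1; fi
    if [ "$(canon "$cipher")" = "$(canon "$mount")" ]; then
        echo "refusing to mount a directory over itself: $mount" >&2; return 1
    fi
    return 0
}

# Canary test for a mounted store: write a recognisable string through MOUNT
# and look for it as plaintext anywhere under CIPHER. Returns 0 if the
# plaintext IS visible in CIPHER (leak / misconfiguration), 1 if it is not,
# 2 if the canary could not even be written.
canary_leaked() {
    cipher=$1; mount=$2
    marker="encdir-canary-$$-$(date +%s)"   # constructed, unique per run
    printf '%s\n' "$marker" > "$mount/.encdir-canary" || return 2
    if grep -rqF -- "$marker" "$cipher"; then
        rm -f -- "$mount/.encdir-canary"
        return 0
    fi
    rm -f -- "$mount/.encdir-canary"
    return 1
}

# Full post-mount verification: MOUNT must actually be a mount point (otherwise
# files written there land on the plain disk) and the canary must not leak.
verify_store() {
    cipher=$1; mount=$2
    is_mounted "$mount" || { echo "NOT mounted: $mount (writes would be plaintext)" >&2; return 1; }
    if canary_leaked "$cipher" "$mount"; then
        echo "LEAK: plaintext written via $mount is readable under $cipher" >&2; return 1
    fi
    echo "ok: $mount is mounted and $cipher shows only ciphertext"
}

# Usage: encdir-check precheck CIPHER MOUNT   (before running encfs)
#        encdir-check verify   CIPHER MOUNT   (after mounting)
case "${1:-}" in
    precheck) precheck_mount "${2:?CIPHER}" "${3:?MOUNT}" && echo "ok to mount: encfs $2 $3" ;;
    verify)   verify_store "${2:?CIPHER}" "${3:?MOUNT}" ;;
    "")       ;;   # no arguments: just define the functions (e.g. when sourced)
    *)        echo "usage: $0 precheck|verify CIPHER MOUNT" >&2; exit 2 ;;
esac
```

Run `precheck` before `encfs ~/.encrypted ~/encrypted` and `verify` afterwards; `verify` deliberately fails both when the mount never happened (a silently failed `encfs` leaves a plain directory that accepts writes) and when the ciphertext directory exposes the canary, which is what you would see after mounting a folder onto itself. The canary checks file contents only; whether file names are also encrypted depends on the chosen encfs/eCryptfs options, so inspect the ciphertext directory listing yourself if that matters to you.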