In this tutorial, you will learn how to encrypt files and directories with eCryptFS on Ubuntu 20.04. Encryption is the process in which a plain text data, a message or information, is converted to a random and meaningless data, commonly known as ciphertext. Encrypted data can only accessed by authorized parties while those who are not authorized cannot access it.
There are several methods of encrypting data in Linux for example EncFS, eCryptFS for filesystem level encryption, Loop-AES, DMCrypt, CipherShield for full disk encryption.
eCryptfs is a POSIX-compliant enterprise-class stacked cryptographic filesystem for Linux. Layering on top of the filesystem layer eCryptfs protects files no matter the underlying filesystem, partition type, etc
During installation, Ubuntu provides an option to encrypt the /home partition using eCryptfs. This will automatically configure everything needed to encrypt and mount the partition However, if you dont get on pretty well with this, run through the following steps to ecnrypt your files and directories manually.
Using eCryptFS to Encrypt Files and Directories
Install eCryptFS
To use eCryptFS, install the necessary packages. However, if you enabled home directory encryption during installation, this utility should already be installed.
If the package doesn’t already exist, then you need to update your system package cache and install ecryptfs.
apt updateapt install ecryptfs-utils -yEncrypting a Directory with eCryptFS
Now that the installation is done, it is time to see eCryptFS in action.
To encrypt a directory with eCryptFS, mount the directory in question with ecryptfs filesystem type.
Let say you want to encrypt ~/mydocuments, then;
sudo mount -t ecryptfs ~/mydocuments/ ~/mydocuments/When this command is run, it asks for a passphrase and several other prompts. Answer them accordingly.
Passphrase: Enter your passpharase here
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32
2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: Press Enter
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]: Press Enter
Enable plaintext passthrough (y/n) [n]: n
Enable filename encryption (y/n) [n]: n
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=96b6fac91e0a01b8
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.
Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [96b6fac91e0a01b8] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Mounted eCryptfsThe encrypted directory is now mounted. Run the command below to verify the mounting.
sudo mount | grep mydocuments/home/koromicha/mydocuments on /home/koromicha/mydocuments type ecryptfs (rw,relatime,ecryptfs_sig=96b6fac91e0a01b8,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)You can now start putting your sensitive data to the directory.
As an example, let us create a file with random data within the encrypted directory.
cat > ~/mydocuments/clients-contacts.txt << 'EOL'
ClientA: 020-000001
ClientB: 020-000002
ClientC: 020-000003
ClientD: 020-000004
EOLAs long as the directory is mounted, the data is accessible.
Let us unmount the directory and see if it is possible to access the data.
sudo umount ~/mydocumentsTry to view the data now.
cat ~/mydocuments/clients-contacts.txtP.p"3DUfw`ք[PJP5~p_CONSOLE9mxǮP|Xt߫0ak!f(BƬ
:i>0o989<Ѥk@OmD(WZ=&Ss<g9#@\e`\A]L!\U]s/zU.x|B$HPmTTzyrrx4%@$8!r]sI\#4q1Z8&ۿGGb$7
^QUﷱIa4ɵK,tyhUUHi 0]h<S+fK2DH-mC[iO-XbKdװ@%xYs, w'
O-nt!z"ɾ6AZyƷ.T`ǡ0FfӲܮ%O{@[ߕ8wLRѻsr&]^ XoeA"m?SVb&/Nrgθo?&[sj!
"lL CЯ5)+H^rA2aKxf.a+}LiA̝|gSOj2y_x~Ma^p.PmPUvdjv34 c5-F\hFQ½CTLB#OI+5.WXsDlbʺ
f50)> AJa7$~4V!R;udP]ޱABSyT!qg D;fY(&4!aX@"JyɬPwvJ"h}B<nS>e
)@[K~w39PK^ j~p"G'eQEK&3Ywe,Ϸ,AVjƺ!yUoX ·@\:!{mQfۢ'wţap]4}% αu[0M#>S魍g9t_A0k=ۊ;
wℍGZN$V2"HI-4oIክEoK?]9sIr0J:{uTJ8D֍+ nɪ7CI&iCELYa̅ÿҞޙn)-]}C
...This is all meaningless.
To access the data, you need to remount the directory.
When prompted for the passphrase, use the one you set while mounting the directory for the first time.
sudo mount -t ecryptfs ~/mydocuments/ ~/mydocuments/Passphrase: ENTER THE PASSPHRASE
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32
2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]:
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]:
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]:
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=96b6fac91e0a01b8
Mounted eCryptfsYou can now be able to view your data in the encrypted directory.
The process of remounting the directory is so manual and a bit taunting. Therefore, to automate this process, you can create a bash script or use a USB with a passphrase key to automate this process.
See our next tutorial on how to automate this mounting process. Cheers.
Other Tutorials
How to Use VeraCrypt on Command Line to Encrypt Drives on Ubuntu 18.04
Install and Setup VeraCrypt on Ubuntu 20.04
