How to Encrypt Files and Folders with eCryptFS on Ubuntu 18.04

0
6840

Encryption is the process in which a plain text data, a message or information, is converted to a random and meaningless data, commonly known as ciphertext. Encrypted data can only accessed by authorized parties while those who are not authorized cannot access it.

There are several methods of encrypting data in Linux for example EncFS, eCryptFS for filesystem level encryption, Loop-AES, DMCrypt, CipherShield for full disk encryption. Well, in this tutorial, we are going to learn how to encrypt files and folders on Ubuntu 18.04 by using eCryptFS utility.

eCryptfs is a POSIX-compliant enterprise-class stacked cryptographic filesystem for Linux. Layering on top of the filesystem layer eCryptfs protects files no matter the underlying filesystem, partition type, etc

During installation, Ubuntu provides an option to encrypt the /home partition using eCryptfs. This will automatically configure everything needed to encrypt and mount the partition However, if you dont get on pretty well with this, run through the following steps to ecnrypt your files and directories manually.

Install eCryptFS

To use eCryptFS, install the necessary packages. However, if you enabled home directory encryption during installation, this utility should already be installed.

# apt install ecryptfs-utils -y 

Encrypting a Directory

Now that the installation is done, it is time to see ecryptfs in action. Let say  you want to encrypt /home/amos/mydocuments.

To encrypt the directory above, mount it with ecryptfs filesystem type as shown below.

$ sudo mount -t ecryptfs mydocuments/ mydocuments/

When this command is run, it asks for a passphrase and several other prompts. Answer them accordingly.

Passphrase:    Enter your passpharase here
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32
2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]:  Press Enter
Select key bytes: 
1) 16
2) 32
3) 24
Selection [16]:  Press Enter
Enable plaintext passthrough (y/n) [n]: n
Enable filename encryption (y/n) [n]: n
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=96b6fac91e0a01b8
Mounted eCryptfs

The encrypted directory is now mounted. Run the command below to verify the mounting.

$ sudo mount | grep mydocuments
/home/amos/mydocuments on /home/amos/mydocuments type ecryptfs (rw,relatime,ecryptfs_sig=96b6fac91e0a01b8,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)

You can now start putting your sensitive data to the directory. As an example, let us create a file with random data within the encrypted directory.

$ cat mydocuments/clients-contacts.txt
ClientA: 020-000001
ClientB: 020-000002
ClientC: 020-000003
ClientD: 020-000004

As long as the directory is mounted, the data is accessible. Let us unmount the directory and see if it is possible to access the data.

$ sudo umount /home/amos/mydocuments

Try to view the data now.

$ cat mydocuments/clients-contacts.txt
P.p"3DUfw`ք[PJP5~p_CONSOLE9mxǮP|Xt߫0ak!f(BƬ 
:i>0o989<Ѥ[email protected](WZ=&Ss<g9#@\e`\A]L!\U]s/zU.x|B$HPmTTzyrrx4%@$8!r]sI\#4q1Z8&ۿGGb$7
^QUﷱIa4ɵK,tyhUUHi 0]h<S+fK2DH-mC[iO-XbKdװ@%xYs, w'
O-nt!z"ɾ6AZyƷ.؃T`ǡ0FfӲܮ%O{@[ߕ8wLRѻsr&]^ XoeA"m?SVb&/Nrgθo?&[sj!
"lL CЯ5)+H^rA2aKxf.a+}LiA̝|gSOj2y_x~Ma^p.PmPUvdjv34 c5-F\hFQ½CTLB#OI+5.WXsDlbʺ
f50)> AJa7$~4V!R;udP]ޱABSyT!qg D;fY(&[email protected]"JyɬPwvJ"h}B<nS>e
)@[K~w39PK^ j~p"G'eQEK&3Ywe,Ϸ,AVjƺ!yUoX ·@\:!{mQfۢ'wţap]4}% αu[0M#>S魍g9t_A0k=ۊ;
wℍGZN$V2"HI-4oIክEoK?]9sIr0J:{uTJ8D֍+ nɪ7CI&iCELYa̅ÿҞޙn)-]}C
/ʄ46}u4bo\B4I۫+1hdH2:)>Vj{#B8<p6)3XHwluDkQ{\ngnk|Pˑqw0Es%ۗ(?q>L~٪|d9KN;bJZ]>1㛬a.SClߴ?<
k ҥfjnX(nҽH^>vs&tb?:?c7o\Ur2˵շĝ;X+$W/$PE5omɦbu9Y0jxR^C)C~J&J>~8l#D4$5iOhX !07mhB
V̧ðE<? "5h7#d|p#ɘSJܸ<<Uu9̔㕦QIr"xaבzM^*''SCn~;kA
'΢9Cj#@kо-=wK ;jtIPlP}I&9 *]nL2XYG||V fyha4SC:Ox<AJ2ݣ',fy:[p0u2t+ ?Եʫ̅x~Z%ڔ22#&7*Yxdg
#t-7dZZUnGJ/6[,e_m꡹]N=~cɏ|tQ0c4Q.,-AZaJ/n%-zPm絳v`#+{[n%l}U\9=_'(Sdq&b&44C5,
U9߯YK˟{[email protected]~tŧK0荩t]?qwN!dMԞWl]SD;4>yr|a.
֐665G|-ulJw$2<F1nn"ѠX7PF<,q*~aW%'C&I2'ս
S{[email protected];,?o ïqx+5q69{i]ax1;[email protected]>HOX:=M|zb<I凢K3QFz"?02C}mdj/|8xPܫߜ9b3~Q2̜h

This is all meaningless. To access the data, you need to remount the directory. When prompted for the passphrase, use the one you set while mounting the directory for the first time.

$ sudo mount -t ecryptfs mydocuments/ mydocuments/
Passphrase:    Enter your Previous passpharase here
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32
2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]:  Press Enter
Select key bytes: 
1) 16
2) 32
3) 24
Selection [16]:  Press Enter
Enable plaintext passthrough (y/n) [n]: n
Enable filename encryption (y/n) [n]: n
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=96b6fac91e0a01b8
Mounted eCryptfs

You can now be able to view your data in the encrypted directory.

The process of remounting the directory is so manual and a bit taunting. Therefore, to automate this process, you can create a bash script or use a USB with a passphrase key to automate this process.

See our next tutorial on how to automate this mounting process. Cheers.

LEAVE A REPLY

Please enter your comment!
Please enter your name here