ecryptfs

file-level encryption using ecryptfs seems unnaturally easy… too easy some would say.
sure, full-disk should be better, I just want to have a way to hide stuff from prying eyes.

basically you just point it to a folder and that’s it. suspiciously easy.

you need: ecryptfs-utils (via your friendly package manager or compile it yourself…)

then just go and mount the directory using -t ecryptfs

 sudo mount -t ecryptfs ~/cat_pictures/ ~/cat_pictures/

this will encrypt the folder “cat_pictures” in your home folder. Be sure it exists but is empty when you run this for the first time (files that are already in it are not encrypted retroactively; they stay as plaintext underneath the mount).

it does ask some questions: remember the “passphrase” is the key to decrypt the data.

Passphrase: 
Select cipher: 
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: 
Select key bytes: 
 1) 16
 2) 32
 3) 24
Selection [16]: 
Enable plaintext passthrough (y/n) [n]: 
Enable filename encryption (y/n) [n]: 
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=XXXXXXXXXXXXXXXXXX
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key 
before. This could mean that you have typed your 
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [XXXXXXXXXXXXXx] to
[/root/.ecryptfs/sig-cache.txt] 
in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Mounted eCryptfs

that’s it – the folder is now mounted. Go and fill it with data.

unmount with

sudo umount ~/cat_pictures/

if you want to mount it again

sudo mount -t ecryptfs ~/cat_pictures/ ~/cat_pictures/

mind you, all the options need to be answered the same way every time… so you could make this easier by creating a script, or using a wrapper, but then what’s the point of encryption if you store the key in a file???

Edit: turns out you can pre-answer the options (the passphrase itself is still prompted for; the file only holds the mount options and the key signature): edit/create /root/.ecryptfsrc

ecryptfs_enable_filename_crypto=y
ecryptfs_passthrough=n
ecryptfs_unlink_sigs
ecryptfs_fnek_sig=xxxxxxxxxxxxxxxxxxxx
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=xxxxxxxxxxxxxxxxx
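As an added example (not from the original post, and not part of ecryptfs-utils), here is the “script or wrapper” idea done without storing the key anywhere: every interactive prompt is answered explicitly on the mount command line (the same answers /root/.ecryptfsrc would hold), the passphrase is read from the terminal at run time and handed to mount.ecryptfs over a pipe, and a non-secret marker file inside the encrypted tree is checked after each mount, because a mistyped passphrase still mounts and just leaves the existing files unreadable. Assumptions: mount.ecryptfs from ecryptfs-utils is installed, the target directory exists, sudo is available, and the directory name and marker contents are made up for the example.

```sh
#!/bin/sh
# Added example, not code from the original post or from ecryptfs-utils.
# Assumes mount.ecryptfs (ecryptfs-utils), an existing target directory
# and sudo. The option names are the ones mount.ecryptfs accepts for its
# interactive prompts; the marker file is a constructed, non-secret value.

CANARY_NAME=".ecryptfs-canary"
CANARY_TEXT="ecryptfs canary v1"   # non-secret marker text, constructed here

# Compose the -o string: one option per interactive question, so the
# answers are identical on every mount. $1 = fd supplying the passphrase,
# $2 = cipher, $3 = key bytes, $4 = filename encryption (y/n).
ecryptfs_opts() {
    printf 'key=passphrase,passphrase_passwd_fd=%s,ecryptfs_cipher=%s,ecryptfs_key_bytes=%s,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=%s,ecryptfs_unlink_sigs,no_sig_cache' \
        "$1" "$2" "$3" "$4"
}

# A wrong passphrase (or different cipher/key size) still mounts; the
# existing files just come back unreadable. So keep a marker file with
# known, non-secret content in the encrypted tree and verify it after
# every mount. Returns 0 if the marker is present and correct, 1 otherwise.
canary_ok() {
    dir=$1
    [ -f "$dir/$CANARY_NAME" ] || return 1
    [ "$(cat "$dir/$CANARY_NAME" 2>/dev/null)" = "$CANARY_TEXT" ]
}

# Mount $1 onto itself. The passphrase goes to mount.ecryptfs on stdin
# (fd 0) in the "passphrase_passwd=..." form it expects on that fd, so it
# never appears in argv or in a file. printf is a shell builtin here.
mount_encrypted() {
    dir=$1
    cipher=${2:-aes}
    keybytes=${3:-16}
    fnek=${4:-n}

    printf 'Passphrase: ' >&2
    stty -echo 2>/dev/null; read -r pass; stty echo 2>/dev/null; printf '\n' >&2

    printf 'passphrase_passwd=%s\n' "$pass" |
        sudo mount -t ecryptfs "$dir" "$dir" \
            -o "$(ecryptfs_opts 0 "$cipher" "$keybytes" "$fnek")" || return 1
    unset pass

    if [ -z "$(ls -A "$dir")" ]; then
        # First mount of an empty directory: plant the marker.
        printf '%s\n' "$CANARY_TEXT" > "$dir/$CANARY_NAME"
    elif ! canary_ok "$dir"; then
        echo "marker unreadable: wrong passphrase or options, unmounting" >&2
        sudo umount "$dir"
        return 1
    fi
    echo "mounted $dir"
}

# usage: mount_encrypted ~/cat_pictures            (aes, 16 key bytes, no fnek)
#        mount_encrypted ~/cat_pictures aes 32 y   (different answers)
```

Run `mount_encrypted ~/cat_pictures` the first time on the empty directory (it plants the marker), and the same command on every later mount; if the marker does not read back, the wrapper unmounts again instead of leaving you with a tree of I/O errors. The `no_sig_cache` option is what lets it run without the interactive sig-cache warning shown above; the marker check takes over that warning’s job of catching a mistyped passphrase.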

sources:

  • https://ostechnix.com/how-to-encrypt-directories-with-ecryptfs-in-linux/
  • https://ayedaemon.medium.com/unshadowing-the-etc-shadow-ed-a597db449d18