file-level encryption using ecryptfs seems unnaturally easy… too easy some would say.
sure, full-disk should be better, I just want to have a way to hide stuff from prying eyes.
basically you just point it to a folder and that’s it. suspiciously easy.
you need: ecryptfs-utils (via your friendly package manager or compile it yourself…)
then just go and mount the directory using -t ecryptfs
sudo mount -t ecryptfs ~/cat_pictures/ ~/cat_pictures/
this will encrypt the folder “cat_pictures” in your home folder. Be sure it exists but is empty when you run this for the first time (files that are already in there will not be encrypted: they just sit underneath the mount in plaintext, and ecryptfs tries to read them as if they were encrypted)
it does ask some questions: remember the “passphrase” is the key to decrypt the data.
Passphrase:
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32
2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]:
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]:
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]:
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=XXXXXXXXXXXXXXXXXX
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.
Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [XXXXXXXXXXXXXx] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Mounted eCryptfs
that’s it – the folder is now mounted. Go and fill it with data.
unmount with
sudo umount ~/cat_pictures/
if you want to mount it again
sudo mount -t ecryptfs ~/cat_pictures/ ~/cat_pictures/
mind you, all options need to be answered in the same way (cipher, key bytes, filename encryption…), otherwise the existing files won’t decrypt. so you could make this easier by creating a script… or using a wrapper… but then, what’s the point of encryption if you store the key in a file???
Edit: turns out you can store the mount options (not the passphrase, that is still asked for every time): edit/create /root/.ecryptfsrc (root’s, because the mount runs via sudo)
ecryptfs_enable_filename_crypto=y
ecryptfs_passthrough=n
ecryptfs_unlink_sigs
ecryptfs_fnek_sig=xxxxxxxxxxxxxxxxxxxx
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=xxxxxxxxxxxxxxxxx
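If you prefer the script route over the rc file, here is a hypothetical wrapper I am adding as an example (it is not part of the original post): the options are fixed in the script, the signatures from the first mount are passed in as arguments, and the passphrase is typed each time and fed to mount.ecryptfs over a pipe rather than stored anywhere. It assumes ecryptfs-utils’ passphrase key module reading “passphrase_passwd=…” from the descriptor named by passphrase_passwd_fd, and absolute directory paths.

```shell
#!/bin/sh
# Hypothetical wrapper (added example, not from the original post).
# It keeps the mount *options* in the script but never the passphrase:
# the passphrase is read from the terminal on every mount and handed to
# mount.ecryptfs through a pipe, so no key material lands on disk.

# Build the option list for mount.ecryptfs from the answers given the
# first time (aes, 16 key bytes, no passthrough, filename encryption on).
# Pinning ecryptfs_sig/ecryptfs_fnek_sig to the signatures printed at the
# first mount makes a mistyped passphrase fail instead of mounting the
# directory with a fresh key and showing the old files as garbage.
ecryptfs_opts() {
    sig=$1; fnek_sig=$2
    opts="ecryptfs_cipher=aes,ecryptfs_key_bytes=16"
    opts="$opts,ecryptfs_passthrough=n,ecryptfs_unlink_sigs"
    opts="$opts,ecryptfs_enable_filename_crypto=y"
    opts="$opts,ecryptfs_sig=$sig,ecryptfs_fnek_sig=$fnek_sig"
    printf '%s' "$opts"
}

# Only mount onto an existing directory (absolute path) that is not already
# an eCryptfs mount point (a second stacked mount just hides the first one).
check_target() {
    dir=$1
    [ -d "$dir" ] || return 1
    ! grep -q " $dir ecryptfs " /proc/mounts 2>/dev/null
}

mount_encrypted_dir() {
    dir=$1; sig=$2; fnek_sig=$3
    check_target "$dir" || { echo "refusing: $dir missing or already mounted" >&2; return 1; }
    printf 'eCryptfs passphrase: ' >&2
    stty -echo; read -r pass; stty echo; printf '\n' >&2
    # Assumption: passphrase_passwd_fd makes mount.ecryptfs read a line
    # "passphrase_passwd=..." from that descriptor (here stdin), so the
    # passphrase is neither in a file nor in the process list.
    # verbosity=0 suppresses the interactive questions.
    printf 'passphrase_passwd=%s\n' "$pass" | sudo mount -t ecryptfs "$dir" "$dir" \
        -o "key=passphrase:passphrase_passwd_fd=0,$(ecryptfs_opts "$sig" "$fnek_sig"),no_sig_cache,verbosity=0"
    status=$?; unset pass
    return $status
}

# Usage: ./mount_cats.sh --mount /home/me/cat_pictures <ecryptfs_sig> <ecryptfs_fnek_sig>
if [ "${1:-}" = "--mount" ] && [ $# -eq 4 ]; then
    mount_encrypted_dir "$2" "$3" "$4"
fi
```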
sources:
- https://ostechnix.com/how-to-encrypt-directories-with-ecryptfs-in-linux/
- https://ayedaemon.medium.com/unshadowing-the-etc-shadow-ed-a597db449d18