
How to encrypt files with gocryptfs on Linux




Want to encrypt important files, but not your entire Linux system's hard drive? In that case, we recommend gocryptfs. You get a directory that essentially encrypts and decrypts everything you store.

gocryptfs offers data protection

Privacy is big news. Hardly a week goes by without one organization or another reporting a breach. Companies either report recent incidents or reveal intrusions that occurred some time ago. In both cases, it is bad news for those whose data has been exposed.

Because millions of people use services like Dropbox, Google Drive and Microsoft OneDrive, a seemingly endless stream of data is sent to the cloud every day. If you store some (or all) of your information in the cloud, what can you do to protect confidential information and private documents in the event of an intrusion?

Of course, data breaches come in all shapes and sizes and are not limited to the cloud. A lost memory stick or stolen laptop is just a small-scale data breach. But the scale is not the critical factor. If the information is sensitive or confidential, someone else having it can be catastrophic.

One solution is to encrypt your documents. Traditionally, this is done by encrypting your hard drive in its entirety. This is secure, but it also slows down your computer slightly. Also, if you suffer a catastrophic failure, it can complicate the process of restoring your system from backups.

The gocryptfs system allows you to encrypt only those directories that need protection and avoid the cost of system-wide encryption and decryption. It is fast, light and easy to use. It is also easy to move encrypted directories to other computers. As long as you have the password to access that data, it leaves no trace of your files on the other computer.

The gocryptfs system is designed as a lightweight, encrypted file system. It can also be mounted by regular, non-root accounts because it uses the Filesystem in Userspace (FUSE) package. This acts as a bridge between gocryptfs and the kernel file system routines that it needs to access.

Installing gocryptfs

To install gocryptfs on Ubuntu, type this command:

sudo apt-get install gocryptfs


To install it on Fedora, type:

sudo dnf install gocryptfs


In Manjaro, the command is:

sudo pacman -Syu gocryptfs


Create an encrypted directory

Part of the beauty of gocryptfs is how easy it is to use. The principles are:

  • Create a directory that will contain the files and subdirectories you are protecting.
  • Use gocryptfs to initialize the directory.
  • Create an empty directory as a mount point and then mount the encrypted directory on it.
  • At the mount point, you can view and use the decrypted files and create new ones.
  • Unmount the encrypted folder when you are done.

We will create a directory called “vault” to contain the encrypted data. To do this, we type the following:

mkdir vault


We need to initialize our new directory. This step creates the gocryptfs file system in the directory:

gocryptfs -init vault


Enter a password when prompted; you type it twice to make sure it is correct. Choose a strong one: three unrelated words that contain punctuation, numbers or symbols are a good template.

Your master key is generated and displayed. Copy and save this securely and privately. In our example, we create a gocryptfs directory on a research machine that is wiped after each article has been written.

Because it is necessary for an example, you can see the master key for this directory. You definitely want to be much more secretive with yours. If someone retrieves your master key, they can access all of your encrypted data.

If you switch to the new directory, you will see that two files have been created. Type the following:

cd vault
ls -ahl


“gocryptfs.diriv” is a short binary file, while “gocryptfs.conf” contains settings and information that you should keep safe.

If you upload your encrypted data to the cloud or back it up to small, portable media, do not include this file. However, if you back up to local media that remains under your control, you can include this file.

With sufficient time and effort, it may be possible to extract your password from the “encrypted key” and “salt” entries, as shown below:

cat gocryptfs.conf


Mounting the encrypted directory

The encrypted directory is mounted on a mount point, which is simply an empty directory. We’ll create one called “geek”:

mkdir geek

We can now mount the encrypted directory on the mount point. Strictly speaking, what is actually mounted is the gocryptfs file system inside the encrypted directory. We are asked to enter the password:

gocryptfs vault geek

Once the encrypted directory is mounted, we can use the mount point directory in the same way we would any other. Everything we edit and create in this directory is actually written to the mounted, encrypted directory.

We can create a simple text file, such as the following:

touch secret-notes.txt

We can edit it, add some content to it and then save the file:

gedit secret-notes.txt

Our new file has been created:

ls


If we switch to our encrypted directory, as shown below, we see that a new file has been created with an encrypted name. You cannot even tell what file type it is from the name:

cd vault
ls -hl


If we try to display the contents of the encrypted file, we can see that it is indeed encrypted:

less aJGzNoczahiSif_gwGl4eAUnwxo9CvOa6kcFf4xVgYU


Our simple text file, shown below, is now anything but easy to decipher.


Unmounting the encrypted directory

When you are done with your encrypted directory, you can unmount it with the fusermount command. Part of the FUSE package, the following command unmounts the gocryptfs file system in the encrypted directory from the mount point:

fusermount -u geek


If you type the following to check your mount point directory, you will see that it is still empty:

ls


Everything you did is stored securely in the encrypted directory.

Easy and safe

Simple systems have the advantage that they are used more often, while more complicated processes tend to fall by the wayside. Using gocryptfs is not only simple, it’s secure too. Simplicity without security would not be worthwhile.

You can create as many encrypted directories as you need or just one to hold all your sensitive data. You may also want to create some aliases to mount and unmount your encrypted file system and further simplify the process.
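
The aliases suggested above can be written as shell functions that also enforce two points from the earlier sections: never write into the mount point while nothing is mounted, and leave gocryptfs.conf out of copies that go to the cloud or portable media. This is an added example, not code from the original article; the function names are hypothetical, the directory names follow the article, and it assumes a mounted vault appears in /proc/mounts with file system type fuse.gocryptfs.

```bash
#!/usr/bin/env bash
# Added example: helper functions around the vault/geek workflow.
# VAULT and MNT default to the article's directory names.
VAULT="${VAULT:-$HOME/vault}"
MNT="${MNT:-$HOME/geek}"

# True only if $1 is currently a gocryptfs FUSE mount.
# Paths containing spaces are escaped in /proc/mounts and will not match.
vault_is_open() {
    _target=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    awk -v m="$_target" '$2 == m && $3 == "fuse.gocryptfs" { found = 1 }
                         END { exit !found }' /proc/mounts 2>/dev/null
}

# Mount the vault. Refuse if the mount point already holds files: they
# would be plaintext that was written while nothing was mounted.
vault_open() {
    vault_is_open "$MNT" && return 0
    mkdir -p "$MNT"
    if [ -n "$(ls -A "$MNT")" ]; then
        echo "refusing: $MNT is not empty and not mounted" >&2
        return 1
    fi
    gocryptfs "$VAULT" "$MNT"    # prompts for the password
}

# Unmount, then confirm the decrypted view is really gone.
vault_close() {
    fusermount -u "$MNT" && ! vault_is_open "$MNT"
}

# Archive the ciphertext for cloud or portable media, leaving out
# gocryptfs.conf as advised above. $1 = path of the tar file to create.
vault_export() {
    if [ ! -f "$VAULT/gocryptfs.conf" ]; then
        echo "$VAULT is not an initialized gocryptfs directory" >&2
        return 1
    fi
    tar -cf "$1" --exclude='gocryptfs.conf' -C "$VAULT" .
}
```

Source the file from your shell start-up script, then call vault_open and vault_close in place of the raw gocryptfs and fusermount commands.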
