Want to encrypt important files, but not your entire Linux system's hard drive? In that case, we recommend gocryptfs. You get a directory that essentially encrypts and decrypts everything you store in it.
gocryptfs offers data protection
Privacy is big news. Hardly a week goes by without one organization or another reporting a breach. Companies either report recent incidents or disclose intrusions that occurred some time ago. In both cases, it is bad news for those whose data has been exposed.
Because millions of people use services like Dropbox, Google Drive and Microsoft OneDrive, a seemingly endless stream of data is sent to the cloud every day. If you store some (or all) of your information in the cloud, what can you do to protect confidential information and private documents in the event of an intrusion?
Of course, data breaches come in all shapes and sizes and are not limited to the cloud. A lost memory stick or stolen laptop is just a small-scale data breach. But the scale is not the critical factor. If the information is sensitive or confidential, having it fall into someone else's hands can be catastrophic.
One solution is to encrypt your documents. Traditionally, this is done by encrypting your hard drive in its entirety. This is secure, but it also slows down your computer slightly. Also, if you suffer a catastrophic failure, it can complicate the process of restoring your system from backups.
gocryptfs allows you to encrypt only those directories that need protection and avoid the system-wide overhead of encryption and decryption. It is fast, light and easy to use. It is also easy to move encrypted directories to other computers. As long as you have the password to access that information, it leaves no trace of your files on the other computer.
gocryptfs is designed as a lightweight, encrypted file system. It can also be mounted by regular, non-root accounts because it uses the Filesystem in Userspace (FUSE) package. This acts as a bridge between gocryptfs and the kernel file-system routines that it needs to access.
To install gocryptfs on Ubuntu, type this command:
sudo apt-get install gocryptfs
To install it on Fedora, type:
sudo dnf install gocryptfs
On Manjaro, the command is:
sudo pacman -Syu gocryptfs
Create an encrypted directory
Part of the beauty of gocryptfs is how easy it is to use. The principles are:
- Create a directory that contains the files and subdirectories you are protecting.
- Use gocryptfs to initialize the directory.
- Create an empty directory as a mount point and then mount the encrypted directory on it.
- At the mount point, you can view and use the decrypted files and create new ones.
- Unmount the encrypted directory when you are done.
We will create a directory called “vault” to contain the encrypted data. To do this, we type the following:
We need to initialize our new directory. This step creates the gocryptfs file system within the directory:
gocryptfs -init vault
Enter a password when prompted; you type it twice to make sure it is correct. Choose a strong one: three unrelated words that include punctuation, numbers or symbols are a good template.
Your master key is generated and displayed. Copy and save this securely and privately. In our example, we are creating a gocryptfs directory on a research machine that is wiped after each article has been written.
Because it is necessary for an example, you can see the master key for this directory. You definitely want to be much more secretive with yours. If someone obtains your master key, they can access all of your encrypted data.
If you switch to the new directory, you will see that two files have been created. Type the following:
“gocryptfs.diriv” is a short binary file, while “gocryptfs.conf” contains settings and information that you should keep safe.
If you upload your encrypted data to the cloud or back it up to small, portable media, do not include “gocryptfs.conf”. However, if you back up to local media that remains under your control, you can include this file.
With sufficient time and effort, it may be possible to extract your password from the “encrypted key” and “salt” entries, as shown below:
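The advice above about keeping “gocryptfs.conf” out of cloud and portable copies can be enforced with a small staging step. The following shell function is an added example, not part of the original article or the gocryptfs project; the name stage_vault and all paths passed to it are assumptions for illustration.

```shell
#!/bin/sh
# Added example: stage a gocryptfs encrypted directory for cloud upload
# without its gocryptfs.conf. stage_vault is a hypothetical helper name.

# stage_vault SRC DEST
# Copies the encrypted tree SRC into DEST, never writing gocryptfs.conf there.
stage_vault() {
    src=$1 dest=$2

    # Both files are created by "gocryptfs -init". If either is missing, SRC
    # is probably the plaintext mount point, which must never be uploaded.
    for f in gocryptfs.conf gocryptfs.diriv; do
        if [ ! -f "$src/$f" ]; then
            echo "stage_vault: $src has no $f; not an initialized vault" >&2
            return 2
        fi
    done

    mkdir -p "$dest" || return 1

    # Walk the tree parents-first and skip only the top-level config file.
    # Encrypted file names are base64 text, so line-based reading is safe.
    (cd "$src" && find . ! -path . ! -path ./gocryptfs.conf) |
    while IFS= read -r p; do
        if [ -d "$src/$p" ]; then
            mkdir -p "$dest/$p" || exit 1
        else
            # -P copies symlinks as links; -p keeps modes and timestamps.
            cp -pP "$src/$p" "$dest/$p" || exit 1
        fi
    done || return 1

    # Final check: fail loudly if the config file reached the staging area.
    if [ -e "$dest/gocryptfs.conf" ]; then
        echo "stage_vault: gocryptfs.conf leaked into $dest" >&2
        return 3
    fi
}
```

Point your sync client at the staging directory rather than at the vault itself. To read such a copy later you need “gocryptfs.conf” from a backup you control, or the master key you saved at initialization.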
Mount the encrypted directory
The encrypted directory is mounted on a mount point, which is simply an empty directory. We’ll create one called “geek”:
We can now mount the encrypted directory on the mount point. Strictly speaking, what is actually mounted is the gocryptfs file system inside the encrypted directory. We are asked to enter the password:
gocryptfs vault geek
Once the encrypted directory is mounted, we can use the mount point directory just as we would any other. Everything we edit and create in this directory is actually written to the mounted, encrypted directory.
We can create a simple text file, such as the following:
We can edit it, add some content to it and then save the file:
Our new file has been created:
If we switch to our encrypted directory, which is shown below, we see that a new file has been created with an encrypted name. You cannot even tell what file type it is from the name:
If we try to display the contents of the encrypted file, we can see that it is indeed encrypted:
Our simple text file, shown below, is now anything but easy to decipher.
Unmount the encrypted directory
When you are done with your encrypted directory, you can unmount it with the fusermount command. Part of the FUSE package, the following command unmounts the gocryptfs file system inside the encrypted directory from the mount point:
fusermount -u geek
If you type the following to check your mount point directory, you will see that it is still empty:
Everything you did is stored securely in the encrypted directory.
Easy and safe
Simple systems have the advantage that they are used more often, while more complicated processes tend to fall by the wayside. Using gocryptfs is not only simple, it’s secure too. Simplicity without security would not be worthwhile.
You can create as many encrypted directories as you need or just one to hold all your sensitive data. You may also want to create some aliases to mount and unmount your encrypted file system and further simplify the process.