Encrypting a directory in Linux

Security is something we developers care about. These days our most valuable information lives on our electronic devices, and if you are reading this you probably use Linux. Then yes, you have found the right post for keeping your secrets safe from the bad guys.

Supposing you use Ubuntu, I'll explain how to encrypt the folder where you keep the stuff you don't want anyone else to access, for example if someone steals your laptop. Keep in mind that this protects data at rest: while the folder is mounted, anything running as your user (or as root) can read it.

For this task we'll use eCryptfs. It is a stacked cryptographic filesystem for Linux: it sits on top of an existing filesystem, can be mounted on a single directory and does not require a separate partition.

Encryption works by mounting the folder with eCryptfs. Once the directory is mounted you can use it as if it were a standard folder, while the encrypted copies live in a separate lower directory. When you finish your work and want the files to be inaccessible, unmount the directory. To use the files again, mount it again.

Preparation steps:

Install eCryptfs

sudo apt-get install ecryptfs-utils

Create the lower directory, where the encrypted files are stored, and the mount point, where you will see them decrypted, and restrict both to your user

mkdir ~/.private ~/private
chmod 0700 ~/.private ~/private

Initialize the folder mounting

Initialize eCryptfs by mounting the folder for the first time. Mounting needs root, which is why the helper's files end up under /root. The mount helper asks a series of questions: choose passphrase as the key type (1), enter your passphrase, choose aes as the cipher (1) and 16 key bytes (1), answer n to plaintext passthrough and n to filename encryption, then yes to the two prompts shown below. These answers match the fstab entry used later. Write down the ecryptfs_sig it prints and remember your passphrase: without it the data cannot be recovered.

sudo mount -t ecryptfs ~/.private ~/private
...
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt], it looks like you have never mounted with this key before. This could mean that you have typed your passphrase wrong.
Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [2f5efa91218fe4d3] to [/root/.ecryptfs/sig-cache.txt]  in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Mounted eCryptfs
Once the folder is mounted you can add your files to ~/private; ~/.private holds the encrypted form and should not be edited directly.

The file /root/.ecryptfsrc, which saves your preferences as one mount option per line, is created automatically. Check that it contains no passphrase_passwd= or passphrase_passwd_file= line; if it does, delete that line, otherwise the passphrase sits on disk in cleartext and the encryption protects nothing:

If you need the ecryptfs_sig later, it is located in:

/root/.ecryptfs/sig-cache.txt

Unmount

Now when you want to unmount your folder, so that nobody can access it:

sudo umount ~/private

Get your UID

id -u

Append an entry to /etc/fstab, replacing /home/foo with your home directory and using the UID and signature obtained in the previous steps. noauto keeps the folder from being mounted at boot, and ecryptfs_sig names the key the mount must use:

# eCryptfs $HOME/.private mounted to $HOME/private
/home/foo/.private /home/foo/private ecryptfs rw,noauto,nofail,uid=1000,umask=0077,relatime,ecryptfs_sig=2f5efa91218fe4d3,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no 0 0

Ready to use

Remount

And to remount, so that you can read the data again:

sudo mount -t ecryptfs ~/private

You'll be asked for your passphrase every time you mount the folder. I hope you chose a strong one.

If you mistype the mount passphrase, you need to unmount the folder before you can mount it correctly again:

sudo mount -t ecryptfs ~/private/   (wrong passphrase)
sudo umount ~/private/
sudo mount -t ecryptfs ~/private/   (right passphrase)
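As an added example (my own helper script, not part of the original post), here is the whole routine above wrapped in a small shell script. It assumes the mounts were done via sudo, so the signature cache and .ecryptfsrc live under /root as in the output above, that the lower directory is ~/.private and the mount point ~/private, and it generates the same fstab line as the post. The sig-cache, .ecryptfsrc and mounts files created by make_sample_env are constructed stand-ins so the checks can be exercised without root or an eCryptfs-capable kernel; the mount and umount modes need both.

```shell
#!/bin/sh
# Added helper for the eCryptfs private-folder setup described in this post.
# Assumptions: the mount helper was run via sudo, so its files live under /root;
# the lower dir is ~/.private and the mount point ~/private (override via env).
set -e

SIG_CACHE="${SIG_CACHE:-/root/.ecryptfs/sig-cache.txt}"
ECRYPTFSRC="${ECRYPTFSRC:-/root/.ecryptfsrc}"
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"
LOWER="${LOWER:-$HOME/.private}"
UPPER="${UPPER:-$HOME/private}"

# Print the most recently appended signature from the helper's sig cache.
get_sig() {
    [ -s "$SIG_CACHE" ] || { echo "no signature cached in $SIG_CACHE" >&2; return 1; }
    tail -n 1 "$SIG_CACHE"
}

# Build the /etc/fstab line from the post: lower dir, mount point, uid, sig.
# The signature must be the 16 hex characters the helper printed.
fstab_entry() {
    if ! printf '%s' "$4" | grep -Eq '^[0-9a-f]{16}$'; then
        echo "ecryptfs_sig must be 16 hex characters, got: $4" >&2
        return 1
    fi
    printf '%s %s ecryptfs rw,noauto,nofail,uid=%s,umask=0077,relatime,ecryptfs_sig=%s,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no 0 0\n' \
        "$1" "$2" "$3" "$4"
}

# Return 1 if the rc file would hand a stored passphrase to the mount helper
# (passphrase_passwd= or passphrase_passwd_file=); the post says to delete it.
rc_is_clean() {
    [ -f "$1" ] || return 0
    if grep -Eq '^[[:space:]]*passphrase_passwd(_file)?=' "$1"; then
        echo "$1 stores a passphrase; delete that line" >&2
        return 1
    fi
}

# Is the mount point currently an eCryptfs mount? Reads /proc/mounts
# (or MOUNTS_FILE, so it can be tested on a constructed sample).
is_mounted() {
    awk -v m="$1" '$2 == m && $3 == "ecryptfs" { found = 1 } END { exit !found }' "$MOUNTS_FILE"
}

# Mount the private folder. A previous attempt with a wrong passphrase leaves
# a mount in place, so it is unmounted first (the failure mode described in
# the post). Refuses to run if the rc file stores a passphrase.
private_mount() {
    rc_is_clean "$ECRYPTFSRC" || return 1
    if is_mounted "$UPPER"; then
        echo "$UPPER is already mounted; unmounting before retrying" >&2
        sudo umount "$UPPER"
    fi
    sudo mount -t ecryptfs "$UPPER"
}

private_umount() {
    if is_mounted "$UPPER"; then
        sudo umount "$UPPER"
    else
        echo "$UPPER is not mounted" >&2
    fi
}

# Constructed sample files (not real system state) so the checks can be run
# without root or an eCryptfs-capable kernel.
make_sample_env() {
    SAMPLE_DIR="$(mktemp -d)"
    SIG_CACHE="$SAMPLE_DIR/sig-cache.txt"
    ECRYPTFSRC="$SAMPLE_DIR/ecryptfsrc"
    BAD_RC="$SAMPLE_DIR/ecryptfsrc.bad"
    MOUNTS_FILE="$SAMPLE_DIR/mounts"
    printf '2f5efa91218fe4d3\n' > "$SIG_CACHE"
    printf 'key=passphrase\necryptfs_cipher=aes\necryptfs_key_bytes=16\n' > "$ECRYPTFSRC"
    printf 'key=passphrase\npassphrase_passwd_file=/root/secret.txt\n' > "$BAD_RC"
    printf '/dev/sda1 / ext4 rw,relatime 0 0\n' > "$MOUNTS_FILE"
    printf '/home/foo/.private /home/foo/private ecryptfs rw,relatime 0 0\n' >> "$MOUNTS_FILE"
}

case "${1:-}" in
    fstab)  fstab_entry "$LOWER" "$UPPER" "$(id -u)" "$(get_sig)" ;;
    mount)  private_mount ;;
    umount) private_umount ;;
    demo)   make_sample_env
            fstab_entry /home/foo/.private /home/foo/private 1000 "$(get_sig)"
            rc_is_clean "$ECRYPTFSRC" && echo "sample rc file is clean"
            rc_is_clean "$BAD_RC" || echo "bad rc file rejected as expected"
            is_mounted /home/foo/private && echo "sample shows /home/foo/private mounted" ;;
esac
```

Run it as `sh private.sh demo` to see the checks against the constructed sample, `sudo sh private.sh fstab` to print the line to append to /etc/fstab once the real signature is cached, and `sh private.sh mount` / `sh private.sh umount` for daily use.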

And this is it.

In conclusion, if you are like me and have villain enemies all around the globe, it's worth the 10-minute setup. Your data will be in a safer place and you'll sleep better.

You’re welcome.

Useful links:

http://ecryptfs.org/about.html

https://wiki.archlinux.org/index.php/ECryptfs

By Diego Borchers — DevOps Engineer