{"id":314,"date":"2015-12-13T23:36:23","date_gmt":"2015-12-13T23:36:23","guid":{"rendered":"http:\/\/blog.paranoidprofessor.com\/?p=314"},"modified":"2015-12-13T23:36:23","modified_gmt":"2015-12-13T23:36:23","slug":"securing-your-computer-ecryptfs","status":"publish","type":"post","link":"https:\/\/blog.paranoidprofessor.com\/index.php\/2015\/12\/13\/securing-your-computer-ecryptfs\/","title":{"rendered":"securing your computer &#8211; eCryptfs"},"content":{"rendered":"<p>There are a lot of possible options for securing your computer using encryption.\u00a0 Perhaps the easiest way to secure your data would be to purchase a new laptop with support for a self-encrypting disk drive.\u00a0 Failing that, all the Windows fans could try Microsoft&#8217;s BitLocker to keep your data safe.<\/p>\n<p>There are of course a lot more options than just those two.\u00a0 There are a number of free encryption choices on the Internet.\u00a0 The fact that they are free doesn&#8217;t necessarily make them insecure; some of them are actually used in commercial products.<\/p>\n<p>One such example is the encryption software <a href=\"http:\/\/ecryptfs.org\/\">eCryptfs<\/a>.\u00a0 This encryption software is used by <a href=\"http:\/\/www.ubuntu.com\/\">Ubuntu<\/a> when encrypting home directories, as well as by Google&#8217;s ChromeOS.<\/p>\n<p>It is actually a pretty neat implementation of encryption. Rather than encrypting the filesystem itself, this solution encrypts the individual files while also storing cryptographic metadata in the header of each file. This makes it possible to copy the encrypted files to another location. When the proper key is in the Linux kernel keyring the files will be decrypted. 
On the eCryptfs website they describe this as being quite similar to <a href=\"https:\/\/www.gnupg.org\/\">gnupg<\/a>, which is often used for encrypting single files or documents.<\/p>\n<h2>Install<\/h2>\n<p>Installing eCryptfs, like most Linux software, is pretty simple if it happens to be in your repository.<\/p>\n<p>sudo apt-get install ecryptfs-utils rsync<\/p>\n<pre><code>dock@asus:$ sudo apt-get install ecryptfs-utils rsync\r\nReading package lists... Done\r\nBuilding dependency tree\r\nReading state information... Done\r\nThe following packages were automatically installed and are no longer required:\r\n\u00a0 gstreamer1.0-pulseaudio libfreerdp-rail1.1 liblivemedia23 libmpg123-0 libpostproc52 libproxy-tools libusageenvironment1\r\nUse 'apt-get autoremove' to remove them.\r\nSuggested packages:\r\n\u00a0 cryptsetup\r\nThe following NEW packages will be installed:\r\n\u00a0 ecryptfs-utils rsync\r\n0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.\r\nNeed to get 0 B\/488 kB of archives.\r\nAfter this operation, 1,101 kB of additional disk space will be used.\r\nSelecting previously unselected package ecryptfs-utils.\r\n(Reading database ... 
143885 files and directories currently installed.)\r\nPreparing to unpack ...\/ecryptfs-utils_103-5_amd64.deb ...\r\nUnpacking ecryptfs-utils (103-5) ...\r\nSelecting previously unselected package rsync.\r\nPreparing to unpack ...\/rsync_3.1.1-3_amd64.deb ...\r\nUnpacking rsync (3.1.1-3) ...\r\nProcessing triggers for man-db (2.7.0.2-5) ...\r\nProcessing triggers for systemd (215-17+deb8u2) ...\r\nSetting up ecryptfs-utils (103-5) ...\r\nSetting up rsync (3.1.1-3) ...\r\ndock@asus:\/media\/dock\/disk$ \r\n<\/code><\/pre>\n<h2>Setup<\/h2>\n<p>The data files are stored in the actual data directory as encrypted files, while access to them as unencrypted files is done through the mount point.\u00a0 Simply create a directory for the actual encrypted data and one to be used for the mount point.<\/p>\n<p>For my example, I have created my private directory as &#8220;.private&#8221; and the mount point as &#8220;private&#8221;.\u00a0 It is actually pretty neat: because the name of the actual data directory starts with a period, it will not be displayed in most directory listings.<\/p>\n<p>The first time that you try to mount the directory you will be asked quite a few questions as well as for a password.<\/p>\n<div class=\"sbody-code\">\n<pre><code>dock@asus:$ sudo mount -t ecryptfs \/media\/dock\/disk\/.private \/media\/dock\/disk\/private\r\nSelect key type to use for newly created files:\r\n1) tspi\r\n2) passphrase\r\nSelection: <strong>2<\/strong>\r\nPassphrase: <strong>badpassword<\/strong>\r\nSelect cipher:\r\n1) aes: blocksize = 16; min keysize = 16; max keysize = 32\r\n2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56\r\n3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24\r\n4) twofish: blocksize = 16; min keysize = 16; max keysize = 32\r\n5) cast6: blocksize = 16; min keysize = 16; max keysize = 32\r\n6) cast5: blocksize = 8; min keysize = 5; max keysize = 16\r\nSelection [<strong>aes<\/strong>]:\r\nSelect key bytes:\r\n1) 
16\r\n2) 32\r\n3) 24\r\nSelection [<strong>16<\/strong>]:\r\nEnable plaintext passthrough (y\/n) [<strong>n<\/strong>]:\r\nEnable filename encryption (y\/n) [<strong>n<\/strong>]:\r\nAttempting to mount with the following options:\r\necryptfs_unlink_sigs\r\necryptfs_key_bytes=16\r\necryptfs_cipher=aes\r\necryptfs_sig=04f11152141160c7\r\nWARNING: Based on the contents of [\/root\/.ecryptfs\/sig-cache.txt],\r\nit looks like you have never mounted with this key\r\nbefore. This could mean that you have typed your\r\npassphrase wrong.\r\n\r\nWould you like to proceed with the mount (yes\/no)? : <strong>yes<\/strong>\r\nWould you like to append sig [04f11152141160c7] to\r\n[\/root\/.ecryptfs\/sig-cache.txt]\r\nin order to avoid this warning in the future (yes\/no)? : <strong>yes<\/strong>\r\nSuccessfully appended new sig to user sig cache file\r\nMounted eCryptfs\r\ndock@asus:\/media\/dock\/disk$\r\n\r\nNote: The password \"badpassword\" isn't actually displayed to the screen.\r\n<\/code><\/pre>\n<\/div>\n<p>Now the eCryptfs filesystem has been mounted and the signature has been saved to the sig-cache.txt file. 
This is great, as this piece of information, along with the rest of your choices, is necessary to allow you to re-mount the file system.<\/p>\n<p>Although we want the security of the encrypted files, this would be a serious pain in the backside if we really had to enter these parameters each and every mount.\u00a0 The secret to simplifying this was displayed when the file system was mounted the first time.<\/p>\n<pre><code>ecryptfs_unlink_sigs\r\necryptfs_key_bytes=16\r\necryptfs_cipher=aes\r\necryptfs_sig=04f11152141160c7\r\n<\/code><\/pre>\n<p>This text, which is actually the choices that we made the first time, simply needs to be saved into the file named\u00a0<em>.ecryptfsrc<\/em> in the home directory of the root user.\u00a0 These values will be used instead of prompting for them the next time you mount the directory.\u00a0 You will simply be asked for the authentication information.<\/p>\n<pre><code>dock@asus:$ sudo mount -t ecryptfs \/media\/dock\/disk\/.private \/media\/dock\/disk\/private\r\nSelect key type to use for newly created files:\r\n1) tspi\r\n2) passphrase\r\nSelection: <strong>2<\/strong>\r\nPassphrase: <strong>badpassword<\/strong>\r\nAttempting to mount with the following options:\r\necryptfs_unlink_sigs\r\necryptfs_fnek_sig=04f11152141160c7\r\necryptfs_key_bytes=16\r\necryptfs_cipher=aes\r\necryptfs_sig=04f11152141160c7\r\nMounted eCryptfs\r\ndock@asus:\/media\/dock\/disk$\r\nNote: the password \"badpassword\" isn't actually displayed to the screen.\r\n<\/code><\/pre>\n<p>The eCryptfs filesystem is mounted and unmounted in exactly the same manner as any other Linux filesystem.<\/p>\n<pre><code>mount -t ecryptfs &lt;encrypted dir&gt; &lt;unencrypted mount point&gt;\r\n\r\nmount -t ecryptfs \/media\/dock\/disk\/.private \/media\/dock\/disk\/private\r\n\r\numount \/media\/dock\/disk\/private\r\n<\/code><\/pre>\n<p>That&#8217;s it.\u00a0 It is possible to have files that are encrypted and still access them with all the same programs just as if nothing 
were encrypted.<\/p>\n<p>There are also a number of other parameters that can be put into our <em>.ecryptfsrc<\/em> file.\u00a0One such option is to put the password for the filesystem into the configuration file.<\/p>\n<pre><code>key=passphrase:passphrase_passwd=<strong>badpassword<\/strong>\r\necryptfs_unlink_sigs\r\necryptfs_fnek_sig=04f11152141160c7\r\necryptfs_key_bytes=16\r\necryptfs_cipher=aes\r\necryptfs_sig=04f11152141160c7<\/code><\/pre>\n<p>This is a very bad idea if security is the goal.\u00a0 The password is stored in clear text on the file system, where it could be read by anyone.<\/p>\n<p>There is another solution to the password problem.\u00a0 It is possible to put a path to our password file into the <em>.ecryptfsrc<\/em> file.\u00a0 The path points to a file that contains the password.<\/p>\n<pre><code>key=passphrase:passphrase_passwd_file=\/media\/dock\/disk\/passwd_file.txt\r\necryptfs_sig=04f11152141160c7\r\necryptfs_cipher=aes\r\necryptfs_key_bytes=16\r\necryptfs_passthrough=n\r\necryptfs_enable_filename_crypto=n<\/code><\/pre>\n<p>Depending on where the file is stored this is only marginally better.\u00a0 The file contains a single line of the form passphrase_passwd=&lt;password&gt;:<\/p>\n<pre><code>passphrase_passwd=badpassword\r\n<\/code><\/pre>\n<p>This is not much better than putting the password directly into the <em>.ecryptfsrc<\/em> file.\u00a0 The reason is that it takes very little effort for some other person to find where the password is located.<\/p>\n<p>The exception would be if this password file was stored on some sort of removable media.\u00a0 This way you would not be able to mount the encrypted directory without the media (USB stick or SD card) being inserted.<\/p>\n<h2>Limitations<\/h2>\n<p>The good news is that eCryptfs is a super convenient and fairly simple solution to set up which gives you a bit of security for your files.\u00a0 The bad news is that you are limited to a single encrypted top directory per 
user.<\/p>\n<p>The other limitation is that this solution is only available for Linux, due to it being built into the kernel.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There are a lot of possible options for securing your computer using encryption.\u00a0 Perhaps the easiest way to secure your data would be to purchase a new laptop with support for a self encrypting disk drive.\u00a0 Failing that, all the &hellip; <a href=\"https:\/\/blog.paranoidprofessor.com\/index.php\/2015\/12\/13\/securing-your-computer-ecryptfs\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[56,57,26],"_links":{"self":[{"href":"https:\/\/blog.paranoidprofessor.com\/index.php\/wp-json\/wp\/v2\/posts\/314"}],"collection":[{"href":"https:\/\/blog.paranoidprofessor.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.paranoidprofessor.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.paranoidprofessor.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.paranoidprofessor.com\/index.php\/wp-json\/wp\/v2\/comments?post=314"}],"version-history":[{"count":18,"href":"https:\/\/blog.paranoidprofessor.com\/index.php\/wp-json\/wp\/v2\/posts\/314\/revisions"}],"predecessor-version":[{"id":350,"href":"https:\/\/blog.paranoidprofessor.com\/index.php\/wp-json\/wp\/v2\/posts\/314\/revisions\/350"}],"wp:attachment":[{"href":"https:\/\/blog.paranoidprofessor.com\/index.php\/wp-json\/wp\/v2\/media?parent=314"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.paranoidprofessor.com\/index.php\/wp-json\/wp\/v2\/categories?post=314"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.paranoidprofessor.com\/index.php\/wp-json\/wp\/v2\/tags?po
st=314"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}