Implementing a secure file system is an imperative in current-day computing, especially with crypto attacks on the rise. My personal method of ensuring data integrity on a Linux box is EncFS (you may prefer GEncFSM).
EncFS works with a pair of directories: one encrypted and one unencrypted. For example, I could use the following setup: my Dropbox directory is a mirror of my /home directory and acts as the encrypted mirror for EncFS.
Any data stored in your unencrypted directory is encrypted with your defined passphrase and written to the other directory as mirrored data.
Installation of EncFS
Whilst you can download the GitHub project and follow the installation guide, if you are on Ubuntu or another similar flavour (Kubuntu or Lubuntu as an example) you can simply run the following command:
sudo apt-get -y install encfs
If you prefer GEncFSM, then run the following:
sudo add-apt-repository ppa:gencfsm/ppa
sudo apt-get update
sudo apt-get install gnome-encfs-manager
Usage of EncFS
If you are intending to use EncFS as the command-line option (I usually just default to the UI) then I would suggest inspecting the man page:
NAME
encfs - mounts or creates an encrypted virtual filesystem
SYNOPSIS
encfs [--version] [-s] [-f] [-v|--verbose] [-i MINUTES|--idle=MINUTES] [--extpass=program] [-S|--stdinpass] [--anykey] [--forcedecode] [-d|--fuse-debug] [--public] [--no-default-flags] [--ondemand] [--delaymount] [--reverse] [--standard] [-o FUSE_OPTION] rootdir mountPoint [-- [Fuse Mount Options]]
If you are not too particular about how you want to configure the system, go ahead and create the two directories:
mkdir -p ~/encrypted
mkdir -p ~/decrypted
Then mount them with EncFS (you can later confirm where they are mounted using the mount command):
encfs ~/encrypted ~/decrypted
You will be prompted to select the configuration mode and to create a password for the encrypted paths.
Usage of GEncFSM
Using the GUI is probably a lot more manageable here. To create a stash, simply select the plus icon, configure your path and enter a password:
Then go ahead and mount the stash:
When a file is created in the “Private” directory (in our case this is the “un-encrypted” path), a mirrored file is created in your “.Private” directory, protected with multiple rounds of salting using your provided “key” (the passphrase is used to hash the file name and content):
If we then try to view the encrypted file, it presents no readable data:
Of course, if we read the .encfs6.xml file, we will see the encodedKeyData value:
<encodedKeyData> kWkCBCu5HPY31URJhtdvYM7oynkI3MuQuh8smHadSpStmvkvJibGoSddWvmJjuFQU6xCgQ== </encodedKeyData>
It is therefore worth noting that:
- If someone knows your encodedKeyData value and has a copy of your data, it can be compromised.
- EncFS is only as secure as the passphrase you assign it; there is no brute-force lockout procedure in place.
- Physical access to the files (by means of the PC itself or RDP) should still be limited.
With those caveats in mind, we consider EncFS a reliable, safe and fast method of encrypting data.
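Since the security of a volume depends on what is recorded in .encfs6.xml, a defender's first check is to read that file and see which cipher, key size, key-derivation cost and per-block MAC setting it was created with. The following audit script is an added example, not part of this post or of EncFS itself; the element names are the ones EncFS writes to .encfs6.xml, but the sample config, its placeholder key and salt blobs, and the 100000-iteration threshold are constructed assumptions for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an .encfs6.xml (XML declaration and DOCTYPE omitted);
# the key and salt blobs are placeholders, not values from a real volume.
SAMPLE_CONFIG = """<boost_serialization signature="serialization::archive" version="7">
<cfg class_id="0" tracking_level="0" version="20">
  <version>20100713</version>
  <creator>EncFS 1.7.4</creator>
  <cipherAlg class_id="1" tracking_level="0" version="0">
    <name>ssl/aes</name><major>3</major><minor>0</minor>
  </cipherAlg>
  <nameAlg><name>nameio/block</name><major>3</major><minor>0</minor></nameAlg>
  <keySize>192</keySize>
  <blockSize>1024</blockSize>
  <uniqueIV>1</uniqueIV>
  <chainedNameIV>1</chainedNameIV>
  <externalIVChaining>0</externalIVChaining>
  <blockMACBytes>0</blockMACBytes>
  <blockMACRandBytes>0</blockMACRandBytes>
  <allowHoles>1</allowHoles>
  <encodedKeySize>44</encodedKeySize>
  <encodedKeyData>PLACEHOLDER_WRAPPED_VOLUME_KEY=</encodedKeyData>
  <saltLen>20</saltLen>
  <saltData>PLACEHOLDER_SALT=</saltData>
  <kdfIterations>50000</kdfIterations>
  <desiredKDFDuration>500</desiredKDFDuration>
</cfg>
</boost_serialization>
"""

MIN_KDF_ITERATIONS = 100000  # assumed local policy threshold, not an EncFS default


def audit_encfs_config(xml_text: str) -> dict:
    """Summarise the settings that decide how strong an EncFS volume is."""
    cfg = ET.fromstring(xml_text).find("cfg")
    report = {
        "cipher": cfg.findtext("cipherAlg/name"),
        "key_bits": int(cfg.findtext("keySize")),
        "kdf_iterations": int(cfg.findtext("kdfIterations")),
        "block_mac_bytes": int(cfg.findtext("blockMACBytes")),
        # encodedKeyData is the volume key wrapped under the passphrase-derived
        # key, so its presence alone does not reveal the volume key.
        "wrapped_key_present": bool(cfg.findtext("encodedKeyData")),
        "findings": [],
    }
    if report["block_mac_bytes"] == 0:
        report["findings"].append("blockMACBytes=0: no per-block MAC, so content tampering goes undetected")
    if report["kdf_iterations"] < MIN_KDF_ITERATIONS:
        report["findings"].append("low kdfIterations: offline passphrase guessing is cheap")
    return report


if __name__ == "__main__":
    for key, value in audit_encfs_config(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against your own volume by reading ~/.Private/.encfs6.xml (or wherever your encrypted directory lives) into a string instead of SAMPLE_CONFIG.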