Do you want to encrypt important files, but not the entire hard drive of your Linux system? If so, we recommend gocryptfs. You get a directory that transparently encrypts whatever you store in it and decrypts it again when you read it back.
gocryptfs provides protection against data breaches
Confidentiality is big news. Hardly a week goes by without the announcement of a breach in one organization or another. Companies are reporting recent incidents or disclosing violations that occurred some time ago. Either way, that’s bad news for those whose data has been exposed.
Because millions of people use services like Dropbox, Google drive, and Microsoft OneDrive, a seemingly endless stream of data is being pushed into the cloud every day. If you store some (or all) of your data in the cloud, what can you do to protect classified information and private documents in the event of a breach?
Data breaches come in all shapes and sizes, of course, and they are not limited to the cloud. A lost USB drive or a stolen laptop is just a smaller-scale data breach. But scale is not the critical factor. If the data is sensitive or confidential, its falling into another person’s hands can be disastrous.
One solution is to encrypt your documents. Traditionally, this is done by encrypting your entire hard drive. This is secure, but it also slows down your computer slightly. Additionally, if you experience a catastrophic outage, it can make the process of restoring your system from backups more difficult.
The gocryptfs system allows you to encrypt only the directories that need protection, avoiding the overhead of encrypting and decrypting everything else. It is fast, light and easy to use. It is also easy to move encrypted directories to other computers: as long as you have the password, you can access the data there, and it leaves no trace of your files on the other computer once unmounted.
The gocryptfs system is built as a lightweight, encrypted file system. It can also be mounted by standard non-root accounts, since it uses the Filesystem in Userspace (FUSE) package, which acts as a bridge between gocryptfs and the kernel file system routines it needs to access.
To install gocryptfs on Ubuntu, type this command:
sudo apt-get install gocryptfs
To install it on Fedora, type:
sudo dnf install gocryptfs
On Manjaro, the command is:
sudo pacman -Syu gocryptfs
Creating an encrypted directory
Part of the glory of gocryptfs is its ease of use. The principles are:
Create a directory containing the files and subdirectories you are protecting.
Use gocryptfs to initialize this directory.
Create an empty directory as a mount point, and mount the encrypted directory there.
In the mount point, you can view and use the decrypted files and create new ones.
Unmount the encrypted folder when you are finished.
We will create a directory called “safe” to hold the encrypted data. To do this, we type the following:
mkdir safe
We need to initialize our new directory. This step creates the gocryptfs file system in the directory:
gocryptfs -init safe
Enter a password when prompted; you will enter it twice to make sure it is correct. Pick a strong one: three unrelated words with punctuation, numbers or symbols mixed in are a good pattern.
Your master key is generated and displayed. Copy and save it in a safe and private place. In our example, we created this gocryptfs directory on a research machine that is wiped after each article is written.
Because it only exists for this example, you can see this directory’s master key here. You will want to be far more secretive with yours: anyone who obtains your master key can access all of your encrypted data.
If you change into the new directory and list it, you will see that two files have been created. Type the following:
cd safe
ls -l
“gocryptfs.diriv” is a short binary file, while “gocryptfs.conf” contains settings and key material that you need to keep safe.
If you upload your encrypted data to the cloud or back it up to small transportable media, do not include this file. If, however, you are backing up to local media that remains under your control, you can include this file.
With sufficient time and effort, it may be possible to recover your password from the “encrypted key” and “salt” entries it contains, as shown below:
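The advice above, keeping gocryptfs.conf out of anything that leaves your control, is easy to get wrong with a plain copy. The following shell functions are an added example (not part of the original article or of the gocryptfs project): they stage a copy of the encrypted directory for upload with gocryptfs.conf removed, and put the conf file in a separate local directory instead. The directory names are assumptions.

```shell
#!/bin/sh
# Added example: stage a gocryptfs ciphertext directory for cloud upload
# without gocryptfs.conf, and keep that conf file locally. Paths are
# assumptions; the directory layout (gocryptfs.conf + gocryptfs.diriv)
# is what gocryptfs -init creates.

# stage_for_cloud SRC_DIR STAGE_DIR CONF_KEEP_DIR
# Copies SRC_DIR into STAGE_DIR, then removes gocryptfs.conf from the
# staged copy and stores it in CONF_KEEP_DIR instead. Returns 1 if
# SRC_DIR does not look like an initialized gocryptfs directory.
stage_for_cloud() {
    src=$1; stage=$2; keep=$3
    if [ ! -f "$src/gocryptfs.conf" ] || [ ! -f "$src/gocryptfs.diriv" ]; then
        echo "not an initialized gocryptfs directory: $src" >&2
        return 1
    fi
    mkdir -p "$stage" "$keep"
    # copy the whole tree (dotfiles included), then strip the conf file
    cp -R "$src"/. "$stage"/
    cp "$src/gocryptfs.conf" "$keep/gocryptfs.conf"
    rm -f "$stage/gocryptfs.conf"
}

# staged_copy_is_clean STAGE_DIR
# Returns 0 only if no gocryptfs.conf survives anywhere under STAGE_DIR,
# so you can check the staged tree before handing it to a sync client.
staged_copy_is_clean() {
    [ -z "$(find "$1" -name gocryptfs.conf -print)" ]
}

# Typical use (assumed paths):
#   stage_for_cloud "$HOME/safe" "$HOME/Dropbox/safe" "$HOME/.gocryptfs-conf"
#   staged_copy_is_clean "$HOME/Dropbox/safe" && echo "safe to sync"
```

Keep the conf directory on local, controlled media only; without it (and the password) the staged ciphertext cannot be opened, which is the point.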
Mounting the encrypted directory
The encrypted directory is mounted on a mount point, which is simply an empty directory. We are going to create one called “geek”:
mkdir geek
We can now mount the encrypted directory on the mount point. Strictly speaking, what is actually mounted is the gocryptfs file system inside the encrypted directory. We are prompted for the password:
gocryptfs safe geek
When the encrypted directory is mounted, we can use the mount point directory just like any other. Everything we edit and create in this directory is actually written to the encrypted directory in encrypted form.
We can create a simple text file, like the following:
We can edit it, add content to it, and then save the file:
Our new file has been created:
If we switch to our encrypted directory, as shown below, we see that a new file has been created with an encrypted name. You cannot even tell what type of file it is from its name:
If we try to view the contents of the encrypted file, we can see that it is really scrambled:
Our simple text file, shown below, is now anything but simple to decipher.
Unmounting the encrypted directory
When you are done with your encrypted directory, unmount it with the fusermount command, which is part of the FUSE package. The following command unmounts the gocryptfs file system held in the encrypted directory from the mount point:
fusermount -u geek
If you list your mount point directory to verify, you will see that it is empty again:
ls geek
Everything you have done is stored securely in the encrypted directory.
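The mount and unmount steps above are short enough to type by hand, but a couple of checks are worth automating: that the source really is an initialized gocryptfs directory, that the mount point is empty before mounting (FUSE would otherwise hide whatever is there), and that nothing remains in plaintext at the mount point after unmounting. The shell functions below are an added example written for this article (not part of the original text or of the gocryptfs project); the directory names follow the text, `$HOME` as their location is an assumption, and gocryptfs and fusermount must be installed for the mount and unmount calls to do anything.

```shell
#!/bin/sh
# Added example: checked wrappers around the gocryptfs mount/unmount
# steps from the text. Directory names (safe, geek) follow the article;
# their location under $HOME is an assumption.

# vault_is_initialized DIR -> 0 if DIR holds a gocryptfs file system
vault_is_initialized() {
    [ -f "$1/gocryptfs.conf" ] && [ -f "$1/gocryptfs.diriv" ]
}

# dir_is_empty DIR -> 0 if DIR exists and contains nothing (a valid mount point)
dir_is_empty() {
    [ -d "$1" ] && [ -z "$(ls -A "$1")" ]
}

# vault_mount CIPHER_DIR MOUNT_POINT
# Refuses to mount anything that is not an initialized gocryptfs
# directory, and refuses a non-empty mount point. gocryptfs itself
# prompts for the password.
vault_mount() {
    vault_is_initialized "$1" || {
        echo "$1 is not a gocryptfs directory (run: gocryptfs -init $1)" >&2
        return 1
    }
    mkdir -p "$2"
    dir_is_empty "$2" || {
        echo "mount point $2 is not empty; refusing to hide its contents" >&2
        return 1
    }
    gocryptfs "$1" "$2"
}

# vault_unmount MOUNT_POINT
# Unmounts and then confirms no plaintext is left behind at the mount point.
vault_unmount() {
    fusermount -u "$1" || return 1
    dir_is_empty "$1" || {
        echo "warning: $1 still has contents after unmount" >&2
        return 1
    }
}

# Interactive session mirroring the text:
#   vault_mount "$HOME/safe" "$HOME/geek"   # prompts for the password
#   echo "hello" > "$HOME/geek/note.txt"
#   ls "$HOME/safe"                          # encrypted file names appear here
#   vault_unmount "$HOME/geek"
#
# Aliases, as suggested in the closing section (source this file from your
# shell start-up file to make them available):
alias vmount='vault_mount "$HOME/safe" "$HOME/geek"'
alias vumount='vault_unmount "$HOME/geek"'
```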
Simple and secure
Simple systems have the advantage of actually being used, while more complicated processes tend to be skipped. Using gocryptfs is not only simple but also secure; simplicity without security would not be worth much.
You can create as many encrypted directories as you need or just one to hold all of your sensitive data. You can also create a few aliases to mount and unmount your encrypted file system and further simplify the process.