How to encrypt files using eCryptFS during Linux installation

eCryptFS is a file encryption system in Linux systems. It can encrypt files or directories with a high level of encryption and is more secure than ordinary software. Below, Huajun editor will share with you how to use eCryptFS to encrypt files in Linux installation. There are hidden mysteries in the simple process. You still need to study carefully. If you like it, please remember to collect it! .

Encryption type

We have two main methods of encrypting files and directories. One is file system level encryption, in which you can selectively encrypt certain files or directories (for example, /home/alice). To me, this is a pretty good approach as you don't need to reinstall everything in order to enable or test encryption. However, file system level encryption also has some disadvantages. For example, many modern applications cache (part of) files in unencrypted parts of your hard drive, such as the swap partition, /tmp and /var folders, which can lead to privacy leaks.

Another option is so-called full disk encryption, which means the entire disk is encrypted (except perhaps the master boot record). Full disk encryption works at the physical disk level, every bit written to the disk is encrypted, and anything read from the disk is decrypted on the fly. This blocks any potential unauthorized access to unencrypted data and ensures that everything throughout the file system is encrypted, including the swap partition or any temporary cached data.

Available encryption tools

To implement encryption in Linux, there are several tools to choose from. In this tutorial, I plan to introduce one of them: eCryptFS, a userspace file system encryption tool. A summary of encryption tools available on Linux is provided below for your reference.

File system level encryption

EncFS: One of the easiest ways to try encryption. EncFS works on a FUSE-based pseudo file system, so you only need to create an encrypted folder and mount it to a folder to work.

eCryptFS: A POSIX-compliant encrypted file system, eCryptFS works the same as EncFS, so you must mount it.

Disk level encryption

Loop-AES: The oldest disk encryption method. It's really fast and works on older systems (eg, 2.0 kernel branch).

DMCrypt: The most common disk encryption scheme, supported by modern Linux kernels.

CipherShed: An open source fork of the discontinued TrueCrypt disk encryption program.

eCryptFS Basics

eCrypFS is a FUSE-based userspace encrypted file system available in Linux kernel 2.6.19 and later (as the encryptfs module). The eCryptFS encrypted pseudo file system is mounted on top of the current file system. It works well on the EXT file system family and other file systems such as JFS, XFS, ReiserFS, Btrfs, and even NFS/CIFS shared file systems. Ubuntu uses eCryptFS as the default method of encrypting its home directories, as does ChromeOS. At the bottom of eCryptFS, the AES algorithm is used by default, but it also supports other algorithms, such as blowfish, des3, cast5, and cast6. If you are creating the eCryptFS setup manually, you can choose one of these algorithms.

As I mentioned, Ubuntu allows us to choose whether to encrypt the /home directory during the installation process. Well, this is the easiest way to use eCryptFS.

Ubuntu provides a user-friendly toolset to make our lives easier with eCryptFS, but enabling eCryptFS during the Ubuntu installation process only creates a specified pre-configured setup. So, if the default settings don't suit your needs, you'll need to set them up manually. In this tutorial, I'll cover how to manually set up eCryptFS on major Linux distributions.

eCryptFS installation

Debian, Ubuntu or its derivatives:

$ sudo apt-get install ecryptfs-utils

Note that if you chose to encrypt your home directory during the Ubuntu installation, eCryptFS should already be installed.

CentOS, RHEL or Fedora:

# yum install ecryptfs-utils

Arch Linux:

$ sudo pacman -S ecryptfs-utils