Looking for best tool for folder encryption

General Discussion
1

Hi

I am looking for good encryption local-only folder tool.

I took a look on VeraCrypt but… I tried to find Linux install guide, but I can’t find it.

Official one for Microsoft (evil corp):
https://www.veracrypt.fr/en/Beginner%27s%20Tutorial.html

I run Linux mint 22 Xia

Secondly, how really secure VC? I need to store some really important information (journalism) and in my situation it MUST be encrypted and treated as highly classified information. It is really important.

I am journalist, so this is highly important n

Also… I read somewhere that VC supports chipper cascading. Is it true?

I really don’t have time to try everything myself, as if I will mess something up, I will be in whole ocean of trouble.

2

Hi Davi - and welcome to the Forum.

A web search of “install veracrypt on linux mint 22” came up with several suggestions, so it looks like you can do it. Have a look at this
As far as I can tell from the web, Veracrypt is still regarded as a good encryption tool.

I am not at all conversant with encryption methods but a web search of “how to encrypt a directory in Linux” came up with some other useful examples.
All methods will involve a certain amount of effort to implement each time you use them but that’s the price one has to pay for extreme privacy.

The one that caught my eye is eCryptfs which looks reasonably straightforward to use.

Our resident expert may provide more detailed general advice when he is free, so watch this space.

Keith

3

Hi Davi,

There are lots of ways to encrypt data on a computer, many of these are secure to the extent that unless someone finds a flaw in the software, trying to break in electronically isn’t really a feasible option for gaining access. (hence recent requests by various governments for back-door access to various end-to-end encrypted platforms)

So as long as you are careful with your encryption keys / passwords, it’s difficult or maybe even impossible to differentiate between secure, very secure and very very secure.

I don’t know anything about Veracrypt, however I do use transparent volume level encryption for protecting data I carry around. One mechanism as Keith mentions is eCryptfs, which I think is the software Ubuntu used (or still use?) to provide encrypted home folders. The principle being that your home folder is stored in an encrypted file which is protected by (hopefully) a very long password. When you log in, this file is mounted on /home/username and all reads and writes go through the eCryptfs software, which encrypts and decrypts read/write requests on the fly. It slows down disk access to some extent, but it’s not generally noticeable. When the machine is powered down (or the user logs out), all that’s visible ia a file that just looks like it’s full of garbage.

I’ve not tried it recently, but the Ubuntu installed user to offer a tick box with something like “Encrypt Home directories?” as a option, if it’s still there this is probably the easiest approach / way to get set up, and it’s transparent to you as the user. (so long as you don’t lose your password) From memory it tries to use your login password as the eCryptFs encryption password, and I think when you change your login password it effectively changes the eCryptFs password.

I would recommend at least 16 digits for modern encryption based passwords, longer if possible. A combination of words to > 30 digits is great.

Note however that I don’t use this approach any more for a few reasons;

  • afaik eCryptFs only supports regular files, so it’s not a proper filesystem, which can be problematic if you’re a developer and want to create non-file type devices or indeed files which you don’t want to be encrypted due to performance issues. (non-sensitive databases etc)
  • It’s a third-party approach and can present integration issues with your desktop software
  • It always felt a like a bit of a, well, I don’t want to say hack it strikes me as good software, but it felt like something that should be a part of the filesystem

What I do use now …

All my machines, server and workstation use ZFS. As a filesystem this has many features including the option to transparently encrypt any mounted volume. Essentially you give it a password when you mount the volume, pretty much like eCryptFs except that it’s an integral part of a real filesystem and as I understand it, somewhat more efficient than other options.

Other reasons to use ZFS;

  • Many options for RAID
  • Many options for transparent compression
  • Instant snapshots of any volume at any time
  • An incredible snapshot based system for replicating data between systems
  • Lots of stuff under the hood you just never think about

CKSUM

Here’s one of those things where ZFS (fairly) recently saved me from a major disaster. When ZFS writes a block to disk, it calculates a checksum for that block and saves the checksum as well as the block. When it reads the block back in from disk, it re-calculates the checksum and makes sure the checksum for the read data matches the checksum it stored when it wrote the data. This is primarily done for RAID setups to detect failing disks and give the system chance to re-read the block correctly off another disk.

Why on earth would you do this?

If you read a block from disk using a normal filesystem, it will work or it won’t. If it works, the filesystem will use the data assuming it is “ok”. If you have a situation where the disk is reading and returning blocks, reporting them as “OK”, but actually returning corrupted data, not only is this likely to eventually knock your system over, in the meantime it could literally corrupt anything. It does kinda make you think, “why on earth don’t all file-systems perform this check?!” if it’s possible for read data not to be the same as the data that was written ?!

Be Afraid! (literally)

Last year I bought what I thought were a bunch of quite reputable SSD’s which performed very well and started rolling them out across my machines. I initially tried one in my machine for a couple months (ext4 filesystem), looked good so I stuck a couple into servers running ZFS.

All was good for a few weeks, then one of my servers locked up for no apparent reason … until I discovered the ZFS filesystem had gone onto Read-Only mode. As it turns out, it had started seeing CKSUM errors when reading blocks from the disk and had initially survived by re-reading those blocks until it got a “good” read. Unfortunately at the time I wasn’t tracking CKSUM errors across file-systems so I didn’t see the warning signs, however once the system could no longer cope it locked down the filesystem so’s to avoid any data corruption as a result of the read-fails.

So yes, this CAN happen, disks CAN fault in this way, and normal file-systems don’t see the fault. ZFS not only sees the fault, it reports it, tries to compensate for it and in the end literally protects your from data corruption.

ZFS Backups

I run ~ 50 virtual machines across ~ 10 machines, all ZFS. The ZFS send/recv mechanism allows me to snapshot each machine and copy incremental backups to a central store. i.e. it just copies changed blocks. An end-to-end backup of the entire estate generally takes around 90 seconds, actual run-time on each machine for a full incremental copy is generally < 1s, this is because the file-system is keeping track of changes at block-level and has an incredibly efficient mechanism for packing up those changes and sending them over the network.

It’s quite feasible for example on sensitive machines to snapshot and backup every minute so you have a working off-machine copy of all your data that’s never > 60s out of date.

4

This is a truly impressive performance. But I feel best left to the experts. Are you aware of a simpler application that could be used, say, on just one directory/file?

5

Ok, how about this;

Create an encrypted folder “encrypted.img”

$ dd if=/dev/urandom of=encrypted.img bs=1M count=512  # create 512Mb folder
512+0 records in
512+0 records out
536870912 bytes (537 MB, 512 MiB) copied, 2.43861 s, 220 MB/s

$ cryptsetup --verify-passphrase luksFormat encrypted.img

WARNING!
========
This will overwrite data on encrypted.img irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for encrypted.img: ********
Verify passphrase: ********

$ sudo cryptsetup open --type luks encrypted.img encrypted
Enter passphrase for encrypted.img: ********

$ sudo mkfs.ext4 -L Encrypted /dev/mapper/encrypted
mke2fs 1.47.2 (1-Jan-2025)
Creating filesystem with 126976 4k blocks and 126976 inodes
Filesystem UUID: 95036b94-3c47-44b3-b112-2898eb790e82
Superblock backups stored on blocks: 
	32768, 98304

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done
$ sudo cryptsetup close encrypted

Using the encrypted folder

To use the encrypted folder, we need to open it and mount it somewhere in our current filesystem, then it will behave like any other folder;

#
#    Open and mount "encrypted.img"
#
$ sudo cryptsetup open --type luks encrypted.img encrypted
Enter passphrase for encrypted.img: ********
$ sudo mkdir encrypted
$ sudo mount /dev/mapper/encrypted encrypted

At this point, the folder “encrypted” in our current path is actually the contents of encrypted.img, anything we write to this folder is encrypted and stored in the file.

#
#    Any file operations on the "encrypted" folder should work ...
#
$ echo "Hello World" > encrypted/encrypted.txt
$ ls -la encrypted
total 28
drwxr-xr-x 3 root root  4096 Apr  6 15:41 .
drwxr-xr-x 4 root root  4096 Apr  6 15:39 ..
-rw-r--r-- 1 root root    12 Apr  6 15:41 encrypted.txt
drwx------ 2 root root 16384 Apr  6 15:32 lost+found

We do need to make sure we close and un-mount when finished to make sure all writes are flushed to the file.

#
#    Unmount the volume and close the crypt device
#
$ sudo umount encrypted
$ sudo cryptsetup close encrypted

You can script this to make it easier, but as I say, the automated “encrypt home folders” option on Ubuntu is probably the easiest approach … it pretty much does the same as this, but transparently for your entire home folder, in the background.

encrypted.img is obviously just a file, so you can back it up, copy it around, rename it or indeed copy it to a USB key … then use via the open/mount procedure above.

6

If you want to encrypt just files ( not directories ) you could install “ccrypt” which should be available in most packet managers.

$ sudo apt-get install ccrypt

Then to encrypt a file open a terminal where the file is stored and

$ ccencrypt filename.xxx
You will then be asked to enter a password twice (to double check spelling)
Which will give you a file called filename.xxx.cpt

To decrypt a file

$ ccdecrypt filename.xxx.cpt
You will then be asked for the password

Note you can use wildcards to encrypt/decrypt multiple files at the same time as long as they are in the same directory.

7

Gaz & MP

Many thanks for these methods. Worth having a play.

I remember that Ubuntu used to have a facility at installation for encrypting the Home directory but I don’t remember seeing that the last time I installed it. Mark Greaves didn’t recommend doing that (I can’t remember why) so encrypting just a file or directory might be safer.

I’ll have a go.