How To Encrypt Directories with eCryptfs on Linux
Today we are going to analyze eCryptfs; it is a powerful tool to encrypt our directories in Linux.
What is eCryptfs?
eCryptfs is a stacked file system that provides a cryptographic environment that is compatible with POSIX for Linux.
It encrypts the metadata of each file header so that they can be copied between the devices.
eCryptfs is an enterprise-level cryptographic file system which is compatible with POSIX in Linux environments, remember that POSIX is the abbreviation of Portable Operating System Interface.
We can implement this tool to encrypt directories or partitions independent of the format they have.
eCryptfs is responsible for storing cryptographic metadata in the file headers so that encrypted files can be moved between computers without difficulties. To decrypt the file or directory will require the respective key. Otherwise, it will be impossible to access its content.
To decrypt the file we must enter the key created at the time of encrypting the file.
Install the eCryptfs Tool
The first step is to create a folder, in this case called access, which will be encrypted to see the correct functioning of eCryptfs. For this we execute the following:
Once we have the folder that we have to encrypt, we proceed to the installation of eCryptfs in Ubuntu 16 using the following command:
sudo apt-get -f install ecryptfs-utils
Create encrypted directory in Debian
For this tutorial we are going to create a directory called solvetic_secure in the home of the system, for that we enter the following command:
In case the directory already exists and contains non-encrypted information, we must make a backup copy in order to execute the encryption, for which we will enter the following:
cp -pfr /home/solvetic_secure/ /tmp/
Let’s move on to encryption now.
How to encrypt directory in Debian
Then we will start the encryption process of our solvetic_seguro directory, for this, we will enter the following syntax:
mount -t ecryptfs /home/solvetic_seguro /home/solvetic_secure
In the first option that we see we must define the type of key that we will enter, to remember it is better to select option 2: “Passphrase.”
Press Enter, and you must enter the password to assign and later we will see the following:
In this row we press Enter (without adding anything) and we will see the following:
There we select the number of bytes that our password will have to improve security, in this case we choose option 2 (32 bytes).
Press Enter and then we will see the following:
In the rows Enable plaintext passthrough (y/n) [n] and Enable filename encryption (y/n) [n] we simply press Enter without adding information.
We see that a summary of the process performed is shown.
Finally we enter the word yes to start the encryption process.
We see that the encryption was finally mounted in our directory.
Now we enter the term mount to validate the encrypted directory.
We see in the final part how our solvetic_secure directory has been encrypted with the text:
/home/solvetic_seguro on /home/solvetic_seguro type ecryptfs (rw,relatime,ecryptfs_sig=f47572356788c1c7,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs)
If you already have the directory created and have executed a copy as described above, you must restore that copy using the commands.
We are going to validate this directory that we have encrypted.
cp -pfr /tmp/solvetic_secure/ /home/
rm -fr /tmp/solvetic_secure/
Check the Encryption in Debian
To verify how the encryption works in the directory, we are going to copy the content of a route to our solvetic_seguro directory. We can enter the following:
cp /etc/hosts /home/solvetic_secure
While the directory is mounted we will be able to visualize the content that we copy in it, as we see below using the cat command:
Now let’s unmount the directory using the umount command like this:
If now we try again to visualize the content using the cat command:
We see how the content of the route is illegible and thus we have protected our directory of unauthorized access.
In this way we can use eCryptfs to increase the levels of security in our system and in the directories and folders stored in it.
How to Encrypt Directory in Ubuntu
Before starting the encryption process it is important to create a backup copy of the file, in case of having information already stored in it, for this we will use the following command:
cp -pfr /home/acceso/ /tmp/
Once this is done, if necessary, we proceed to encrypt our directory called access using the following command.
At this point it is important that we indicate that the File System is ecryptfs.
sudo mount -t ecryptfs /home/acceso /home/acceso
As soon as we execute the command we will see a series of questions which with:
Passphrase: There we indicate a secure password.
Selection aes: There we must press Enter.
Selection 16: There we enter the value 32 (Key size).
Enable plaintext passthrough (y / n) n: Press Enter.
Enable filename encryption (y / n) n: Press Enter.
Later we will see two associated questions about whether we wish to proceed with the respective assembly to which we respond yes.
Up to this point we have encrypted the contents of the directory but not the name of it. We can use the mount command to see the content that we just encrypted.
Check Encryption in Ubuntu
To perform the respective tests of how eCryptfs works we have created the hosts file (/etc/hosts) to our directory, for this we use the following command:
sudo cp /etc/hosts /home/acceso
Next, we will use the cat command to visualize the content in the path /home/acceso/hosts. As we can see we have full access to the content of this route since the directory is mounted.
Now we will dismount it using the following command:
And then we will try to visualize the content in the route /home/access/hosts again, and the result will be the following:
As we can see, the content has been encrypted to protect our files, directories, and folders in a simple and totally secure way.
This tool is simple, easy to implement and with an encryption system that helps us to have an additional security system in Linux either in Debian or in Ubuntu.