Geek Answers Handbook

How can I create a standalone encrypted file in Linux?

I recently met this little noob adventure on the Linux desktop:

  • Take a text file with confidential information
  • PGP-encrypt it (e.g. with Seahorse)
  • Backup
  • Reinstall the OS, remove the hard drive, remove the computer to the pool, etc. etc.
  • Remove the encrypted file from the backup and breathe in horror to understand that you cannot decrypt it, even if you know the password, because you did not create the backup ~ / .gnupg where your key was saved.

Why am I for this? The reason I was a Mac user, where I would create an encrypted sparse disk image, dropped the file in it and disabled it. I could move this file everywhere, drop it on any Mac, mount it, enter my password and ta-da! As long as I remember the password, everything was fine.

Does anyone know how to do something like this with Linux?

(I hope this is related to programming for SOF ... this is important for my programming work anyway!)

+4
source share
7 answers

Summary: if you want to do this, use the --symmetric when encrypting.

Let's look at the details of what is really happening here; a little understanding often helps in trying to get things right.

When you encrypt a file using GnuPG, it uses "symmetric" encryption. That is, it uses one key, which will encrypt plaintext and decrypt cyphertext. Why is he doing this? Of course, symmetric algorithms are much faster than public / private key algorithms (where separate keys are used for encryption and decryption), and for other reasons we will see later.

Where does he get this key, which he uses to encrypt the file? This is a random case. No, I'm not joking here.

Now you might think that we have a small problem. The file is encrypted with a random key, and no one (except for this specific GnuPG process) knows what it is. So what will happen next?

Here's the trick: this random key is then encrypted with other keys and stored in a file. So we allow several users to decrypt the file. For example, backups in my company are encrypted so that my business partner and I can decrypt them: GnuPG encrypts the file encryption key with the public key and separately with the partner’s public key and saves both of these files with encrypted data. Now, using my private key, I can decrypt the copy encrypted with my public key (or my partner can do the same with its copy), extract the symmetric key used to encrypt the data, and decrypt it.

So what does --symmetric do? It simply encrypts this random encryption key using the most symmetric algorithm, this time using the key based on the provided passphrase. Now anyone who knows the passphrase can also decrypt the file.

This is good for one file, but it soon becomes inconvenient when you have many files encrypted with different phrases so that different groups of people can access them, which is one of the reasons we usually use the public key of systems.

But now you have learned that, unfortunately, this is a very valuable lesson: your secret key is important! If you lose this, you will lose access to anyone who has ever been encrypted using your public key. Create it once, save it and save it in several places.

What you wanted to do was add the --symmetric option to allow decryption of the file with just a passphrase.

The problem was that you encrypted the file using the public key, and when you do this, you will need your private key (stored in ~/.gnupg ) to decrypt it.

+8
source

TrueCrypt is an easy-to-use disk encryption solution that works with Linux (and other systems).

Linux only lower-level solutions are dm-crypt and crpytoloop.

+3
source

I use ccrypt, which is also available in Cygwin.

  ccrypt is a utility for encrypting and decrypting files and streams. It was designed to replace the standard unix crypt utility, which is noto‐ rious for using a very weak encryption algorithm. ccrypt is based on the Rijndael block cipher, which was also chosen by the US government as the Advanced Encryption Standard (AES, see http://www.nist.gov/aes/). This cipher is believed to provide very strong cryptographic security.
+2
source

Kurt Sampson did a great job with concepts. I will give some details.

Unfortunately, Seahorse and friends do not allow symmetric encryption, although they can handle decryption of files with symmetric encryption. In the meantime, as already mentioned, you can perform encryption from the command line, for example.

 gpg --symmetric --force-mdc --cipher-algo aes256 -o outfile infile

If you are happy with gpg but really want gui, you can use gpg-frontend Pyrite . It doesn't integrate with Nautilus like seahorses plugins, but it's still pretty sweet, so to speak. :)

As already mentioned, eCryptfs is a great option that sorta falls into this area, providing encryption on each file, although it does it in a much more convenient way, basically providing you with a folder that transparently encrypts / decrypts all records and reads / from it. At first it looks like an encrypted container solution, but in fact it encrypts the files individually - as soon as you unmount the folder, you will get a bunch of files with one encrypted file. This LJ article gives a good overview and contrast comparison of eCryptfs compared to some other parameters. Here's how to simply get eCryptfs:

 $ mkdir ~/vault $ sudo mount -t ecryptfs ~/vault ~/vault Select key type to use for newly created files: 1) openssl 2) passphrase 3) pkcs11-helper 4) tspi Selection: 2 ....... (truncated) $ echo hello > ~/vault/encfile $ sudo umount ~/vault $ ls -a ~/vault . .. encfile $ cat ~/vault/encfile稖  )!x "3DUfw`  ȿ_   E     _CONSOLE W v0 + ' hV   Q  VZ  eP     l⟮j%    ?O  V ....... (truncated)

If you're interested, check out the ecryptfs-setup-private command ecryptfs-setup-private , which eliminates the need for sudo and allows you to automate everything. We move on.

The best other options are those mentioned by pts: TrueCrypt (it's cross-platform) and dm-crypt , which allows you to encrypt any block device (e.g. partitions, logical volumes, individual files), and then, of course, you drop fs on top of that. Do not use Cryptoloop (predecessor of dm-crypt).

I basically only have experience with Red Hat, Fedora and friends, but in them you can use the excellent gui palimpset disk management to create and modify encrypted disks / partitions directly from the gate without installing anything superfluous. Of course, the command line is used for this: cryptsetup ... here is a simple example to give you an idea of ​​what is possible with dm-crypt, using cryptsetup to make an encrypted file system from an extensible logical volume:

 lvcreate -L 2G -n mybox volgroup cryptsetup luksFormat /dev/volgroup/mybox cryptsetup luksOpen /dev/volgroup/mybox mybox mkfs.ext4 /dev/mapper/mybox cryptsetup luksClose mybox

After you have done this, Nautilus should not have problems with automatic detection, and then you can unlock it and make a secure user interface there.

EDIT: I feel stupid. When I came across this question, I was looking at gpg tags. I did not notice how many years passed until I finished typing everything and did not want to serve it. Well. Perhaps this will be useful for posterity.

+2
source

I used mcrypt. It supports several modern encryption algorithms and is pretty good on Linux machines (or at least it’s easy to get a pre-compiled package for most distors).

+1
source

ecryptfs is easy to configure and use.

  • Potential: you do not reserve a place in advance; it works like a layer on top of the file system

  • Downside: file names are not encrypted. Obviously, you can work with this zipping or tarring path for the whole tree and allowing ecryptfs to encrypt the zip or tar file, but this is unpleasant.

    UPDATE As of March 2012, this problem is being resolved (and has been resolved for some time): ecryptfs encrypts file names. I could not easily find the version number or date when this feature was introduced.

+1
source

You can also use openssl to encrypt files.

0
source

More articles:


All Articles