Encrypting data is (relatively) straightforward to do these days, particularly if you have some reasonable technical skills. Here’s an example:

$ gpg -r kae@tiger-computing.co.uk --encrypt secret.txt
$

That will create, by default, a file called secret.txt.gpg. To decrypt that file, you’ll need my private gpg key which, to the best of my knowledge, only I have (although that may not be foolproof).

It’s possible to encrypt to more than one key (omit the -r username), allowing multiple users to decrypt the data.

Imperfect Solution

There are problems with this approach:

  • The non-techies aren’t going to be impressed with having to run a command line tool.
  • Even the techies will get fed up with having to remember to add three keys to every file.

We wanted a solution that would be easy to use, would keep the data encrypted, and could be used by non-technical staff.

The Encrypted Filesystem, encfs

The encfs utility maintains a directory in which all files are automatically encrypted. To decrypt them, a FUSE filesystem is mounted that contains unencrypted versions of the files.

For testing, we’ll have an encrypted directory at /tmp/encrypted, and we’ll mount the decrypted version at /tmp/source.

Set it up as follows:

$ mkdir /tmp/source /tmp/encrypted
$ encfs /tmp/encrypted/ /tmp/source/
Creating new encrypted volume.
Please choose from one of the following options:
 enter "x" for expert configuration mode,
 enter "p" for pre-configured paranoia mode,
 anything else, or an empty line will select standard mode.
?> 

Standard configuration selected.

Configuration finished.  The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 3:0:2
Filename encoding: "nameio/block", version 4:0:2
Key Size: 192 bits
Block Size: 1024 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File holes passed through to ciphertext.

Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism.  However, the password can be changed
later using encfsctl.

New Encfs Password: 
Verify Encfs Password: 
$

Now let’s create a file in the decrypted directory:

$ echo "do not read" > /tmp/source/secret.txt

Here’s the contents of each directory:

$ ls /tmp/source/ /tmp/encrypted/
/tmp/encrypted/:
JXip1Zyysr9IwnTYK3K1f,gN

/tmp/source/:
secret.txt

As you can see, the name is mangled in the encrypted directory. We can now unmount the source directory. As this is a FUSE filesystem, we need to use fusermount:

$ fusermount -u /tmp/source

Day to Day Use

To make this easier to use, I set up two aliases:

alias dec='/usr/bin/encfs --idle 1 /home/kae/confidential/.encrypted /home/kae/confidential/BusinessConfidential/'
alias enc='/bin/fusermount -u /home/kae/confidential/BusinessConfidential'

This uses a hidden directory, .encrypted, to save the encrypted versions of the files.

The --idle 1 switch will cause the encrypted file system to be automatically unmounted after one minute of inactivity.

To use this, I type dec (for “decrypt”) at the command line, and enter the passphrase. I can then add, delete, edit files in the BusinessConfidential directory. When I’ve finished, I type enc (“encrypt”), or simply wait one minute, and the BusinessConfidential directory is no longer available. This works well even for our non-technical staff.
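A check worth pairing with the --idle auto-unmount, as an added example that is not part of the original post: once the filesystem has unmounted, anything saved into the mountpoint is written to the bare directory unencrypted. The function names and the constructed /proc/mounts sample are assumptions of this example; it relies on Linux listing encfs mounts with the type fuse.encfs.

```shell
#!/bin/sh
# Added example: find plaintext files left in an encfs mountpoint while it
# is unmounted. Function names are hypothetical; paths follow the /tmp test
# setup used earlier on this page.

# Succeeds if MOUNTPOINT is listed as an encfs mount in MOUNTS_FILE
# (default /proc/mounts; fields: device mountpoint fstype options ...).
# Note: /proc/mounts writes spaces in paths as \040; not handled here.
is_encfs_mounted() {
    mp=${1%/}                       # the dec alias passes a trailing slash
    awk -v mp="$mp" '$2 == mp && $3 == "fuse.encfs" { found = 1 }
                     END { exit !found }' "${2:-/proc/mounts}"
}

# Prints regular files that sit in MOUNTPOINT while encfs is NOT mounted.
# Such files were written to the bare directory and are not encrypted.
stray_plaintext() {
    if is_encfs_mounted "$1" "${2:-/proc/mounts}"; then
        return 0                    # mounted: this is the decrypted view
    fi
    find "${1%/}" -type f 2>/dev/null
}

# Constructed sample of /proc/mounts while /tmp/source is mounted.
sample_mounts() {
    cat <<'EOF'
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
encfs /tmp/source fuse.encfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
EOF
}
```

Running stray_plaintext against the BusinessConfidential directory from a login script or cron job flags files that were saved after the idle timeout fired.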

Options

When setting up the initial encrypted filesystem, answering x to the first question (“expert mode”) will walk you through all the options, such as whether or not to mangle the filenames in the encrypted directory. We opted not to mangle them as that makes restoring individual files from backup a little easier.
