File-Level Encryption in Linux Using ecryptfs

TrueCrypt Logo

With the NSA spying scandal, all eyes are on ways to stop the surveillance and protect privacy. Campaigns such as Reset the Net have been used to encourage and push sites and people to amp up their security methods. Disasters such as Heartbleed shows what happens if security is compromised, whether intentionally or accidentally

I used to use TrueCrypt to allocate a virtual hard disk and put my private files in that. One of the benefits of this was that TrueCrypt also supported full disk encryption and Plausible Deniability (e.g. hiding an OS within another OS). However, one of the most frustrating parts of TrueCrypt is that you allocate space and any space you do not use is lost. e.g. if you allocate 10GB, but use only 1GB, there is still 9GB left that allocated to the TrueCrypt volume, but cannot be used by the unencrypted space.

Unfortunately, I recently found out that TrueCrypt shut down, under very suspicious and mysterious circumstances. (check the related articles section below). Sure, you could use LUKS instead, or VeraCrypt (but I haven’t tried VeraCrypt), but considering I only want to encrypt a subset of my files, and not the whole partition, that might be a little overkill.

So, I investigated the ecryptfs. Details can be found on the Wikipedia page, but in short, it allows you to mount directories (it comes with a wrapper to the mount command), but unlike other mount wrappers, you are allowed to mount on top of the same directory. In other words, you can do:

sudo mount.ecryptfs ~/SecuredData ~/SecuredData

And this will take the data stored in the directory and transparently decrypt it when you try to access the directory.

If you copy data into the directory, ecrypt will encrypt it and store it in the underlying directory in an encrypted manner. When you unmount the directory, only the encrypted data is visible. If you combine the mounting process with the optional Filename Encryption, then all you see are files with garbled filenames.

ecrypt supports various encryption methods, from AES and Blowfish, to 3DES and Twofish. Obviously, the higher you choose the encryption level, the slower the access. 3DES encryption resulted in a transfer rate of 7MB/s for me, when copying to the encrypted space, and AES was 16MB/s, so balance your requirement of high encryption vs slow access.




3 responses

  1. Pingback: ecryptfs Setup | Blender Fox

  2. I’m glad you find eCryptfs helpful. Note that AES is faster due to hardware acceleration. You shouldn’t be using any ciphers other than AES.

    • I am using AES, but it should be noted that a) other options are provided, and b) depending on the circumstances, AES might not be the best option, especially if corporate policies require a different encryption method. Even though the other encryption methods are slower, if access to the files are not required regularly (e.g. in the case of backups), then the slow access can be tolerated.

%d bloggers like this: