Ubuntu – the easiest way to encrypt a dir? (on Ubuntu)


What is the easiest way to encrypt a directory on a Ubuntu based system?

Let's say I have a laptop that is running Ubuntu 10.04, and on that I have some documents that should be kept safe (if I lose the laptop).

Let's say all to documents is in a dir called ~/work/, and nothing secret is outside this dir. So no need to encrypt the entire home dir.

There shall be a way to lock/unlock this dir from the command line.

There seem to be some different ways of doing this:

  • ecryptfs-utils
  • cryptsetup
  • truecrypt (however not OSI approved open source)

But what is the easiest and most reliable method?


Update: Related question, but not the same What's the easiest way to encrypt all of my files in ubuntu 10.04?

Best Answer

There are three methods: set up an encrypted volume on a partition (dm-crypt, configured with cryptsetup), set up a file which is an encrypted volume (truecrypt), set up a directory where each file is encrypted separately (ecryptfs or encfs).

Setting up an encrypted volume gives a little more confidentiality, because the metadata (size, modification time) of your files is invisible. On the downside, it's less flexible (you have to decide on the size of the encrypted volume in advance). The ecryptfs FAQ lists some differences between the two approaches.

If you elect to encrypt file by file, I'm aware of two options: ecryptfs and encfs. The former uses an in-kernel driver while the latter uses FUSE. This may give ecryptfs a speed advantage; it gives encfs a flexibility advantage as nothing needs to be done as root. A possible benefit of ecryptfs is that once you've done the initial setup, you can use your login password as a filesystem password thanks to the pam_ecryptfs module.

For my own use in a similar situation, I chose encfs, because I didn't see any actual security benefit to other solutions so ease-of-use was the determining factor. Performance hasn't been a problem. The workflow is very simple (the first run of encfs creates the filesystem):

aptitude install encfs
encfs ~/.work.encrypted ~/work
... work ...
fusermount -u ~/work

I recommend you also encrypt your swap space and any place where temporary confidential files may be written to, such as /tmp and /var/spool/cups (if you print confidential files). Use cryptsetup to encrypt your swap partition. The easiest way of dealing with /tmp is to keep it in memory by mounting it as tmpfs (this may give a slight performance benefit in any case).