Protecting my data
Q I was burgled last week! They took two TVs and a load of PC equipment including all my external drives. This has made me really paranoid about keeping the data on my laptops and desktop safe. Is there a way to encrypt the hard drives of my PC and laptops without reformatting them?
A Sorry for your bad news. There are two main ways of encrypting a filesystem: one is to create an encrypted block device and then create a filesystem on top of that. This is the method I generally use, but the actual implementation depends on your chosen distro as it has to request a decryption key and unlock the filesystem before it can be mounted during the boot process. The commands (run as root) to implement this are
cryptsetup luksFormat /dev/sda2 cryptsetup luksOpen /dev/sda2 home
The first creates an encrypted block device on /dev/sda2, and only needs to be done once. The second opens the encrypted device, prompting for a passphrase when used like this, although it can also use a keyfile on a removable device. It creates the block device /dev/mapper/home, which you can format, mount and use just as you would any other block device. The main drawback here is that you have to reformat part of your disk to use it. The other option is a stacked filesystem, which is where one filesystem is layered on top of another. The most popular option for encrypted stacked filesystems used to be EncFS (a Fuse) filesystem, but now the Linux kernel has ecryptfs built in. You need to install ecryptfsutils, which should be in your distro's repositories and may already be installed. This contains the tools to create and manage ecryptfs filesystems. Then you can create one with the following:
mkdir .private mkdir private sudo mount -t ecryptfs .private private
You will be asked some questions; set the key type to passphrase, the encryption cipher to AES, key bits to 16 and passthrough to off. You can use different settings if you wish, but these are a good starting point. The encrypted layer is created and anything you write to private is actually saved as an encrypted file in .private. Try copying some files to private and then reading them. Now try to read the same files in .private. Unmount private with
sudo umount private
and this directory will now be empty while the encrypted files are still present in .private. To mount the directory again, you need to specify the options you gave when you created it.
sudo mount -t ecryptfs .private private -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n
You will be asked for the passphrase again, and then your files will be readable. You can attach this command to a launcher icon or call it from your desktop's session manager to have the directory mounted automatically when you log in. Make sure that you set the command to run in a terminal, as this will be needed if you want to input the password. You could also put the options in /etc/fstab, like this:
home/user/.private /home/user/private ecryptfs oauto,user,key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n 0 0
The use of noauto prevents a mount attempt when booting while the user option lets any user mount it, provided they know the passphrase, without the need for sudo. You can either keep your confidential data in private and change the configuration of your programs, or move the various data directories into the private directories and set up symbolic links from their original locations. When making backups, copy .private instead of private, then your backed up data will remain encrypted.
- Restoring data in RAID setup when a disk dies
- Sharing data
- Safely transfer data between partitions
- Rename files and change timestamps according to EXIF data
- Safe updates, and knowing which data to back up