What's the easiest way to encrypt files / folders to a password-protected image?

I have an external hard drive to which I want to back up some of my data. Although no one’s likely to touch my primary computer, I wouldn’t want someone messing with my data on the backup drive. So I want to password protect the important files there. Initially I was hoping ext4 would allow simply setting a password to a folder, but it’s not as easy as that. I could make a password protected zip file… but the data I have is nearly 400GB, and creating / updating such an archive could take a day. Plus, I have had cases of large archives becoming corrupted when updating individual files in them.

The only way is apparently to encrypt the folder or partition… but from what I read I couldn’t come to any conclusion. There are many crypt tools, and all of them require a fancy setup I can’t understand. I need something consistent, that I don’t have to worry about having issues mounting / unmounting or the image becoming corrupt. I’m also undecided whether to make an encrypted partition or an encrypted mountable image… though I’d rather go for the second option. I do however need to be able to work with it in realtime (mount it and add / remove / update files and folders like on any drive). I also want my image to be protected by password, NOT a ssh key or any separate file I’d need to use to unlock it. Maybe something that works with the normal mount / umount commands like iso images?

So my question is: What is the most common tool used to encrypt data to an image? By common I mean an implementation that’s available by default on any Linux distribution, that most people use and which is popular, that’s most consistent and stable, and which is still under development or at least being maintained. Then what are the steps to create an encrypted image and mount / unmount it, which I can then work with freely? I’m looking for something as simple as possible, that works with simple and clear commands.

I’m not sure about “most common”.

At present, I am backing up using “dar” which creates an archive file containing whatever I am backing up. There’s an encryption option to “dar”. The external drive itself is NTFS, so that it can also be used with Windows (where I use “acronis” for backups).

The other alternative that I have considered is to use a LUKS encrypted partition. Mounting is not too difficult:


# cryptsetup luksOpen /dev/sdb1 backups
  ##### you are prompted for encryption key here
# mount /dev/mapper/backups /mnt   ## or wherever else you want to mount it.

and to unmount


# umount /mnt
# cryptsetup luksClose backups

You can use “cryptsetup luksFormat” to initially set up the partition. Follow that with the “luksOpen” indicated above, and then use “mkfs” to create the file system.

Another alternative, if you only have a few sensitive files:

- Install ecryptfs-utils.
- Set up an ecryptfs Private filesystem.
- Keep your important files in $HOME/Private.
- To back up, you should back up $HOME/.Private.

To restore, make sure that your “Private” directory is not mounted, then restore “.Private”, then mount your “Private” directory.
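
The luksFormat / luksOpen / mkfs sequence from the post above, applied to a container file instead of /dev/sdb1, as an added example that is not part of the thread. It assumes a cryptsetup version that accepts a regular file as the device (attaching a loop device itself); backup.img, backups and /mnt are placeholder names.

```shell
#!/bin/sh
# Added example (not from the thread): LUKS container in a regular file.
# backup.img, "backups" and /mnt are placeholder names. Real runs need root.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 executes them.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# luks_create IMG SIZE NAME: allocate IMG, format it, create ext4 inside.
luks_create() {
    img=$1 size=$2 name=$3
    # luksFormat wipes its target, so never point it at an existing file.
    if [ -e "$img" ]; then
        echo "refusing to overwrite existing $img" >&2
        return 1
    fi
    # luksFormat asks for the new passphrase, luksOpen asks for it again.
    run truncate -s "$size" "$img" &&
    run cryptsetup luksFormat "$img" &&
    run cryptsetup luksOpen "$img" "$name" &&
    run mkfs.ext4 "/dev/mapper/$name" &&
    run cryptsetup luksClose "$name"
}

# luks_open IMG NAME MOUNTPOINT: unlock with the passphrase, then mount.
luks_open() {
    img=$1 name=$2 mnt=$3
    if [ -e "/dev/mapper/$name" ]; then
        echo "mapping $name is already open" >&2
        return 1
    fi
    run cryptsetup luksOpen "$img" "$name" &&
    run mount "/dev/mapper/$name" "$mnt"
}

# luks_close NAME MOUNTPOINT: unmount first, then drop the mapping.
luks_close() {
    name=$1 mnt=$2
    run umount "$mnt" &&
    run cryptsetup luksClose "$name"
}

case "${1:-}" in
    create) luks_create "$2" "$3" "$4" ;;
    open)   luks_open "$2" "$3" "$4" ;;
    close)  luks_close "$2" "$3" ;;
esac
```

Review the printed commands first, then run as root with DRY_RUN=0, for example `DRY_RUN=0 sh luksimg.sh create backup.img 400G backups` (luksimg.sh being whatever name the script is saved under).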

On 2012-12-05 13:16, MirceaKitsune wrote:
> I do however need
> to be able to work with it in realtime (mount it and add / remove /
> update files and folders like on any drive). I also want my image to be
> protected by password, NOT a ssh key or any separate file I’d need to
> use to unlock it. Maybe something that works with the normal mount /
> umount commands like iso images?

You are describing LUKS.

You encrypt a partition, and once mounted, you access it as any other
partition. The YaST partitioner can do it (mind that the partition is
empty, it destroys data).

It can be an external device via USB, for example, and when you plug it
in kde or gnome should simply ask for the password and you are ready to
use it.


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)

That sounds very much like what I’m looking for. I could make the entire drive that way, sure. So the openSUSE partitioner should allow me to format the external drive to an encrypted partition format, give it a password, and whenever I plug it in on any Linux machine it just asks for that password to mount it? I’ll try that soon if so, thanks!

[EDIT] Partitioner asks me to install pam_mount when I try to encrypt… apparently only the 32bit version of that comes pre-installed with openSUSE. Might try this all on a virtual machine first to be safe, but I’ll post here what results I get.

Another cross platform, secure and easy option is truecrypt (or realcrypt which is actually the same). It also creates an encrypted file container, it is available for Linux, Windows and Mac, and is quite easy to setup. Has a simple GUI, but also CLI and you can use keyfiles, which I find often better than memorizing endless password strings.

On Wed, 05 Dec 2012 12:16:02 +0000, MirceaKitsune wrote:

> The only way is apparently to encrypt the folder or partition… but
> from what I read I couldn’t come to any conclusion.

encfs is what I use to encrypt directories. I also use truecrypt to do
partition/device-level encryption on my archival drive.

encfs is a FUSE filesystem and it’s pretty straightforward to use and set
up.

Jim

Jim Henderson
openSUSE Forums Administrator

On 2012-12-05 19:46, MirceaKitsune wrote:

> That sounds very much like what I’m looking for. I could make the
> entire drive that way, sure. So the openSUSE partitioner should allow me
> to format the external drive to an encrypted partition format, give it a
> password, and whenever I plug it in on any Linux machine it just asks
> for that password to mount it? I’ll try that soon if so, thanks!

Yes.

However, a side effect of using the yast partitioner is that it will
write entries in /etc/crypttab and /etc/fstab. It is probably best to do
it manually. Or, on second thoughts, use yast, then comment out both
entries.

Ugh. I’m familiar with doing it in my ways, but I don’t know how it
would be easier for normal people :-)


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)