Ubuntu 22.04 Specific folder Encryption

From Notes_Wiki


We can encrypt a particular folder (not the entire drive) on Ubuntu 22.04 using eCryptfs. This method allows you to mount a directory as an encrypted filesystem, so only users with the correct passphrase can access the data. Here's a step-by-step guide:

Install eCryptfs Utilities

sudo apt install ecryptfs-utils

Prepare the Directory

Create a new, empty directory that you want to encrypt. Do not encrypt a directory that already contains data, as existing data will not be encrypted or may become inaccessible. Move any existing data out first.

mkdir ~/myencryptedfolder

Mount the Directory as Encrypted

Mount the directory to itself with eCryptfs:

sudo mount -t ecryptfs ~/myencryptedfolder ~/myencryptedfolder

You will be prompted for:

Select passphrase:

Select key type to use for newly created files: 
 1) passphrase
 2) tspi
Selection: 1

Give the passphrase:

Passphrase: <passphrase>

Select the default options:

Select cipher: 
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: 

Select key bytes: 
 1) 16
 2) 32
 3) 24
Selection [16]: 
Enable plaintext passthrough (y/n) [n]: 
Enable filename encryption (y/n) [n]: 

Note the ecryptfs_sig value in the output below; it is needed for the /etc/fstab entry later:

Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=39768badc8a99c6e
Mounted eCryptfs

Move Data into the Encrypted Directory

Once mounted, anything written into the directory is stored encrypted. We can move confidential files into it:

mv <path/to/your/file/> ~/myencryptedfolder/

Unmount the Encrypted Directory

When that is done, unmount to secure the data:

sudo umount ~/myencryptedfolder

Now, the data inside the directory is unreadable until you remount it with the correct passphrase.

Remount to Access Data

To access the encrypted files again, repeat the mount command and enter the passphrase:

sudo mount -t ecryptfs ~/myencryptedfolder ~/myencryptedfolder

Simplifying Mounting by Avoiding Repeated Encryption Parameters

To avoid specifying aes, 16, etc. every time, we can follow the steps below.

Optionally, for folders other than the home directory, we can add an entry like the following to /etc/fstab:

/home/user/myencryptedfolder  /home/user/myencryptedfolder    ecryptfs  user,noauto,ecryptfs_unlink_sigs,ecryptfs_key_bytes=16,ecryptfs_cipher=aes,ecryptfs_sig=5e0164db38d0d839,ecryptfs_enable_filename_crypto=n,ecryptfs_passthrough=n 0 0

Use the ecryptfs_sig value captured at the first mount in the entry above; it is different for each partition.
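As an added example (not part of the original wiki page), the following POSIX shell script builds the /etc/fstab line shown above from the "Attempting to mount with the following options:" output captured at the first mount, so the sig, cipher and key size are copied rather than retyped; the function names ecryptfs_opt and ecryptfs_fstab_line are hypothetical, and the sample output is constructed from the mount output shown earlier on this page.

```shell
#!/bin/sh
# Added example, not from the original page: derive the /etc/fstab entry for an
# eCryptfs folder from the saved output of the first interactive mount.

# Print the value of one "ecryptfs_<name>=<value>" line read from stdin.
# Usage: ecryptfs_opt ecryptfs_sig < saved-mount-output
ecryptfs_opt() {
    sed -n 's/^[[:space:]]*'"$1"'=\(.*\)$/\1/p' | head -n 1
}

# Emit an fstab line for DIR (mounted onto itself, as in the guide) using the
# sig, cipher and key size found in FILE. The remaining options mirror the
# wiki entry: user-mountable, not mounted at boot, no filename encryption and
# no plaintext passthrough. Fails if any of the three values is missing.
ecryptfs_fstab_line() {
    dir="$1"
    out="$2"
    sig=$(ecryptfs_opt ecryptfs_sig < "$out")
    cipher=$(ecryptfs_opt ecryptfs_cipher < "$out")
    bytes=$(ecryptfs_opt ecryptfs_key_bytes < "$out")
    if [ -z "$sig" ] || [ -z "$cipher" ] || [ -z "$bytes" ]; then
        echo "ecryptfs_sig/cipher/key_bytes not found in $out" >&2
        return 1
    fi
    printf '%s  %s    ecryptfs  user,noauto,ecryptfs_unlink_sigs,ecryptfs_key_bytes=%s,ecryptfs_cipher=%s,ecryptfs_sig=%s,ecryptfs_enable_filename_crypto=n,ecryptfs_passthrough=n 0 0\n' \
        "$dir" "$dir" "$bytes" "$cipher" "$sig"
}

# Constructed sample: the mount output shown earlier on this page, as it would
# look if saved with "sudo mount -t ecryptfs ... 2>&1 | tee mount.log".
SAMPLE_OUT=$(mktemp)
cat > "$SAMPLE_OUT" <<'EOF'
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=39768badc8a99c6e
Mounted eCryptfs
EOF

# Print the line to append to /etc/fstab (review it before adding it).
ecryptfs_fstab_line /home/user/myencryptedfolder "$SAMPLE_OUT"
```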

After adding the entry to /etc/fstab, mounting the folder again only prompts for the passphrase:

sudo mount /home/user/myencryptedfolder/
Select key type to use for newly created files: 
 1) passphrase
 2) tspi
Selection: 1
Passphrase: 
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=39768badc8a99c6e
Mounted eCryptfs