Ways to encrypt a whole directory instead of just a file - encryption

I want to use GPG for local encryption only, and after reading the man file, I'm doing the following in order to encrypt a whole directory:
I zip the directory with a password "zip -r -e foo foo", then I encrypt it with "gpg -c foo.zip" using a passphrase. Is this an elegant and secure way of encrypting directories? Am I using GPG's full cryptographic power? Are there better alternatives?
So there's no way to encrypt a whole directory without zipping or tarring it?

Is this an elegant and secure way of encrypting directories?
Elegant -- no. Secure -- as secure as gpg.
Am I using GPG's full cryptographic power?
Yes.
Are there better alternatives?
tar the directory first instead of zipping it. gpg compresses data anyway.
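An added example, not from the original thread or from the gpg project, showing the tar-piped-into-gpg variant suggested in the answer as a shell round trip: the directory is streamed through tar straight into symmetric gpg (AES-256), then decrypted and extracted again, and the result is compared with the source. It assumes gpg 2.1 or later (for --pinentry-mode loopback) and tar on PATH; the directory layout, file contents and passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread): encrypt a directory as a
# single tar stream piped straight into gpg, and decrypt the same way.
# Assumptions: gpg 2.1+ (for --pinentry-mode loopback) and tar on PATH.
# The passphrase comes from a file rather than the command line so it
# never shows up in `ps` output. All paths and contents are constructed.

set -eu

# encrypt_dir PARENT NAME OUT PASSFILE
# tar captures names, layout and permissions; gpg encrypts the stream
# symmetrically. No separate gzip step: gpg compresses before encrypting.
encrypt_dir() {
    parent=$1 name=$2 out=$3 passfile=$4
    tar -C "$parent" -cf - "$name" |
        gpg --batch --yes --quiet --pinentry-mode loopback \
            --passphrase-file "$passfile" \
            --symmetric --cipher-algo AES256 \
            --output "$out"
}

# decrypt_dir IN DEST PASSFILE
decrypt_dir() {
    in=$1 dest=$2 passfile=$3
    gpg --batch --quiet --pinentry-mode loopback \
        --passphrase-file "$passfile" --decrypt "$in" |
        tar -C "$dest" -xf -
}

# roundtrip_demo: build a small tree, encrypt it, decrypt it into a fresh
# location and compare. Prints "ok" on success.
roundtrip_demo() {
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"   # keep the demo out of ~/.gnupg
    mkdir -m 700 "$GNUPGHOME"

    mkdir -p "$work/src/foo/notes"
    printf 'alpha\n' > "$work/src/foo/a.txt"
    printf 'beta\n'  > "$work/src/foo/notes/b.txt"
    printf 'correct horse battery staple\n' > "$work/pass"
    chmod 600 "$work/pass"

    encrypt_dir "$work/src" foo "$work/foo.tar.gpg" "$work/pass"

    # Unlike a zip -e archive, whose central directory lists every entry
    # name in the clear, the tar headers are inside the ciphertext.
    if grep -aq 'notes/b.txt' "$work/foo.tar.gpg"; then
        rm -rf "$work"; echo leak; return 1
    fi

    mkdir "$work/dst"
    decrypt_dir "$work/foo.tar.gpg" "$work/dst" "$work/pass"

    if diff -r "$work/src/foo" "$work/dst/foo" >/dev/null; then
        result=ok
    else
        result=mismatch
    fi
    rm -rf "$work"
    echo "$result"
}
```

Interactively you would drop --batch, --pinentry-mode and --passphrase-file and let gpg prompt; `gpg -c` is shorthand for `--symmetric`. The grep check is there to make the practical difference from `zip -e` visible: zip's traditional encryption protects entry contents but leaves the file names readable in the archive listing, whereas wrapping the tree in tar first puts the names inside the encrypted stream.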

Related

Finding corresponding encrypted file on encfs

Hopefully a very simple question.
I have a read-only mount, and an encfs FUSE mount reads over that to decrypt the files. How do I know which encrypted file each decrypted file relates to?
For example: I want to delete a file, however won't be able to do that via the read-only filesystem. How do I know the true filename?
I am possibly looking for a more programmatic way of doing this
I found this is possible with encfsctl. You can use the encode function to turn the human-readable name into the real path on the filesystem.
$ ENCFS6_CONFIG='encfs6.xml' encfsctl encode /encfs/mountpoint readable/name/in/mountpoint
EncFS Password:
decryptedname
http://manpages.ubuntu.com/manpages/hardy/man1/encfsctl.1.html
I found a solution I am not amazingly happy with. I can make two directories, encrypted and decrypted, and use the same .encfs6.xml file to mount the decrypted/ directory as the encfs mountpoint.
I can then mkdir -p decrypted/parent/of/file and touch the filename. Then if I check in decrypted I will have the full path of the encrypted file I want.
It's not elegant but it's a solution. Does anyone have any better ideas?

Missing files while decrypting PGP encrypted tar archive

I am having trouble with encrypting/decrypting a tar archive using the Bouncy Castle OpenPGP library.
I'm using TarArchiveOutputStream to add files to a tar archive and Bouncy Castle OpenPGP to encrypt the archive. Afterwards I am using Kleopatra to manually decrypt the file using the option "Input file is an archive; unpack with: TAR(PGP compatible)".
After unpacking the archive all files except one are lost and the one remaining has all contents removed. (Also happens with other decrypting programs)
I have already confirmed that the tar archive contains all the files before it is encrypted. I have also tried decrypting with that option unchecked and then the archive also contains all the files. My question is why it doesn't work with that option checked since the input file is indeed an archive so it makes sense to check that option.
What I have also tried:
Using another library to make the tar file (JTar)
Comparing a manually made tar file to the one generated. The main difference that I saw was that the one made manually was smaller (22KB vs 30KB) while containing same files.
I am open to suggestions.
Thanks!

How to read encrypted files (encfs)

Lately, I installed encfs for encryption, and I encrypted files.
As far as I know, there are two directories: the first directory is where the encrypted files are stored and the second directory is where the unencrypted files (the original files) are stored.
I think the purpose of using encfs is reading or writing files safely using the encrypted files (in the first directory). Am I wrong?
So my question is how to read the encrypted files. The files are encrypted, so I can't read or write them without decryption. How do I decrypt the files?
I think I don't know the principle of encfs. Can anyone explain this problem?
How EncFS works is well explained here: http://ninjatips.com/encrypt-dropbox-using-encfs/
EncFS uses two directories in mounting an EncFS filesystem: the "rootdir" and the "mountPoint". Under the "rootdir" directory, every file is encrypted including its filename and what's in it. Each file in the "mountPoint" has a specific file in the "rootdir" directory that corresponds to it. The file in the "mountPoint" provides the unencrypted view of the one in the "rootdir" directory.
When you mount an EncFS drive, it creates a virtual encrypted filesystem on your computer and stores encrypted data in the rootdir directory and makes the unencrypted data visible at the mountPoint. You add, read, delete... files in the mountPoint. The actual encrypted files are in "rootdir".

Encryption for Folders

Is there a directory-encryption variant similar to VIM's "vim -x file"? I am looking for something like "mkdir -encrypt folder".
There is no "general" way to encrypt directories (ie, one that works across all file and operating systems) (see below).
You can, however (as Dante mentioned) use TrueCrypt to create an encrypted filesystem in a file, then mount ("attach", in Windows terminology?) that file.
If you're using Linux, you can even mount that file at a particular directory, to make it appear that the directory is encrypted.
If you want to know how to use TrueCrypt, checkout the docs for Windows here: http://www.truecrypt.org/docs/?s=tutorial and for Linux here: http://www.howtoforge.com/truecrypt_data_encryption (scroll down to the "TrueCrypt Download" heading).
So, a quick explanation why you can encrypt files but not directories:
As far as the "computer" (that is, the hardware, operating system, filesystem drivers, etc) is considered, "files" are just "a bunch of bits on disk" (in the same way a book is "just a bunch of ink on paper"). When a program reads from or writes to a file, it can read or write whatever the heck it wants -- so if that program wants to encrypt some data before writing it to the file, or read a file then decrypt the data that it reads, great.
Directories are a different story, though: to read (ie, list) or write (ie, create) directories, the program (be it mkdir, ls, Windows Explorer or Finder) has to ask the operating system, then the operating system asks the filesystem driver "Hey, can you make the directory /foo/bar?" or "Hey, can you tell me what's in /bar/baz?" -- all the program or operating system sees (basically) is a function to make directories and a function to list the contents of a directory.
So, to encrypt a directory, you can see that it would have to be the filesystem driver that is doing the encryption, not the program creating/listing the directories... And no modern filesystems support per-directory encryption.
On Linux, the simplest way is probably to use EncFS
"EncFS provides an encrypted filesystem in user-space. It runs without any special permissions and uses the FUSE library and Linux kernel module to provide the filesystem interface."
it basically mounts an encrypted folder as a plain one.
More info on wikipedia
TrueCrypt. It's open source and supports multiple types of encryption. What operating system do you wish to know about?
Edit: Windows Vista/XP, Mac OS X, and Linux are all supported.
I would recommend the Enterprise Cryptographic Filesystem, i.e. ecryptfs, found in apt-get as ecryptfs-utils in Debian/Ubuntu, because it is more flexible than TrueCrypt.
It is probably one of the strongest ways here to encrypt the directory.
It can be used with two passwords: a login passphrase and a password, making it a kind of double-password system.
It is also POSIX implemented.
The limitation of this system, like many other encryption systems, is that it supports only filenames/directory names up to 144 characters, in contrast to the Linux standard of 255.
Maintained for four years, with the last update 4 months ago, so a good thing for the future.
Comparison between TrueCrypt and ecryptfs from this blog post:
Truecrypt is simulated hardware encryption. It creates a virtual encrypted hard disk, which your operating system can more or less treat like an ordinary hard disk, but for the kernel hooks Truecrypt adds to lock and unlock the disk. EcryptFS is an encrypted filesystem. Unlike Truecrypt, which encrypts individual disk blocks, systems like EcryptFS encrypt and decrypt whole files.
And more comparison between the two systems here:
Those complications (and the fact that ecryptfs is slower) are part of why people like block-level encryption like TrueCrypt, but I do appreciate the flexibility of ecryptfs.

Which archiving utility should I use in Ubuntu?

I am a Mac/Ubuntu user. I have folders such as "AWK", "awk", "awk_tip" and "awk_notes". I need to archive them, but the variety of utilities confuse me. I had a look at Tar, cpio and pax, but Git has started to fascinate me. I occasionally need encryption and backups.
Please, list the pros and cons of different archiving utilities.
Tar, cpio and pax are ancient Unix utilities. For instance, tar (which is probably the most common of these) was originally intended for making backups on tapes (hence the name, tar = tape archive).
The most commonly used archive formats today are:
tar (in Unix/Linux environments)
tar.gz or tgz (a gzip compressed tar file)
zip (in Windows environments)
If you want just one simple tool, take zip. It works right out of the box on most platforms, and it can be password protected (although the protection is technically weak).
If you need stronger protection (encryption), check out TrueCrypt. It is very good.
Under what OS / toolchain are you working? This might limit the range of existing solutions. Your name suggests Unix, but which one? Further, do you need portability or not?
The standard linux solution (at least to a newbie like me) might be to tar and gzip or bzip2 the folders, then encrypt them with gnupg if you really have to (encrypting awk tutorials seems a bit of overkill to me). You can also use full-fledged backup solutions like bacula, sync to a different location with rsync (perhaps sync to a backup server?).
If you're backing up directories from an ext2/ext3 filesystem, you may want to consider using dump. Some nice features:
it can backup a directory or a whole partition
it saves permissions and timestamps,
it allows you to do incremental backups,
it can compress (gzip or bzip2)
it will automatically split the archive into multiple parts based on a size-limit if you want
it will backup over a network or to a tape as well as a file
It doesn't support encryption, but you can always encrypt the dump files afterwards.
