Announcement

Collapse
No announcement yet.

Easiest simple folder encryption method these days?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    Easiest simple folder encryption method these days?

    I used to use ecryptfs to set up encrypted directories in linux, but apparently it's no longer recommended, developed, or supported, so I'm wondering about the current best practice.

    I have a newbie friend who has made the jump to linux (debian+kde) (edit to add: I'm asking re: kubuntu here, but general info is welcome) and he wants to set up an encrypted directory to contain sensitive client data. We opted not to do full-disk/partition encryption on install because I thought it would be simpler to just have an encrypted dir somewhere... that might have been a bad call!

    I've been looking into fscrypt.
    Things I like:
    - though still painful, not a terrible pain to set up
    - PAM integration means he doesn't have to enter extra passwords or go to the CLI after login to access the data
    Things I don't like:
    - can't back up the folder when it is locked, which is basically a deal-breaker

    I looked into LUKS, but that seems like a minor nightmare to get set up. I was tempted by this answer, though, which makes it look pretty simple, but I still have more to research...

    Are there any other options? (I don't mean to whine; it's surprising how difficult this is to do on linux in 2024... I'd have thought by now that you could just right-click a folder in any file manager and say "encrypt with my login password", be able to back it up, etc.)

    Thanks!

    #2
    Sorry for the bump -- just seeking any perspectives or help people might have on this subject. Seems pretty important, so surely I'm not the only one struggling with these questions. Thanks!

    Comment


      #3
      Plasma's built-in Vaults
      iirc they are unlocked at login.
      https://www.zdnet.com/article/how-to...th-kde-vaults/

      Originally posted by chconnor View Post
      - can't back up the folder when it is locked, which is basically a deal-breaker
      That will be a given, though you can of course back up the encrypted files/directories as part of the backup regimen.

      If you want to decrypt specific folders at login, why not just encrypt the whole user $HOME, or the entire install?

      Originally posted by chconnor View Post
      I'd have thought by now that you could just right-click a folder in any file manager and say "encrypt with my login password",
      There are service menus for Dolphin that can be installed that include encryption.
      But tbh, if it is decrypted at login, what is the point of having a user directory encrypted, instead of the whole shebang?
      If these files are copied or backed up somewhere unencrypted, what is the point?

      Comment


        #4
        Originally posted by claydoh View Post
        Plasma's built-in Vaults
        Thanks! Didn't know about those but they are neat; unfortunately they are not decrypted on login and require password entry to unlock. It does appear that you can copy the encrypted directory to do a backup and can restore it, but the restoration process looks a little rough [see edit below] (replacing the directory in place went smoothly -- just had to remove the "integritydata" file, but recreating from scratch looks more involved.) Maybe there's not going to be an easy way around that, but these systems (CryFS in this case) seem to always have relatively complicated dot files here and there that make it a bit technical to do a restoration. TLDR: looks great overall but the login issue remains.

        EDIT: just went through the restoration-to-new-location and it wasn't bad at all... This post details the procedure.

        That will be a given, though you can of course back up the encrypted files/directories as part of the backup regimen.
        Sorry, we might have miscommunicated here: with ecryptfs I was able to back up files/folders when they were encrypted by just copying the encrypted directory. I could then copy it back to some other location and decrypt as needed to extract files from the backup. Not possible with fscrypt, IIUC (documentation says you can't do it, at least that was my interpretation; I believe because of filesystem-level encryption used).

        If you want to decrypt specific folders at login, why not just encrypt the whole user $HOME, or the entire install?
        Yeah, that would have been better. The reasons were:

        1) not wanting to deal with encryption when backing up non-essential stuff, e.g. doing a partition backup of /home leaves most of the files in the backup more easily accessible (for the non-tech user I'm supporting). I've had to recover things from encrypted dirs before and it was a pain, especially when 99% of the stuff in /home didn't really need it. Having to jump through all the hoops just to e.g. recover a config file for an app that got corrupted is tiresome.
        2) believing (incorrectly) that it would be simple to set up an encrypted directory that could be easily backed up in encrypted form that would open upon login.
        3) I know that performance isn't a big concern with this, but given that I believed (2) it seemed nice to avoid full-partition encryption as a small win.

        If these files are copied or backed up somewhere unencrypted, what is the point?
        They wouldn't be backed up unencrypted, just in encrypted form.
        Last edited by chconnor; Jun 27, 2024, 10:40 PM.

        Comment


          #5
          Just following up in case anyone else finds this: best way to back up vaults seems to be to copy the ~/.local/share/plasma-vault/MyVault.enc directory (or wherever you specified it) to your backups (presumably it's smart to lock it first if it is not already), then when you want to restore files:

          - make a new vault that will contain the vault contents
          - cryfs /backup/location/MyVault.enc /temporary/mount/location/for/files/myvault_files/
          - copy decrypted files from the mount location into the new vault location
          - unmount /temporary/mount/location/for/files/myvault_files/

          ...apparently in KDE6 you will be able to do:

          Code:
          qdbus6 org.kde.kded6 /modules/plasmavault requestImportVault
          ...which should be a lot easier? Relevant link:

          https://bugs.kde.org/show_bug.cgi?id=386200#c38

          Comment


            #6
            Try giving Silent Space Encryptor a try. I'm not sure about decryption at login but it's very simple to use

            Comment

            Working...
            X