
Sunday, September 21, 2014

How to Encrypt Files and Directories in Ubuntu - EncFS

After Truecrypt.org went down recently and visitors were informed that Truecrypt contains vulnerabilities and is discontinued, I had to search for an alternative. I have known about EncFS for a good while, however the convenience of Truecrypt's cross-platform property had won me over. Now, however, I have moved to using EncFS on my Linux machine.

Advantages

There are some advantages of using EncFS, as explained at arg0.net/encfsintro. To sum them up:
  • Size grows without need of reformatting
  • Backing up is easier (with e.g. rsync or GUI version grsync) as files can be individually backed up
  • Can be layered on other file systems
So in general, one doesn't need to specify a fixed size for the encrypted file system, which means there is no "unused encrypted space". Also, the fact that files are individually available allows backing them up one by one, which makes incremental backups possible, or at least far more practical. With Truecrypt previously, if one wanted to back up a container, the entire encrypted volume had to be uploaded, and re-uploaded any time something was changed in the original document. At the cost of some "anonymity" (described below) this is no longer an issue.

Disadvantages


Again, as explained in the above mentioned link:
  • Meta Data is available in the encrypted directory
    • File size
    • Permissions
    • Number of files
    • Approximate name length (but not the name itself)
Unfortunately, this allows some guessing about what the files might be: not their actual names or contents, but definitely their kind. Even though file types are not shown, a document of a couple of KB is probably some sort of text file, whereas one of a few MB might be a picture, a PDF and so on. Modification dates are also shown in plain text, which in some scenarios might be an issue.

Everyone has to decide whether or not leaking this kind of information is acceptable. It is definitely better than not encrypting the files in the first place, however it might not be enough in other cases.

How Does it Work?


Check out the code below. This creates an encrypted directory and mounts it to another directory, effectively a mount point.

$ mkdir /tmp/crypt-raw
$ mkdir /tmp/crypt
$ encfs /tmp/crypt-raw /tmp/crypt
Volume key not found, creating new encrypted volume.
Password: [password entered here]
Verify: [password entered here]
 

This does the following:


mkdir /tmp/crypt-raw - Create a directory at the specified location. This will be the actual directory holding the encrypted files.

mkdir /tmp/crypt - Create a directory at the specified location. This will be the mount point for your encrypted directory. This directory will not contain any actual files; it simply presents the decrypted view of the encrypted directory. If you have it under /tmp it will be deleted on every restart. You can choose it to be at any other location too, of course.

encfs /tmp/crypt-raw /tmp/crypt - Command to mount the encrypted directory (crypt-raw) at the location of the directory crypt. If you run the command for the first time it will ask you to give a password and to specify the type of encryption.

 

How to use this


You are technically done. Any files you put in the crypt directory are actually stored, encrypted, in crypt-raw. As long as the directory crypt is mounted, the files are visible there in plaintext. If you unmount it, the files are only visible in crypt-raw, and if you look at them you only see scrambled text/data, that is, the ciphertext.

[Screenshot: example of some files stored in the encrypted directory]
As you can see in the example above, file sizes and modification dates are shown in clear text, but file names are encrypted.

Unmount


To unmount the directory run
$ fusermount -u /tmp/crypt

After this, both the mount point and the encrypted directory will still be present, but crypt will be "empty" while crypt-raw will only contain unreadable ciphertext.

Note: /tmp is flushed on restart, hence the crypt directory will be removed. This is no problem, however: running the commands above recreates and mounts the directory again after a reboot.

Tip


Create a small script that mounts, unmounts and opens the encrypted directory you use the most! Take a look at http://pastebin.com/CXRPQUsK for what I am using. This way it is much faster and more convenient to use encryption; it only takes a few seconds to open and close the container.
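An added example of the kind of helper the tip describes (it is not the pastebin script): a toggle that mounts with encfs, opens the plaintext view, and unmounts with fusermount, deciding what to do by checking /proc/mounts. The RAW and MNT locations are assumptions; set them to your own pair.

```shell
#!/bin/sh
# Toggle helper for an EncFS directory pair (added example, not the
# script the post links to). RAW holds the ciphertext, MNT is the
# plaintext view; both are assumed paths, overridable via the environment.
RAW="${ENCFS_RAW:-$HOME/.crypt-raw}"
MNT="${ENCFS_MNT:-$HOME/crypt}"

# is_mounted_in MOUNT_TABLE MOUNT_POINT
# Succeeds when MOUNT_POINT is listed as a FUSE mount (encfs appears as
# fuse.encfs) in the given /proc/mounts-style text. The mount point is
# matched exactly, so /tmp/crypt does not match /tmp/crypt-raw.
is_mounted_in() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp && $3 ~ /^fuse/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

is_mounted() { is_mounted_in "$(cat /proc/mounts)" "$MNT"; }

mount_crypt() {
    mkdir -p "$RAW" "$MNT"            # a mount point under /tmp vanishes on reboot
    encfs "$RAW" "$MNT" || return 1   # prompts for the volume password
    xdg-open "$MNT" >/dev/null 2>&1 & # show the plaintext view in the file manager
}

unmount_crypt() {
    fusermount -u "$MNT"              # afterwards only ciphertext is left in RAW
}

# Dispatch only when invoked with an argument, so sourcing the file
# merely defines the functions.
if [ $# -gt 0 ]; then
    case "$1" in
        mount)   mount_crypt ;;
        unmount) unmount_crypt ;;
        toggle)  if is_mounted; then unmount_crypt; else mount_crypt; fi ;;
        *) echo "usage: $0 mount|unmount|toggle" >&2; exit 2 ;;
    esac
fi
```

Bind `toggle` to a keyboard shortcut and the container opens or closes in a few seconds, as the tip suggests.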

Saturday, October 13, 2012

Email Security

Email encryption and digital signatures are ways to protect your emails from spying eyes and to make sure the recipient knows that you are the original sender of the email. Enigmail is an add-on for the Mozilla Thunderbird mail client that allows you to send emails securely.
The term e-mail is a little misleading. When you send a letter through the post you write something on paper and put it into a sealed envelope, so the people handling your mail can't actually see what is inside. Most people think that e-mail is similar to this, however in reality it is more like a postcard: while it passes through the servers, basically anyone who knows how can read it. This is where Enigmail and OpenPGP come in and add a layer of security.

Digital signature 

A digital signature is the equivalent of a handwritten signature in the computer world. It helps to uniquely identify, in this case, the sender of the email. So if A and B are talking (assuming both of them have the software, of course) and A sends an e-mail to B and signs it with his own key, then B knows for sure that the e-mail came from A and wasn't altered, so the information can be trusted.
A digital signature doesn't prevent others from reading your message on its way, but the message cannot be altered unnoticed and the recipient can be sure that the e-mail comes from the right source. You can also sign e-mails sent to a person who doesn't have the software and they will still be able to read them.

Encryption 

Encryption is encryption. You encrypt the whole message, making others unable to read it except for the person you have sent it to. This is considered secure messaging, and the contents of the email remain hidden from spying eyes.
The encryption used here is based on encryption keys. So if A and B are e-mailing, both of them have a key pair on their system: a private key and a public key.
  • Private key - Must be kept secret and protected from everyone. It is used to decrypt messages sent TO you.
  • Public key - You can share this key with friends and basically anyone. It is used BY OTHERS to send encrypted messages TO YOU.
So for starters A and B have to exchange their public keys; this identifies them and allows them to send and receive encrypted e-mails. Briefly, here is how it goes:
A takes the public key of B, uses it to encrypt the message and sends it to B. B receives this message and decrypts it with his own private key. As long as this private key is kept secret, only B is able to read the message. Similarly, when B replies he encrypts the message with A's public key, and A decrypts it with his own private key.
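The A/B exchange above, together with the signature from the previous section, carried out with the GnuPG command line that Enigmail drives. This is an added example, not from the post: it builds a throwaway keyring, has A sign and encrypt to B's public key, checks that the plaintext is not visible in the ciphertext, and has B decrypt with his private key. It assumes GnuPG 2.1 or later; the names, addresses and message text are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the post): the A/B exchange with GnuPG in a
# throwaway keyring, so your real ~/.gnupg is untouched. Names, addresses
# and the message are constructed; requires GnuPG 2.1 or later.
set -e

demo_roundtrip() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME   # isolated keyring for the demo
    alice="Alice <alice@example.test>"
    bob="Bob <bob@example.test>"

    # Each party generates a key pair (private + public). The empty
    # passphrase is for the demo only; a real private key must have one.
    for who in "$alice" "$bob"; do
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "$who" default default never 2>/dev/null
    done

    # A encrypts TO B with B's public key and signs with A's private key.
    # Both keys sit in one keyring here; in practice A first imports the
    # public key that B exported and sent over.
    printf 'meet at noon' >"$GNUPGHOME/msg.txt"
    gpg --batch --quiet --local-user "$alice" --recipient "$bob" \
        --sign --encrypt --armor \
        --output "$GNUPGHOME/msg.asc" "$GNUPGHOME/msg.txt" 2>/dev/null

    # The ciphertext file must not contain the message in the clear.
    if grep -q 'meet at noon' "$GNUPGHOME/msg.asc"; then return 1; fi

    # B decrypts with B's private key; gpg verifies A's signature in the
    # same step and exits non-zero on a BAD signature. Prints the plaintext.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --decrypt "$GNUPGHOME/msg.asc" 2>/dev/null

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
}
```

Run `demo_roundtrip` after sourcing the file; it prints the recovered message and leaves no key material behind.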

Step 1. Installing Enigmail for Thunderbird

There are two components to install: Enigmail, the add-on for Thunderbird, and the GnuPG encryption software.
Enigmail can simply be downloaded from the Add-ons tab of Thunderbird, which is very straightforward, but it uses GnuPG to work, so without that it's useless.

  1. Open Mozilla Thunderbird
  2. Go to Tools/Options/Manage Add-Ons
  3. Search for "Enigmail" and download it

(If you can't seem to find it there, download it from Mozdev and install it, or upgrade to the latest Thunderbird version, which should be able to find it.)

That is Enigmail done.


Step 2. Installing GnuPG

First of all, GnuPG depends on the following packages: libgpg-error, libgcrypt, libksba and libassuan.

These are not installed by default on Ubuntu, so if you have not installed them before you will have to do it now. The easiest way to do this is with the Synaptic package manager (sudo apt-get install synaptic if you do not have it already). Simply search for each of the above packages, mark them for installation and install them all.

Go to gnupg.org and download GnuPG 2.0, which comes as a .tar.bz2 file. Extract this file, open a terminal window, cd to the extracted folder and build GnuPG from source as you normally would:
sudo ./configure
sudo make
sudo make install
If you are still missing a package, an error message will warn you at the end of ./configure, similar to this:
The instructions are straightforward: simply install the missing packages and everything will go smoothly. After running make and make install (which takes some time) you will get a confirmation that GnuPG is installed:

Step 3. Check configuration

First of all, Thunderbird and Enigmail need to be set up to use GnuPG. Usually this is done by default, but do a manual check. Open Thunderbird, check the new OpenPGP menu item, select Properties and you will be presented with the following window.
All you have to make sure is that the path to gpg is correct (usually it is); if it is not, specify the correct path in the box below.

DONE.

You can either import your key files from another machine, or, if this is the first time you are using Enigmail and OpenPGP, you will need to create a new key pair. This is beyond this installation tutorial, but a step-by-step (quickstart) guide is available on enigmail.net.