What is the best way to do an encrypted file system in Linux?
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
In my opinion, a truecrypt file may be a good solution. Truecrypt is cross-platform, fast, and light.
I've largely gone with an actual file (usually named something innocent) instead of a whole partition, just because it's easier to backup/copy/move around.
It is not likely to be compromised, so far as I know.
There are other solutions, of course, but this is what I have found to be the easiest and cleanest. It's also handy if you have to access the same data frequently on multiple hosts (in my case, I often do this with SD cards/USB drives).
Like all of the "what is the best ...." questions, the answer depends on what and why you want encryption. You might get less frustrating advice if you explicitly state your needs. Truecrypt has advantages and disadvantages. LUKS is good as well for disk encryption. Email encryption is another matter entirely and most people use some variety of PGP, from what I can tell.
I suggest using LUKS. Some distros (recent Fedora for sure, for some reason I suspect Ubuntu as well) provide install-time support for encrypted roots, at which point all you really notice is that your boot is interrupted by a password prompt. I am sure a bit of Googling can help you set this up with other distros. Though I notice 'CentOS w/Cpanel' - do you have exclusive control over the machine in question?
I don't know what you want. Are you defending against your evil older brother or against the NSA?
Repos. Google, also.
Anything worthwhile is done transparently. However, at some point you have to authenticate (or there's no point in having the encryption), so you will be required to enter a password somewhere before the data is accessible. For an encrypted root with LUKS, that's about 5 seconds after grub.
Again, depends on who wants it. Odds are that you are not important enough for anyone to even try decrypting your data, and it's not like AES is a piece of crap or something.
There is necessarily some performance hit, but I don't think it's much on a modern system. My laptop's got the aforementioned LUKS encrypted root setup (primarily so I can pull some civil disobedience should I cross a border with it), and I never noticed a difference.
I've never been a big fan of LUKS for many of the same reasons that I don't like whole-disk encryption under PGP. It becomes painfully obvious you're using it in the first place, which defeats one of the major benefits of encryption. The best secret is one that nobody knows the existence of.
Personally, I like things that i can lock and unlock as needed - for example, there are things like family photos and finances (personal lock), business information (shared lock) and possibly even multiple shared tiers (consulting, for example).
On my desktop right now, I have a mount open for secure docs that my coworkers have the password for, a mount open for secure docs that my clients have a password for, and a mount with just my data that nobody has a password for.
In reality, these are just 3 files sitting on a USB drive that I frequently sync between windows and linux.
My point being - encryption is very personal to the user. The best part of systems like Linux is you have lots of choices.
First off security through obscurity, is not security. So if you're relying on people not knowing your data is "protected"/encrypted you're already in the wrong mindset.
At some point your encryption becomes visible, whether it is when you have to unencrypt it, or when you try to view the encrypted file itself.
To my knowledge there is no such thing as completely transparent encryption. At some point there is an interaction between, you and the encrypted data.
Truecrypt, and LUKS both do a good job at whole disk encryption which is the best option if trying to encrypt the whole OS. If you're just looking to encrypt certain data, then an encrypted volume/file is the general practice. Truecrypt has the ability to create an encrypted volume, with a hidden volume inside of it. Using one password opens the outer volume, and another password opens the inner volume. Thus if you're forced to reveal a password, the outer password can be given and the inner volume remains hidden.
Realistically the best choice you can make for yourself is to completely understand what you need. Start researching ways that other people encrypt/protect the type of data you're looking at. More often than not there is a best practice available for most types of data protection if it's business/enterprise related.
Lastly, Fedora Core, RHEL, and CentOS's more recent version, all give the option when installing to encrypt the partition you're creating/installing on.
First off security through obscurity, is not security. So if you're relying on people not knowing your data is "protected"/encrypted you're already in the wrong mindset.
At some point your encryption becomes visible, whether it is when you have to unencrypt it, or when you try to view the encrypted file itself.
-Rob
I agree - but I believe my point was not security through obscurity, but that obscurity in addition to security buys you time.
Case in point example: A 'tech store employee' snoops on your system. This individual likely lacks the means to bypass any encryption, so unless you hand them the passwords, you're probably fine.
Example 2: TSA/Police cursory inspection. In some cases, even suspicion of encrypted systems will cause them to harass you. They have the legal authority to make life difficult, and the lack of skill to really foul things up. They will not, however, be looking for encrypted files unless you're stupid obvious.
Example 3: Police/Government seizure. Here you're just generally screwed, so only things like nested security volumes and "duress" passwords and the like will save you. This would require a pretty high level of paranoia, really.
I know I keep mentioning it, but really - whole disk encryption is just not something I would recommend, based on a great deal of current and past experience. I've had 3 employers insist on it, and it seriously blows. Back up regularly. Really regularly. It doesn't take much to lose everything.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.