I have a Lenovo pc and am running Ubuntu 20.04 LTS.
I would like to encrypt a file or directory on an external-HDD attached to the pc via USB port (to store data that should be VERY VERY SECURE).
How does one go about this?
135 Answers
How to Make an Encrypted File / Directory
Install p7zip-full from universe repository
Right click file or folder and select
Compress.Confirm archive name and select
.7z, thenCreate.Right click .7z archive select open with Archive Manager.
Select three line icon upper right, click Password to create AES-256 encrypted archive.
Notes
You will need to install 7Zip to open archive on a Windows machine.
Selecting and remembering a strong password is an important part of encryption security. There are many good articles about this topic on the internet.
HDD's, SSD's and flash drives can all brick without notice. SLC, (Single Level Cell) SSD's and flash drives have the longest life spans. It is a good idea to keep a backup drive and copy of the password in your safety deposit box.
A full tutorial on P7Zip-Desktop can be found at:
6(For a directory I would tar it to a file)
Encrypting can be done with ...
gpg -c {file}Provide a decent password. To decrypt:
gpg {file}.gpgand provide the password you used. If you want to decrypt using Windows you can use "gpg4win". Remove the original file after you are done.
rinzwind@schijfwereld:~$ ls -ltr test
-rwx------ 1 rinzwind rinzwind 418 mei 14 18:11 test
rinzwind@schijfwereld:~$ file test
test: POSIX shell script, ASCII text executable
rinzwind@schijfwereld:~$ gpg -c test
rinzwind@schijfwereld:~$ file test*
test: POSIX shell script, ASCII text executable
test.gpg: GPG symmetrically encrypted data (AES256 cipher)
rinzwind@schijfwereld:~$ more test.gpg
�
�KY+�7���S/?Gp��(�ր��z&ĥ��Ag�����)|�IT[���>e�:\#/����Xko��^�)��@��m�6�'� �vp;��؞ �XX���&�>Uk�v���rY!��sD����A�
r��=���'Ug�G�|6&(�l���\����fc��Q�Xn \�k�^�
�-�����G*��J��EI would then add some extra security:
sudo -ichown root:root {file}chmod 000 {file}chattr +i {file}
The last one sets the immutable bit and to change anything you 1st need to do chattr -i {file}. It will look like this:
---------- 1 root root 353 mei 16 09:05 test.gpgAn extra extra method could be to add a "." to the beginning of the file to make it hidden.
3You can use cryptsetup on a sparse file to create an auto-growing, encrypted container.
If you don't have cryptsetup installed yet, run:
$ sudo apt update && sudo apt install cryptsetupNote: This will not work on FAT32 or exFAT volumes because they don't support sparse files. You need to use NTFS or ext4, or preallocate the disk space ahead of time.
Root required because cryptsetup creates devices in /dev.
Create a sparse file which will be used to store the encrypted data. Sparse files don't take all the space upfront, but grow as you add data to them.
10Ghere means that you'll be able to store up to 10 GB of data in the container (actually slightly less due to filesystem overhead).$ truncate -s 10G encrypted.luks(some tools will report this file as 10 GB in size from the very beginning - that's fine)
Create an encrypted container inside the file.
$ sudo cryptsetup luksFormat encrypted.luks WARNING! ======== This will overwrite data on encrypted.luks irrevocably. Are you sure? (Type uppercase yes): YES Enter passphrase for encrypted.luks: Verify passphrase:Open the encrypted container.
$ sudo cryptsetup open encrypted.luks encrypted Enter passphrase for encrypted.luks:Create a filesystem inside the container. (Choose any - it doesn't have to match drive's filesystem.)
$ sudo mkfs.ext2 -m0 -Lencrypted /dev/mapper/encrypted mke2fs 1.45.5 (07-Jan-2020) Creating filesystem with 2617344 4k blocks and 655360 inodes Filesystem UUID: d61f80bc-e3aa-41c8-91ca-97b8302d8bc0 Superblock backups stored on blocks: 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632 Allocating group tables: done Writing inode tables: done Writing superblocks and filesystem accounting information: doneYou can now mount the filesystem.
$ sudo mount /dev/mapper/encrypted /mnt $ ls /mnt lost+found
The container file should be much less than 10 GB if checked with the right tool:
$ du -h encrypted.luks
249M encrypted.luks
$ du -h --apparent-size encrypted.luks
10G encrypted.luksTo "eject" or remove the container:
Unmount it.
$ sudo umount /mntClose the container.
$ sudo cryptsetup close encryptedOptionally remove the file if you want to destroy the container.
$ sudo rm encrypted.luks
Note that the container won't shrink when you remove files from it. You can try to open it with --allow-discards and then fstrim -v /mnt to punch holes in the sparse file again. It worked for me on local disks, but not on an USB drive. Maybe it depends on the "parent" filesystem, I don't know.
I suggest using gocryptfs or something similar, so you don't waste your CPU time on compressing files.
To install:
$ sudo apt install gocryptfsTo start working, create an empty folder:
$ mkdir user-secret-stuffInitialize encrypted filesystem:
$ gocryptfs -init user-secret-stuffIt asks your for a password. Give it a secure long password/passphrase that you can remember. Then it gives you a "master key"; save it in a safe place.
Now to open the encrypted directory and save/access files in there, use:
$ mkdir /tmp/files
$ gocryptfs user-secret-stuff /tmp/filesGive it your password and your files are available at /tmp/files.
To clean-up:
$ fusermount -u /tmp/files
$ rm -d /tmp/filesAnother great tool to create an encrypted file container is VeraCrypt:
Cryptsetup and LUKS are better in terms of Linux integration and security while VeraCrypt main advantage is portability, ie. you can mount the same container both in Linux and MS-Windows and multiple other systems.
Daily use of VeraCrypt in Linux has its own disadvantages that are discussed in other questions.
Please note that no encryption could save you from the lack of daily security hygiene, but that's a very broad topic worth of multivolume doctoral thesis.
1
