
#1 2011-11-18 00:21:02

.:B:.
Forum Fellow
Registered: 2006-11-26
Posts: 5,819
Website

Best solution to create an encrypted container

I am looking to encrypt my data. I'd rather not encrypt my /home partition (or any other partition) and stick with a container that I can hide inside it. Truecrypt comes to mind, but I know there are other solutions out there like eCryptFS and loop-AES (I have used the latter a few years back for full-disk encryption).

I was just wondering if Truecrypt is the way to go, or if there are any better solutions for this setup? I already use GnuPG for ad-hoc file encryption, but using it to encrypt whole directories would be rather cumbersome, I imagine :P


Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy

Offline

#2 2011-11-18 00:28:49

lagagnon
Member
From: an Island in the Pacific...
Registered: 2009-12-10
Posts: 1,087
Website

Re: Best solution to create an encrypted container

I use ecryptfs as per the wiki and then wrote a simple script like this to deal with my ~/Private folder when I need to encrypt something:

#!/bin/sh
# Script to make creation of encrypted files easier.
# L. G. Gagnon, Nov 2010
#
#this line 6 below does not act as planned
ans=$(zenity --entry --hide-text --text="Enter your encryption passphrase now.") || exit 1
# Pass the passphrase on stdin ("-"), quoted so spaces and wildcards in it survive.
printf '%s' "$ans" | ecryptfs-add-passphrase -
unset ans
mount -i /home/larry/Private
zenity --info --text="About to launch file manager.\nMove files you wish to encrypt to the Private directory.\nWhen done exit file manager to encrypt and unmount."
xfe /home/larry/Private
umount -i /home/larry/Private
exit 0

Philosophy is looking for a black cat in a dark room. Metaphysics is looking for a black cat in a dark room that isn't there. Religion is looking for a black cat in a dark room that isn't there and shouting "I found it!". Science is looking for a black cat in a dark room with a flashlight.

Offline

#3 2011-11-18 00:30:11

/dev/zero
Member
From: Melbourne, Australia
Registered: 2011-10-20
Posts: 1,247

Re: Best solution to create an encrypted container

Maybe my information is out of date, but the last I heard, Truecrypt has some minor security flaws.

A solution that comes to mind would be to create an encrypted partition using LUKS + LVM, which you mount in your home directory using a crypttab.

However, I'm under the impression that this also creates information leaks (e.g. think about what's going in /tmp and /var), and really the safest bet is to use full disk encryption with only /boot left unencrypted.

Last edited by /dev/zero (2011-11-18 00:30:53)

Offline
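
The LUKS approach from post #3, adapted to the container file asked for in the first post, as an added example that is not part of any post in this thread. It assumes cryptsetup and root privileges; the file path, mapper name, mount point and the `DRY_RUN` helper are hypothetical, and the container is opened by hand rather than through a crypttab entry.

```shell
#!/bin/sh
# File-backed LUKS container (added example; names and paths are hypothetical).
# With DRY_RUN=1 every command is printed instead of executed, so the plan
# can be reviewed before anything touches the disk.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# create_container FILE SIZE_MIB NAME
create_container() {
    file=$1; size=$2; name=$3
    if [ -e "$file" ]; then
        echo "refusing to overwrite $file" >&2
        return 1
    fi
    # Random fill hides how much of the container is actually in use.
    run dd if=/dev/urandom of="$file" bs=1M count="$size" || return 1
    run chmod 600 "$file" || return 1
    run cryptsetup luksFormat "$file" || return 1   # prompts for a passphrase
    run cryptsetup open "$file" "$name" || return 1
    run mkfs.ext4 "/dev/mapper/$name" || return 1
    run cryptsetup close "$name"
}

# open_container FILE NAME MOUNTPOINT
open_container() {
    run cryptsetup open "$1" "$2" || return 1
    # Do not leave the mapping open if the mount fails.
    run mount "/dev/mapper/$2" "$3" || { run cryptsetup close "$2"; return 1; }
}

# close_container NAME MOUNTPOINT
close_container() {
    run umount "$2" || return 1
    run cryptsetup close "$1"
}
```

Files are only protected while the container is closed, and anything an application writes outside the mount point (the /tmp and /var leaks mentioned above) stays unencrypted.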

#4 2011-11-18 01:38:40

thisoldman
Member
From: Pittsburgh
Registered: 2009-04-25
Posts: 1,172

Re: Best solution to create an encrypted container

I've used encfs. It uses fuse for the filesystem interface and acts very much like an encrypted directory – growing and shrinking on demand.

I was happily impressed with how simple it is to use: you don't have to be root to create an encrypted container and it's layered on top of the existing filesystem, meaning no reformatting or setting up a separate partition.

It doesn't hide files should someone get their hands on your PC, but they won't be able to read the encrypted file or determine a stored file's unencrypted name.

Offline

#5 2011-11-18 01:44:22

milomouse
Member
Registered: 2009-03-24
Posts: 940
Website

Re: Best solution to create an encrypted container

Not sure if this is exactly what you want, but you could look at using "Elettra" ( http://www.winstonsmith.info/julia/elettra/ ) and have a large container with all your private files stored inside with a jumble of static-like padding filling the gaps, where each or all files have a certain password to extract the desired (single, group, or all) file(s) from the container. This should create what's called "plausible deniability" because there's no telling what's actually data and what's just jumble inside the container, also helped with compression. The website and docs detail it much better (with different methods of storing, etc.), and will also show whether or not it's something you want to try. This method of "plausible deniability" is better suited for pro-active defense when faced with real-life opposition as opposed to remote intrusion, I think. I still prefer loop-AES for external drives and partitions, but it's getting harder to maintain a loop-AES (losetup) system, especially with all the GIT updates going on. AFAIK, it's one of the best encryption methods (which I think we've discussed before). Anyway, (*disappears*)

Offline

#6 2011-11-18 13:35:31

.:B:.
Forum Fellow
Registered: 2006-11-26
Posts: 5,819
Website

Re: Best solution to create an encrypted container

Thanks guys, I'll look into those.

/dev/zero: I was afraid of Truecrypt having some problems. Nevertheless fully encrypting the whole disk seems to be a bit overkill for what I'm trying to achieve - the main goal is my data being safe when my laptop gets lost or stolen, not when it's active.


Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy

Offline

#7 2011-11-18 17:19:17

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: Best solution to create an encrypted container

Ha, so paranoia kicks in again :)

When it comes to security -- the simpler the better. I just use gpg to encrypt text/pdf/tar.xz files.

Also, don't forget email passwords. For instance, if you have thunderbird/claws your passwd is stored in MD5 form in .mozilla/.claws dir. IMHO this is security-by-obscurity because anyone could rip-off the decoding code (it's OSS) and use it to extract passwords. The only software, to my knowledge, which interfaces with gpg on-the-fly is msmtp, so you can store your password in an encrypted file.

Last edited by Leonid.I (2011-11-18 17:19:58)


Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd

Offline

#8 2011-11-19 09:07:46

gregor
Member
From: /planet/tmpfs
Registered: 2011-06-20
Posts: 175

Re: Best solution to create an encrypted container

Offline

#9 2011-11-19 11:30:20

fabertawe
Member
From: Lloegr
Registered: 2009-11-24
Posts: 279

Re: Best solution to create an encrypted container

I use ecryptfs with the Private folder automatically mounted when I login. I symlink things like Firefox and Thunderbird to it. I backup /home with encfs.


Ryzen 9 5950X, X570S Aorus Pro AX, RX 6600, Arch x86_64

Offline
