Most readers will be familiar with services like KeePass and Passpack which allow passwords, keyphrases and chunks of text to be held in an encrypted location. For enterprises needing to share passwords and other secrets they’re ideal, but for data you only need to access yourself, there are simpler ways to keep your files secure that don’t involve using a remote service.
It’s quite possible to encrypt an entire disk of course, and that’s a very useful approach to guard against the situation where you leave your laptop in the back of a cab, along with a gigabyte or two of sensitive information – provided your laptop is switched off at the time it’s examined. For desktop machines which are switched on 24/7 like my own, full disk encryption is not such a good idea because the data I want to protect is only opaque when the system is powered off, or the disk unmounted.
Fortunately, for Linux users, there’s a simple way to encrypt data selectively within a filesystem in such a way that it can be opened and closed easily, like a safe. EncFS is an open source, user-space encrypted filesystem that’s provided with most Linux distros. Once installed, setting up a stash for your secret stuff is as easy as, for example:
$ mkdir $HOME/vault $HOME/.vault_encfs
$ encfs $HOME/.vault_encfs $HOME/vault
The first time you issue the encfs command, you’ll be prompted for a password twice and the encrypted filesystem will be created. At this point, you can create or copy files into $HOME/vault/ and you’ll see them turn up, encrypted with bizarre and unusual filenames, in $HOME/.vault_encfs/, which is the underlying location (~/vault being as it were a ‘decrypted view’). Subsequent invocations of the command in exactly the same form will mount a pre-existing stash.
As soon as you unmount the ~/vault directory, like this:
$ fusermount -u $HOME/vault
... the decrypted view will disappear, leaving an empty mount point, and your data will be safe from prying eyes.
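The open and close steps above wrapped into one script, as an added example that is not part of the original article. The function names and the VAULT_ENC / VAULT_MNT variables are assumptions; the "leak" state flags files that were written into the mount point while it was unmounted, which therefore sit on disk unencrypted.

```shell
#!/bin/sh
# Added example: open/close/status wrapper around the encfs and fusermount
# commands from the article. Default paths follow the article; the variable
# and function names are assumptions made for this example.
VAULT_ENC="${VAULT_ENC:-$HOME/.vault_encfs}"   # encrypted backing directory
VAULT_MNT="${VAULT_MNT:-$HOME/vault}"          # decrypted view (mount point)

# True if a filesystem is currently mounted on the decrypted view.
vault_is_mounted() {
    mountpoint -q "$VAULT_MNT"
}

# Print "open", "closed" or "leak". "leak" means nothing is mounted but the
# mount point contains files, i.e. they were saved there in the clear.
vault_status() {
    if vault_is_mounted; then
        echo open
    elif [ -n "$(ls -A "$VAULT_MNT" 2>/dev/null)" ]; then
        echo leak
    else
        echo closed
    fi
}

# Mount the vault, but only from a clean closed state.
vault_open() {
    [ "$(vault_status)" = closed ] || {
        echo "refusing to open: vault is $(vault_status)" >&2
        return 1
    }
    mkdir -p "$VAULT_ENC" "$VAULT_MNT"
    encfs "$VAULT_ENC" "$VAULT_MNT"    # prompts for the password
}

# Unmount the vault and confirm an empty mount point is left behind.
vault_close() {
    vault_is_mounted || return 0
    fusermount -u "$VAULT_MNT" && [ "$(vault_status)" = closed ]
}

case "${1:-}" in
    open)   vault_open ;;
    close)  vault_close ;;
    status) vault_status ;;
    *)      echo "usage: vault open|close|status" >&2 ;;
esac
```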
A useful tip if you need to share your encrypted data between a number of computers is to keep your stash in a folder synchronised by a service like Dropbox or Insync. The stash is the encrypted directory ($HOME/.vault_encfs in the above example), not the decrypted view.
A tool called gnome-encfs-manager is available for some Linux desktop environments. This provides a panel applet to create, mount and unmount encrypted folders quickly and easily, so you don’t need to get your hands dirty with the command line.