How to create an encrypted vault with KDE Vaults

If you're looking for a way to seamlessly work with encryption on the desktop, give KDE Vaults a try.

Back in 2017, a new feature was introduced to KDE Plasma, called Vaults. As the name implies, the ability to create encrypted vaults is built into the desktop environment, making it incredibly easy for users to work with encryption.

The tool works in conjunction with CryFS and can be used locally or with cloud services such as Dropbox, iCloud, OneDrive, and more. With CryFS, you don't have to worry about the system exposing information about the encrypted directory structure. However, the one caveat to working with CryFS is that there hasn't been an independent security audit that confirms its claims, so use it with discretion.

With that said, let's walk through the process of creating an encrypted vault with KDE's Vaults.

What you need

The only thing you need is a PC running KDE Plasma (preferably a fully updated one). The Vaults system came into play at version 5.1 of KDE, so if you're running a version of the Plasma desktop that was installed or upgraded in 2018, you should be good to go.

Creating a vault

On the KDE desktop panel, you'll see a small lock icon in the system tray. Click that and the Vaults menu will appear (Figure A).

Figure A

The Vaults menu will display any current vaults you have.


In this menu, click the Create a New Vault button. In the resulting window (Figure B), you'll be prompted to give your new vault a name. At this point, you can also change the encryption backend by clicking the Change button. The available encryption backends will depend upon what you have installed on your system. Out of the box, you will only see CryFS and EncFS. If you're not keen on using a backend that hasn't been fully audited, select EncFS; otherwise, stick with CryFS.

Figure B

Naming your vault and selecting the encryption backend.


Once you've named your vault and selected the backend, click the Next button. The resulting screen is simply a description and warning about CryFS (that, although it is safe, it hasn't been audited), so click Next again. In the following screen (Figure C), type and verify a strong password for your vault. I highly recommend using a password manager for this step (using a password you cannot memorize).

Figure C

Use a very strong password for your vault.


Now we must select an encryption location and a mount point (Figure D). If you want to incorporate Vaults into Dropbox (or another cloud service), select a mount point that is within your locally stored cloud directory (such as ~/Dropbox/Vaults). Unless you have a valid reason not to, I'd stick with the default locations and click Next.

Figure D

Locations for encrypted data and mount point.


The final window (Figure E) offers one very interesting option. Near the bottom, you'll see the option Go offline while this vault is open. If you're paranoid about the data contained within the created vault, you can enable this option so that both networking and Bluetooth will be disabled while the vault is open. This is an option you don't find in many similar products and should help to satisfy those looking for the utmost protection from a standard desktop encryption tool.

Figure E

Disable networking and Bluetooth while the vault is open.


Click the Create button, and your vault is ready. You will notice, immediately, that your KDE desktop networking has been taken offline. Why? Because your newly created vault is open.

Accessing your vault

Open the Dolphin file manager. Unless you've changed the mount point for your vault, you should see a directory in your user home (~/) called Vaults. Navigate into that directory, and you should see any vaults you have created. Because you just created this new vault, it will appear unlocked in Dolphin (Figure F).

Figure F

Our unlocked vault on the right.


How do you lock a vault? Easy. Click on the Vaults icon in the system tray (Figure G). The unlocked vaults appear with an upward-pointing icon (for unmount), whereas the locked vaults appear with a downward-pointing arrow (for mount). Unlocked vaults will also include a green indicator that networking was disabled.

Figure G

Locked and unlocked vaults in the Vaults popup menu.


Within Dolphin, locked vaults will appear with a standard folder icon. This is very important: While the vault is locked, you can still add files to the folder. However, any file you add to a locked folder will not only be unencrypted, but it will also interfere with the vault's ability to be locked or unlocked. In other words, if you add files to a locked vault, you will not be able to unlock it until you delete those files, so only add files/folders to an unlocked vault.
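
The condition described above can be checked from a terminal before you try to unlock a vault. The following script is an added example, not part of the original article or of KDE's own code; it assumes vault mount points live under ~/Vaults as described above, and the function names (is_mounted, vault_state, scan_vaults) are illustrative.

```shell
#!/bin/sh
# Added example: report the state of every vault mount point under a parent
# directory (assumed default: ~/Vaults). A locked vault is just an ordinary
# directory, so anything found inside it is stored unencrypted.

# is_mounted DIR -> exit status 0 if DIR is an active mount point.
is_mounted() {
    if command -v mountpoint >/dev/null 2>&1; then
        mountpoint -q "$1"
    else
        # Fallback: match the mount-point column of /proc/mounts
        # (does not handle paths containing spaces).
        awk -v d="$1" '$2 == d { found = 1 } END { exit !found }' /proc/mounts
    fi
}

# vault_state DIR -> prints one of: missing, unlocked, locked-clean, locked-stray
vault_state() {
    vdir=$1
    if [ ! -d "$vdir" ]; then
        echo missing
    elif is_mounted "$vdir"; then
        echo unlocked            # FUSE filesystem is mounted; contents are the decrypted view
    elif [ -n "$(ls -A "$vdir" 2>/dev/null)" ]; then
        echo locked-stray        # plaintext files sit in the bare mount point
    else
        echo locked-clean        # empty directory, safe to unlock
    fi
}

# scan_vaults PARENT -> prints "state<TAB>path" for each subdirectory of PARENT.
scan_vaults() {
    parent=$1
    for d in "$parent"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        printf '%s\t%s\n' "$(vault_state "$d")" "$d"
    done
}

# Run against the directory given as the first argument, or ~/Vaults.
scan_vaults "${1:-$HOME/Vaults}"
```

Any path reported as locked-stray holds files that were written while the vault was locked; move them out, unlock the vault, and copy them back in so they are actually encrypted.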

When you open the Vaults pop-up menu and click to unlock a vault, you will be prompted for the vault password. Enter that and the vault will unlock, giving you access to the data within. Remember, if you enabled the feature to take the machine offline when a vault is unlocked, you will not be able to access your network until you lock the vault.

Easy desktop encryption

The developers of KDE made one of the handiest encryption tools I've used in a long time. If you're looking for a way to seamlessly work with encryption on the desktop, give Vaults a try. You'll be surprised how easy desktop encryption can be.

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.
