Your data is precious. Getting that data in the wrong hands is not. To that end, administrators go to great lengths to secure said data. Some purchase costly third-party software and some cobble together their own solution. If you happen to run the Linux platform, you can easily install an outstanding encryption tool that allows you to mount an encrypted file system, use it, and unmount it. Once unmounted, the data contained within the file system cannot be read.
One particular usage case for such a tool would be rotating backup drives. Using encryption on an external backup drive would ensure (once the drive is properly unmounted) that the data housed in the drive would be inaccessible. Rotate the drive back in, mount it, and the data is ready to go.
One piece of software to make this process very simple is eCryptfs. The eCryptfs system is a POSIX-compliant enterprise cryptographic stacked filesystem for Linux so it’s ready to serve your encryption needs. Do note, this is a command line tool; but it makes the task of encrypting directories a no-brainer. I want to walk you through the process of installing eCryptfs and then using it to mount an encrypted directory.
Because eCryptfs is found in the standard repositories, it can be installed with a single command. However, with any installation, you’ll want to first update apt with the command:
sudo apt-get update
You can optionally run an upgrade with the command:
sudo apt-get upgrade
Naturally, I recommend doing regular upgrades, as that is the best way of ensuring your servers are always patched. If you’re concerned a kernel upgrade will happen, you might want to run this upgrade at a time when the server can be rebooted.
Once you have apt updated and (optionally), your server upgraded, install eCryptfs with the command:
sudo apt-get install ecryptfs-utils
Once the installation is complete, you’re ready to encrypt.
Let’s say you want to create a new directory, we’ll say /opt/data, and you want to use it to house sensitive data, secured by encryption. To mount this as an encrypted directory, issue the following command:
sudo mount -t ecryptfs /opt/data /opt/data
You will be first asked to enter a passphrase for the encryption and then answer a few of questions pertaining to the level and type of encryption you want to apply (Figure A).
Warning: Make sure you do not issue the above command on a directory that already contains data, or your data will not be accessible. The intention is to create the new directory, encrypt it, move data into it, and then unmount it (so the data can only be accessed once the encrypted directory is successfully remounted).
With the questions answered, you will then be asked to confirm the encryption and your directory will be encrypted. You can move data into the directory and unmount it, so the data is no longer accessible. The unmount command (for our example) would be sudo umount /opt/data. If you then attempt to view the data within the directory, you will see the warning that the data may be a binary file (Figure B).
The only way to view the encrypted file is to remount the directory. This is done in the same manner as you did above. You will have to enter the passphrase you used to encrypt the directory, or the mount will fail. Remount the drive and your data is, once again, available.
That’s all there is to it. You can now create an encrypted directory, fill it with data, and unmount the directory so the data cannot be accessed (until you remount the directory).
Get creative with its application
The eCryptfs tool is a very simple way to create a protected directory, safe from prying eyes. Use this to encrypt backup directories or other locations housing sensitive data; mount them, use them, unmount them. Your data is safe. Get creative with how you apply eCryptfs on your system, it can serve you in many and varied ways.