In this tutorial, we’ll take a look at the different tools we can use to encrypt and decrypt directories and their contents in Linux.
gpgtar is a tool that offers encryption and decryption of a directory in Linux. It encrypts a directory by first archiving it. Then, it encrypts the archive using the gpg command.
To get the gpgtar binary, we can install gnupg-utils in Debian based Linux such as Ubuntu with apt-get:
$ apt-get install -y gnupg-utils
Then, we can verify that the gpgtar command has been installed successfully:
$ gpgtar --version gpgtar (GnuPG) 2.2.19
2.2. General Syntax
Let’s look at the general syntax for the gpgtar command:
gpgtar [options] directory
The options are a list of flags, which we can specify to change the gpgtar command’s behavior. Then, the command accepts one or more directory paths for encryption.
2.3. Encrypting Directory Using Symmetric Key
To ease our demonstration, let’s create a directory top-secret:
$ mkdir top-secret
In that directory, we’ll create a text file secret.txt:
$ echo "this is a secret" > top-secret/secret.txt
Then, let’s encrypt the directory top-secret with gpgtar using a symmetric key:
$ gpgtar --encrypt --symmetric --output top-secret.gpg --gpg-args="--passphrase=top-secret-passphrase --batch" top-secret
Let’s breakdown the command and look at the functionality of each flag.
Firstly, the flag –encrypt instructs gpgtar to encrypts the directory top-secret. Then, the flag –symmetric specifies that the encryption should be carried out using the symmetric key algorithm.
By default, the underlying gpg command will prompt for a passphrase for symmetric key encryptions. To specify the passphrase inline, we pass it using the flag –passphrase. Additionally, the flag –batch is needed to suppress the prompts. Since both –passphrase and –batch flags are actually gpg options, we’ll need to put it into the flag –gpg-args.
Finally, we save the encrypted archive as top-secret.gpg with the flag –output.
2.4. Listing Encrypted Directory
To list an encrypted directory, we can use gpgtar with the flag –list-archive:
$ gpgtar --list-archive --gpg-args "--passphrase=top-secret --batch" top-secret.gpg gpgtar: gpg: AES256 encrypted data gpgtar: gpg: encrypted with 1 passphrase drwxrwxr-x 0 1000/1000 0 2021-01-16 07:11:55 top-secret -rw-rw-r-- 0 1000/1000 9 2021-01-16 07:11:55 top-secret/secret.txt
As we can see from the output, the command simply lists the directory structure of the encrypted archive. This is a convenient feature when we want to peek at an archive without decrypting it explicitly.
Similarly, we’ve supplied the same set of gpg options using the flag –gpg-args to prevent the interactive prompt.
2.5. Decrypting an Encrypted Directory
Using the same tool, we can decrypt an archive:
$ mkdir decrypted $ gpgtar --decrypt --directory decrypted top-secret.gpg gpgtar: gpg: AES256 encrypted data gpgtar: gpg: encrypted with 1 passphrase
Firstly, we’ll need to create a directory to put the decrypted contents. Then, we invoke the gpgtar command with the flag –decrypt to decrypt the archive.
encfs is a tool that provides directory encryption on a filesystem level through an encrypted virtual filesystem. It creates an encrypted filesystem using a pair of directories: an unencrypted directory and an encrypted directory. The unencrypted directory serves as the virtual mount to the encrypted directory.
Behind the scene, encfs encrypt any files in the unencrypted directory. Then, it stores the encrypted files into the encrypted directory. This process happens continuously until the directory has been unmounted.
We can install encfs using apt-get:
$ apt-get install -y encfs
Similarly, the same installation can be performed using yum:
$ yum install -y encfs
3.2. General Syntax
Let’s look at the general syntax of encfs:
encfs [options] rootdir mountPoint [-- [Fuse Mount Options]]
The rootdir argument refers to the directory that contains the encrypted files. On the other hand, mountPoint is the directory that contains the unencrypted files. Following our terminology, the rootdir is referring to the encrypted directory, whereas mountPoint is the unencrypted directory.
Additionally, encfs also accepts a list of Fuse Mount Options. These are the options that will be passed to the underlying FUSE command during the mount creation.
3.3. Creating Encrypted Virtual Filesystem
Firstly, we’ll create 2 directories, unencrypted and encrypted.
$ mkdir -p ~/<em>unencrypted</em> $ mkdir -p ~/encrypted
Then, we can create an encrypted virtual filesystem using encfs:
$ echo "password" | encfs --standard --stdinpass ~/encrypted ~/<em>unencrypted</em>
The command above creates a virtual encrypted filesystem using the encrypted and unencrypted directories pair. Additionally, the flag –standard has been specified to select the standard configuration. To prevent the interactive prompt for the password, the flag –stdinpass has been applied to accept the piped string “password” as the passphrase to this encrypted filesystem.
After executing the command, the encrypted virtual filesystem will be created and mounted onto the path ~/unencrypted.
To demonstrate the capability of encfs, let’s create a file top-secret.txt in the unencrypted folder:
$ cd <em>unencrypted</em> $ echo "this is a top secret" > top-secret.txt
Then, we can see in the encrypted directory. There’s now a new file with a scrambled name:
$ cd ../encrypted $ ls P2DASe2BjMlRWzPBc-XrtKoQ $ cat P2DASe2BjMlRWzPBc-XrtKoQ O?+?3?
As expected, the filename and the content of top-secret.txt in the folder unencrypted has been encrypted.
As we can see, encfs automatically encrypt the file and store it in the other directory. This is a convenient feature when we are handling a directory with active updates. Once mounted, any subsequent writes do not require another command invocation to encrypt the new contents.
Once we’re done interacting, we’ll need to unmount it. This step is important to prevent users without the password from accessing the unencrypted files.
Let’s unmount the encrypted directory with fusermount:
$ fusermount -u ~/<em>unencrypted</em>
After running the command, we can check that the folder unencrypted is now empty:
$ ls -l ~/<em>unencrypted</em> total 0
Whereas the encrypted folder still contains the encrypted file:
$ ls -l encrypted total 4 -rw-r--r-- 1 root root 29 Jan 16 13:17 P2DASe2BjMlRWzPBc-XrtKoQ
To decrypt the files in the encrypted folder, we’ll need to remount the encrypted directory using encfs:
$ echo "password" | encfs --stdinpass ~/encrypted ~/<em>unencrypted</em>
When we remount the encrypted directory, we’ll be prompted for a password by default. This password is the one we’ve entered when we create the encrypted filesystem. Using the flag –stdinpass, we can make encfs to read the password from the standard input stream.
After we’ve remounted the directory, we’ll now see the unencrypted file in the unencrypted folder:
$ ls -l <em>unencrypted</em> total 4 -rw-r--r-- 1 root root 21 Jan 16 13:17 top-secret.txt
In this article, we’ve looked at the different command-line tools to encrypt and decrypt directories in Linux.
We’ve started out with the gpgtar. It is a tool that first archives a directory and then encrypts it.
Finally, we’ve also looked at encfs, which creates a virtual encrypted filesystem. Contrary to gpgtar, encfs mount a virtual filesystem on top of the encrypted folder. Then, it performs the encryption transparently.