eCryptfs: Single-File Encryption in Linux

Encrypt your files transparently in Linux with eCryptfs, an enterprise-class stacked cryptographic file system. 


If you need to share data in a Linux environment, some basic encryption solutions and practices will allow you to do so in a very secure manner. Many tools enable data encryption in Linux, and each has its pros and cons. Yet many developers try to build their own cryptographic technology, which often gets them into trouble. A better approach is to employ tools that rely on proven cryptographic techniques and algorithms. A great example of this approach is eCryptfs, a complete cryptographic file system for Linux that is essentially a robust implementation of mature cryptographic technology.


eCryptfs, which is embedded inside the Linux kernel, is a stackable solution for single-file encryption. Stackable means that eCryptfs is a layer that works on top of other standard, lower file systems, such as ext3, FAT, FS, XFS, ReiserFS, and (since kernel version 2.6.24.X) NFS. eCryptfs delivers its encryption by using relevant existing kernel services such as keyring management.

This article steps you through the necessary operations for installing and using eCryptfs to allow secure data sharing in your Linux environment. (See the eCryptfs site for more details about how it works.)

Copy, Move, and Backup
One of the great advantages of eCryptfs is that encryption is performed at the single-file level and all the metadata needed for encryption/decryption is embedded in the file itself. This makes each file a little larger than the decrypted version, but it enables:

  • Keeping files encrypted by different users, with different encryption contexts, under the same directory, where each user can access only his/her own files;
  • Moving individual files by copying them in encrypted form to another location, where they will be accessible simply by using the right encryption context;
  • Using backup tools that allow incremental file transfer.

For backups, you can use rsync to mirror secret archives efficiently. Rsync will use secure connections, such as ssh sessions, to transfer data on the network, even though this feature is redundant when you transfer eCryptfs directories. You can periodically mirror the /data directory to the backup_server with this command:


rsync -a --delete /data backup_server:/backup/data

The option -a is equivalent to -rlptgoD. It means recurse into directories, copy symlinks as symlinks, preserve permissions, preserve modification times, preserve group, preserve owner, preserve device files (super-user only), and preserve special files.
