this post was submitted on 10 Oct 2023
60 points (98.4% liked)

Linux

48266 readers
433 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

I'm vaguely interested in having a few different encrypted folders on my computer, with different passwords on each. I don't have any particular strong requirements. It's more of a velleity; mostly just to try it so that I know more about it.

That said, when I search for encryption options, I see a lot of different advice from different times. I'm seeings stuff about EncFS, eCryptFS, CryFS; and others... and I find it a bit confusing because to me all those names look basically the same; and it's not easy for me to tell whether or not the info I'm reading is out of date.

So figure I'd just ask here for recommendations. The way I imagine it, I want some encrypted data on my computer with as little indication of what it is as possible; and but with a command and a password I can then access it like a normal drive or folder; copying stuff in or out, or editing things. And when I'm done, I unmount it (or whatever) and now its inaccessible and opaque again.

I'm under the impression that there are a bunch of different tools that will do what I've got in mind. But I'm interested in recommendations (since most of the recommendations I've seen on the internet seem to be from years ago, and for maybe slightly different use-cases).

all 24 comments
sorted by: hot top controversial new old
[–] [email protected] 16 points 1 year ago* (last edited 1 year ago) (2 children)

The CryFS developers have a comparison page here that might help you decide what to use. There's a summary table at the bottom that gives a comparison of features between encryption filesystems if you don't feel like reading through it all.

I personally use and would recommend CryFS because it's the only one (that I'm aware of) that plays nice with data synchronization software (i.e. doesn't store the container as a single file) while keeping the directory structure encrypted.

[–] [email protected] 4 points 1 year ago (2 children)

I don't see Cryptomator in the comparison. Doesn't it have a similar feature set?

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

Was not aware of this, thanks! Looks like it does, with a notable difference being that Cryptomator has better cross-platform support in exchange for not having file size obfuscation.

[–] [email protected] 2 points 1 year ago (1 children)

Yeah, Cryptomator does sound like a good option. But I personally found the comment from the developer at the bottom to be a bit off-putting. I don't like when people needlessly trash-talk other options.

If you value privacy higher than availability and integrity, this certainly is a point for CryFS. With Cryptomator, we strive for the best of all three primary security targets [...] [...] I personally dislike snakeoil statements on their website like “the security of CryFS has been proven”. While I don’t see a problem with the cryptography, I prefer to keep some distance from phrases used by all those “military grade security” bogus companies.

He seems to belittle the importance of a key advantage of CryFS, and then goes on to accuse them of being 'snakeoil statements' because CryFS said their security was 'proven' in a masters thesis. I'm sure that 'proven' is not a great choice of word here, but I don't think CryFS was trying to trick anyone. They're just saying that the tool has been thoroughly analysed in a masters thesis and found to be secure.

One of the 'advantages' being touted for Cryptomator is that it is more 'stable' than CryFS. But the claim of stability coimes from CryFS saying their software is in beta while Cryptomator says theirs is complete. The way I see it, that's not really a measure of stability; it's a measure of caution from the developers. Stability and reliability are not things you can just claim, or base on whether or not something is called 'beta'. It's about testing, and analysing. So, in that context of CryFS expressing caution, to say their masters thesis statement is a 'snake oil statement', I think is disingenuous.

(Note: I've given an in-depth explanation of something that really isn't a big deal. What the developer said is not that bad. I just wanted to articulate why I found it off putting.)

[–] [email protected] 1 points 1 year ago

Seems like a pretty minor complaint all in all. It's a free open source project that solves a real world issue well.

Is not like he even bashed the project that much, just pointed out a few of his own pet peeves.

[–] [email protected] 1 points 1 year ago

IMO it has a better feature set because it has a native android app with remote storage support built in, and native desktop apps with a GUI.

[–] [email protected] 3 points 1 year ago

I guess it's mostly because it way written by CryFS people - but that does make CryFS sound pretty good; with the main downside being that it is less mature than some other tools. And it gives useful info on the others regardless.

[–] [email protected] 11 points 1 year ago

What about veracrypt?

It's very easy to use and cross-platform. You can create a volume of arbitrary size, either as a file or using a device/partition, then mount it when you need it.

[–] [email protected] 6 points 1 year ago

I use gocryptfs because it can be used on Android (DroidFs) and Linux desktop so I can sync my shares.

There's a few GUIs for desktop for it that you can try out and see if they help with your use case.

[–] [email protected] 4 points 1 year ago

I appreciate all the comments and links, everyone. Thanks a heap. I feel like I've got a much stronger and up-to-date understanding of what's available now.

While checking out various links, I've found this detailed comparison provided by GoCrypt. It includes comparisons of features, encryption methods, and a couple of performance metrics. So that's valuable information for decision making. I found the CryFS comparison page useful too, but that felt more about highlighting the advantages of their tool rather than a thorougher comparison of different tools.

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago) (1 children)
[–] [email protected] 2 points 1 year ago (1 children)

Yes, until you've to build it from the source because... https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928956

Unfortunately ECryptfs seems to be only one that supports inotify as the other popular solutions (gocryptfs, encfs, cryfs) are all FUSE based and it doesn't seem to play very well with inotify. And cryptomator is another FUSE joke that will lead to data loss.

[–] [email protected] 1 points 1 year ago (1 children)

I had forgotten about LUKE, have you tried it?

[–] [email protected] 1 points 1 year ago (1 children)

I need something that is able to encrypt single files - not an entire disk / partition / volume or a disk image. I'm using Syncthing on those encrypted files so having them as a partition or single file doesn't work out.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

On a folder level that is how I work both in Linux and windows.

For single use encryption the is also GPG.

https://devconnected.com/how-to-encrypt-file-on-linux/

Edit2:

With Syncthing there is options to use a / partition / volume or a disk image. I am assuming you are using a linux desktop.

You can use tools like LUKE with Systemd-homed, where the home folder is encrypted, that get mount at login, and Syncthing service get started after mount.

[–] [email protected] 1 points 1 year ago

Unless I'm missing something, what I need is something that I can point to a folder and say "this is encrypted" and it will mount an unencrypted version of that somewhere. What ECryptfs does is that it encrypts any file I place on the foder individually / doesn't create a single block of data that is hard to sync. GPG is file by file manually.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

I used to use encfs. While it was fine, it hasn't really gotten any dev work in several years, and I wouldn't recommend it as a first choice.

[–] [email protected] 2 points 1 year ago (1 children)

I had pretty good luck with tomb.

[–] [email protected] 2 points 1 year ago (1 children)

I'm not sure what you mean by 'good luck' here. Perhaps you got some really cool random encryption blocks or something? In any case, I hadn't heard of that one yet. So thanks for mentioning it.

Their approach with separate key-files is probably a wise idea for serious security... but I don't think I'm that serious right now.

The puns in the commands feel like they are a style from the past. I don't think people would do that in serious software made today. I guess this one has been around for awhile!

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

I mostly just meant that it was easy to use and never lost or ate any of my data.

I switched over to cryptomator because it lines up better with my use case, but I've heard rumors of it losing data, so I'm keeping a close eye on it for now.

[–] [email protected] 2 points 1 year ago (1 children)

What's your threat model?

Personally I think full disk encryption with LUKS is the only worthwhile setup. Directory-based encryption software tends to be error-prone, and is much more vulnerable.

[–] [email protected] 1 points 1 year ago

One advantage of directory-based encryption is for online backups. I use SpiderOak to backup some stuff, and so I can tell it backup my encrypted data without it ever seeing the unencrypted data. I don't think that's so easy with full-disk encryption. (I suspect only a handful people in the world still use SpiderOak, but the idea applies to whatever cloud backup thing you might use.)

Similarly, it means I can lend a portable HDD to someone to share videos or something, but still have private stuff stored on there as well if I want to.

[–] [email protected] 1 points 1 year ago

I personally use cryptomator https://cryptomator.org/

Because I can use it regardless of the underlying file system and OS, you can set up different vaults and you can store these vaults in the cloud if you want so you can access your shit on any device