In this guide we will cover what encryption is, how to encrypt and decrypt files on Linux, and how to securely delete files.
What is encryption?
Encryption is the process of converting readable data (plaintext: text, files, or whole folders) into ciphertext, which cannot be read without first decrypting it with the right key. Encryption is a fundamental part of data security and is used every day in HTTPS/TLS connections to websites and in card payment processing inside stores.
What are the different types of encryption?
- Symmetric encryption
  - The same “key” is used for both encryption and decryption
  - Fast and efficient, which is why it is used for bulk data such as files
  - Examples: AES (Advanced Encryption Standard), Blowfish, Twofish
- Asymmetric encryption
  - A pair of keys is used: a public key for encryption and a private key for decryption
  - The public key can be shared freely, since only the holder of the private key can decrypt the data
  - Examples: RSA (Rivest-Shamir-Adleman), ECC (Elliptic Curve Cryptography, e.g. ECDH)
- Hash functions
  - Not encryption at all, but usually discussed alongside it: a hash function turns input of any size into a fixed-size digest (hash) and is used to check data integrity
  - A hash is never “decrypted”; instead a password is verified by hashing what the user typed and comparing the result with the stored hash
  - Examples: SHA-256 (Secure Hash Algorithm 256-bit), MD5 (Message Digest Algorithm 5, now broken and unsuitable for security use)
How to encrypt/decrypt files and folders with GPG
SHA-1 has been found to be vulnerable to collision attacks. A collision occurs when two different inputs produce the same hash output. A collision does not let anyone decrypt a file without the correct passphrase; it matters wherever the hash stands in for the data itself, such as digital signatures and integrity checks, because an attacker could substitute a different document that carries the same hash. Although NIST has been phasing SHA-1 out since 2010, GPG 2.0 and older still use SHA-1 as the default digest for turning a passphrase into an encryption key (the “string-to-key”, or S2K, step).
SHA-256 is a newer and more secure hash function; its 256-bit output makes finding collisions computationally infeasible with known techniques. Newer GPG releases (2.1 and later) default to SHA-256 for this step, but the default depends on the version and distribution you are running. We will therefore explicitly declare both the cipher and the S2K digest in every command in this guide, so the protection of your encrypted data does not depend on whichever defaults you happen to have.
In each of the following command examples, replace the placeholders (yourpassword, file.txt and the output file names) with your own filenames and passphrase. Be aware that a passphrase given as a command-line argument is visible to other users of the machine in the process list (ps) and is saved in your shell history; for anything beyond a quick test, prefer --passphrase-file pointing at a file with mode 600, or drop --batch and --passphrase so GPG prompts for it. On GnuPG 2.1 and later, --passphrase and --passphrase-file only take effect when --pinentry-mode loopback is also given, which is why the commands below include it.
Installing GPG:
Debian/Ubuntu:
sudo apt install gnupg
RHEL/CentOS/Rocky/Alma:
sudo dnf install gnupg
Encrypting with AES-256:
gpg --batch --pinentry-mode loopback --passphrase yourpassword --symmetric --cipher-algo AES256 --s2k-digest-algo SHA256 -o file.aes.gpg file.txt
Encrypting with Blowfish:
gpg --batch --pinentry-mode loopback --passphrase yourpassword --symmetric --cipher-algo BLOWFISH --s2k-digest-algo SHA256 -o file.blowfish.gpg file.txt
Encrypting with Twofish:
gpg --batch --pinentry-mode loopback --passphrase yourpassword --symmetric --cipher-algo TWOFISH --s2k-digest-algo SHA256 -o file.twofish.gpg file.txt
Decrypting files:
gpg --batch --pinentry-mode loopback --passphrase yourpassword --decrypt -o file.txt file.aes.gpg
Replace file.aes.gpg with the name of your encrypted AES, Blowfish, or Twofish file; GPG reads the cipher that was used from the file itself, so no --cipher-algo is needed when decrypting. Of the three ciphers, AES-256 is the sensible default. Blowfish has a 64-bit block size, which makes it a poor choice for large files (repeated blocks start to leak information after a few gigabytes under one key), and Twofish, while sound, is far less widely reviewed and supported; both are shown only for completeness.
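The commands above as one complete round trip. This is an added example, not code from the original article: it reads the passphrase from a mode 600 file instead of the command line, uses --pinentry-mode loopback as GnuPG 2.1 and later require for non-interactive passphrases, pins the S2K settings (salted and iterated, SHA-256, maximum iteration count), works in a throwaway GNUPGHOME so your keyring is untouched, and confirms both that the decrypted output matches the original and that a wrong passphrase is rejected. The sample file, the passphrases and the helper function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: an AES-256 GnuPG round trip
# that keeps the passphrase out of argv and shell history by reading it from
# a file, and that proves a wrong passphrase is rejected.
# Assumes GnuPG 2.1 or later (needs --pinentry-mode loopback) and mktemp.
set -eu

# encrypt_file PLAINTEXT OUTPUT PASSPHRASE_FILE
# Symmetric AES-256; S2K mode 3 = salted and iterated, SHA-256 digest,
# maximum iteration count so passphrase guessing is as slow as possible.
encrypt_file() {
    gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-file "$3" \
        --symmetric --cipher-algo AES256 \
        --s2k-mode 3 --s2k-digest-algo SHA256 --s2k-count 65011712 \
        --output "$2" "$1"
}

# decrypt_file CIPHERTEXT OUTPUT PASSPHRASE_FILE
# The cipher and S2K parameters are read from the file, so none are repeated.
decrypt_file() {
    gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-file "$3" \
        --decrypt --output "$2" "$1"
}

# gpg_round_trip: encrypt constructed sample data in a throwaway GNUPGHOME,
# check the ciphertext does not contain the plaintext, decrypt it back, and
# make sure a wrong passphrase fails. Returns 0 on success.
gpg_round_trip() {
    work=$(mktemp -d)
    GNUPGHOME="$work/gnupghome"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"

    # constructed sample input and passphrases (not real secrets)
    printf 'constructed sample secret: account=alice token=abc123\n' > "$work/file.txt"
    printf 'correct horse battery staple\n' > "$work/pass"
    printf 'wrong passphrase\n' > "$work/wrongpass"
    chmod 600 "$work/pass" "$work/wrongpass"

    encrypt_file "$work/file.txt" "$work/file.aes.gpg" "$work/pass"
    if grep -q 'abc123' "$work/file.aes.gpg"; then
        echo "plaintext leaked into ciphertext" >&2; return 1
    fi

    decrypt_file "$work/file.aes.gpg" "$work/out.txt" "$work/pass"
    cmp -s "$work/file.txt" "$work/out.txt" || { echo "round trip mismatch" >&2; return 1; }

    # a wrong passphrase must be rejected (non-zero exit, no output file)
    if decrypt_file "$work/file.aes.gpg" "$work/bad.txt" "$work/wrongpass" 2>/dev/null; then
        echo "wrong passphrase was accepted" >&2; return 1
    fi

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return 0
}

if command -v gpg >/dev/null 2>&1; then
    gpg_round_trip && echo "AES-256 round trip OK, wrong passphrase rejected"
else
    echo "gpg not installed; see the install commands above" >&2
fi
```

The temporary GNUPGHOME matters beyond tidiness: gpg-agent caches symmetric passphrases, so a test run against your real home directory would leave the passphrase cached for later sessions.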
How to encrypt/decrypt files and folders with EncFS
EncFS is a FUSE filesystem that encrypts each file with AES. The volume key is protected by a key derived from your password with PBKDF2 (Password-Based Key Derivation Function 2), which iterates an internal pseudorandom function (PRF) many times over the password and a salt so that guessing passwords is deliberately slow. Note that a 2014 security audit of EncFS found design weaknesses, especially when an attacker can compare several versions of the encrypted directory (for example a folder synced to cloud storage); it remains convenient for local use, but for a new setup consider a more modern alternative such as gocryptfs or a LUKS volume.
Installing EncFS
Debian/Ubuntu:
sudo apt install encfs
RHEL/CentOS/Rocky/Alma:
sudo dnf install encfs
Encrypting files
Create your encrypted directory:
mkdir ~/encrypted
Create your directory to mount the unencrypted data:
mkdir ~/decrypted
Initialize EncFS:
encfs ~/encrypted ~/decrypted
Both directories should be empty the first time you run this. Do not use a mount point that already holds data: anything in it is hidden while the encrypted filesystem is mounted on top.
Follow the prompts:
Standard mode uses an AES key size of 192 bits and PBKDF2 with a 0.5 second runtime and a 160-bit salt.
Paranoia mode uses an AES key size of 256 bits and PBKDF2 with a 3 second runtime, and adds a message authentication code (MAC) to every block so tampered ciphertext is detected. Paranoia mode is more secure; the longer PBKDF2 runtime only slows mounting, but the per-block MAC makes reading and writing large files noticeably slower.
Copy your files into the decrypted directory:
cp file.blowfish.gpg ~/decrypted
💡 Yes, you can put an already-encrypted file inside the EncFS volume. It does no harm, but it is mostly cosmetic: an attacker who obtains the ciphertext needs both passphrases, so the extra layer only helps if the two passphrases are independent and strong.
Unmount the encrypted filesystem:
fusermount -u ~/decrypted
Now the decrypted directory shows as empty, and the files within the encrypted directory have encrypted names and contents. Be aware of what EncFS does not hide: the number of files, their approximate sizes, the directory structure and the modification times all remain visible.
Decrypting files:
encfs ~/encrypted ~/decrypted
The files are visible again in the decrypted folder after you enter the correct password.
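The EncFS steps above as one non-interactive script. This is an added example rather than the article's own commands: it uses encfs's --standard and -S (read the passphrase from stdin) options so no prompts appear, writes a constructed file through the mounted view, unmounts, and then checks what the encrypted directory does and does not reveal before mounting again. It assumes encfs, fusermount and a usable /dev/fuse; the helper names, paths, passphrase and sample data are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: the EncFS procedure run
# non-interactively, then a look at what the encrypted side still reveals.
# Assumes encfs, fusermount and a working FUSE (/dev/fuse); all paths and the
# sample file are constructed in a temporary directory.
set -eu

# encfs_mount ENCRYPTED_DIR PLAIN_DIR PASSFILE
# --standard: create the volume in standard mode without the config prompt
#             (ignored once the volume already exists)
# -S: read the passphrase from stdin instead of a terminal
encfs_mount() {
    mkdir -p "$1" "$2"
    encfs --standard -S "$1" "$2" < "$3"
}

# encfs_umount PLAIN_DIR
encfs_umount() {
    fusermount -u "$1"
}

# encfs_round_trip: mount, write a file through the plaintext view, unmount,
# check that the plaintext is gone from the mount point and that the
# encrypted directory holds only ciphertext (plus EncFS's own .encfs6.xml),
# then mount again and read the file back. Returns 0 when all checks pass.
encfs_round_trip() {
    work=$(mktemp -d)
    enc="$work/encrypted"; dec="$work/decrypted"
    printf 'correct horse battery staple\n' > "$work/pass"   # constructed
    chmod 600 "$work/pass"

    encfs_mount "$enc" "$dec" "$work/pass"
    printf 'constructed secret: token=abc123\n' > "$dec/secret.txt"
    encfs_umount "$dec"

    # the mount point is empty again once unmounted
    [ -z "$(ls -A "$dec")" ] || { echo "mount point not empty after unmount" >&2; return 1; }

    # the encrypted side: the config file plus one file with an encrypted name
    n=$(find "$enc" -type f ! -name .encfs6.xml | wc -l)
    [ "$n" -eq 1 ] || { echo "expected 1 encrypted file, found $n" >&2; return 1; }
    if grep -rq 'abc123' "$enc"; then
        echo "plaintext visible in encrypted directory" >&2; return 1
    fi
    # what EncFS still leaks: the file count and the approximate size
    find "$enc" -type f ! -name .encfs6.xml -exec stat -c 'ciphertext %s bytes (name encrypted)' {} \;

    # mount again with the same passphrase: the file is readable once more
    encfs_mount "$enc" "$dec" "$work/pass"
    grep -q 'abc123' "$dec/secret.txt" || { encfs_umount "$dec"; return 1; }
    encfs_umount "$dec"
    rm -rf "$work"
}

if command -v encfs >/dev/null 2>&1 && [ -e /dev/fuse ]; then
    encfs_round_trip && echo "EncFS round trip OK"
else
    echo "encfs or FUSE not available; see the install commands above" >&2
fi
```

Keep the passphrase file out of the encrypted directory and out of any synced folder; with -S the passphrase never appears in the process list, which is the point of reading it from a file rather than passing it as an argument.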
Securely deleting files with Shred and SRM
If you want to make sure the original (unencrypted) file or folder cannot be recovered from the machine with data-recovery software, you must delete it securely. Using rm
is not enough: it only removes the directory entry, and the data blocks keep their contents on disk until they happen to be overwritten by new data.
Shred and SRM are two common tools for overwriting files before removing them. Shred (part of coreutils) is fast, performs a few random passes and only handles individual files, not directories. SRM (from the secure-delete package) defaults to a far more exhaustive 38-pass Gutmann wipe and can recurse into directories, at the cost of being much slower; on current drives the extra passes add little, since a single overwrite is already considered sufficient for modern media (NIST SP 800-88). Both tools rely on the file's blocks being overwritten in place, which is not guaranteed on SSDs (wear levelling writes to fresh cells), on copy-on-write or snapshotting filesystems such as Btrfs and ZFS, on journaling filesystems in data=journal mode, or where backups and cloud sync have already made copies; shred's own manual page warns about this. Where it truly matters, the reliable approach is full-disk encryption with the key discarded when the disk is retired.
Deleting a file with Shred
Install Shred:
Debian/Ubuntu:
sudo apt install coreutils
RHEL/CentOS/Rocky/Alma:
sudo dnf install coreutils
Shred a file:
shred -uzn 5 file.txt
- -u removes the file after overwriting it
- -z adds a final overwrite pass of zeros so the file does not look shredded
- -n 5 performs 5 random-data passes before that final pass (the default is 3)
Deleting a file with SRM
Install SRM:
Debian/Ubuntu:
sudo apt install secure-delete
RHEL/CentOS/Rocky/Alma:
sudo dnf install secure-delete
Securely remove a file:
srm -z file.txt
- -z makes the final overwrite pass use zeros instead of random data
Securely remove a directory:
srm -rz folder/
- -r recurses into the directory and removes its files and subdirectories
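For both tools above, the check a practitioner wants before trusting an overwrite is whether the filesystem overwrites in place at all. The script below is an added example, not part of the original article or of either tool: it wraps shred with find so a whole directory tree can be wiped (the gap noted above, which otherwise calls for srm -r), and warns when the filesystem type reports copy-on-write, snapshotting or memory-backed storage where the old blocks may survive. The list of filesystem types, the helper names and the sample files are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: wipe a single file or a whole
# directory tree with shred (which cannot recurse by itself), after checking
# whether overwriting in place can even reach the old data on this filesystem.
# Uses only coreutils/findutils: shred, stat, find, mktemp. The list of
# filesystems treated as "not overwritable in place" is this example's own.
set -eu

# overwrite_is_effective PATH
# Returns 0 if shred's in-place overwrite plausibly reaches the data, 1 if the
# filesystem is copy-on-write, snapshotting or memory-backed, where shred only
# scrubs a fresh copy and the old blocks can survive. SSD wear levelling is a
# separate problem that cannot be detected from the filesystem type.
overwrite_is_effective() {
    fstype=$(stat -f -c %T "$1")
    case "$fstype" in
        btrfs|zfs|nilfs*|tmpfs|overlayfs|fuseblk) return 1 ;;
        *) return 0 ;;
    esac
}

# secure_delete PATH
# Overwrites every regular file under PATH (3 random passes plus a final zero
# pass; -u unlinks afterwards), then removes the empty tree. find does not
# follow symlinks, so a link's target is never wiped by accident. Only file
# contents are overwritten, not directory names. Returns 0 once PATH is gone.
secure_delete() {
    target=$1
    [ -e "$target" ] || { echo "no such path: $target" >&2; return 1; }
    if ! overwrite_is_effective "$target"; then
        echo "warning: $(stat -f -c %T "$target") does not overwrite in place; old data may survive on disk" >&2
    fi
    find "$target" -type f -exec shred -uzn 3 {} +
    if [ -d "$target" ]; then
        rm -rf -- "$target"
    fi
    [ ! -e "$target" ]
}

# make_sample_tree: constructed sample data in a throwaway directory;
# prints the directory path
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/project/sub"
    printf 'constructed secret: api_key=abc123\n' > "$d/project/notes.txt"
    printf 'more constructed data\n' > "$d/project/sub/draft.txt"
    printf 'single file\n' > "$d/single.txt"
    echo "$d"
}

d=$(make_sample_tree)
secure_delete "$d/project"       # whole tree, which plain shred cannot do
secure_delete "$d/single.txt"    # single file, equivalent to shred -uzn 3
rmdir "$d" && echo "wiped and removed sample data under $d"
```

The warning is deliberately not fatal: on a Btrfs or ZFS volume the overwrite still destroys the current copy, it just cannot promise that earlier extents or snapshots are gone, and that is the decision the operator has to make knowingly.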