
Re: Encryption software for external hard drive

On Fri, Jan 11, 2019 at 04:27:13PM +0000, Robert Venczel wrote:
> Thank you for your suggestions, Dianne and JN.
> 
> Scott, I would like to encrypt only the files I'm backing up to the
> external hard drive, the rest of the latter would remain unencrypted.

Don't do manual encryption using GPG, ccrypt, scrypt, or whatever you
want unless you have a small number of files. You'll probably forget
once and accidentally put things in the clear on the disk, and you may
tire of it unless you find such toys interesting. Instead, if doing a
mirror rather than an archive (tar, cpio, whatever), you're better off
with a stacked cryptographic filesystem.

eCryptFS is in the kernel and upstream since 2006.

    237fead61998 ([PATCH] ecryptfs: fs/Makefile and fs/Kconfig)

I use it, manually. It's been battle tested with Ubuntu's encrypted home
IIRC. encfs was also mentioned. Use it if and only if you have technical
reasons to do so instead of eCryptFS.

    https://github.com/vgough/encfs/blob/master/DESIGN.md

It's FUSE based. If you're copying a massive directory tree, you will
likely appreciate something that is *not* FUSE. See similar previous
thread with NTFS a few days ago on this same list.

There is fscrypt in ext4, ubifs, and f2fs only for now, which can avoid the
overhead of the stacking. I can't vouch for or criticise the feature, so
do your own research. See nconfig quote at end.

If the tradeoffs of a stacked cryptographic filesystem (either encfs,
eCryptFS, or other) do not appeal to you, try using a loopback block
device with LUKS, and your choice of favourite simple filesystem. See
losetup(8) and cryptsetup(8).

Here's the ecryptfs nconfig help.

    ┌── eCrypt filesystem layer support ───────────────────────────────
    │
    │ CONFIG_ECRYPT_FS:
    │
    │ Encrypted filesystem that operates on the VFS layer.  See
    │ <file:Documentation/filesystems/ecryptfs.txt> to learn more about
    │ eCryptfs.  Userspace components are required and can be
    │ obtained from <http://ecryptfs.sf.net>.

    […]

Here's the fscrypt nconfig help.

    ┌── FS Encryption (Per-file encryption) ─────────────────────────────────────┐
    │                                                                            │
    │ CONFIG_FS_ENCRYPTION:                                                      │
    │                                                                            │
    │ Enable encryption of files and directories.  This                          │
    │ feature is similar to ecryptfs, but it is more memory                      │
    │ efficient since it avoids caching the encrypted and                        │
    │ decrypted pages in the page cache.                                         │
    │                                                                            │
    │ Symbol: FS_ENCRYPTION [=n]                                                 │
    │ Type  : tristate                                                           │
    │ Prompt: FS Encryption (Per-file encryption)                                │
    │   Location:                                                                │
    │     -> File systems                                                        │
    │   Defined at fs/crypto/Kconfig:1                                           │
    │   Selects: CRYPTO [=y] && CRYPTO_AES [=y] && CRYPTO_CBC [=m] && CRYPTO_ECB │
    │   Selected by [n]:                                                         │
    │   - EXT4_ENCRYPTION [=n] && BLOCK [=y] && EXT4_FS [=n]                     │
    │   - F2FS_FS_ENCRYPTION [=n] && BLOCK [=y] && F2FS_FS [=n] && F2FS_FS_XATTR │
    │   - UBIFS_FS_ENCRYPTION [=n] && MISC_FILESYSTEMS [=y] && UBIFS_FS [=n] && U│
    │                                                                            │
    └────────────────────────────────────────────────────────────────────────────┘

The use of ECB above is… interesting.

Cheers,

Alex Pilon
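
The loopback block device with LUKS mentioned in the message, written out as an added example (not part of the original post). The image name, mapper name and mount point are assumptions, and the script only prints the losetup(8)/cryptsetup(8) commands unless DRY_RUN=0 is set.

```shell
#!/usr/bin/env bash
# Added example. Assumed names (not from the post): backup.luks, mapper name
# "backup", mount point /mnt/backup. DRY_RUN=1 (default) only prints the
# commands; DRY_RUN=0 executes them and needs root.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# attach_loop IMAGE: attach IMAGE to a free loop device and print its path
attach_loop() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ losetup --find --show $1" >&2
        echo "/dev/loopN"   # placeholder device name in dry-run mode
    else
        losetup --find --show "$1"
    fi
}

# create_container IMAGE SIZE NAME: one-time setup of the encrypted image
create_container() {
    local img="$1" size="$2" name="$3" loopdev
    if [ -e "$img" ]; then
        echo "refusing to overwrite existing $img" >&2
        return 1
    fi
    run truncate -s "$size" "$img" || return
    loopdev="$(attach_loop "$img")" || return
    run cryptsetup luksFormat "$loopdev" || return   # asks for the passphrase
    run cryptsetup open "$loopdev" "$name" || return
    run mkfs.ext4 "/dev/mapper/$name" || return
    run cryptsetup close "$name" || return
    run losetup -d "$loopdev"
}

# open_container IMAGE NAME MOUNTPOINT: unlock, mount, print the loop device
open_container() {
    local img="$1" name="$2" mnt="$3" loopdev
    loopdev="$(attach_loop "$img")" || return
    run cryptsetup open "$loopdev" "$name" || return
    run mount "/dev/mapper/$name" "$mnt" && echo "$loopdev"
}

# close_container NAME MOUNTPOINT LOOPDEV: lock again once the backup is done
close_container() {
    run umount "$2" && run cryptsetup close "$1" && run losetup -d "$3"
}
```

Everything copied under the mount point while the container is open ends up encrypted in the image file; the rest of the external drive stays as it is.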
