
I have a Lenovo pc and am running Ubuntu 20.04 LTS.

I would like to encrypt a file or directory on an external HDD attached to the pc via USB port (to store data that should be VERY VERY SECURE).

How does one go about this?

Duncan
  • What does VERY VERY SECURE mean to you? – Thorbjørn Ravn Andersen May 16 '21 at 23:53
  • @Thorbjørn Ravn Andersen "AES 256 is virtually impenetrable using brute-force methods. While a 56-bit DES key can be cracked in less than a day, AES would take billions of years to break using current computing technology. Hackers would be foolish to even attempt this type of attack." (Jul 29, 2019 - Google) – C.S.Cameron May 17 '21 at 01:49
  • @C.S.Cameron That is kind of irrelevant. You can't build proper security measures until you define exactly your threat model. So indeed VERY VERY SECURE must be defined first. – Patrick Mevzek May 17 '21 at 01:55
  • @Patrick Mevzek: Any encryption that can stop the FBI and is used by banks means VERY VERY SECURE to me. – C.S.Cameron May 17 '21 at 03:11
  • Additionally, if you will only ever need to access from your machine, you can use machine key encryption. Saves you from having to memorize/store a key. Just know that if your machine breaks or becomes inaccessible for some reason, you will not be able to decrypt. – Nate T May 17 '21 at 03:13
  • A big part of being "VERY VERY SECURE" means to me, being able to decrypt my files. (My computer is ten years old). – C.S.Cameron May 17 '21 at 03:33
  • @C.S.Cameron I understand what it means to you. Question was what it meant to OP as understanding the problem better might give a better solution. What if encryption mattered less than for instance not being able to use a file system without a password? – Thorbjørn Ravn Andersen May 17 '21 at 09:01
  • I had understood from the wording that the OP wanted secure encryption for data on a USB device and not a very very secure password. I admit that I could have been wrong. – C.S.Cameron May 17 '21 at 10:36
  • @C.S.Cameron "Any encryption that can stop the FBI and is used by banks means VERY VERY SECURE to me." That is a very peculiar definition indeed. So the threat model is "I don't want my files to be read by the FBI nor by banks?" If so, just encrypting them with AES-256 - or something else - is really only a small part of the solution. – Patrick Mevzek May 17 '21 at 14:50
  • @Patrick Mevzek There is still room on this page, if you would like to explain the big part of making a USB drive more secure, beyond encrypting it. I would be interested. I guess locking it in a safety deposit box would help, but that is not what thumb drives are for. – C.S.Cameron May 18 '21 at 02:32
  • Apologies - I have been away for a day. "Very Very secure" to me, here, means that I would like to place the mnemonic / seed for my bitcoin on a USB stick. The value of the bitcoin is significant (i.e. a retirement free of state-dependency). There are potential bad-actors with access to my pc and who might find the USB stick. That is how secure I would like the solution to be. – Duncan May 18 '21 at 06:52
  • Perhaps locking the USB drive in a safety deposit box would be a good idea. I have had 8 USB drives fail and become unreadable in the past two years. At least buy the best rated USB drive you can find. https://www.tomsguide.com/best-picks/best-usb-drives – C.S.Cameron May 18 '21 at 10:25
  • Thank you - much appreciated. – Duncan May 19 '21 at 07:23

5 Answers


How to Make an Encrypted File / Directory

  • Install p7zip-full from the universe repository

  • Right click file or folder and select Compress.

  • Confirm archive name and select .7z, then Create.

  • Right click .7z archive select open with Archive Manager.

  • Select three line icon upper right, click Password to create AES-256 encrypted archive.

Notes

You will need to install 7-Zip to open the archive on a Windows machine.

Selecting and remembering a strong password is an important part of encryption security. There are many good articles about this topic on the internet.

HDDs, SSDs and flash drives can all brick without notice. SLC (Single Level Cell) SSDs and flash drives have the longest life spans. It is a good idea to keep a backup drive and a copy of the password in your safety deposit box.

A full tutorial on P7Zip-Desktop can be found at: https://www.how2shout.com/linux/how-to-install-p7zip-gui-on-ubuntu-20-04-lts/

C.S.Cameron
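Added example, not part of C.S.Cameron's answer: the same AES-256 .7z archive built from the command line with the `7z` binary that p7zip-full installs, so the steps can be scripted. The function names and the passphrase-file argument are this example's own choices. One point the GUI steps hide behind a checkbox: a plain `-p` archive encrypts file contents but leaves the file names readable in the archive listing; `-mhe=on` encrypts the headers too, so nothing about the contents can be listed without the password.

```shell
#!/bin/sh
# Added example, not code from the answer above: an AES-256 .7z archive from
# the command line with p7zip-full's `7z`. Function names are this example's
# own. `-mhe=on` also encrypts the archive headers, so the file names inside
# cannot be listed without the password; a plain `-p` archive leaves them
# readable.
set -eu

# make_7z OUT.7z PASSFILE PATH...
# The non-interactive form passes the password as -p on the command line,
# where other local users can briefly see it in `ps`. For manual use give
# `-p` with no value instead and 7z prompts for it.
make_7z() {
    out=$1; passfile=$2; shift 2
    7z a -t7z -mhe=on -p"$(cat "$passfile")" "$out" "$@" >/dev/null
}

# extract_7z ARCHIVE PASSFILE DEST_DIR
extract_7z() {
    7z x -p"$(cat "$2")" -o"$3" "$1" >/dev/null
}

# list_7z ARCHIVE PASSFILE
# With encrypted headers this succeeds only with the right password; with a
# plain -p archive the listing (names, sizes, dates) works with any password.
list_7z() {
    7z l -p"$(cat "$2")" "$1" >/dev/null
}
```

Usage: `make_7z seed.7z pass.txt seed-folder`, then `list_7z seed.7z pass.txt` to confirm the listing is refused without the password, and `extract_7z seed.7z pass.txt /tmp/restore` to get the folder back. Keep the password file off the USB drive and delete it when done.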

(For a directory I would tar it to a file)

Encrypting can be done with ...

gpg -c {file}

Provide a decent password. To decrypt:

gpg {file}.gpg

and provide the password you used. If you want to decrypt using Windows you can use "gpg4win". Remove the original file after you are done.


rinzwind@schijfwereld:~$ ls -ltr test
-rwx------ 1 rinzwind rinzwind 418 mei 14 18:11 test
rinzwind@schijfwereld:~$ file test
test: POSIX shell script, ASCII text executable
rinzwind@schijfwereld:~$ gpg -c test
rinzwind@schijfwereld:~$ file test*
test:     POSIX shell script, ASCII text executable
test.gpg: GPG symmetrically encrypted data (AES256 cipher)
rinzwind@schijfwereld:~$ more test.gpg
[binary ciphertext, not human-readable]

I would then add some extra security:

  • sudo -i
  • chown root:root {file}
  • chmod 000 {file}
  • chattr +i {file}

The last one sets the immutable bit, and to change anything you first need to do chattr -i {file}. It will look like this:

---------- 1 root     root       353 mei 16 09:05  test.gpg

An extra extra method could be to add a "." to the beginning of the file to make it hidden.

Rinzwind
  • Thank you very much - greatly appreciated! – Duncan May 16 '21 at 09:10
  • Both answers are so helpful I can't give the green tick! – Duncan May 16 '21 at 20:43
  • Changing owner or permissions on a USB-attached HDD does not bring any security as plugging it on another host can trivially bypass that. Changing the name for an extra dot is kind of security through obscurity also. – Patrick Mevzek May 17 '21 at 01:51
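Added example, not part of Rinzwind's answer: the tar and `gpg -c` steps above as two shell functions that run without the interactive prompt, so a directory on the USB drive can be encrypted and restored from a script. The function names, the passphrase-file argument and the private GNUPGHOME are this example's own choices. It passes `--cipher-algo AES256` explicitly (matching what `file` reported above) and `--no-symkey-cache`, because gpg-agent otherwise remembers a symmetric passphrase for a while and a later `gpg test.gpg` in the same session will not ask for it again, which matters when someone else can reach your running session.

```shell
#!/bin/sh
# Added example, not code from the answer above: the tar + `gpg -c` steps as
# two functions that run without the interactive passphrase prompt. Function
# names, the private GNUPGHOME and the passphrase-file argument are this
# example's own choices.
set -eu

# Keep the example's keyring and agent separate from ~/.gnupg. Remove these
# two lines to use your normal GnuPG setup.
GNUPGHOME=$(mktemp -d)
export GNUPGHOME

# encrypt_dir SRC_DIR OUT_FILE PASSFILE
# Archives SRC_DIR and encrypts it with a symmetric AES-256 key derived from
# the passphrase in PASSFILE (first line). Reading the passphrase from a file
# keeps it out of `ps` and the shell history. The s2k options raise the
# passphrase-stretching cost to gpg's maximum; --no-symkey-cache stops
# gpg-agent from remembering the passphrase for later decryptions.
encrypt_dir() {
    tar -C "$(dirname "$1")" -cf - "$(basename "$1")" |
    gpg --batch --yes --quiet --pinentry-mode loopback --no-symkey-cache \
        --passphrase-file "$3" \
        --symmetric --cipher-algo AES256 \
        --s2k-mode 3 --s2k-digest-algo SHA512 --s2k-count 65011712 \
        --output "$2"
}

# decrypt_dir IN_FILE DEST_DIR PASSFILE
# Decrypts to a temporary archive first, so a wrong passphrase is reported as
# a failure instead of feeding an empty stream to tar.
decrypt_dir() {
    tmp=$(mktemp)
    if ! gpg --batch --yes --quiet --pinentry-mode loopback --no-symkey-cache \
            --passphrase-file "$3" --output "$tmp" --decrypt "$1"; then
        rm -f "$tmp"
        return 1
    fi
    tar -C "$2" -xf "$tmp"
    rm -f "$tmp"
}
```

Usage: `encrypt_dir ~/seed pass.txt /media/usb/seed.tar.gpg`, later `decrypt_dir /media/usb/seed.tar.gpg /tmp/restore pass.txt`. The "remove the original file after you are done" step from the answer is still yours to do, and on SSDs and flash drives a plain `rm` (or even `shred`) does not reliably overwrite the old blocks, so only ever write the plaintext to a location you are happy to treat as compromised, such as a RAM-backed /tmp.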

You can use cryptsetup on a sparse file to create an auto-growing, encrypted container.

If you don't have cryptsetup installed yet, run:

$ sudo apt update && sudo apt install cryptsetup

Note: This will not work on FAT32 or exFAT volumes because they don't support sparse files. You need to use NTFS or ext4, or preallocate the disk space ahead of time.

Root required because cryptsetup creates devices in /dev.

  1. Create a sparse file which will be used to store the encrypted data. Sparse files don't take all the space upfront, but grow as you add data to them. 10G here means that you'll be able to store up to 10 GB of data in the container (actually slightly less due to filesystem overhead).

    $ truncate -s 10G encrypted.luks
    

    (some tools will report this file as 10 GB in size from the very beginning - that's fine)

  2. Create an encrypted container inside the file.

    $ sudo cryptsetup luksFormat encrypted.luks
    

    WARNING!
    This will overwrite data on encrypted.luks irrevocably.

    Are you sure? (Type uppercase yes): YES
    Enter passphrase for encrypted.luks:
    Verify passphrase:

  3. Open the encrypted container.

    $ sudo cryptsetup open encrypted.luks encrypted
    Enter passphrase for encrypted.luks:
    
  4. Create a filesystem inside the container. (Choose any - it doesn't have to match drive's filesystem.)

    $ sudo mkfs.ext2 -m0 -Lencrypted /dev/mapper/encrypted
    mke2fs 1.45.5 (07-Jan-2020)
    Creating filesystem with 2617344 4k blocks and 655360 inodes
    Filesystem UUID: d61f80bc-e3aa-41c8-91ca-97b8302d8bc0
    Superblock backups stored on blocks:
            32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632
    

    Allocating group tables: done
    Writing inode tables: done
    Writing superblocks and filesystem accounting information: done

  5. You can now mount the filesystem.

    $ sudo mount /dev/mapper/encrypted /mnt
    $ ls /mnt
    lost+found
    

The container file should be much less than 10 GB if checked with the right tool:

$ du -h encrypted.luks
249M    encrypted.luks
$ du -h --apparent-size encrypted.luks
10G     encrypted.luks

To "eject" or remove the container:

  1. Unmount it.

    $ sudo umount /mnt
    
  2. Close the container.

    $ sudo cryptsetup close encrypted
    
  3. Optionally remove the file if you want to destroy the container.

    $ sudo rm encrypted.luks
    

Note that the container won't shrink when you remove files from it. You can try to open it with --allow-discards and then fstrim -v /mnt to punch holes in the sparse file again. It worked for me on local disks, but not on a USB drive. Maybe it depends on the "parent" filesystem, I don't know.

gronostaj
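Added example, not part of gronostaj's answer: the create/open/close steps above as one script, together with the two checks the answer mentions, whether the drive's filesystem can hold a sparse file at all (FAT32 and exFAT cannot, so the script preallocates there instead) and how much of the container is really allocated, the same comparison as `du -h` against `du -h --apparent-size`. The function names, the size-in-MiB argument, the ext4 choice and the filesystem-type names matched in `fs_supports_sparse` are this example's own; the cryptsetup, mkfs, mount and fstrim calls are the ones the answer uses.

```shell
#!/bin/sh
# Added example, not code from the answer above: the create/open/close steps
# as one script plus the sparse-file and allocation checks. Function names,
# the size-in-MiB argument and the ext4 choice are this example's own.
set -eu

# Filesystem type of the directory that will hold the container, as printed
# by `stat -f` (e.g. ext4, tmpfs, msdos for FAT32, exfat, fuseblk for ntfs-3g).
fs_type_of() { stat -f -c %T "$1"; }

# FAT32 and exFAT cannot store sparse files (see the note in the answer).
# The type names here are assumptions about what `stat -f` prints for them.
fs_supports_sparse() {
    case "$1" in
        msdos|vfat|fat|exfat) return 1 ;;
        *) return 0 ;;
    esac
}

# Real on-disk size vs. apparent size, in bytes: the same comparison as
# `du -h` against `du -h --apparent-size` in the answer.
allocated_bytes() { echo $(( $(stat -c %b "$1") * $(stat -c %B "$1") )); }
apparent_bytes()  { stat -c %s "$1"; }

# create_container FILE SIZE_MIB   (cryptsetup prompts for the passphrase)
create_container() {
    if fs_supports_sparse "$(fs_type_of "$(dirname "$1")")"; then
        truncate -s "${2}M" "$1"        # sparse: nothing allocated yet
    else
        echo "$1: parent filesystem has no sparse files, preallocating ${2} MiB" >&2
        dd if=/dev/zero of="$1" bs=1M count="$2" status=none
    fi
    sudo cryptsetup luksFormat "$1"
}

# open_container FILE NAME MOUNTPOINT
# --allow-discards lets fstrim in close_container punch holes back into the
# file. The filesystem is created on first open, when the mapping is empty.
open_container() {
    sudo cryptsetup open --allow-discards "$1" "$2"
    if [ -z "$(sudo blkid -o value -s TYPE "/dev/mapper/$2")" ]; then
        sudo mkfs.ext4 -m0 -L "$2" "/dev/mapper/$2"
    fi
    sudo mount "/dev/mapper/$2" "$3"
}

# close_container NAME MOUNTPOINT
close_container() {
    sudo fstrim -v "$2" || echo "fstrim failed: the file will not shrink" >&2
    sudo umount "$2"
    sudo cryptsetup close "$1"
}

case "${1:-}" in
    create) create_container "$2" "$3" ;;
    open)   open_container "$2" "$3" "$4" ;;
    close)  close_container "$2" "$3" ;;
    "")     ;;   # run without arguments: only define the functions
    *)      echo "usage: $0 create FILE SIZE_MIB | open FILE NAME MOUNTPOINT | close NAME MOUNTPOINT" >&2
            exit 1 ;;
esac
```

Usage: `sh luks-container.sh create /media/usb/encrypted.luks 1024`, then `sh luks-container.sh open /media/usb/encrypted.luks encrypted /mnt`, work in /mnt, and `sh luks-container.sh close encrypted /mnt`. After closing, `allocated_bytes /media/usb/encrypted.luks` shows whether fstrim actually gave space back on that drive, which is the check the answer's last paragraph describes as hit-and-miss on USB.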

I suggest using gocryptfs or something similar, so you don't waste your CPU time on compressing files.

To install:

$ sudo apt install gocryptfs

To start working, create an empty folder:

$ mkdir user-secret-stuff

Initialize encrypted filesystem:

$ gocryptfs -init user-secret-stuff

It asks you for a password. Give it a secure long password/passphrase that you can remember. Then it gives you a "master key"; save it in a safe place.

Now to open the encrypted directory and save/access files in there, use:

$ mkdir /tmp/files
$ gocryptfs user-secret-stuff /tmp/files

Give it your password and your files are available at /tmp/files.

To clean-up:

$ fusermount -u /tmp/files
$ rm -d /tmp/files
Ravexina

Another great tool to create an encrypted file container is VeraCrypt:

https://www.veracrypt.fr/en/Home.html

Cryptsetup and LUKS are better in terms of Linux integration and security, while VeraCrypt's main advantage is portability, i.e. you can mount the same container both in Linux and MS Windows and multiple other systems.

Daily use of VeraCrypt in Linux has its own disadvantages that are discussed in other questions.

Please note that no encryption could save you from the lack of daily security hygiene, but that's a very broad topic, worthy of a multivolume doctoral thesis.

Pawel Debski