Encryption is something everyone should take seriously on any platform. You might think you’re more secure on Linux than you are on Windows, or even macOS. But is Linux really as secure as you think?
Here we cover two methods for encrypting your information in Linux: one for encrypting files and one for encrypting an entire folder.
Encrypt and Decrypt Files Using GnuPG
GnuPG is a free implementation of the OpenPGP standard, also known as Pretty Good Privacy (PGP). It allows you to encrypt your files and sign them, allowing you to securely send files to others.
GnuPG can also be used to encrypt files for yourself to keep them away from prying eyes, and that’s what we’re concentrating on in this article.
GnuPG is a command line tool, but it’s fairly easy to use. It’s widely used, so it’s most likely already installed on your Ubuntu system.
Open a Terminal window by pressing Ctrl + Alt + T and run the following command to install GnuPG 2. If GnuPG 2 is already installed, the system will tell you. If not, GnuPG will be installed:
sudo apt install gnupg2
Set the Default Cipher Algorithm
GnuPG uses various cipher methods, or algorithms. The default cipher method in GnuPG 2.1 is AES128. In GnuPG 1.0 and 2.0, the default cipher algorithm is CAST5.
To see a list of available ciphers, run the following command.
The AES cipher algorithm in the list is AES128.
You can choose a different cipher algorithm as the default by adding a line to a configuration file GnuPG uses when it runs. The configuration file, called gpg.conf, is in a hidden directory, called .gnupg, in your Home directory. All hidden directories and files start with a period.
We’re going to edit the configuration file in gedit, so run the following command in a Terminal window.
Initially, the gpg.conf file doesn’t exist. But running the above command creates the file. You’ll see an empty file in gedit. We want to change the default cipher algorithm to AES256, so we add the following line to the file.
Save the file and close gedit.
Encrypt Files Using GnuPG
GnuPG allows you to use two of the most common encryption methods, Public key (asymmetric) encryption and Private key (symmetric) encryption. Both methods allow you to encrypt data to hide it from others and then decrypt it.
We’re encrypting files here for our own security, to keep them away from prying eyes. So, we will use symmetric key encryption, in which the same key is used for both the encryption and decryption stages. Symmetric key encryption is also known as block cipher-based encryption because the data is encrypted in chunks or blocks.
If we hadn’t set the default cipher method in the configuration file, as discussed in the previous section, we could specify the encryption method to use when encrypting the file using the following command. We added the --cipher-algo AES256 option.
gpg --symmetric --cipher-algo AES256 ~/Documents/PrivateFiles/MyPrivateFile.txt
You can also use -c in place of --symmetric.
Because we did set the default cipher algorithm in the configuration file, we can encrypt our file using the following command, leaving out the --cipher-algo option.
gpg --symmetric ~/Documents/PrivateFiles/MyPrivateFile.txt
Add a Passphrase
Now we have a file named MyPrivateFile.txt.gpg containing the encrypted data. You should securely delete your original, non-encrypted file.
You can also change the name of the resulting file when encrypting it using the -o (or --output) option. We’ve added -o MyPrivateFile.enc to the command we ran earlier.
gpg -o MyPrivateFile.enc --symmetric ~/Documents/PrivateFiles/MyPrivateFile.txt
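To confirm which cipher a passphrase-encrypted file actually records, without decrypting it, the following added example (not part of the original article) reads the first packet header of a gpg --symmetric output file. The function name skesk_cipher and the sample files are made up for illustration, and it assumes the version 4 session-key packet layout from RFC 4880.

```shell
#!/bin/sh
# Added example: read the cipher ID from the first packet of a
# `gpg --symmetric` output file. No passphrase or gpg binary is needed.

skesk_cipher() {
    # First four octets, in decimal: packet header, length, version, cipher ID.
    set -- $(od -An -tu1 -N4 "$1")
    [ $# -eq 4 ] || { echo "too-short"; return 1; }
    case $1 in
        140|195) ;;   # 0x8C / 0xC3: Symmetric-Key Encrypted Session Key packet
        45) echo "ascii-armored"; return 1 ;;  # "-----BEGIN PGP MESSAGE-----"
        *)  echo "not-passphrase-encrypted"; return 1 ;;
    esac
    [ "$3" -eq 4 ] || { echo "unsupported-packet-version"; return 1; }
    case $4 in       # symmetric algorithm IDs from RFC 4880, section 9.2
        2) echo 3DES ;;   3) echo CAST5 ;;    4) echo BLOWFISH ;;
        7) echo AES128 ;; 8) echo AES192 ;;   9) echo AES256 ;;
        10) echo TWOFISH ;; 11) echo CAMELLIA128 ;;
        12) echo CAMELLIA192 ;; 13) echo CAMELLIA256 ;;
        *) echo "unknown-$4" ;;
    esac
}

# Constructed sample headers (not real ciphertext): tag, length 13, version 4,
# cipher ID, then an iterated+salted S2K specifier with a dummy salt.
demo_dir=$(mktemp -d)
printf '\214\015\004\011\003\002saltsalt\377' > "$demo_dir/aes256.gpg"
printf '\214\015\004\003\003\002saltsalt\377' > "$demo_dir/cast5.gpg"
printf '%s\n' '-----BEGIN PGP MESSAGE-----' > "$demo_dir/armored.asc"

for f in aes256.gpg cast5.gpg armored.asc; do
    printf '%s: %s\n' "$f" "$(skesk_cipher "$demo_dir/$f")"
done
```

Point it at a real file with skesk_cipher ~/Documents/PrivateFiles/MyPrivateFile.txt.gpg; a result of AES256 means the gpg.conf default or the --cipher-algo option was honored.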
Decrypt Files Using GnuPG
To decrypt the file we just encrypted, we run the following command in a Terminal window.
gpg -o ~/Documents/PrivateFiles/DecryptedFile.txt -d ~/Documents/PrivateFiles/MyPrivateFile.txt.gpg
You can change the ~/Documents/PrivateFiles/DecryptedFile.txt path and file name to whatever path and file name you want to use for your decrypted file.
Enter the passphrase you assigned to the encrypted file to unlock it.
Our file is decrypted in the location we specified.
If you don’t use the -o option to output the contents of the encrypted file to a new file, the decrypted data gets sent to standard output. So, the decrypted contents of your file will display on the screen. If you’re in a place where someone can look over your shoulder at the screen, you should send the contents of the encrypted file to a new file, as described above.
Encrypt and Decrypt Folders Using Gnome Encfs Manager
If you want to encrypt a bunch of files, and even some folders, you can create an encrypted folder using Gnome Encfs Manager, or GEncfsM for short.
GEncfsM allows you to create an encrypted container, called a stash, like VeraCrypt on Windows. You can store all your sensitive files and folders in a stash. You can configure the options for each stash separately, and manage your stashes using a tray menu on the top panel.
If you create a stash in a cloud-synced folder, like Dropbox, you can access the encrypted folder on multiple Linux computers. You can also have GEncfsM open at startup and have one or more stashes mount automatically at startup.
Added EncFS encryption to Dropbox folder. Gnome Encfs Manager makes it hassle free (autostart, mount on startup, save password in keyring)
— Miroslav Stampar (@stamparm) September 11, 2016
Install Gnome Encfs Manager
To install GEncfsM, press Ctrl + Alt + T to open a Terminal window. Then, run the following command to add the GEncfsM PPA.
sudo add-apt-repository ppa:gencfsm
Refresh the package lists, so the packages in the new PPA become available, with the following command.
sudo apt-get update
Then, run the following command to install Gnome Encfs Manager.
sudo apt-get install -y gnome-encfs-manager
The following dialog box displays with a warning about security in Encfs. A security audit in 2014 found some vulnerabilities in Encfs. These vulnerabilities are not easily exploitable, but they do cause Encfs to be not “military grade” secure.
The OK button on the dialog box is automatically selected. Press Enter to “click” the button and continue installing Gnome Encfs Manager.
Create an Encrypted Directory
You may have to log out of your Ubuntu account and log back in to be able to run Gnome Encfs Manager.
To run the program, click the Search your computer button on the Unity bar and type encfs. When you see the Gnome Encfs Manager icon under Applications, click it.
The main Gnome Encfs Manager window appears. To create a new stash, click the plus icon on the toolbar.
You can create multiple stashes using Gnome Encfs Manager. Maybe you want one for work files and one for personal files.
On the Create or import a stash dialog box, select the location for the encrypted directory under Directory or drive to encrypt or import. If the selected directory does not yet contain a stash, then a new one is created. If there is a stash in the selected directory, it is imported into Gnome Encfs Manager.
Mounting a Directory
The Mount directory must be different from the directory being encrypted. Mounting a directory refers to a process that allows you to access files on different devices, such as USB flash drives or external hard disk drives. In this case, think of the encrypted directory as a device. When mounted it will show up in the File Manager as a drive.
You can accept the default values for either or both the directory to encrypt and the mount directory. To use a custom directory for either, select the option next to the blank edit box and click the folder icon on the right side of the edit box. Navigate to the directory you want to use on the dialog box and click Open.
Note: If you select an existing directory to encrypt, any files currently in the directory will not be encrypted. If you want to encrypt files in an existing folder, create a new stash and then move those files to the mounted stash.
When you create an encrypted folder, it’s automatically mounted. You’ll see it in a list of locations in the left panel of File Manager. Create files in or copy or move files and folders to this location to protect them.
Unmount an Encrypted Folder
Once you’ve copied all the files and folders you want to protect into the encrypted folder, unmount it to encrypt it and prevent anyone else from accessing the contents.
The encrypted directory will be visible and accessible to anyone who has access to your PC. But its contents are not in readable format when unmounted and encrypted, not even the file names.
To unmount the encrypted folder, uncheck the Mounted box for that folder in the Gnome Encfs Manager window.
Mount and Unmount an Encrypted Folder Using the Tray Menu
You can also access Gnome Encfs Manager in the tray on the top panel. The Show Manager option opens the main GEncfsM window. The tray menu also allows you to mount and unmount existing stashes.
To mount a stash using the menu, select the name of the encrypted folder from the menu.
Enter the password for the stash on the Mount stash dialog box and click Mount.
When a stash, or encrypted folder, is mounted, a check mark is shown next to the name of the stash on the tray menu. To unmount the stash, simply select the name of the stash.
You can configure settings for each stash and for the Gnome Encfs Manager program itself.
Each stash can be configured separately. To configure a stash, select it in the list on the main Gnome Encfs Manager and click the Configure the selected stash (gear) button on the toolbar.
On the Configure stash dialog box, change any settings you want. For information about the options, click Help at the bottom of the dialog box.
You can also set options for the program itself. Go to Manager > Preferences. Change any settings you want on the Preferences dialog box. For information about the options, click Help at the bottom of the dialog box.
Delete Your Encrypted Folder
If you’re done using a stash, you can delete it. Open the Gnome Encfs Manager main window and select the stash you want to delete. Then, click the minus icon on the toolbar.
To delete the stash from the manager but keep the encrypted folder, select Only remove the stash from the manager on the Remove stash dialog box. Choosing this option allows you to import the encrypted folder as a stash again using the steps described in the Create an Encrypted Directory section earlier.
If you know you will not need your encrypted folder at all, you can remove it from the manager and delete the encrypted folder from the disk, permanently deleting the stash. If you choose to do this, mount the encrypted folder and make sure you retrieve any data you’ll need from it before deleting.
To permanently delete a stash, select Delete the stash from disk. You can’t click OK to delete the stash until you check the Yes, I am sure and aware that I could lose my data box.
Protect Your Data in Ubuntu Linux
There are many methods for encrypting your data on Linux. While the methods we discussed will protect your private information from prying eyes, they will not protect you from ransomware.
In addition to encrypting your Ubuntu files, you should also seriously consider buying antivirus and antimalware software to protect your computer.
What methods do you use to encrypt files and folders on Linux? Have you found any other tools we didn’t mention?