How to Encrypt Your Personal Data on Linux

Joel Lee 05-08-2016

Privacy is hard to maintain these days. Given the recent spying debacle of Windows 10, it’s no wonder why so many people are flocking to Linux instead. If you care about true privacy, Linux is your best bet.


And these days, true privacy is virtually impossible without using encryption, so you need to be encrypting your data whenever it is possible and convenient for you.

Think it’s more effort than it’s worth? Don’t believe those encryption myths! Here are three easy ways to encrypt your data: by disk partitions, by individual directories, or by individual files.

Encrypt Disk Partitions With LUKS

You can think of LUKS (Linux Unified Key Setup) as an interface that sits between the operating system and a physical data partition. When you want to read or write a file, LUKS seamlessly handles the encryption and decryption.

Note that there are several downsides to encrypting a disk partition, so proceed with care. At best it will impact overall performance; at worst it can make data recovery impossible. Before encrypting a partition, make sure you back up your data!

To install LUKS, you’ll need the front-end utility:

sudo apt-get update
sudo apt-get install cryptsetup

Distros with YUM instead of APT can use:

sudo yum install cryptsetup-luks

To set up LUKS, run these in the terminal:

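# Create a 128 MB file to hold the encrypted volume
dd if=/dev/urandom of=/home/<username>/basefile bs=1M count=128
# Format the file as a LUKS container (-y asks for the passphrase twice)
sudo cryptsetup -y luksFormat /home/<username>/basefile
# Unlock the container as /dev/mapper/volume1
sudo cryptsetup luksOpen /home/<username>/basefile volume1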

Remember to replace <username> with your own Linux account name!

With the LUKS container set up, you need to create a file system on top of it and mount it. In this case, we use EXT4:

sudo mkfs.ext4 -j /dev/mapper/volume1
sudo mkdir /mnt/files
sudo mount /dev/mapper/volume1 /mnt/files

Every time you turn on your computer, you’ll need to “unlock” and mount LUKS to make your encrypted partition available:

sudo cryptsetup luksOpen /home/<username>/basefile volume1
sudo mount /dev/mapper/volume1 /mnt/files

And every time you want to shut down, you’ll have to safely unmount and “lock” LUKS to recrypt the partition:

sudo umount /mnt/files
sudo cryptsetup luksClose volume1

There’s a lot going on behind-the-scenes with these commands, especially the ones that involve setting up LUKS, so we recommend reading this LUKS walkthrough by LinuxUser for a step-by-step breakdown of these instructions.
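The unlock and lock steps above, wrapped in guarded functions. This is an added example, not part of the original article: the function names are made up here, and the header check reads the LUKS magic bytes directly (the same test `cryptsetup isLuks` performs) so it can run without root.

```shell
#!/bin/sh
# Added example: guarded unlock/lock for the file-backed LUKS container.
# Function names are illustrative; container, mapping and mount point are
# passed in (the article uses basefile, volume1 and /mnt/files).

# Print the LUKS header version (1 or 2) of a container, or fail if the
# file does not start with the LUKS magic: "LUKS" 0xBA 0xBE.
luks_version() {
    lv_magic=$(od -An -tx1 -N6 "$1" 2>/dev/null | tr -d ' \n')
    [ "$lv_magic" = "4c554b53babe" ] || return 1
    # The version is a 16-bit big-endian integer at byte offset 6.
    od -An -tu1 -j6 -N2 "$1" | awk '{ print $1 * 256 + $2 }'
}

# unlock_volume <container> <mapping-name> <mount-point>   (run as root)
unlock_volume() {
    if ! luks_version "$1" >/dev/null; then
        echo "refusing: $1 has no LUKS header (was luksFormat completed?)" >&2
        return 2
    fi
    uv_opened=0
    if [ ! -e "/dev/mapper/$2" ]; then
        cryptsetup luksOpen "$1" "$2" || return 3
        uv_opened=1
    fi
    if ! mount "/dev/mapper/$2" "$3"; then
        # Do not leave an unlocked mapping behind if the mount failed.
        [ "$uv_opened" -eq 1 ] && cryptsetup luksClose "$2"
        return 4
    fi
}

# lock_volume <mapping-name> <mount-point>   (run as root)
lock_volume() {
    umount "$2" || return 3              # fails while files are still in use
    cryptsetup luksClose "$1" || return 4
    # Once the mapping is closed the plaintext view must be gone.
    [ ! -e "/dev/mapper/$1" ]
}
```

A non-zero return from `lock_volume` means the volume is still unlocked, so check it before assuming the data is protected.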

Also note that most modern Linux distros allow you to set up whole-disk encryption using LUKS during installation of the operating system. These days, that’s the safest and easiest way to do whole-disk encryption.


Encrypt Directories With eCryptfs

For most home Linux users, whole-disk encryption and disk partition encryption are overkill. Why encrypt everything when you can just encrypt the directories that hold your sensitive data? It’s faster and more convenient, after all.

You can do this using a utility called eCryptfs, an enterprise-class utility that lets you encrypt individual directories without having to worry about filesystems, partitions, mounting, etc.

Using eCryptfs, you can either encrypt your entire Home directory or you can encrypt any single directory on your system (though usually you’ll pick a directory within your Home directory, such as /home/<username>/Secure).

To get started, you’ll have to install eCryptfs:

sudo apt-get update
sudo apt-get install ecryptfs-utils

Distros with YUM instead of APT can use:

sudo yum install ecryptfs-utils

Once it’s installed, go ahead and create the directory you want to use as the encrypted one. Do NOT use an existing directory as any files within will be inaccessible after the directory is encrypted:

mkdir /home/<username>/Secure

To encrypt the directory, mount the directory onto itself using the



sudo mount -t ecryptfs /home/<username>/Secure /home/<username>/Secure

The first time you do this, you’ll be asked to configure the encryption. Choose the AES cipher, set the key bytes to 32, say No to plaintext passthrough, and say No to filename encryption (unless you want it).

When you unmount the directory, none of the contents will be readable:

sudo umount /home/<username>/Secure

Remount the directory to make its contents accessible.
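While the directory is unmounted, anything saved into it is written to disk unencrypted, so it is worth checking the mount before storing files there. The following is an added example, not from the original article: it parses a mounts table in /proc/mounts format and confirms the eCryptfs settings chosen above (AES, 32 key bytes, no plaintext passthrough). The function name, the optional mounts-file argument and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm the eCryptfs layer is mounted, with the settings the
# article chose, before saving anything sensitive into the directory.

# ecryptfs_check <directory> [mounts-file]
#   0 = mounted with AES, 32-byte key, no plaintext passthrough
#   1 = not an eCryptfs mount (files written now land unencrypted on disk)
#   2 = mounted, but the options differ from the article's choices
ecryptfs_check() {
    ec_dir=${1%/}
    ec_opts=$(awk -v d="$ec_dir" \
        '$2 == d && $3 == "ecryptfs" { o = $4 } END { print o }' \
        "${2:-/proc/mounts}")
    [ -n "$ec_opts" ] || return 1
    case ",$ec_opts," in
        *,ecryptfs_passthrough,*) return 2 ;;
    esac
    case ",$ec_opts," in
        *,ecryptfs_cipher=aes,*) ;;
        *) return 2 ;;
    esac
    case ",$ec_opts," in
        *,ecryptfs_key_bytes=32,*) ;;
        *) return 2 ;;
    esac
    return 0
}

# Constructed sample in /proc/mounts format (not captured from a real system).
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/home/alice/Secure /home/alice/Secure ecryptfs rw,relatime,ecryptfs_sig=0123456789abcdef,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs 0 0
/home/alice/Old /home/alice/Old ecryptfs rw,relatime,ecryptfs_sig=0123456789abcdef,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough 0 0
EOF
}
```

Called with only a directory, `ecryptfs_check` reads the live /proc/mounts.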

If you want to encrypt the entire Home directory for a user, the process is actually even easier than this as eCryptfs comes with a built-in migration tool that walks you through it. Check out our guide to encrypting the Home folder for step-by-step details.

And on Ubuntu, you can even set up Home directory encryption right from the Live CD, which automatically decrypts and recrypts the Home directory upon login.

Encrypt Files With AESCrypt

Let’s say you want even more granularity with your data encryption. You don’t need an entire disk partition or directory to be encrypted. All you need is the ability to encrypt/decrypt single files on demand.

In that case, a free tool like AESCrypt will likely be more than enough for you. It comes with a graphical interface so you don’t need to be a terminal master or Linux expert to use it. It’s quick, easy, and painless.

To install AESCrypt, you can download either the installer script or the source code from the main site. However, for Ubuntu users, we recommend using the unofficial PPA repository:

sudo add-apt-repository ppa:aasche/aescrypt
sudo apt-get update
sudo apt-get install aescrypt

To encrypt a file, right-click on it and select Open with AESCrypt. You’ll be asked to enter a password. This will be needed to decrypt the file later, so don’t forget it.

Encrypting a file actually produces a separate file with the AES extension, while keeping the original file intact. Feel free to keep or delete the original. Just use the AES file when sending by email, uploading to cloud storage, etc.

To decrypt a file, right-click the AES version and select Open with AESCrypt. Enter the password that was used to encrypt the file, and it will produce a separate, identical copy.

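You can also use the command line to encrypt. A password passed with -p ends up in your shell history and is visible in the process list while the command runs; if you leave -p out, aescrypt prompts for the password instead:

aescrypt -e -p <password> <original file>

And to decrypt:

aescrypt -d -p <password> <AES file>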

Warning: When AESCrypt produces a file after encrypting or decrypting, it will automatically overwrite any file with the same name. It’s your responsibility to make sure accidental overwrites don’t occur.
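One way to guard against the overwrite described in the warning above, as an added example that is not part of the original article or of AESCrypt itself. The function names are made up here; the wrapper assumes the default output naming described above (encrypting adds .aes, decrypting removes it) and calls aescrypt without -p so that it prompts for the password.

```shell
#!/bin/sh
# Added example: wrapper around the aescrypt CLI that refuses to clobber an
# existing file. aes_target and aes_guarded are illustrative names.

# Print the file aescrypt will write for a given mode and input:
# encrypting adds ".aes", decrypting strips it.
aes_target() {
    case "$1" in
        -e) printf '%s\n' "$2.aes" ;;
        -d) case "$2" in
                *.aes) printf '%s\n' "${2%.aes}" ;;
                *) return 1 ;;          # wrapper's choice: only accept *.aes
            esac ;;
        *) return 1 ;;
    esac
}

# aes_guarded -e|-d <file>
#   0 = aescrypt ran, 1 = refused because the output exists, 2 = bad input
aes_guarded() {
    ag_out=$(aes_target "$1" "$2") || {
        echo "usage: aes_guarded -e <file> | -d <file.aes>" >&2
        return 2
    }
    [ -f "$2" ] || { echo "no such file: $2" >&2; return 2; }
    if [ -e "$ag_out" ]; then
        echo "refusing: $ag_out exists and would be overwritten" >&2
        return 1
    fi
    # No -p: the password stays out of shell history and the process list.
    aescrypt "$1" "$2"
}
```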

Encryption Is Important, Don’t Neglect It!

At the end of the day, encryption really does work to protect your data from snoopers, sniffers, and other nosy intruders. It might seem like a pain in the butt right now, but the learning curve is small and the rewards are great.

Here’s what we recommend to keep things simple: Create an encrypted directory under your Home directory (using eCryptfs) and use that to store your sensitive files. If you ever want to send a file over the Internet, encrypt it individually (using AESCrypt).

Are you obsessive about privacy and encryption? How far are you willing to go to preserve your data? What other methods do you use? Let us know in the comments!


  1. Anonymous
    August 21, 2016 at 2:45 am

    I would also add encfs to the list. Very popular. There are Windows and Mac ports too.

    • Joel Lee
      August 29, 2016 at 8:59 pm

      Thanks John. Love it when ports exist! I'll check it out when I can.

  2. Anonymous
    August 6, 2016 at 12:06 pm

    This article looks fine in my browser, but is entirely unreadable in my MAKEUSEOF app on my Android phone. Every quoted or indented line acts as a permanent indent, so that a little way down the article it looks like a ton of nested frames with a single column of individual characters.

    We need to either improve the app, or format these articles to be compatible!

    • Joel Lee
      August 6, 2016 at 12:38 pm

      Thanks William, I had no idea. I'll forward that to our app development team. Much appreciated!

    • Anonymous
      August 22, 2016 at 8:30 am

      Hey William!
      Please check if the problem still exists

  3. Rajib Ghosh
    August 5, 2016 at 6:15 pm

    Also try VeraCrypt - The alternative to now defunct TrueCrypt which itself was a free alternative to the commercial BestCrypt.

    • Joel Lee
      August 6, 2016 at 12:38 pm

      Thanks Rajib, I will check it out. If it's easier to use than the methods above, then that would be great news!