How to Encrypt Your Personal Data on Linux

Privacy is hard to maintain these days. Given the recent spying debacle of Windows 10, it's no wonder why so many people are flocking to Linux instead. If you care about true privacy, Linux is your best bet.

And these days, true privacy is virtually impossible without using encryption, so you need to be encrypting your data whenever possible as is convenient for you.

Think it's more effort than it's worth? Don't believe those encryptions myths! Here are three easy ways to encrypt your data: by disk partitions, by individual directories, or by individual files.

Encrypt Disk Partitions With LUKS

You can think of LUKS (Linux Unified Key Setup) as an interface that sits between the operating system and a physical data partition. When you want to read or write a file, LUKS seamlessly handles the encryption and decryption.

Note that there are several downsides to encrypting a disk partition so proceed with care. At best it will impact overall performance, at worst it can make data recovery impossible. Before encrypting a partition, make sure you back up your data!

To install LUKS, you'll need the front-end utility:

sudo apt-get update

sudo apt-get install cryptsetup

Distros with YUM instead of APT can use:

yum install cryptsetup-luks

To set up LUKS, run these in the terminal:

dd if=/dev/random of=/home/<username>/basefile bs=1M count=128

cryptsetup -y luksFormat /home/<username>/basefile

cryptsetup luksOpen /home/<username>/basefile volume1

Remember to replace <username> with your own Linux account name!

With the LUKS container set up, you need to create a file system on top of it and mount it. In this case, we use EXT4:

mkfs.ext4 -j /dev/mapper/volume1

mkdir /mnt/files

mount /dev/mapper/volume1 /mnt/files

Every time you turn on your computer, you'll need to "unlock" and mount LUKS to make your encrypted partition available:

cryptsetup luksOpen /home/<username>/basefile volume1

mount /dev/mapper/volume1 /mnt/files

And every time you want to shut down, you'll have to safely unmount and "lock" LUKS to recrypt the partition:

umount /mnt/files

cryptsetup luksClose volume1

There's a lot going on behind-the-scenes with these commands, especially the ones that involve setting up LUKS, so we recommend reading this LUKS walkthrough by LinuxUser for a step-by-step breakdown of these instructions.

Also note that most modern Linux distros allow you to set up whole-disk encryption using LUKS during installation of the operating system. These days, that's the safest and easiest way to do whole-disk encryption.

Encrypt Directories With eCryptfs

For most home Linux users, whole-disk encryption and disk partition encryption are overkill. Why encrypt everything when you can just encrypt the directories that hold your sensitive data? It's faster and more convenient, after all.

You can do this using a utility called eCryptfs, an enterprise-class utility that lets you encrypt individual directories without having to worry about filesystems, partitions, mounting, etc.

Using eCryptfs, you can either encrypt your entire Home directory or you can encrypt any single directory on your system (though usually you'll pick a directory within your Home directory, such as

        /home/<username>/Secure

To get started, you'll have to install eCryptfs:

sudo apt-get update

sudo apt-get install ecryptfs-utils

Distros with YUM instead of APT can use:

yum install ecryptfs-utils

Once it's installed, go ahead and create the directory you want to use as the encrypted one. Do NOT use an existing directory as any files within will be inaccessible after the directory is encrypted:

mkdir /home/<username>/Secure

To encrypt the directory, mount the directory onto itself using the

ecryptfs

filesystem:

mount -t ecryptfs /home/<username>/Secure /home/<username>/Secure

The first time you do this, you'll be asked to configure the encryption. Choose the AES cipher, set the key bytes to 32, say No to plaintext passthrough, and say No to filename encryption (unless you want it).

When you unmount the directory, none of the contents will be readable:

sudo umount /home/<username>/Secure

Remount the directory to make its contents accessible.

If you want to encrypt the entire Home directory for a user, the process is actually even easier than this as eCryptfs comes with a built-in migration tool that walks you through it. Check out our guide to encrypting the Home folder for step-by-step details.

And on Ubuntu, you can even set up Home directory encryption right from the Live CD, which automatically decrypts and recrypts the Home directory upon login.

Encrypt Files With AESCrypt

Let's say you want even more granularity with your data encryptions. You don't need an entire disk partition or directory to be encrypted -- all you need is the ability to encrypt/decrypt single files on demand.

In that case, a free tool like AESCrypt will likely be more than enough for you. It comes with a graphical interface so you don't need to be a terminal master or Linux expert to use it. It's quick, easy, and painless.

To install AESCrypt, you can download either the installer script or the source code from the main site. However, for Ubuntu users, we recommend using the unofficial PPA repository:

sudo add-apt-repository ppa:aasche/aescrypt

sudo apt-get update

sudo apt-get install aescrypt

To encrypt a file, right-click on it and select Open with AESCrypt. You'll be asked to enter a password. This will be needed to decrypt the file later, so don't forget it.

Encrypting a file actually produces a separate file with the AES extension, while keeping the original file intact. Feel free to keep or delete the original. Just use the AES file when sending by email, uploading to cloud storage, etc.

To decrypt a file, right-click the AES version and select Open with AESCrypt. Enter the password that was used to encrypt the file, and it will produce a separate, identical copy.

You can also use the command line to encrypt:

sudo aescrypt -e -p <password> <original file>

And to decrypt:

sudo aescrypt -d -p <password> <AES file>

Warning: When AESCrypt produces a file after encrypting or decrypting, it will automatically overwrite any file with the same name. It's your responsibility to make sure accidental overwrites don't occur.

Encryption Is Important, Don't Neglect It!

At the end of the day, encryption really does work to protect your data from snoopers, sniffers, and other nosy intruders. It might seem like a pain in the butt right now, but the learning curve is small and the rewards are great.

Here's what we recommend to keep things simple: Create an encrypted directory under your Home directory (using eCryptfs) and use that to store your sensitive files. If you ever want to send a file over the Internet, encrypt it individually (using AESCrypt).

Are you obsessive about privacy and encryption? How far are you willing to go to preserve your data? What other methods do you use? Let us know in the comments!