Encrypt Your Data

Before, when I have written about encrypting data, it didn’t generate a great deal of long-term interest. Rightly or wrongly, Edward Snowden has brought the issue of data and data transmission security to the forefront. I argue that this topic always should be under discussion because data security, including encryption, is an important topic for everyone, even if it’s just your laptop. Now, many people are concerned about the US government getting access to their data and want to prevent this – or at the very least slow it down.

Personally, I don’t want the US government or anyone else learning that I like funny videos on YouTube and really old and really bad science fiction movies, or that my musical tastes run all over the map, or that I do all sorts of technical writing and have some definite opinions about things. No one should have access to that information unless I want to give it to them. I do not have a “cabin-in-the-woods” type of paranoia, but I see no reason for anyone to have access to this information unless I control when and whom.

Regardless of why you don’t want your digital life violated, I think that paying attention to your data and even encrypting it is important. Therefore, in this article, I want to review and update some ways to encrypt data. I’ll primarily be sticking to Linux filesystems, but some of these techniques can be used on Windows systems as well.

Encryption/Decryption

The whole concept of cryptology (hiding information or encrypting and decrypting it) is a very ancient concept. The battle continues between people who send data or information securely to the intended recipient versus people who get access that information and try to break the encryption (decrypt it). There are literally hundreds of books on the subject (a quick Amazon search turned up 3,998 results), and it is under constant research. Although not an authoritative source of information, one possible place to start reading is Wikipedia’s overview of cryptography and very brief article on encryption. Otherwise, Google is your friend.

If you want to learn about encryption a little more, there is a reasonable introduction that talks at a very high level about how encryption works. For a very simple introduction it shows how to do what is called a substitution cipher. The classic example for people reading this article and who remember usenet is called ROT13. This is a really simple example of encryption (but it is not strong encryption).

Software, Hardware, or Both?

Fundamentally, you really have two options for encrypting data: (1) hardware based and (2) software based. Although you could use both options in combination, that might be considered overkill (then again, in the current climate, maybe not).

Among the hardware options available, the one I want to mention is the Self-Encrypting Drive (SED). The concept is simple: Take an ordinary drive, add an encryption/decryption processor to it, add authentication to the firmware, and you have a SED. This approach has several benefits:

  • Encryption is always on, so it will affect data at rest (i.e., data stored on the drive).
  • Authentication is independent of the operating system (OS).
  • There are no encryption keys to manage (vendors use standard interfaces such as the BIOS or a software-based component that happens before the OS boots).
  • The encryption keys never have to leave the drive.
  • Relative to a non-SED, you will see no loss in performance with a SED

Typically the encryption keys are 128- or 256-bit Advanced Encryption Standard (AES) keys, which evidently is fairly strong encryption. (My apologies, but I’m not in a position to judge the quality of an encryption algorithm.)

Managing SEDs can be a little more difficult than non-SEDs because, when the system boots, you need to authenticate so the drives can then be used. In the case of a large distributed system, this can be a little cumbersome if the systems restart or boot regularly. Some vendors keep the keys on an out-of-band device so the drives can contact the device for them. Then, however, you have to ensure the keys on the device are encrypted as well.

SEDs have some vulnerabilities, but most involve having physical access to the drives. Again, I’m not a security person, so I cannot judge the level of protection – I can only state what technologies are available.

Software-based approaches basically have three options for encrypting your data on a Linux system. The options are (1) encrypting a single file, (2) encrypting a directory (with or without a virtual disk), or (3) encrypting a physical block device.

Encrypting files is fairly straightforward and various tools are available to do this. For example, bcrypt, NCrypt, and 7-Zip compress and encrypt files using 256-bit AES. The most popular tool is probably GnuPG, which comes with just about every Linux distribution. Note that all of these tools encrypt data once the system has booted and the OS is operating. If the system has been compromised, then your encryption may be pointless because the attacker can “sniff,” or log, your passcodes and decrypt your files.

In this article, I focus on encrypting directories and filesystems. Several ways to encrypt filesystems or partitions are at hand; consequently, this article isn’t intended to be an exhaustive listing of options or a how-to on the various options. Rather, it’s intended to whet your appetite, so you can explore the details of the various options yourself. As with all new topics around data and storage, be sure to back up your data before trying something new.

Encrypting Directories or Filesystems

The process of encrypting a directory tree or a filesystem does not focus on the underlying block device(s). This approach is good if you only want to encrypt certain portions of your tree, such as everything in /home or /home/laytonjb/Music (so no one can see my David Hasselhoff music files). This means you also don’t encrypt the OS filesystem, which is a reasonable place to start with data encryption.

Wikipedia is perhaps not the most authoritative source of information about cryptography or encrypted filesystems, but you can find a simple list of encryption filesystems there that, although incomplete, provides a starting point.

I divide filesystem encryption options into two parts. First, I discuss “stacked” filesystems, sometimes also called meta-filesystems. Stacked filesystems are the typical target for software encryption of directories or filesystems.

Related content

  • Safe Files

    Encrypting your data is becoming increasingly important, but you don’t always have to use an encrypted filesystem. Sometimes just encrypting files is enough.

  • Sharing Data with SSHFS

    Sharing data saves space, reduces data skew, and improves data management. We look at the SSHFS shared filesystem, put it through some performance tests, and show you how to tune it.

  • Shared Storage with NFS and SSHFS
    HPC systems require shared filesystems to function effectively. Two really good choices for both small and large systems are NFS and SSHFS.
  • Shared Storage with NFS and SSHFS

    HPC systems require shared filesystems to function effectively. Two really good choices for both small and large systems are NFS and SSHFS.

  • Combining Directories on a Single Mountpoint

    With some simple tuning, SSHFS performance is comparable to NFS almost across the board. In an effort to get even more performance from SSHFS, we examine SSHFS-MUX, which allows you to combine directories from multiple servers into a single mountpoint.

comments powered by Disqus