
I have some financial files (like old tax returns) on my computer that I seldom access and would like to have an extra layer of confidentiality for, so I was looking into how I could easily have an effective separately-encrypted folder for those on my system.

Obviously I could create a separate dm-crypt partition, but since it's probably a small number of files and the total volume I want long term is not very well known (e.g. I might also want to add things like images of important official documents), that doesn't seem like the ideal solution. It seemed like maybe ecryptfs could be the way to go, but I know the use of that for encrypted home directories was deprecated by a while ago and looking at Launchpad it sort of seems abandoned (the last recent revision listed is from 2017). Does anybody know the status or have a better suggestion?

code.launchpad.net/~ecryptfs/e

A couple of addenda:

1. It does seem like Synology actively uses eCryptFS for encrypted folders, so maybe it is not as abandoned as it looked.
2. I also saw discussion of EncFS, but there also seemed to be indications that that was abandoned.
3. I'm viewing this as separate from the issue of encrypting the entire partition with all my files, because the point is to have these files encrypted with a separate passphrase. Since they seldom need to be accessed, this will hopefully add a bit more confidentiality. For the same reason, performance isn't much of a concern.
4. I realize that the data may still sometimes be present in swap, but again if the assumption is that access is infrequent this is at least only rarely the case.
5. I know that for specific file types or certain applications there may be a mechanism for password protection or similar measures, but I figured it made sense to just have a generic solution for arbitrary files.

@frankie That's true. I was aware of Cryptomator but had it in my mind as "for cloud storage" so it didn't come to mind as an option here. I'll have to consider it.

@internic
I'm very happy with gocryptfs.
Functions like encfs but is under active development, as far as I know.

@dexternemrod Looks interesting, but maybe also pretty new (just based on a quick glance at Gitlab). Sounds technically promising, with the standard use of authenticated encryption. Is it widely used?

@internic
100% of my computers use it 😄

Nah serious, can't tell if the general usage already counts as battle tested. What I like is that it is compatible with DroidFS so I can sync the encrypted folders and use them also on my phone.

@internic
Easiest might be to put them all in a folder, then in Nemo right-click the folder and select Compress... Select a compression type of .7z and you get options for a password, and also an option to encrypt the enclosed index. I don't think you can hide the file sizes though.

@internic Another option would be to use good old gnupg. It uses standardized algorithms and protocols, has been thoroughly reviewed and is battle tested. You can be sure to be able to decrypt the files in ten or twenty years.

@taak Yeah, gnupg is what I've used for individual files, but it would be better to have something that operates on a directory hierarchy rather than individual files (and I'd prefer not having to involve tarballs or zip archives).

I think so long as the tool is open source and relatively widely used I'm not too worried about being able to open the files later. But that's a good general point.

@internic I see. You could create a separate encrypted partition and set it up so that it's not automatically mounted on boot. Mount it, enter the passphrase, add your files, unmount - done. You could then even back it up using dd into an image file.
