Learn about Linux
Download Linux
Get Linux helpSpecial Offers
Feature: Security
Enhance security with file encryption tools
Share
Print
CommentsMost of these tools are command-line only, but they are so simple that even the most CLI-challenged newbie should be able to use them with little effort. All are highly portable, small in size, and have few or no library dependencies.
Bcrypt
I always carry Bcrypt on my pendrive. It's a basic application that's dead simple to use. Once installed, all you need to do is type bcrypt at the command prompt, followed by the file(s) you want to encrypt. Bcrypt will ask you to supply a password. That's it. Upon encryption, Bcrypt adds the extension .bfe to the file. The same command is used to decrypt the file; it checks the extension of the file to see if it needs to be encrypted or decrypted.
Bcrypt uses the Blowfish algorithm. Passphrases, as usual, must be between 8 and 56 characters, and are hashed internally to a 448-bit key for added security. By default, when encrypting a file, the original will be deleted and overwritten three times, to foil any recovery attempts. You can increase or decrease that number.
Its lack of flexibility and options might make this program an improbable first choice in one's encryption arsenal, but its simplicity is a virtue. According to the project's Web site, Bcrypt compiles on Linux and *BSD, and there's also a Windows version; but the site hasn't been updated, it seems, for years.
Ncrypt
Ncrypt is another simple file encryptor/decryptor. You can choose to work with one of the three algorithms that made it as the final candidates for AES (Advanced Encryption Standard): Rijndael, Twofish, and Serpent. The developers have paid special attention to password-generation security: among other things, when a plaintext password is created for encrypting a file, it's converted to a SHA-1 hash, and immediately wiped from memory. The hash is then used to make a key, and is also wiped from memory.
Ncrypt has versions available for Unix and Windows. Using it is straightforward: issue the ncrypt command at the command prompt, with options specifying the encryption algorithm, whether you want to encrypt, decrypt, or wipe a file, and the input and output files. The original file is wiped from the disk; Ncrypt also has a useful wipe-only function that allows you to securely delete any file.
Pad
Pad differs from Bcrypt and Ncrypt in that it uses one-time pad encryption. A file is broken into two or more separate "pads," "each indistinguishable from white noise." The two files, apparently just filled with harmless random data, can then be reassembled whenever the user wishes to.
OTP has a lot of history behind it. It is said to be, theoretically, the only really unbreakable encryption method there is. But it has several practical weaknesses: each pad can only be used once, pads must be generated with truly random data (a much more difficult task than it seems), and it is susceptible to man-in-the-middle attacks. As such, it isn't recommended for general day-to-day encryption tasks. However, there is a public field of action where it can prove valuable: free speech enforcement. For instance, if someone wants to freely distribute a file that might land him in trouble with authorities, he can break the file with Pad, store the two (or more) parts on different systems, and tell users where to get them and how to reassemble the original file.
GnuPG
For most folks, GnuPG will be the obvious choice for open source file encryption. Some distros even come with it pre-installed. Quoting its FAQ, "GnuPG stands for GNU Privacy Guard and is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC 2440. As such, it is aimed to be compatible with PGP from NAI, Inc."
To encrypt files, Bcrypt, Ncrypt, and many other encryption programs use symmetrical ciphers. GnuPG, like PGP, uses public key ciphers, although it supports symmetrical encryption as well. Public key encryption makes it easier to encrypt and sign multiple files on a regular basis, and exchange them with other users, among other advantages. For a good overview of what symmetrical and public key ciphers are and how they work, consult chapter 2 of the GnuPG Handbook, and section 7.1 of its FAQ
GnuPG can be used exclusively as a command-line tool; it has a wealth of features and can satisfy even demanding users. But it also has some very good front ends available. The one I use is KGpg, which integrates with KDE, making some of my routine encryption tasks much easier. For instance, the other tools I've mentioned can encrypt files, but not directories. You can encrypt all the files inside a directory, or create a .tar.gz or .zip file containing the contents of the directory, and then encrypt it. With KGpg, I just double-click on a folder and tell the program to archive and encrypt it in one go. KGpg also allows you to create a "shredder" on the desktop that securely deletes any file that you drop on it (but not directories). It's very handy, although I advise you to read the authors' security note about shredding. KGpg's ease of use is excellent; the learning curve will be short even for computer-challenged users.
GnuPG's development pace is steady, and it supports many operating systems. It compiles on most Unices, and Gpg4Win provides a port for Windows. Support for mail encryption on Unix systems is also solid: consult section 4.15 of the GnuPG FAQ for a list of mail clients that provide integration with GnuPG (sadly, you'll notice that full support for the OpenPGP standard in Windows is scarce). For more email tools, check project Aegypten
For more information about encryption, two good starting points are the corresponding Wikipedia article and the Cryptography FAQ.
Rui Lopes is a Portuguese Web designer and independent filmmaker, with a wide range of interests in the technology field.
Rui Lopes is a Portuguese Web designer and filmmaker who has a wide range of interests in the technology field.
Comments
on Enhance security with file encryption toolsNote: Comments are owned by the poster. We are not responsible for their content.
<a href="http://feraga.com/node/51" title="feraga.com">http://feraga.com/node/51</a feraga.com>
<a href="http://www.debian-administration.org/articles/506" title="debian-adm...ration.org">http://www.debian-administration.org/articles/506</a debian-adm...ration.org>
The tools install support for kernels up to 2.6.19 as of 2007-03-13. The install is pretty impressive:
# truecrypt-dpkg --auto --install
<nobr> <wbr></nobr>... and truecrypt gets installed. That's what I call some piece of software packaging.
Um, not quite. Overwriting a file (using the same data blocks) isn't the same as truncating that file, then appending to it (using possibly different data blocks).
Depending on the type of journaling used, multiple overwrites will result in redundant journal records. By the time the JBD or equivalent kernel thread commits the journal records, any redundant records (multiple writes to the same data block) are coalesced into a single write, with only the last record being the one actually committed. However, if the inode is unlinked before its journal records are committed, then the records are simply ignored (esp. with out-of-order journaling, as in "data=writeback" for Ext3). Freeing a data block suggests discarding from the journal any pending writes for that block.
But you are right to say it's a total waste of time. Garbage data intended to overwrite file data ends up in the bit bucket instead.
<a href="http://luks.endorphin.org/" title="endorphin.org">http://luks.endorphin.org/</a endorphin.org>
Why encrypt files individually, when you can encrypt a whole volume?
Full-disk encryption and file-system with built-in encryption sounds interesting too.
The working is the same.
Try it.
<a href="http://ccrypt.sourceforge.net/" title="sourceforge.net">http://ccrypt.sourceforge.net/</a sourceforge.net>
You should study more so you won't mislead others.
Enhance security with file encryption tools
Posted by: Anonymous [ip: 66.195.137.2] on October 23, 2007 10:34 PMEnhance security with file encryption tools
Posted by: Anonymous [ip: 76.189.219.239] on December 17, 2007 10:19 PMCyberscrub is good for Windows. Not sure what is a good linux equivalent. It doesn't matter if it is a journaling fs or not. Some trace evidence about the file MAY be left behind, depending on the efficacy of the software you use, but the file and its contents will be gone for good.
What About...
Posted by: Anonymous Coward on February 08, 2007 11:35 PMI find it strange that there is no mention of <a href="http://www.truecrypt.org/" title="truecrypt.org">TrueCrypt</a truecrypt.org>. While not intended for email use (TrueCrypt files could still be emailed), TrueCrypt is one of the best tools for portable encryption. It supports a ridiculous amount of encryption schemes including AES, Blowfish, CAST5, Serpent, Triple DES, Twofish, Cascades and possibly more. It is supported on most platforms including Linux and Windows and works really well.
I'm suprised that it wasn't mentioned in the article, at least for comparison purposes.
Also, a note on the "wiping" of files that was mentioned as a feature of some of the programs in the article. It should be noted that on most modern file systems, this technique does not work! File systems where wiping and scrubbing of individual files and directories WILL NOT WORK include NTFS, NSS, ext3, JFS, ReiserFS, XFS and probably more. On these file systems, a triple wipe will simply result in an unlinked original file and three more unlinked files containing garbage. A total waste of time.
#