1. Overview

In this tutorial, we’ll take a look at the different tools we can use to encrypt and decrypt directories and their contents in Linux.

2. gpgtar

gpgtar is a tool that offers encryption and decryption of a directory in Linux. It encrypts a directory by first archiving it. Then, it encrypts the archive using the gpg command.

2.1. Installation

To get the gpgtar binary, we can install gnupg-utils in Debian based Linux such as Ubuntu with apt-get:

$ apt-get install -y gnupg-utils

Then, we can verify that the gpgtar command has been installed successfully:

$ gpgtar --version
gpgtar (GnuPG) 2.2.19

2.2. General Syntax

Let’s look at the general syntax for the gpgtar command:

gpgtar [options] directory

The options are a list of flags, which we can specify to change the gpgtar command’s behavior. Then, the command accepts one or more directory paths for encryption.

2.3. Encrypting Directory Using Symmetric Key

To ease our demonstration, let’s create a directory top-secret:

$ mkdir top-secret

In that directory, we’ll create a text file secret.txt:

$ echo "this is a secret" > top-secret/secret.txt

Then, let’s encrypt the directory top-secret with gpgtar using a symmetric key:

$ gpgtar --encrypt --symmetric --output top-secret.gpg --gpg-args="--passphrase=top-secret-passphrase --batch" top-secret

Let’s breakdown the command and look at the functionality of each flag.

Firstly, the flag –encrypt instructs gpgtar to encrypts the directory top-secret. Then, the flag –symmetric specifies that the encryption should be carried out using the symmetric key algorithm.

By default, the underlying gpg command will prompt for a passphrase for symmetric key encryptions. To specify the passphrase inline, we pass it using the flag –passphrase. Additionally, the flag –batch is needed to suppress the prompts. Since both –passphrase and –batch flags are actually gpg options, we’ll need to put it into the flag –gpg-args.

Finally, we save the encrypted archive as top-secret.gpg with the flag –output.

2.4. Listing Encrypted Directory

To list an encrypted directory, we can use gpgtar with the flag –list-archive:

$ gpgtar --list-archive --gpg-args "--passphrase=top-secret-passphrase --batch" top-secret.gpg
gpgtar: gpg: AES256 encrypted data
gpgtar: gpg: encrypted with 1 passphrase
drwxrwxr-x 0 1000/1000            0 2021-01-16 07:11:55 top-secret
-rw-rw-r-- 0 1000/1000            9 2021-01-16 07:11:55 top-secret/secret.txt

As we can see from the output, the command simply lists the directory structure of the encrypted archive. This is a convenient feature when we want to peek at an archive without decrypting it explicitly.

Similarly, we’ve supplied the same set of gpg options using the flag –gpg-args to prevent the interactive prompt.

2.5. Decrypting an Encrypted Directory

Using the same tool, we can decrypt an archive:

$ mkdir decrypted
$ gpgtar --decrypt --directory decrypted --gpg-args "--passphrase=top-secret-passphrase --batch" top-secret.gpg
gpgtar: gpg: AES256 encrypted data
gpgtar: gpg: encrypted with 1 passphrase

Firstly, we’ll need to create a directory to put the decrypted contents. Then, we invoke the gpgtar command with the flag –decrypt to decrypt the archive.

3. encfs

encfs is a tool that provides directory encryption on a filesystem level through an encrypted virtual filesystem. It creates an encrypted filesystem using a pair of directories: an unencrypted directory and an encrypted directory. The unencrypted directory serves as the virtual mount to the encrypted directory.

Behind the scene, encfs encrypt any files in the unencrypted directory. Then, it stores the encrypted files into the encrypted directory. This process happens continuously until the directory has been unmounted.

3.1. Installation

We can install encfs using apt-get:

$ apt-get install -y encfs

Similarly, the same installation can be performed using yum:

$ yum install -y encfs

3.2. General Syntax

Let’s look at the general syntax of encfs:

encfs [options] rootdir mountPoint [-- [Fuse Mount Options]]

The rootdir argument refers to the directory that contains the encrypted files. On the other hand, mountPoint is the directory that contains the unencrypted files. Following our terminology, the rootdir is referring to the encrypted directory, whereas mountPoint is the unencrypted directory.

Additionally, encfs also accepts a list of Fuse Mount Options. These are the options that will be passed to the underlying FUSE command during the mount creation.

3.3. Creating Encrypted Virtual Filesystem

Firstly, we’ll create 2 directories, unencrypted and encrypted.

$ mkdir -p ~/unencrypted
$ mkdir -p ~/encrypted

Then, we can create an encrypted virtual filesystem using encfs:

$ echo "password" | encfs --standard --stdinpass ~/encrypted ~/unencrypted

The command above creates a virtual encrypted filesystem using the encrypted and unencrypted directories pair. Additionally, the flag –standard has been specified to select the standard configuration. To prevent the interactive prompt for the password, the flag –stdinpass has been applied to accept the piped string “password” as the passphrase to this encrypted filesystem.

After executing the command, the encrypted virtual filesystem will be created and mounted onto the path ~/unencrypted.

To demonstrate the capability of encfs, let’s create a file top-secret.txt in the unencrypted folder:

$ cd unencrypted
$ echo "this is a top secret" > top-secret.txt

Then, we can see in the encrypted directory. There’s now a new file with a scrambled name:

$ cd ../encrypted
$ ls
P2DASe2BjMlRWzPBc-XrtKoQ
$ cat P2DASe2BjMlRWzPBc-XrtKoQ
O?+?3?

As expected, the filename and the content of top-secret.txt in the folder unencrypted has been encrypted.

As we can see, encfs automatically encrypt the file and store it in the other directory. This is a convenient feature when we are handling a directory with active updates.  Once mounted, any subsequent writes do not require another command invocation to encrypt the new contents.

3.4. Unmounting

Once we’re done interacting, we’ll need to unmount it. This step is important to prevent users without the password from accessing the unencrypted files.

Let’s unmount the encrypted directory with fusermount:

$ fusermount -u ~/unencrypted

After running the command, we can check that the folder unencrypted is now empty:

$ ls -l ~/unencrypted
total 0

Whereas the encrypted folder still contains the encrypted file:

$ ls -l encrypted
total 4
-rw-r--r-- 1 root root 29 Jan 16 13:17 P2DASe2BjMlRWzPBc-XrtKoQ

3.5. Remounting

To decrypt the files in the encrypted folder, we’ll need to remount the encrypted directory using encfs:

$ echo "password" | encfs --stdinpass ~/encrypted ~/unencrypted

When we remount the encrypted directory, we’ll be prompted for a password by default. This password is the one we’ve entered when we create the encrypted filesystem. Using the flag –stdinpass, we can make encfs to read the password from the standard input stream.

After we’ve remounted the directory, we’ll now see the unencrypted file in the unencrypted folder:

$ ls -l unencrypted
total 4
-rw-r--r-- 1 root root 21 Jan 16 13:17 top-secret.txt

4. Conclusion

In this article, we’ve looked at the different command-line tools to encrypt and decrypt directories in Linux.

We’ve started out with the gpgtar. It is a tool that first archives a directory and then encrypts it.

Finally, we’ve also looked at encfs, which creates a virtual encrypted filesystem. Contrary to gpgtarencfs mount a virtual filesystem on top of the encrypted folder. Then, it performs the encryption transparently.