Laptop Data Security
Author: Martin Andrews (@mdda123)
This should be a no-brainer for anyone carrying anything important around on a laptop.
IMHO, relying on a user password (like a login password) is not a great idea, since anyone with physical access to the disk can get to your data easily. OTOH, using disk encryption seems like overkill - since if you want to hand your laptop to someone for a little web browsing, you shouldn't have to reveal all the 'secrets' to do so.
EncFS (available on Linux) is a great way to secure files, and has the advantage (over using a Truecrypt volume, for instance) that the encrypted files are stored as individual files on a regular filesystem, meaning:
- that the secure files can be backed up using rsync (i.e. the whole volume image doesn't need to be backed up, although I recognize that Truecrypt backs up fairly cleanly)
- the disk space allocated to the secure files doesn't have to be guessed ahead of time: the secure files simply take the disk space necessary
Packages required (and a fix-up), run as root:
yum install fuse-encfs
echo "user_allow_other" >> /etc/fuse.conf
The fix-up above is required so that other users are able to read the 'plain' files (useful if you're running a webserver serving files within the plain files, where the webserver is running under a different user account). It also means the decrypted view is reachable by other local accounts while the volume is mounted.
To set up encrypted folders, create two directories (under ~, for simplicity): the hidden one (~/.Secure) holds the secret files in encrypted form, and the plain one (~/Secure) shows them decrypted on demand once the password has been accepted. Use the following command (standard usage is to enter a 'blank line' at the options prompt, and then a fairly non-intuitive password):
encfs ~/.Secure ~/Secure
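To make it easy to use, the following 'mount' script can be saved to ~/Desktop/S-mount:
#!/bin/bash
# Mount the EncFS volume, prompting for the password with a zenity dialog.
# ~/Secure/.exists is a marker file kept inside the encrypted volume, so it is
# only visible while the volume is mounted (create it once, while mounted).
DIALOGTEXT="Enter the Secure EncFS Password"
if [ -e ~/Secure/.exists ]; then
    zenity --error --text='EncFS directory is already mounted'
    exit 1
fi
# allow_other relies on user_allow_other being set in /etc/fuse.conf
encfs \
    -o allow_other \
    --extpass="zenity --title 'EncFS Password' --entry --hide-text --text '$DIALOGTEXT'" \
    ~/.Secure/ ~/Secure/
# The marker file is visible only if the mount succeeded
if [ -e ~/Secure/.exists ]; then
    zenity --info --text='Directory Mounted'
else
    zenity --error --text='Incorrect password'
fi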
And the following 'un-mount' script can be saved to ~/Desktop/S-umount:
#!/bin/bash
# Unmount the EncFS volume if the marker file shows that it is mounted.
if [ -e ~/Secure/.exists ]; then
    fusermount -u ~/Secure
    zenity --info --text='EncFS directory un-mounted successfully'
else
    zenity --error --text='EncFS directory not mounted'
fi
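Both scripts above infer the mount state from the ~/Secure/.exists marker file, so a missing marker looks the same as a wrong password. The following is an added example (not part of the original post) that goes a step further and reads the state from the kernel mount table, also reporting whether allow_other is active. The function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: read the mount state from the kernel mount table rather than
# from a marker file inside the volume.

# Constructed sample in /proc/mounts format (not captured from a real machine).
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
encfs /home/user/Secure fuse.encfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,allow_other 0 0
encfs /home/user/My\040Docs fuse.encfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0'

# encfs_mount_opts MOUNTPOINT   (mount table on stdin)
# Prints the mount options and returns 0 if MOUNTPOINT is a fuse.encfs mount.
encfs_mount_opts() {
    target=${1%/}                      # tolerate a trailing slash
    [ -n "$target" ] || target=/
    while read -r _dev mnt fstype opts _rest; do
        mnt=$(printf '%b' "$mnt")      # the table writes a space as \040
        if [ "$mnt" = "$target" ] && [ "$fstype" = "fuse.encfs" ]; then
            printf '%s\n' "$opts"
            return 0
        fi
    done
    return 1
}

# encfs_state MOUNTPOINT   (mount table on stdin)
# Prints: unmounted | mounted | mounted-allow_other
encfs_state() {
    if opts=$(encfs_mount_opts "$1"); then
        case ",$opts," in
            *,allow_other,*) echo "mounted-allow_other" ;;
            *)               echo "mounted" ;;
        esac
    else
        echo "unmounted"
    fi
}

# Demo on the constructed sample; on a live system use:
#   encfs_state ~/Secure < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | encfs_state /home/user/Secure/
```

A "mounted-allow_other" result is the state in which other local accounts can reach the decrypted files, which makes it a useful thing to check before handing the laptop to someone else.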
PS: There's an attractive alternative to this, 'cryptkeeper', which is a tray-icon system that can manage encfs volumes. I tried it, and preferred to do it 'long hand'. But then I'm also trying to get things consistent across several different machines... YMMV.