Published on

Laptop Data Security


This should be a no-brainer for anyone carrying anything important around on a laptop.

IMHO, relying on a user password (like a login password) is not a great idea, since anyone with physical access to the disk can get to your data easily. OTOH, using disk encryption seems like overkill - since if you want to hand your laptop to someone for a little web browsing, you shouldn't have to reveal all the 'secrets' to do so.

EncFS (available on Linux) is a great way to secure files - and has the advantage (over using a Truecrypt volume, for instance) that the files are stored as files on a regular - meaning :

that the secure files can be backed up using rsync (i.e. the whole volume image doesn't need to be backed up - although I recognize that Truecrypt backs up fairly cleanly)

the diskspace allocated to the secure files doesn't have to be guessed ahead of time : the secure files simply take the disk space necessary

Packages required (and a fix-up):

yum install fuse-encfs
echo "user_allow_other" > /etc/fuse.conf

The fix-up above is required so that other users are able to read the 'plain' files (useful if you're running a webserver serving files within the plain files, where the webserver is running as a non-user).

To set up encrypted folders, simply create two directories (under ~, for simplicity) the hidden one being the secret files encrypted, the plain one being created on-demand when the password is Ok. Use the following command (standard usage is a 'blank line' for the options, and a fairly non-intuitive password) :

encfs ~/.Secure ~/Secure

To make it easy to use, the following 'mount' script can be saved to ~/Desktop/S-mount :

DIALOGTEXT="Enter the Secure EncFS Password"

if [ -e ~/Secure/.exists ]; then
 zenity --error --text='EncFS directory is already mounted'

encfs \
 -o allow_other \
 --extpass="zenity --title 'EncFS Password' --entry --hide-text --text '$DIALOGTEXT'" \
 ~/.Secure/ ~/Secure/

if [ -e ~/Secure/.exists ]; then
 A='A' # Do nothing
 zenity --info --text='Directory Mounted'
 zenity --error --text='Incorrect password'

And the following 'un-mount' script can be saved to ~/Desktop/S-umount :


if [ -e ~/Secure/.exists ]; then
 fusermount -u ~/Secure
 zenity --info --text='EncFS directory un-mounted successfully'
 zenity --error --text='EncFS directory not mounted'

PS: There's an attractive alternative to this 'cryptkeeper', which is a tray-icon system that can manage encfs volumes. I tried it, and preferred to do it 'long hand'. But then I'm also trying to get things consistent across several different machines... YMMV.