I am looking for a good local-only folder encryption tool.
I took a look at VeraCrypt, but… I tried to find a Linux install guide, but I can’t find one.
Official one for Microsoft (evil corp): https://www.veracrypt.fr/en/Beginner%27s%20Tutorial.html
I run Linux Mint 22 Xia
Secondly, how secure is VC really? I need to store some really important information (journalism) and in my situation it MUST be encrypted and treated as highly classified information. It is really important.
I am a journalist, so this is highly important.
Also… I read somewhere that VC supports cipher cascading. Is it true?
I really don’t have time to try everything myself, because if I mess something up, I will be in a whole ocean of trouble.
I would encrypt the entire disk using LUKS. This prevents an attacker from accessing files in, say, the /tmp folder as well as the folder you originally wanted to encrypt. Many programs use the /tmp folder (or another folder outside of your encrypted folder) to temporarily write a file, then when you save it the file in /tmp is deleted (but can be recovered).
A guide to LUKS Disk Encryption in a Linux Environment
I’ve found no performance degradation from using this on my laptop. Just choose a strong password you can remember.
The Arch Linux: VeraCrypt wiki page is comprehensive, and most of the information is relevant for all Linux distributions, not just Arch.
You basically have two options - block level or file level encryption, and software comes down to those two options.
Before giving options or recommending anything, I’d ask you what threat vectors you want to prevent or mitigate by using encryption?
Examples:
Theft / loss of a device - Is it likely that the entire device or the HDD/SSD from the device may be stolen or lost? Perhaps you might need to RMA the entire device or storage if it breaks.
Unattended attack / Evil maid attack - You leave your device unattended in your home, place of work, coffee shop, in a car, and someone is able to attach a hardware keylogger, dump the memory with a PCIe DMA device, and/or clone the SSD.
Remote access - You accidentally have file sharing running open to the network and someone can connect, or brute-force an account password to access.
Local malware - A program running as your user account runs in the background unnoticed, can access any file that your user can access, and access any network services that your user can access (to upload your files and activity).
Local rootkit - Like local malware, except for the entire system, and it can hide itself by modifying the kernel. Potentially can modify the kernel on disk before it loads so detection from the running kernel is impossible without secure boot/attestation.
As the OP is a journalist, this is the most likely situation. The local government may wish to gain access to the computer. Sometimes they will clone the device; other times they may install (probably) a UEFI trojan, as that will be all they have access to (possibly the EFI partition as well, as it’s FAT32), then give it back, with the intention of seizing it again at a later point.
Any device in this situation should be treated as tainted, and all drives should be securely wiped. Do not use the BIOS option (remember, a possible UEFI trojan can fake this) to wipe the drive; use a Linux live CD to do that. The device should then be discarded.
Use something along the lines of nwipe or shred to do the job.
Edit:
I am not an expert in this field; someone else may have a better idea.
It is mounted into RAM. In fstab it shows as “tmpfs”.
Thanks!
That’s one thing… But you see, firstly, the system is already set up. And I have no time these weeks to reset everything from scratch.
Secondly, I think I will have a whole new pile of trouble if something goes wrong in an FDE system, as there will be no way to copy data using, for example, a live disk.
Another option that’s quick and easy relative to disk-based encryption is 7-zip. Encrypted 7-zip archives use 256-bit AES, so the weak point will likely be your password.
If data being encrypted is important then FDE is the way.
It doesn’t matter if you don’t have time to convert your install, the answer is still FDE.
If something does go wrong with an FDE system you can generally mount it from a live disk and copy the data out. It is possible that you hosed something making the encrypted data unreadable, but that’s also true of any dir encryption.
You could opt to encrypt only parts of the system (/home, /var, swap), but it’s easy to miss places where your data can end up (e.g. /opt, /root).
Tools like 7zip (if the encryption is robust) don’t really help either. If I have my sensitive/ folder and turn it into encrypted_sensitive.7zip it’s too late, the sensitive files were already written to disk.
People may try to mitigate this with tools like shred(1), but as the man page says, it has uncertain effectiveness on log-structured or journaled file systems. Making this worse is the ubiquity of flash storage and the flash translation layer, which further erodes the premise of tools like shred - that overwrites are in place.
If you want to leave your current install alone, you have other options:
Install your distro with FDE to a USB/external drive and use that
Boot off a live USB and persist data between sessions manually to some other encrypted media
Lastly, don’t bother with VeraCrypt’s cipher cascades. Just use regular old cryptsetup/LUKS with AES like all the major distros do.
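
To see which of the locations named in this thread (/tmp, /home, /var, /opt, /root, swap) actually sit on an encrypted device, the following added example (not part of any post above) walks the JSON tree printed by `lsblk -J -o NAME,TYPE,MOUNTPOINTS` together with /proc/mounts. The sample inputs are constructed and the function names are hypothetical.

```python
import json

# Constructed sample shaped like `lsblk -J -o NAME,TYPE,MOUNTPOINTS` output:
# only /home sits on a LUKS ("crypt") mapping; root and swap are plain.
SAMPLE_LSBLK = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoints": [null], "children": [
    {"name": "sda1", "type": "part", "mountpoints": ["/boot/efi"]},
    {"name": "sda2", "type": "part", "mountpoints": ["/"]},
    {"name": "sda3", "type": "part", "mountpoints": ["[SWAP]"]},
    {"name": "sda4", "type": "part", "mountpoints": [null], "children": [
      {"name": "home_crypt", "type": "crypt", "mountpoints": ["/home"]}]}]}]}
""")
# Constructed /proc/mounts excerpt: /tmp is tmpfs, as described in the thread.
SAMPLE_MOUNTS = "tmpfs /tmp tmpfs rw,nosuid,nodev 0 0\n/dev/sda2 / ext4 rw 0 0\n"

# Locations the thread names as places sensitive data can end up.
PATHS = ["/home", "/tmp", "/var", "/opt", "/root"]

def block_mounts(devices, encrypted=False):
    """Yield (mountpoint, on_crypt) for each mounted node of the lsblk tree."""
    for dev in devices:
        enc = encrypted or dev.get("type") == "crypt"
        for mp in dev.get("mountpoints") or []:
            if mp:
                yield mp, enc
        yield from block_mounts(dev.get("children", []), enc)

def audit(lsblk, proc_mounts):
    """Map each path in PATHS (plus swap) to the status of its backing store."""
    table, swap = {}, "none"
    for mp, enc in block_mounts(lsblk["blockdevices"]):
        status = "encrypted" if enc else "plaintext"
        if mp == "[SWAP]":  # any plaintext swap device taints the result
            swap = "plaintext" if "plaintext" in (swap, status) else status
        else:
            table[mp] = status
    for line in proc_mounts.splitlines():
        f = line.split()
        if len(f) > 2 and f[2] == "tmpfs":
            # tmpfs pages live in RAM but can be paged out to swap.
            table[f[1]] = "tmpfs, plaintext swap" if swap == "plaintext" else "tmpfs"
    report = {"swap": swap}
    for path in PATHS:  # the longest mountpoint containing the path wins
        covering = [m for m in table if (path + "/").startswith(m.rstrip("/") + "/")]
        report[path] = table[max(covering, key=len)] if covering else "unknown"
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_LSBLK, SAMPLE_MOUNTS))
```

On a real system, pass the parsed lsblk JSON and the text of /proc/mounts in place of the samples.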