Since I’ve been spending more time with Linux, and even covered whether you might want to switch to it in a post, I thought I’d write down some of the basics about encryption with Linux. My thought was to cover a few key aspects:
- Whole disk encryption for your system disk
- Encrypting an SD card or USB thumb drive
- Encrypting a single file
If you are not familiar with these topics or if you think encryption is overkill, then maybe I can sell you on the opposing viewpoint of that too!
Perhaps you think “I’m not some secret spy or hacker, why should I bother?” My short answer to that is that electronically, just about nothing is safe, and you – and innocent person, have a lot of valuable data and access.
Nothing is safe: what I’ve learned in my career is just about nothing in the computing world is truly secure. There is always SOME way to get to the data. You likely feel safe with your data because no one has gone-after it. If someone ever did try though, that’s when you’d find out: nothing is safe!
Valuable data: let’s say you come home from work one day and your house was burglarized. You see your laptop has been stolen. Your laptop had your finances.xls file, your tax returns (which included your name, address, DOB, and SSN), and maybe a splash of something awkward or embarrassing. If you did not use encryption, someone out there has unfettered access to your data.
Valuable access: in that same scenario where your unencrypted laptop was stolen, chances are your e-mail is probably set up too, right? What can you do with an e-mail address? This person can first, go change the password of your e-mail account. Then, they can systematically do a “password reset” with every bank and credit card company. As you know, those companies send you a password reset e-mail; an e-mail that you won’t have access to, and the thief does. Now this person has unfettered access to ALL of your bank and credit card sites. They can order a replacement card, add an authorized user, transfer money, etc.
This is just one scenario, where your simple, innocent laptop was stolen. Hopefully though, you see the significance – the life-changing impact – of encrypting your hard drive. If you just take this one step, that will make it significantly more difficult for an attacker to glean any of your data or access.
Even beyond that though, for those who are American, this is defined in our Bill of Rights! The Founders thought that it was a basic, inherent, human right to be secure in your “papers and effects”. In modern day, that means your electronic data. So arguably, your default stance should be that everything is encrypted all the time, everywhere. This is in the same way that you protect physical things like your wallet or purse, or your money, right? This is the same concept, except electronically. In fact, thinking about it from this perspective, it almost seems crazy that MOST people’s default stance is: everything is UNencrypted all the time, everywhere!
Hopefully you are now sold on the idea of encrypting your data. On Linux, how do you do that? The first place to start is by encrypting your hard drive. By far, the easiest way to set up disk encryption for your hard drive, is during the installation of the operating system. Just about every modern distributions of Linux as the same for this. Here is the screen during the installation of Ubuntu:
and on the next screen you set the password:
Now, it bears underscoring that this should be a VERY good password. See this post for more details. I mean a password like Hwh4$%^p!15 which I remember with the phrase “Houston, we have a damn problem! (20)15”. The first letter of each word corresponds to a character in the password, and a curse word is replaced with special characters. Above, I replaced the “a” from “a problem” with a leetspeak “4” too. You can come up with your own scheme, but this password is the single biggest vulnerability of this security scheme. If your password can be guessed or cracked, then the encryption can be bypassed.
OK, so meanwhile, you install the operating system. When you reboot, you’ll see that the grub loader can’t read the drive until you unlock it with your super-secure password, so it prompts you:
Only then will the operating system continue to boot and you can then log in. Now, the test here would be what if your laptop was stolen, like the scenario above? Well, someone could try a bunch of passwords – which would never work. Next, they might pull the drive from the computer and load it into a 2nd computer; this way that you just attempt to read the drive data. However, the same problem exists – they must guess the password to get access to anything on the drive. Because this technique uses LUKS, they will be prompted for a password, just like before – there is no way around.
This sort of disk encryption uses AES-256, which is state-of-the-art at the moment. It should be completely impossible to break the algorithm, which means the only way in is via the password/key. So, as you can see – it’s all about the strength of that really-good password you picked before.
Encrypting an SD card or USB thumb drive:
SD cards and USB drives are easy, portable solutions for carrying your data. However, think of how vulnerable they are. What if you lost or dropped one of them while out walking to your car? What if someone steals one of these storage devices? If the data is unencrypted, it’s been completely compromised. Wouldn’t it be great if there was a nice simple way to make your SD card or USB thumb drive (or any other kind of storage device) encrypted?
Since there is this LUKS standard, there are a few utilities for this. In Ubuntu, I’m using the gnome-disks utility. Let’s start with an SD card. I plug it into the slot and it shows up in the utility:
I can now click the little “+” sign to create a new partition:
I choose to use LUKS and encrypt it – and again, I use a strong password. It will take a few minutes to format. Now, whenever you pop the SD card in, you will see a prompt like this:
even better, because this is at the Linux level (not something specific to Ubuntu), you can bring it to any other Linux machine that supports LUKS and it works similarly. So, you have an encrypted device that works and is unlockable on any Linux machine. If there is a downside, it’s that neither MacOS X nor Windows can read this file system though, never mind decrypt it – so it is for Linux-only.
Before you get outraged about this – both MacOS and Windows did the same thing. In Windows for example, they have their own proprietary technology called BitLocker, which only works on Windows.
Next, encrypting and using a USB thumb drive works exactly the same way! I plug it into a USB port and it shows up in the Disks utility:
I click the “+” to encrypt it:
and whenever I insert the USB thumb drive, I’m prompted for a password:
One little nice feature in Ubuntu is that in the main Unity dock on the left, it will show the icons for those devices – and a lock or unlock icon so you can tell at a glance if it’s locked or not:
Oh, and because these are portable storage devices, you really should “eject” them to ensure that all of the data has been written to the device. Notice the little up-arrow icon next to the “SD128GB” storage device – click that to “eject” it from the operating system:
Aside from that though, there isn’t anything else you need to do – the encryption and decryption is done automagically!
Encrypting a single file:
OK, so we now have our main hard drive encrypted, and all of our external/portable storage devices are encrypted now too. Those solve the problem of creating a secure container for files. What if you don’t have a secure container? What if you want to be able to encrypt a file – which you might e-mail to someone (who doesn’t use e-mail encryption), or burn to a DVD? How do you easily encrypt a single file?
In short, you can use “gpg” from the command-line. Now, gpg is a VERY involved application, so I am just going to stick to the basics here. To keep things as simple as possible, let’s say we want to encrypt a file with AES-256, here’s how you do that:
$ gpg -c --cipher-algo aes256 ./test.txt
that is assuming you wanted to encrypt “test.txt” in the current directory. You will be prompted for a password. The result will be the same file, but a a .gpg extension. So, you should now have a “test.txt.gpg” file – which is the encrypted version of your source file. The “-c” says to encrypt using a symmetric algorithm, and the “–cipher-algo” obviously sets the algorithm to be AES-256.
To decrypt, it’s even easier, you just pass it the file name and it figures out the rest:
$ gpg ./test.txt.gpg
You will be prompted for that same password. When you do, it will create (or prompt to overwrite) the original file name.
For example, I could encrypt a test.txt file on my computer with the password “apple123”, send you the resultant test.txt.pgp file – on your end, you would run the decrypt command and use “apple123” as the password and you would be able to access the contents of the file.
Hopefully this gives you an idea of the significance of encrypting everything, all of the time – and how to do it in Linux. As you can see, they’ve made it pretty simple and painless to use whole-disk encryption, to easily encrypt portable drives and storage media, and even to encrypt individual files.
As you might imagine, you could come up with all sorts of schemes and really leverage GPG for example, but just having encrypted drives does quite a bit to slow down your would-be attacker.