Simple and de-facto way to encrypt files and directories in Linux

sapporo@sopuli.xyz to Programming@programming.dev – 22 points –

Namely, de-facto, or one of, in Linux. Mature. No GUI. Open-source and free.

What is it? GPG or anything else?

For a separate file(s), or directory(ies), and not for the entire disk or partition.

12

If you use ext4 or other filesystem that supports fscrypt, you can use fscrypt to encrypt specific directories.

There's also gocryptfs for a fuse-based userspace implementation.

ZFS has built-in encryption: https://klarasystems.com/articles/openzfs-native-encryption/

I don't want to encypt them in-place because I'll be uploading them onto a server, copying them on an external drive.

I've been using gocryptfs now for a few years and it works fine as you describe.

You initiate the encrypted folder, set up automatic backups for it. Then whenever you want to access it you mount it into another folder.

There is a distinction here between the permanently encrypted folder that you can upload backup whatever, and your temporary mount, unencrypted folder.

If you're alright with the rare conflicts to fix yourself something like syncthing works well for this setup even across computers.

If you want per-directory encryption, there are several options. This front-end project lists a bunch of them in its Supported Backends section.

(Full disk encryption does have a single conventional answer: LUKS. Many distros offer to set this up at install time.)

You're posting in a programming community, though, not a linux help community. Are you looking for a library for use in software you're writing?

"I don’t want to encypt them in-place because I’ll be uploading them onto a server, copying them on an external drive."

Describe your use case.

  1. backups, non-incremental ones
  2. prevent others from viewing information that may be sensitive
  3. encrypted files and directories will then be copied over to external drives and third-party servers

https://github.com/HACKERALERT/Picocrypt

re-read my question carefully

Sorry I'm not sure I understand what it is you think I'm missing. It's FOSS, works on Linux, has a CLI, works for both files and directories... please enlighten me what I got wrong?

It's got CLI too - alright. But is it any de-facto, mature, well-known, widely used? What gurantees that it's as secure as openssl or gpg? It might have plenty of bugs and vulnerabilies.