Encrypting and Decrypting files under Ubuntu
Encrypting files.
To encrypt a single file (or even multiple files) you can use 3 programs:
1. gpg – OpenPGP part of the GNU Privacy Guard
2. openssl – command line tool for using the various cryptography functions of OpenSSL’s crypto library from the shell.
3. mcrypt – a replacement for the old crypt program from Linux
There are probably other choices, but these three are the most used programs.
Today we will describe usage of mcrypt.
Using mcrypt
mcrypt is a replacement for the old crypt program from Linux. When mcrypt encrypts a file, it generates a new file with the .nc extension and mode 0600. mcrypt uses only symmetric algorithms for encryption.
Installing mcrypt
To install mcrypt just run:
    [root@randombugs]$ sudo apt-get install mcrypt
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following extra packages will be installed:
      libmcrypt4 libmhash2
    Suggested packages:
      libmcrypt-dev
    The following NEW packages will be installed:
      libmcrypt4 libmhash2 mcrypt
    0 upgraded, 3 newly installed, 0 to remove and 1 not upgraded.
    Need to get 259kB of archives.
    After this operation, 823kB of additional disk space will be used.
    Do you want to continue [Y/n]?
After that you should know what algorithms mcrypt knows:
    [rb@randombugs]$ mcrypt --list
    cast-128 (16): cbc cfb ctr ecb ncfb nofb ofb
    gost (32): cbc cfb ctr ecb ncfb nofb ofb
    rijndael-128 (32): cbc cfb ctr ecb ncfb nofb ofb
    twofish (32): cbc cfb ctr ecb ncfb nofb ofb
    arcfour (256): stream
    cast-256 (32): cbc cfb ctr ecb ncfb nofb ofb
    loki97 (32): cbc cfb ctr ecb ncfb nofb ofb
    rijndael-192 (32): cbc cfb ctr ecb ncfb nofb ofb
    saferplus (32): cbc cfb ctr ecb ncfb nofb ofb
    wake (32): stream
    blowfish-compat (56): cbc cfb ctr ecb ncfb nofb ofb
    des (8): cbc cfb ctr ecb ncfb nofb ofb
    rijndael-256 (32): cbc cfb ctr ecb ncfb nofb ofb
    serpent (32): cbc cfb ctr ecb ncfb nofb ofb
    xtea (16): cbc cfb ctr ecb ncfb nofb ofb
    blowfish (56): cbc cfb ctr ecb ncfb nofb ofb
    enigma (13): stream
    rc2 (128): cbc cfb ctr ecb ncfb nofb ofb
    tripledes (24): cbc cfb ctr ecb ncfb nofb ofb
What do the cbc, cfb, ctr, ecb, ncfb, etc. flags mean? Quoting from the Linux manual:
ECB: The Electronic CodeBook mode. It is the simplest mode to use with a block cipher. Encrypts each block independently.
CBC: The Cipher Block Chaining mode. It is better than ECB since the plaintext is XOR’ed with the previous ciphertext. A random block is placed as the first block so the same block or messages always encrypt to something different. (This is the default mode)
CFB: The Cipher-Feedback Mode (in 8bit). This is a self-synchronizing stream cipher implemented from a block cipher.
OFB: The Output-Feedback Mode (in 8bit). This is a synchronous stream cipher implemented from a block cipher. It is intended for use in noisy lines, because corrupted ciphertext blocks do not corrupt the plaintext blocks that follow. Insecure (because used in 8bit mode) so I recommend against using it. Added just for completeness.
nOFB: The Output-Feedback Mode (in nbit). n is the size of the block of the algorithm. This is a synchronous stream cipher implemented from a block cipher. It is intended for use in noisy lines, because corrupted ciphertext blocks do not corrupt the plaintext blocks that follow.
Encrypting a file with blowfish
    [rb@randombugs]$ mcrypt -a blowfish myfilename
    Enter the passphrase (maximum of 512 characters)
    Please use a combination of upper and lower case letters and numbers.
    Enter passphrase:
    Enter passphrase:
    File myfilename was encrypted.
Decrypting a file
    [rb@randombugs]$ mcrypt -d myfilename
    mcrypt: myfilename already exists; do you wish to overwrite (y or n)?y
    Enter passphrase:
    File myfilename was decrypted.
mcrypt usage
mcrypt [-dLFubhvrzp] [-f keyfile] [-k key1 key2 …] [-m mode] [-o keymode] [-a algorithm] [-c config_file] [filename …]
mcrypt also supports the following environment variables:
MCRYPT_KEY: to specify the key
MCRYPT_ALGO: to specify the algorithm
MCRYPT_MODE: to specify the algorithm’s mode
MCRYPT_KEY_MODE: to specify the key mode
If possible, use environment variables instead of the command line. It is more secure, because command-line arguments are visible to other users in the process list.
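To check that advice on a Linux system, here is an added example (not part of the original post) that compares where a passphrase becomes visible when it is passed as an argument and when it is passed in MCRYPT_KEY. A throwaway `sh` process stands in for mcrypt, and the passphrase, the `mcrypt-stand-in` name and the function names are constructed for the illustration.

```bash
#!/usr/bin/env bash
# Added example, Linux only (/proc). A throwaway `sh` stands in for mcrypt so
# nothing needs to be installed; SECRET is a constructed value.
SECRET='constructed-demo-passphrase'

# Start the stand-in with the given arguments and print its argv or its
# environment as a separate process (tr) reads it from /proc, which is the
# same source ps uses. The trailing ':' stops sh from exec'ing tr in place.
probe() {  # usage: probe <cmdline|environ> [stand-in args...]
    local file=$1; shift
    sh -c "tr '\\0' '\\n' < /proc/\$\$/$file; :" mcrypt-stand-in "$@"
}

# Print "exposed" if the secret shows up on stdin, "hidden" otherwise.
verdict() {
    if grep -qF -- "$SECRET"; then echo exposed; else echo hidden; fi
}

# Passphrase as an argument, as with `mcrypt -k <key>`.
key_as_argument() {  # usage: key_as_argument <cmdline|environ>
    probe "$1" -k "$SECRET" myfilename | verdict
}

# Passphrase in MCRYPT_KEY; exported in a subshell so it does not linger here.
key_in_environment() {  # usage: key_in_environment <cmdline|environ>
    ( export MCRYPT_KEY="$SECRET"; probe "$1" myfilename ) | verdict
}

echo "key as argument,  seen in argv:    $(key_as_argument cmdline)"
echo "key in MCRYPT_KEY, seen in argv:    $(key_in_environment cmdline)"
echo "key in MCRYPT_KEY, seen in environ: $(key_in_environment environ)"
```

The environment variable keeps the key out of the argument list that `ps` shows to every user, but it is still readable through /proc/<pid>/environ by the same user and by root, and it is inherited by child processes.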
Next time we will talk about GPG.
Good luck!


Almost all Howtos consist mainly in explaining how to install a package and very little more.
Exactly what I was looking for, thanks.