Poor man's strongbox - and beyond

For ordinary (aka: non-nerdy) people, encryption of any kind is still something to be associated with intelligence agencies only. Talking about encryption to these ordinary people serves no purpose other than building up a solid reputation as a delusional paranoiac. Don't try to defuse the situation by explaining that yesterday's internet shopping by the ordinary guy's wife relied on the use of encryption. On the ordinary people's scale, you are just talking yourself right into the realm of strait jackets and funny farms. 😄

Personally, I'm an avid user of encryption. My communication (e-mail, irc, icq/jabber) is mostly encrypted, and connections to remote servers (ssh/vpn) always are. But what about local files? Don't they deserve a little security?

Well, when cryptoloop was published in 2003, I was probably among the first enthusiastic users. Unfortunately, cryptoloop was found to be severely flawed just two years later. Since then, dm-crypt/LUKS (aka cryptsetup) has emerged as the official successor. For me, however, cryptsetup represents the proverbial sledgehammer for cracking a nut. What I need is far more simple, and should operate preferably in user space and at the file level. The latter is particularly important to me: files I encrypt tend to be not entirely irrelevant, and thus should be included in the incremental backup I'm running every few hours. That's cumbersome if the encryption software leaves monolithic containers of megalithic size.

What alternatives exist? Well, if it's just about a secure way to store your various passwords, I'd recommend keepassx.

If all you consider to be "hideworthy" can be fit into a single file not larger than a few kB, try steghide:

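# hide file $2 inside cover file $1 (rijndael-256 encryption, compression level 9)
steghide embed -e rijndael-256 -z 9 -cf "$1" -ef "$2"
# recover the hidden data from stego file $1 into file $2
steghide extract -sf "$1" -xf "$2"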

A directory with several subfolders and files can be handled with gpg. However, this is an awkward and clumsy workaround at best, and I do not recommend it. One needs to fiddle around with tar and wipe to account for the fact that gpg itself doesn't handle folders directly. The performance of this often recommended "solution" is, well, mediocre.
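
The workaround described above, written out as an added example (not code from the original post) to show how many moving parts it needs. The names seal_dir, open_dir and GPG_OPTS are hypothetical, shred from GNU coreutils stands in for wipe, and GnuPG 2.1 or later with GNU tar is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: the tar + gpg + wipe workaround.
# seal_dir/open_dir and GPG_OPTS are hypothetical names; shred (GNU coreutils)
# stands in for wipe. GPG_OPTS is split on whitespace and lets a caller add
# gpg options; left empty, gpg asks for the passphrase itself.

# seal_dir DIR ARCHIVE: replace DIR by one symmetrically encrypted ARCHIVE.
seal_dir() (
    dir=${1%/} out=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; exit 1; }
    parent=$(dirname "$dir") base=$(basename "$dir")
    # Stream tar straight into gpg: no plaintext archive is written to disk.
    tar -C "$parent" -czf - "$base" |
        gpg $GPG_OPTS --yes --symmetric --cipher-algo AES256 -o "$out" || exit 1
    # Before destroying anything, check that the archive decrypts and lists
    # as many entries as the directory holds (this also catches a failed tar).
    want=$(cd "$parent" && find "$base" | wc -l)
    have=$(gpg $GPG_OPTS --decrypt "$out" | tar -tzf - | wc -l)
    [ "$want" -eq "$have" ] || { echo "verification failed, $dir kept" >&2; exit 1; }
    # Overwrite file contents, then remove the tree. Overwriting in place is
    # not dependable on journaling or copy-on-write filesystems and on SSDs.
    find "$dir" -type f -exec shred -u {} + && rm -rf "$dir"
)

# open_dir ARCHIVE DEST: decrypt ARCHIVE and unpack it below DEST.
open_dir() (
    mkdir -p "$2" || exit 1
    gpg $GPG_OPTS --decrypt "$1" | tar -C "$2" -xzf -
)
```

Every change to a single file means unpacking and resealing the whole archive, so an incremental backup sees one large new blob each time.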

A scalable and fast way of encrypting files and folders is provided by encfs. I find it refreshingly simple and entirely satisfactory for my humble needs.

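# mount the encrypted ~/.treasure at ~/treasure; auto-unmount after 10 idle minutes
encfs -i 10 ~/.treasure ~/treasure
# unmount by hand
fusermount -u ~/treasure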