There may be many reasons to password protect files and folders in a Linux environment. A common example is encrypting a file that itself contains a bunch of passwords. Since it’s impossible to remember a lot of complicated passwords, you only need to remember the one that protects the file and can refer to the rest whenever you want. Linux has quite a few tools that offer various levels of security. In this article, we’ll take a look at two different approaches to protecting files and folders in Linux.
Approach One: User Based Permissions
The first approach is the simplest, and might suit your needs. Here, you simply assign the appropriate permissions to the file or folder, which prevents others from accessing them. The only people who can then read these documents are yourself and anyone with admin privileges.
Denying Permissions to Others:
For example, let’s say I have a file called “testfile.txt” in a particular folder. I can deny permissions to other accounts by issuing the following command:
chmod og-rwx testfile.txt
In this example, I’ve executed this command as “root”. So if another user tries to open it – say by using a text editor – they’ll get a “Permission Denied” message.
We can repeat the same thing with a folder as well. If I have a folder called testfolder, I can write:
chmod og-rwx testfolder
Now when I try to access it as another user, I get a permission denied message as expected.
Disadvantages of the Above Approach:
While easy to implement, this approach doesn’t provide hard security. At best, it makes it more difficult for someone to access and view your files. For one, any administrator can view your files, and anyone capable of issuing the “sudo” command can gain access to your folder without any hassle. Moreover, if you forget to log out of your account, your files are wide open to anyone passing by: they just need to sit down at your terminal and access them.
So while a permissions based protection system is easy, it’s not ideal for true security requirements. For that, we need to use encryption.
Encrypting Files and Folders
This is where security gets serious. In this section, I’ll show you how to encrypt a file using the OpenSSL tool. There are others, of course, but I prefer to use programs that are already installed. Chances are that you already have the OpenSSL tool installed on your system. If not, just use apt-get or yum, or whatever package manager you use for your system.
Let’s say I have a file called “filetoencrypt”. I can encrypt it using OpenSSL like this:
openssl enc -AES-256-CBC -in filetoencrypt -out encryptedfile
Here, we use an encryption cipher called “AES-256-CBC”. The “in” parameter specifies the input file, and the “out” parameter specifies the output file. When you execute this command, it’ll ask you for a password and, after verifying it, it’ll place the encrypted file under the “out” filename.
Now if I try to open the encrypted file using a text editor, I get rubbish.
When you protect files like this, it doesn’t matter whether the user is an administrator, or has sudo privileges. Nothing but a password is capable of breaking open this file.
Decrypting a File with OpenSSL:
To decrypt the above file, use the following command:
openssl enc -AES-256-CBC -d -in encryptedfile -out decryptedfile
The “-d” parameter means that we want to decrypt. We use the same cipher as last time and place the contents into a new file with the “-out” parameter. It’ll again ask you for the password, and you have to specify the same one that was used to encrypt the file in the first place.
And we can now view the decrypted file as usual.
Of course, you need to ensure that you clean up after using OpenSSL. After encryption, you should delete the original file to make sure that it’s not accessible. And after you’re done reading the decrypted file, you should delete that as well. It can get a bit tedious. But there are some tools to make your life easier. The text editor vim, for example, has a user-created script that allows you to encrypt and decrypt text files on the fly.
To encrypt entire folders and directories, it’s best to zip the contents into a single file and then encrypt it. You can read my earlier tutorial on how to zip files and folders.
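The folder workflow and the clean-up step described above can be combined so that the original is only deleted once the encrypted copy is known to decrypt correctly. The script below is an added example, not code from this article: the function names, the ITER value and the env:VAULT_PASS passphrase source are assumptions, tar stands in for zip as the archiver, and -pbkdf2 is passed because OpenSSL 1.1.1 and later warn that the default key derivation of the plain enc command is deprecated.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumes OpenSSL 1.1.1+ (for -pbkdf2/-iter) and tar as the archiver.
ITER=200000   # PBKDF2 iteration count (assumed value); must match on decrypt

# encrypt_dir DIR OUT PASS_SRC
# PASS_SRC is an openssl -pass source such as env:VAULT_PASS or file:/path.
encrypt_dir() (
    dir=$1; out=$2; pass_src=$3
    umask 077                      # temp archive and output: owner-only
    tmp=$(mktemp) || exit 1
    tar -C "$(dirname "$dir")" -cf "$tmp" "$(basename "$dir")" \
        || { rm -f "$tmp"; exit 1; }
    openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt \
        -in "$tmp" -out "$out" -pass "$pass_src" \
        || { rm -f "$tmp" "$out"; exit 1; }
    # Decrypt what was just written and compare digests, so the caller
    # never deletes the original on the strength of a broken output file.
    want=$(openssl dgst -sha256 -r < "$tmp")
    got=$(openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
        -in "$out" -pass "$pass_src" | openssl dgst -sha256 -r)
    rm -f "$tmp"
    [ -n "$want" ] && [ "$want" = "$got" ] || { rm -f "$out"; exit 1; }
)

# decrypt_dir ENC DEST PASS_SRC
# Restores the archived folder underneath DEST.
decrypt_dir() (
    enc=$1; dest=$2; pass_src=$3
    umask 077
    tmp=$(mktemp) || exit 1
    # A wrong passphrase normally fails here with "bad decrypt"; if it
    # slips through, tar rejects the resulting garbage.
    mkdir -p "$dest" &&
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
        -in "$enc" -out "$tmp" -pass "$pass_src" &&
    tar -C "$dest" -xf "$tmp"
    rc=$?
    rm -f "$tmp"
    exit "$rc"
)

# Usage, with the passphrase already exported as VAULT_PASS:
#   encrypt_dir testfolder testfolder.tar.enc env:VAULT_PASS && rm -rf testfolder
#   decrypt_dir testfolder.tar.enc restored env:VAULT_PASS
```

Files written with -pbkdf2 must be decrypted with the same -pbkdf2 and -iter settings, so the commands shown earlier in this article will not open them unchanged.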
So if you’re looking for strong security, encryption is the way to go. If, however, you only need medium security and are the sole user with admin privileges, then user based permissions are much easier to implement.