How to encrypt a directory
Some time ago I started wondering what would happen if somebody stole my notebook. Well, apart from the fact that I would lose all the data, I got really scared when I thought about the email client (I am using evolution). The new "owner" of the notebook would be able to see all my emails, and with the "I forgot my password" functionality of many sites he could request new passwords, then easily log into all the sites I usually access (e.g. online shops, forums, etc.) and send emails using my ID. You can easily imagine the mess that would happen. So, the first thing I did was to remove the login password which was stored in the email client. But was that enough? I still didn't like the idea of somebody being able to read my private emails.
In order to protect my private emails and contacts I came to the conclusion that I had to somehow encrypt the directory that evolution was using to store them. This is very simple to do and this is how I did it.
I had a look at eCryptFS and encFS and decided to use encFS, as it looked to be the easiest and fastest one to install and use. This guide is based on this howto.
- Download and install x11-ssh-askpass and xdialog.
localhost# emerge x11-ssh-askpass xdialog
- Do a backup of the existing evolution-directory:
localhost# mkdir ~/evolution_bck
localhost# cd ~/.evolution
localhost# cp -Rv * ~/evolution_bck
- First check that all the contents have been copied, then empty the original evolution directory:
localhost# cd ~/.evolution
localhost# rm -R *
- Now create a central repository for all the directories you want to encrypt, plus a directory for evolution:
localhost# mkdir /home/encrypted_dirs
localhost# mkdir /home/encrypted_dirs/_YOURUSERPATH_evolution
- Almost done. It's time to mount the encrypted directory to the target:
localhost# encfs /home/encrypted_dirs/_YOURUSERPATH_evolution /YOURUSERPATH/.evolution
- The first time you mount it you will be prompted for options and a password. You can just press enter to accept the default options. Choose a password that you won't forget but that is difficult to guess. YOU WILL LOSE ALL YOUR DATA IF YOU FORGET THE PASSWORD!!! NO CHANCE OF RECOVERING IT!!!
localhost# cd ~/evolution_bck
localhost# cp -Rv * /YOURUSERPATH/.evolution/
- That's it! If you now unmount the encrypted folder with...
localhost# fusermount -u /YOURUSERPATH/.evolution
localhost# encfs /home/encrypted_dirs/_YOURUSERPATH_evolution /YOURUSERPATH/.evolution
- I wrote (actually, modified from the example contained in the site mentioned above) the following script to automate the whole thing each time I start evolution (or any other email client). The script will mount the directory, asking you for the password, and unmount it after you exit the email client:
#!/bin/sh
# Mount/unmount encFS folder via XWindows
# Inspired by Kevin Wennemuth's mountsafe.sh
# @author: Roy Adams (roy.adams@roytoo.org)
# @lastmod: 05.10.2005

# Source (encFS encrypted path)
ENC="/home/encrypted_dirs/_YOURUSERPATH_evolution"
# Destination (mount point for encrypted path)
MNT="/YOURUSERPATH/.evolution"

# Already mounted: run the mail client, then unmount when it exits
if grep fuse /proc/mounts | grep -q "$MNT"; then
    evolution
    fusermount -u "$MNT"
else
    # Not mounted yet: ask first, then let encfs read the password
    # through the x11-ssh-askpass dialog
    if Xdialog --title "encFS: mount $MNT..." --yesno "Should $MNT be mounted?" 0x0; then
        if encfs --extpass=/usr/bin/x11-ssh-askpass "$ENC" "$MNT"; then
            evolution
            fusermount -u "$MNT"
        else
            Xdialog --title "encFS: mount failed" --msgbox "The mount of $MNT failed" 0x0
        fi
    fi
fi
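The script decides whether the directory is already mounted by searching /proc/mounts for "fuse" and the path as substrings; if that test passes when nothing is actually mounted, the mail client starts on the plain directory and writes mail unencrypted. The following added example (not part of the original script or of the howto it is based on) checks the mount-point and filesystem-type fields exactly instead. The function names, the /home/alice paths and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original script.

# is_fuse_mounted MOUNTPOINT [MOUNTS_FILE]
# Returns 0 only when MOUNTPOINT is exactly the mount-point field (column 2)
# of an entry whose filesystem type (column 3) starts with "fuse".
is_fuse_mounted() {
    mnt=${1%/}                       # tolerate a trailing slash
    table=${2:-/proc/mounts}
    [ -n "$mnt" ] && [ -r "$table" ] || return 1
    while read -r _dev point fstype _rest; do
        case $fstype in
            fuse*) ;;                # FUSE entries, e.g. fuse or fuse.encfs
            *) continue ;;
        esac
        case $point in               # the kernel writes a space as \040
            *\\040*) point=$(printf '%s\n' "$point" | sed 's/\\040/ /g') ;;
        esac
        [ "$point" = "$mnt" ] && return 0
    done < "$table"
    return 1
}

# Constructed sample in /proc/mounts format (not taken from a real system).
# Nothing is mounted at /home/alice/.evolution, but the second and third
# lines would both satisfy "grep fuse | grep /home/alice/.evolution".
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
encfs /home/alice/.evolution_old fuse.encfs rw,nosuid,nodev 0 0
/dev/sdb1 /mnt/fuse/home/alice/.evolution ext4 rw 0 0
encfs /home/alice/My\040Mail fuse.encfs rw,nosuid,nodev 0 0
EOF
}

demo() {
    tmp=$(mktemp) || return 1
    sample_mounts > "$tmp"
    for m in /home/alice/.evolution /home/alice/.evolution_old "/home/alice/My Mail"; do
        if is_fuse_mounted "$m" "$tmp"; then
            echo "mounted:     $m"
        else
            echo "not mounted: $m"
        fi
    done
    rm -f "$tmp"
}
demo
```

In the mount script, the first test could then read `if is_fuse_mounted "$MNT"; then`, which uses /proc/mounts by default.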