Marc Andreu

I have been a front end, backend and quality testing software engineer now I am following the path towards cybersecurity.

Virtual Safe Box

How to keep important documents and confidential data safe at runtime?

Running the operating system on an encrypted disk only protects my data when the computer is at rest, but what happens while I am using the system? Why all my essential documents should always be available?

I want to have my essential data encrypted most of the time, in the same way, that I would have my safe box closed at home. I only need to open that safe box for a few minutes to manage the content and then close it as soon as possible. In this way, I feel safer. Maybe I am too paranoid, but it is not practical to start thinking about all the possible ways an attacker could get into my computer. And from what I have seen, this could quickly happen much more frequently than I would like it. So I would instead use some defence in depth strategy to make finding and stealing my sensitive data harder.

To feel safer while working on my computer, I have been using different strategies for the last decade or so. I have been using encrypted virtual disks like TrueCrypt, VeraCrypt and the like. I have been using a LUKS encrypted disk on the Ubuntu system, which was helpful for a long time. However, I had to manage that disk as root, and I never had the time to refine how to mount it.

Until now, I finally found an efficient and straightforward way to have a local virtual safe box on my system. I use CryFS encrypted folders to keep the data encrypted most of the time, and I only decrypt the folder when I need to manage the files. The encrypted folder is also being synchronised to my personal NAS using SyncThing. So my confidential data is available to me only when necessary and is automatically backed up when I close the box.

I use Ubuntu, and installing the CryFs is very straightforward with this simple tutorial.

To create the safe box, I just have to run the command

cryfs basedir mountdir

The ‘basedir’ is the folder with all the encrypted files, and the ‘mountdir’ is the working folder, which I can use as a regular user to manage my confidential files. The first time this command will ask a few questions to create the folders and provide the passphrase of the vault.

In my case, I have created the safe box with the command.

cryfs /home/{userhome}/Sync/backups/safearchived /home/{userhome}/safebox

The vital detail is to set up the encrypted folder inside the Sync folder configured with SyncThing to synchronise all the encrypted content to the NAS server and the other devices. The working folder, the unencrypted content, is just a regular folder on my user home directory. In this way, when I open the vault, I am not synchronising the classified data to all other devices. This point is essential because I am not leaking unencrypted content to the other devices. I could also sync the encrypted folder to any cloud drive like google, ubuntu, apple, dropbox. I do not use those drives, but I could keep another backup copy of my encrypted safe box on the cloud.

After that, I have just prepared two simple scripts. One to open the vault and the other to close it. I use shell scripts to make it easier to open and close the safe while I hide the details about the location of the folders.

The open script is the file /home/{userhome}/osb.sh, with the content:

# Open the safe archived folder from the Synced backups folder.
cryfs /home/{userhome}/Sync/backups/safearchived /home/{userhome}/safebox

And the closing script is the /home/{userhome}/csb.sh, with the content:

# Close the safe box.
cryfs-unmount /home/{userhome}/safebox

I just need to thank the CryFs community for this excellent tool. I will definitely be donating and collaborating on this project.

That is a simple and easy way to manage my essential data.

Thanks for reading.

I hope it helps.

Image by Free-Photos from Pixabay