Encrypting data on an always-on server

If you keep private data on a server that is always on and connected to the internet, you may want that data to be encrypted while you are away. The basic need is to mount the data when needed and unmount it on a timer or at log-off.

There are several ways to do it:

  • ext4 built-in encryption. It matured to a good state with Linux kernel 4.4, but it has one limitation: you cannot move files into it from within the same file system. Move, unlike copy
  • eCryptfs - very similar to EncFS and may have simpler management tools when using Ubuntu. No known security flaws. It assumes that it is the only system accessing the encrypted files, which may conflict with backups. It also encrypts file and directory names, which makes them longer internally (about one third on average); this lowers the maximum usable name length for entries on the underlying file system. Downsides are that the directory structure, some file metadata and approximate file sizes remain visible. Encryption is implemented in kernel space, so it is a bit faster. Setting it up in any form other than the default Ubuntu layout (one encrypted home folder per user) is somewhat tedious.
  • EncFS - a security audit from 2014 attests that EncFS deviates from established security standards and also finds some vulnerabilities in the current EncFS implementation. You should wait for EncFS 2.0. Encryption is implemented in userspace (FUSE).
  • Stacked block encryption - https://www.cryfs.org/ (LGPL, still in beta). It splits files into equal-size blocks, so it sits between true file-level and true block-level encryption; a good compromise. It is also designed for client-side encryption of cloud storage, can do incremental backups, and can be used without pre-allocating a fixed amount of space.
  • Block device encryption - dm-crypt/LUKS, VeraCrypt, loop-AES. You will need to pre-reserve the space and manage it.
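As an added example that is not part of the original note, the following POSIX shell script implements the on-demand mount and timed unmount described above for a dm-crypt/LUKS volume: `open` unlocks the volume, mounts it and arms a one-shot systemd timer that unmounts it and closes the mapping after a fixed period; `close` does the same immediately, for use from a log-off hook. The device path, mapper name, mount point and timeout are assumed placeholders, not values from the page.

```shell
#!/bin/sh
# Added example, not code from the original note: unlock a LUKS volume on
# demand, mount it, and arm a one-shot systemd timer that unmounts it and
# closes the dm-crypt mapping again after a fixed period. All paths and
# names below are placeholders (assumptions); override them via environment.
set -eu

PRIV_DEVICE="${PRIV_DEVICE:-/dev/disk/by-partlabel/private}"  # assumed LUKS partition
PRIV_MAPPER="${PRIV_MAPPER:-private}"                          # dm-crypt mapping name
PRIV_MOUNT="${PRIV_MOUNT:-/srv/private}"                       # assumed mount point
PRIV_TIMEOUT="${PRIV_TIMEOUT:-30min}"                          # systemd time span

mapper_path() { printf '/dev/mapper/%s\n' "$PRIV_MAPPER"; }

timer_unit() { printf '%s-unmount\n' "$PRIV_MAPPER"; }

# Command the timer runs. Unmount first; only if that succeeds is the key
# dropped from the kernel, so a busy mount fails loudly instead of half-closed.
unmount_command() {
    printf 'umount %s && cryptsetup close %s\n' "$PRIV_MOUNT" "$PRIV_MAPPER"
}

# Accept only the systemd time-span forms used here (30min, 2h, 90s ...),
# so a typo cannot quietly turn into "never unmount".
valid_timeout() {
    digits=${1%%[!0-9]*}            # leading run of digits
    unit=${1#"$digits"}             # whatever follows them
    [ -n "$digits" ] || return 1
    case "$unit" in
        s|sec|m|min|h|hour|hours) return 0 ;;
        *) return 1 ;;
    esac
}

open_private() {
    valid_timeout "$PRIV_TIMEOUT" || { echo "invalid PRIV_TIMEOUT: $PRIV_TIMEOUT" >&2; return 1; }
    if [ ! -e "$(mapper_path)" ]; then
        cryptsetup open "$PRIV_DEVICE" "$PRIV_MAPPER"   # prompts for the passphrase
    fi
    mountpoint -q "$PRIV_MOUNT" || mount "$(mapper_path)" "$PRIV_MOUNT"
    # Re-arm: a transient unit with the same name cannot be created twice,
    # so stop any previous timer before scheduling the new one.
    systemctl stop "$(timer_unit).timer" 2>/dev/null || true
    systemd-run --on-active="$PRIV_TIMEOUT" --unit="$(timer_unit)" \
        --description="auto-unmount $PRIV_MOUNT" \
        /bin/sh -c "$(unmount_command)"
    echo "$PRIV_MOUNT is open; it will be unmounted in $PRIV_TIMEOUT"
}

close_private() {
    systemctl stop "$(timer_unit).timer" 2>/dev/null || true
    if mountpoint -q "$PRIV_MOUNT"; then
        umount "$PRIV_MOUNT"
    fi
    if [ -e "$(mapper_path)" ]; then
        cryptsetup close "$PRIV_MAPPER"
    fi
}

case "${1:-}" in
    open)  open_private ;;
    close) close_private ;;
    *)     echo "usage: $0 open|close" >&2 ;;
esac
```

Run `./private.sh open` (as root, or via sudo) after logging in; rerunning it resets the timer. Calling `./private.sh close` from `~/.bash_logout` or a session-end hook covers the log-off case. If a process still holds files open when the timer fires, `umount` fails and the `&&` chain stops before `cryptsetup close`, so the data stays mounted; `systemctl status private-unmount.service` shows that failure, which is worth checking before relying on the timer.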