Submitted by Roy Schestowitz on Wednesday 16th of December 2020 09:47:33 PM

Not long ago, I made the case that for most users file-level encryption is adequately secure and much higher-performing than full-disk encryption. I received a lot less pushback than anticipated for expressing this heterodox view — by which I mean I actually got none. Quite to the contrary, some readers sent messages and comments expressing curiosity and eagerness to try file-level encryption.

This came as a surprise. I wasn’t sure how many people would want to put file-level encryption into practice, and I imagined those who did would take the less arduous route of installing a distribution like Linux Mint that offers this as a checkbox in a menu.

Fscrypt is a tool that presents a simple command line interface for configuring the encryption built into the extension 4 (more commonly “ext4”) filesystem. It is not an encryption algorithm in its own right, but an intermediary between the user and ext4’s native encryption. The intent behind fscrypt is to decipher the otherwise arcane incantations of ext4 encryption into something comprehensible to intermediate Linux users.

While simple, fscrypt offers multiple configuration modes. First, it can encrypt any directory, protecting all the files and subdirectories within. This protection obscures both the filenames and data of all its contents when it’s locked.

Second, and most appealing for those seeking unobtrusive security, is that users can set the decryption to occur automatically upon entering their user password. Instead of getting a second, separate decryption prompt along with the login prompt, the act of logging in itself performs the decryption.
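The two modes described above can be combined in one short script; this is an added example, not part of the original article. It assumes fscrypt and e2fsprogs are installed, the target directory sits on the root ext4 filesystem, and PAM is already configured to load fscrypt's `pam_fscrypt` module; the device, directory and user are supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the article. Assumes fscrypt and e2fsprogs are installed,
# the target directory is on the root ext4 filesystem, and PAM already loads pam_fscrypt.

# Constructed sample of `tune2fs -l` output, for checking the parser offline.
SAMPLE_TUNE2FS='Filesystem volume name:   <none>
Filesystem features:      has_journal ext_attr dir_index filetype extent 64bit encrypt metadata_csum
Filesystem state:         clean'

# Succeeds when the `tune2fs -l` text on stdin lists the ext4 "encrypt" feature flag.
has_encrypt_feature() {
    grep '^Filesystem features:' | tr -s ' \t' '\n' | grep -qx 'encrypt'
}

# fscrypt refuses to encrypt a directory that already holds files, so check first.
dir_is_empty() {
    [ -d "$1" ] && [ -z "$(ls -A "$1")" ]
}

# protect_dir DEVICE DIR USER: tie DIR's encryption to USER's login passphrase.
protect_dir() {
    tune2fs -l "$1" | has_encrypt_feature || tune2fs -O encrypt "$1" || return 1
    dir_is_empty "$2" || { echo "$2 must exist and be empty" >&2; return 1; }
    [ -f /etc/fscrypt.conf ] || fscrypt setup || return 1
    fscrypt encrypt "$2" --source=pam_passphrase --user="$3" || return 1
    fscrypt status "$2"
}

# Runs only on request, as root: sh fscrypt-dir.sh --apply DEVICE DIR USER
if [ "${1:-}" = "--apply" ]; then
    protect_dir "$2" "$3" "$4"
fi
```

Because the directory must be empty when it is encrypted, existing files have to be copied in afterwards, and the unencrypted originals remain recoverable from disk until they are securely removed.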