SFTP can be used to encrypt a file in transit, but what if file-encryption-at-rest is required?
To encrypt a file “at rest” (i.e. on the file system), two things are required:
- the encryption algorithm must be chosen;
- an encryption “key” must be generated (or provided by a third party) – this is used to encrypt, and subsequently decrypt, the file.
In this example, a random 24-byte key for the 3DES algorithm is generated with the dd utility:
dd if=/dev/urandom of=$HOME/key.3des.24 bs=24 count=1
…where:
- if=file is the input file; reading from /dev/urandom supplies the random bytes that make up the key
- of=keyfile is the output file that holds the generated key
- bs=n is the key size in bytes. To get the length in bytes, divide the key length in bits by 8.
- count=n is the number of input blocks to copy. n should be 1, so that exactly one block of bs bytes is written.
The minimum and maximum key sizes (in bits, not bytes) for each supported algorithm can be listed using:
encrypt -l
…which gives:
Algorithm       Keysize:  Min   Max (bits)
------------------------------------------
aes                       128   256
arcfour                     8  2048
des                        64    64
3des                      128   192
camellia                  128   256
The newly-generated key file, $HOME/key.3des.24, can then be used to encrypt a TEST.csv file with the 3DES algorithm:
encrypt -a 3des -k $HOME/key.3des.24 -i ./TEST.csv -o ./e.TEST.csv
…and decrypted using:
decrypt -a 3des -k $HOME/key.3des.24 -i ./e.TEST.csv -o ./u.TEST.csv
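As an added example (not part of the original post, and not using encrypt/decrypt themselves), the following POSIX shell functions wrap the dd step described above: they check the requested key length against the Min/Max table that encrypt -l prints, convert bits to the bs= byte count, and create the key file so that only its owner can read it. The function names (key_bounds, gen_key, key_bits) are my own.

```shell
#!/bin/sh
# Added example, not from the original post: generate a random key file of the
# right size for one of the algorithms listed by "encrypt -l".

# key_bounds ALG -> prints "MIN MAX" in bits, as listed by encrypt -l
key_bounds() {
    case "$1" in
        aes)      echo "128 256" ;;
        arcfour)  echo "8 2048" ;;
        des)      echo "64 64" ;;
        3des)     echo "128 192" ;;
        camellia) echo "128 256" ;;
        *)        return 1 ;;
    esac
}

# gen_key ALG BITS OUTFILE
# Fails (non-zero exit) if ALG is unknown, BITS is outside the algorithm's
# range, or BITS is not a multiple of 8 (dd's bs= is in whole bytes).
gen_key() {
    alg=$1; bits=$2; out=$3
    bounds=$(key_bounds "$alg") || { echo "unknown algorithm: $alg" >&2; return 1; }
    min=${bounds% *}; max=${bounds#* }
    if [ "$bits" -lt "$min" ] || [ "$bits" -gt "$max" ]; then
        echo "$alg: key size $bits bits is outside $min..$max" >&2; return 1
    fi
    if [ $((bits % 8)) -ne 0 ]; then
        echo "key size must be a multiple of 8 bits" >&2; return 1
    fi
    bytes=$((bits / 8))
    # umask 077 makes dd create the file as mode 0600: the key is the secret
    # that protects the data at rest, so only the owner should be able to read it.
    ( umask 077 && dd if=/dev/urandom of="$out" bs="$bytes" count=1 2>/dev/null ) || return 1
    # Confirm dd wrote exactly the requested number of bytes.
    [ "$(wc -c < "$out" | tr -d ' ')" -eq "$bytes" ]
}

# key_bits FILE -> size of an existing key file in bits
key_bits() {
    echo $(( $(wc -c < "$1") * 8 ))
}

# Usage matching the post's command:  gen_key 3des 192 "$HOME/key.3des.24"
```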