SFTP can be used to encrypt a file in transit, but what if file-encryption-at-rest is required?

To encrypt a file “at rest” (i.e. on the file system), two things are required:

- the encryption algorithm must be chosen;
- an encryption “key” must be generated (or provided by a third party) – this is used to encrypt, and subsequently decrypt, the file.

In this example, a random key is generated in a 3DES format, using the **dd** utility:

dd if=/dev/urandom of=$HOME/key.3des.24 bs=24 count=1

…where:

- if = file indicates a random key, using the /dev/urandom file
- of = keyfile is the output file that holds the generated key
- bs = n is the key size in bytes. For the length in bytes, divide the key length in bits by 8.
- count = n is the count of the input blocks. The number for n should be 1.

The maximum and minimum key sizes (in bits, not bytes) can be determined using:

encrypt -l

…which gives:

Algorithm Keysize: Min Max (bits)
------------------------------------------
aes 128 256
arcfour 8 2048
des 64 64
3des 128 192
camellia 128 256

The newly-generated key file, **$HOME/key.3des.24**, can then be used to encrypt a **TEST.csv** file (using the 3DES algorithm), using:

encrypt -a 3des -k $HOME/key.3des.24 -i ./TEST.csv -o ./e.TEST.csv

…and decrypted using:

decrypt -a 3des -k $HOME/key.3des.24 -i ./e.TEST.csv -o ./u.TEST.csv