Hardened Choice

Many Linux users are wary of encrypting their data – primarily because most of the available tools don't offer a graphical user interface, and also – but less often – because of a perceived lack of flexibility in handling encrypted data files. But in the modern era, when high-capacity USB media are easy to find, encryption is becoming more important. Tools such as TrueCrypt or its successor VeraCrypt have a graphical user interface but create containers of a fixed size, without the flexibility to deal with growing volumes. If you store only a few files, you are wasting storage space with a big container. On the other hand, if you create a container that is too small, running out of space will mean a time-consuming overhaul.

SiriKali [1] is an encryption tool that avoids fixed sizes for containers. By encrypting at the directory and file level, you only use as much storage space as the data actually takes up. SiriKali relies on various encryption back ends, with support for fscrypt, SecureFS, eCryptFS, CryFS, EncFS, gocryptfs, and SSHFS. (If you're considering EncFS, keep in mind that security vulnerabilities were discovered in an audit in 2014.)

In SiriKali, you deploy encrypted filesystems in user space – with the help of the FUSE kernel module, which means that you can work with the tools without needing admin privileges. SiriKali recognizes the back ends installed in the system and lets you use them without having to enter any parameters.

Installation

SiriKali is based on the Qt libraries and is included in the repositories of several popular distributions. You can use your default package manager for the install. If you don't have a back end in place, you'll need to drag in one of the back ends to handle the actual data encryption work.

You could also integrate your own repository for the application with a standard package management system. The developers provide detailed documentation on the project's GitHub [2]. The setup creates a launcher in the desktop menu.

Operation

When you launch SiriKali for the first time, it hides itself away in the system tray on the desktop, featuring a blue icon with a stylized padlock by default. The icon gives you direct access to the tool's most important options without having to take a detour via the menus.

After the first launch, a window opens up with a large vacant space for displaying the files. At the bottom is a buttonbar, but there is no extensive menubar. The software lets you change the locale under Menu | Settings | Select Language; the current version 1.4.8 supports English, French, and Russian.

First, use Create Volume to create a volume, to which you will later back up the data you wish to encrypt. In the selection box, first choose the target filesystem. Only the options installed in the operating system are available; all other options are not active (Figure 1).

Figure 1: SiriKali's main window appears sparse at first glance, but beginners will have no trouble learning the intuitive interface.

After selecting the filesystem, the software opens a small window where you can enter the required data. In the Volume Name box, type the name of the volume; below that you need to define the path for the digital container. By default, the tool uses your home directory. A click on the folder icon to the right lets you enter a different directory if necessary.

Below the box with the path, you need to choose the authentication method. Clicking on the small triangle on the right opens a pop-up menu; by default, the program uses password input. But keys, which you can specify manually, or existing key files are more elegant. Alternatively, you can include Gnome and KDE wallets in SiriKali for authentication. The selection menu also supports the use of a Yubikey token.

Depending on the chosen method, enter the desired password in the next field. In the Options field, you can also specify whether SiriKali will also encrypt the file names.

Depending on the selection, the program prompts you in another dialog for the algorithm you will use to encrypt the data. You will find a list at the top of the window that shows the available algorithms (Figure 2).

Figure 2: SiriKali lets you select the algorithm for some encryption methods.

After completing the settings, close the window by pressing OK, and then create the volume in the Create window. SiriKali mounts the volume like a conventional drive. You can create multiple drives with different back ends for encryption, and SiriKali lists them in a table in the main window, along with the back end and path (Figure 3).

Figure 3: SiriKali supports simultaneous work with multiple containers.

Precautions

To move files or directories to one of the encrypted volumes, click on the entry in the main window and select Open Folder from the context menu. The software opens the volume in the file manager, where it behaves like a normal, unencrypted directory. You can drag and drop the data into the encrypted volume from another open instance of the file manager in the usual way.

The data is encrypted in real time. After finishing the transfers, it makes sense to unmount the encrypted drive by clicking again on the entry in the main SiriKali window and selecting Unmount from the context menu. The entry for the drive will now disappear from the table.