File and Folder Encryption

File-level encryption provides granular protection for specific data without encrypting entire disks. This approach suits scenarios requiring selective encryption, shared systems, or cloud storage protection. Both Windows and Linux offer native file encryption capabilities with different implementation approaches.

Windows Encrypting File System (EFS) configuration:

# Encrypt a folder and everything beneath it (/s applies to all subfolders)
cipher /e /s:C:\SensitiveData

# Encrypt specific files
cipher /e "C:\Documents\confidential.docx"

# Add additional users to encrypted files ($UserCertHash is a placeholder for the
# thumbprint of that user's EFS certificate; it must already be in the local store)
cipher /adduser /certhash:$UserCertHash C:\SensitiveData\shared.xlsx

# Backup the EFS certificate and private key (cipher /x takes the output name without
# an extension and writes <name>.pfx; protect that file, it can decrypt everything)
cipher /x C:\Backup\EFSCertificate

# Configure EFS recovery agent via Group Policy
# Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Encrypting File System
# Add Data Recovery Agent certificate

# PowerShell EFS management
$Files = Get-ChildItem -Path "C:\SensitiveData" -Recurse -File
foreach ($File in $Files) {
    (Get-Item $File.FullName).Encrypt()
}

# Check encryption status (-band yields the flag value or 0, so compare against 0 for a boolean)
Get-ChildItem -Path "C:\SensitiveData" -Recurse -File | Select-Object FullName, @{n='Encrypted';e={($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0}}

Linux file encryption with eCryptfs:

# Install eCryptfs
apt-get install ecryptfs-utils

# Mount encrypted directory
mount -t ecryptfs /home/user/Private /home/user/Private
# Select cipher: aes
# Key bytes: 32
# Plaintext passthrough: n
# Filename encryption: y

# Automate mounting with configuration. Note: with key=passphrase the mount helper still
# prompts for the passphrase unless ecryptfs_sig=<signature of a key already loaded into
# the kernel keyring with ecryptfs-add-passphrase> is supplied, so this entry is not
# unattended on its own
echo "/home/user/Private /home/user/Private ecryptfs key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y,no_sig_cache 0 0" >> /etc/fstab

# Per-user encrypted home directories
ecryptfs-setup-private
# Creates ~/Private and ~/.Private directories

# Migrate existing home directory
ecryptfs-migrate-home -u username

Use GnuPG for cross-platform file encryption:

# Generate GPG key pair
gpg --full-generate-key

# Encrypt file for recipient (recipient@example.com is a placeholder for the recipient's key ID or e-mail)
gpg --encrypt --recipient recipient@example.com sensitive.doc

# Encrypt with symmetric key
gpg --symmetric --cipher-algo AES256 sensitive.doc

# Decrypt file
gpg --decrypt sensitive.doc.gpg > sensitive.doc

# Batch encryption script: the original is only removed after gpg exited successfully
#!/bin/bash
# recipient@example.com is a placeholder for the real recipient key ID
find /data -name "*.pdf" -type f -print0 | while IFS= read -r -d '' file; do
    gpg --batch --encrypt --recipient recipient@example.com "$file" \
        && shred -vfz -n 3 "$file"  # Securely delete original only if encryption succeeded
done
# Caveat: shred cannot reliably overwrite data on journaling, copy-on-write or SSD storage