← Back to Linux Admin SCRIPT HOUSE — LINUX ADMIN
CHAPTER 11 — PRESENTATION

Encryption in Linux

Master GPG for file and email encryption, LUKS/cryptsetup for full disk encryption, openssl for file-level crypto, and SSH key management. Understand when to use file-level vs disk-level encryption.

Slide 1 — Symmetric vs Asymmetric Encryption

Symmetric Encryption

  • One key encrypts AND decrypts
  • Fast — suitable for bulk data (files, disks)
  • Problem: how to securely share the key?
  • Examples: AES-256, 3DES, Blowfish
  • Used in: LUKS, gzip -e, openssl enc

Asymmetric Encryption

  • Key pair: public key encrypts, private key decrypts
  • Slower — used for key exchange and signatures
  • Anyone can encrypt; only key owner can decrypt
  • Examples: RSA, ECC, ElGamal
  • Used in: GPG, SSH keys, TLS/HTTPS

Linux Encryption Tools Overview

ToolTypeScopePrimary Use
gpgAsymmetric + SymmetricFile / EmailEncrypt/sign files and communications
opensslSymmetric + AsymmetricFileFile encryption, certificate management, TLS
cryptsetup / LUKSSymmetric (AES)Block device / DiskFull disk or partition encryption
ecryptfsSymmetricDirectoryEncrypt home directories transparently
ssh-keygenAsymmetric (RSA/Ed25519)AuthenticationPasswordless SSH, key-based auth
Slide 2 — GPG: GNU Privacy Guard

GPG Key Generation and Management

# Generate a new GPG key pair (interactive) gpg --full-generate-key # Choose: RSA and RSA, key size 4096, expiry 1y, name/email/passphrase # List your keys gpg --list-keys # public keys gpg --list-secret-keys # private keys # Export your public key (share this with others) gpg --export --armor user@example.com > pubkey.asc # Import someone else's public key gpg --import their-pubkey.asc # Delete a key gpg --delete-key keyid

GPG Encrypt, Decrypt, and Sign

# SYMMETRIC encryption (password-based, no key pair needed) gpg -c secrets.txt # creates secrets.txt.gpg gpg secrets.txt.gpg # decrypt (prompts for passphrase) # ASYMMETRIC encryption (encrypt for a recipient) gpg --encrypt --recipient user@example.com document.txt # Creates document.txt.gpg — only recipient can decrypt # Decrypt an asymmetrically encrypted file gpg --decrypt document.txt.gpg > document.txt # SIGN a file (prove authenticity without encryption) gpg --sign document.txt # creates document.txt.gpg (signed) gpg --clearsign document.txt # inline signature (human-readable) gpg --detach-sign document.txt # separate .sig file # VERIFY a signature gpg --verify document.txt.sig document.txt # Encrypt AND sign (most secure: authenticity + confidentiality) gpg --encrypt --sign --recipient user@example.com document.txt
Slide 3 — LUKS: Full Disk Encryption

LUKS — Linux Unified Key Setup

LUKS is the standard for Linux disk encryption. It operates at the block device level — the entire partition or disk appears as random data to anyone without the passphrase. The kernel's dm-crypt subsystem handles on-the-fly encryption/decryption transparently.

# SETUP: Format a partition with LUKS (DESTROYS ALL DATA) sudo cryptsetup luksFormat /dev/sdb1 # Type YES (uppercase) to confirm, then set passphrase # OPEN: Unlock the encrypted partition sudo cryptsetup luksOpen /dev/sdb1 mydata # Creates /dev/mapper/mydata — the decrypted view of the device # Format the decrypted device with a filesystem sudo mkfs.ext4 /dev/mapper/mydata # Mount the decrypted device sudo mount /dev/mapper/mydata /mnt/secure # CLOSE: Unmount and lock the device sudo umount /mnt/secure sudo cryptsetup luksClose mydata # View LUKS header info (key slots, cipher, etc.) sudo cryptsetup luksDump /dev/sdb1 # Add a backup passphrase (LUKS supports up to 8 key slots) sudo cryptsetup luksAddKey /dev/sdb1
FILE-LEVEL vs DISK-LEVEL ENCRYPTION

File-level (GPG, ecryptfs): Encrypts individual files. Metadata (filenames, sizes, access times) may still be visible. Easier to use selectively.
Disk-level (LUKS): Encrypts the entire block device. Nothing — not even filenames — is readable without the key. Best for protecting entire systems or drives from physical theft.

Slide 4 — openssl for File Encryption

openssl enc — Command-Line File Encryption

# Encrypt a file with AES-256-CBC (symmetric) openssl enc -aes-256-cbc -pbkdf2 -in plaintext.txt -out encrypted.bin # -pbkdf2: use modern key derivation (required in newer openssl) # Decrypt openssl enc -d -aes-256-cbc -pbkdf2 -in encrypted.bin -out decrypted.txt # Generate a random strong password openssl rand -base64 32 # Hash a file (SHA256) openssl dgst -sha256 myfile.txt # Create a self-signed certificate (TLS/HTTPS) openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes # View certificate details openssl x509 -in cert.pem -text -noout
Slide 5 — SSH Keys: Passwordless Authentication

Generating and Deploying SSH Key Pairs

# Generate an Ed25519 SSH key pair (modern, preferred) ssh-keygen -t ed25519 -C "user@hostname" # Saves private key to ~/.ssh/id_ed25519 # Saves public key to ~/.ssh/id_ed25519.pub # Or generate RSA (4096-bit, widely compatible) ssh-keygen -t rsa -b 4096 -C "user@hostname" # Copy public key to remote server (sets up authorized_keys) ssh-copy-id user@remote-server # Or manually append to remote ~/.ssh/authorized_keys: cat ~/.ssh/id_ed25519.pub | ssh user@remote "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys" # Test passwordless login ssh user@remote-server # Use a specific key file ssh -i ~/.ssh/id_ed25519 user@remote-server # Add key to ssh-agent (avoid re-entering passphrase) eval $(ssh-agent) ssh-add ~/.ssh/id_ed25519 # View SSH fingerprint of a public key ssh-keygen -lf ~/.ssh/id_ed25519.pub
SECURITY RULES

Never share your private key (~/.ssh/id_ed25519). Only the public key (.pub) goes on remote servers. Private key files must be mode 600. The ~/.ssh directory must be mode 700. SSH will refuse to use keys with wrong permissions.

Slide 6 — Choosing the Right Encryption Tool

Decision Matrix

ScenarioToolReason
Encrypt a file to email to someonegpg --encryptAsymmetric: only recipient can decrypt
Encrypt a file for yourself onlygpg -c or openssl encSymmetric passphrase — simpler workflow
Prove a file is from you (no secrecy)gpg --signDigital signature — authenticity only
Encrypt an entire hard drivecryptsetup / LUKSFull disk: nothing readable without key
Passwordless server loginssh-keygen + ssh-copy-idKey-based auth — more secure than passwords
Hash/checksum a fileopenssl dgst -sha256Verify integrity, not encryption
Encrypt home directoryecryptfsTransparent directory-level encryption

Chapter 11 Complete

Mark this presentation complete to record your progress and unlock the quiz.

Progress saved. Head to the quiz to test your knowledge.