Data encryption with SiriKali

Hardened Choice

SiriKali encrypts files and directories with just a few mouse clicks, without the inefficiency of fixed-size containers.

Many Linux users are wary of encrypting their data – primarily because most of the available tools don't offer a graphical user interface, and also – but less often – because of a perceived lack of flexibility in handling encrypted data files. But in the modern era, when high-capacity USB media are easy to find, encryption is becoming more important. Tools such as TrueCrypt or its successor VeraCrypt have a graphical user interface but create containers of a fixed size, without the flexibility to deal with growing volumes. If you store only a few files, you are wasting storage space with a big container. On the other hand, if you create a container that is too small, running out of space will mean a time-consuming overhaul.

SiriKali [1] is an encryption tool that avoids fixed sizes for containers. By encrypting at the directory and file level, you only use as much storage space as the data actually takes up. SiriKali relies on various encryption back ends, with support for fscrypt, SecureFS, eCryptFS, CryFS, EncFS, gocryptfs, and SSHFS. (If you're considering EncFS, keep in mind that security vulnerabilities were discovered in an audit in 2014.)

In SiriKali, you deploy encrypted filesystems in user space – with the help of the FUSE kernel module, which means that you can work with the tools without needing admin privileges. SiriKali recognizes the back ends installed in the system and lets you use them without having to enter any parameters.

Installation

SiriKali is based on the Qt libraries and is included in the repositories of several popular distributions. You can use your default package manager for the install. If you don't have a back end in place, you'll also need to install one of the back ends to handle the actual data encryption work.

Alternatively, you can add a dedicated repository for the application to your standard package management system. The developers provide detailed documentation on the project's GitHub [2]. The setup creates a launcher in the desktop menu.

Operation

When you launch SiriKali for the first time, it hides itself away in the system tray on the desktop, featuring a blue icon with a stylized padlock by default. The icon gives you direct access to the tool's most important options without having to take a detour via the menus.

After the first launch, a window opens up with a large vacant space for displaying the files. At the bottom is a buttonbar, but there is no extensive menubar. The software lets you change the locale under Menu | Settings | Select Language; the current version 1.4.8 supports English, French, and Russian.

First, use Create Volume to create a volume, to which you will later back up the data you wish to encrypt. In the selection box, first choose the target filesystem. Only the options installed in the operating system are available; all other options are not active (Figure 1).

Figure 1: SiriKali's main window appears sparse at first glance, but beginners will have no trouble learning the intuitive interface.

After selecting the filesystem, the software opens a small window where you can enter the required data. In the Volume Name box, type the name of the volume; below that you need to define the path for the digital container. By default, the tool uses your home directory. A click on the folder icon to the right lets you enter a different directory if necessary.

Below the box with the path, you need to choose the authentication method. Clicking on the small triangle on the right opens a pop-up menu; by default, the program uses password input. But keys, which you can specify manually, or existing key files are more elegant. Alternatively, you can include Gnome and KDE wallets in SiriKali for authentication. The selection menu also supports the use of a Yubikey token.

Depending on the chosen method, enter the desired password in the next field. In the Options field, you can specify whether SiriKali will also encrypt the file names.

Depending on the selection, the program prompts you in another dialog for the algorithm you will use to encrypt the data. You will find a list at the top of the window that shows the available algorithms (Figure 2).

Figure 2: SiriKali lets you select the algorithm for some encryption methods.

After completing the settings, close the window by pressing OK, and then create the volume in the Create window. SiriKali mounts the volume like a conventional drive. You can create multiple drives with different back ends for encryption, and SiriKali lists them in a table in the main window, along with the back end and path (Figure 3).

Figure 3: SiriKali supports simultaneous work with multiple containers.

Precautions

To move files or directories to one of the encrypted volumes, click on the entry in the main window and select Open Folder from the context menu. The software opens the volume in the file manager, where it behaves like a normal, unencrypted directory. You can drag and drop the data into the encrypted volume from another open instance of the file manager in the usual way.

The data is encrypted in real time. After finishing the transfers, it makes sense to unmount the encrypted drive by clicking again on the entry in the main SiriKali window and selecting Unmount from the context menu. The entry for the drive will now disappear from the table.

Open Up!

When opening a new session, SiriKali starts with an empty list. To mount one of the encrypted drives, click the Mount Volume button in the main window. The application will now open a file manager view where you select the desired drive.

Depending on the authentication method, a modal dialog appears where you can enter the password to open the volume. Then the file manager launches again with the decrypted contents of the drive, and the matching entry appears in the list in the main SiriKali window.

You can work with the contents in an unlocked state as you would with any conventional, unencrypted directory. If you call the volume directly from the file manager without the detour via SiriKali, you will see numerous files, all of them encrypted. If you also encrypt the file names, the displayed names will not give you any clues as to the files' contents (Figure 4).

Figure 4: If so desired, SiriKali will encrypt the file names and prevent any conclusions about the content.

Select Menu | Unmount all in the program window to unmount all the existing drives with a single click when you are done with your work. If you want to terminate the session at the same time, select Unmount All And Quit.

In the System Tray

SiriKali creates a launcher in the system tray of your working environment when you open a session. When you exit the software using the Close button in the titlebar, only the window disappears; the software continues to run in the background.

Pressing the blue button in the system tray opens a menu where you can open or close the program window by clicking on Show/Hide. In this way, if you temporarily stop working with encrypted volumes, you do not need to close the application completely every time.
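Because closing the window leaves SiriKali and any mounted volumes in place, it is worth confirming from a terminal that nothing is still unlocked. The following added example (not part of SiriKali or the original article) lists mounts of the mount-based back ends named above by reading /proc/mounts; the function names and sample paths are constructed for illustration, and fscrypt is not covered because it does not create a separate mount.

```shell
#!/bin/sh
# Added example: report encrypted volumes that are still mounted (plaintext visible).

# Constructed sample in /proc/mounts format (not captured from a real system).
sample_mounts() {
cat <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid 0 0
/home/alice/vault.enc /home/alice/mnt/vault fuse.gocryptfs rw,nosuid,nodev,user_id=1000 0 0
cryfs@/home/alice/docs.enc /home/alice/mnt/tax\0402023 fuse.cryfs rw,nosuid,nodev 0 0
/home/alice/.private /home/alice/Private ecryptfs rw,nosuid,nodev 0 0
portal /run/user/1000/doc fuse.portal rw,nosuid,nodev 0 0
EOF
}

# Print "fstype<TAB>mount point" for every mounted back-end volume.
# Argument: a mounts file (default /proc/mounts), or "-" to read stdin.
list_unlocked_volumes() {
    mounts_file="${1:-/proc/mounts}"
    # /proc/mounts fields: source, mount point, fstype, options, dump, pass
    awk '
        $3 ~ /^fuse\.(gocryptfs|cryfs|encfs|securefs|sshfs)$/ || $3 == "ecryptfs" {
            mp = $2
            gsub(/\\040/, " ", mp)   # the kernel escapes spaces as \040
            printf "%s\t%s\n", $3, mp
        }
    ' "$mounts_file"
}

# Number of back-end volumes currently mounted; 0 means everything is locked.
count_unlocked_volumes() {
    list_unlocked_volumes "$1" | wc -l | tr -d ' '
}

# Demonstration on the constructed sample; call list_unlocked_volumes
# without an argument to inspect the running system instead.
sample_mounts | list_unlocked_volumes -
```

A non-empty result after you believe you have finished means the decrypted view is still reachable by anything running under your account.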

Conclusions

SiriKali makes encrypting files and directories far easier for users without root privileges. Integration with various desktop environments lets you handle encrypted data just as easily as working with conventional drives. The program encrypts the contents in near real time, so you won't experience any significant latency.

SiriKali is a very useful choice for users who want to encrypt files and directories quickly and efficiently, without having to delve into the depths of a more complex application.