Use encfs (available as a package on most distributions). To set up:
mkdir ~/.encrypted ~/encrypted
encfs ~/.encrypted ~/encrypted
# enter a passphrase
mv existing-directory ~/encrypted
The initial call to encfs sets up an encrypted filesystem. After that point, every file that you write under ~/encrypted is not stored directly on the disk, it is encrypted and the encrypted data is stored under ~/.encrypted. The encfs command leaves a daemon running, and this daemon handles the encryption (and decryption when you read a file from under ~/encrypted).
In other words, for files under ~/encrypted, actions such as reads and writes do not translate directly to reading or writing from the disk. They are performed by the encfs process, which encrypts and decrypts the data and uses the ~/.encrypted directory to store the ciphertext.
When you've finished working with your files for the time being, unmount the filesystem so that the data can't be accessed until you type your passphrase again:
fusermount -u ~/encrypted
After that point, ~/encrypted will be an empty directory again.
When you later want to work on these files again, mount the encrypted filesystem:
encfs ~/.encrypted ~/encrypted
# enter your passphrase
This, again, makes the encrypted files in ~/.encrypted accessible under the directory ~/encrypted.
You can change the mount point ~/encrypted as you like: encfs ~/.encrypted /somewhere/else (but mount the encrypted directory only once at a time). You can copy or move the ciphertext (but not while it's mounted) to a different location or even to a different machine; all you need to do to work on the files is pass the location of the ciphertext as the first argument to encfs and the location of an empty directory as the second argument.
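A guard for the mount and unmount steps above, as an added example that is not part of the original answer: it checks the conditions the answer relies on (an existing ciphertext directory, an empty mount point that is not already mounted) before calling encfs. The function names and exit codes are hypothetical, and it assumes the volume's .encfs6.xml sits at the top of the ciphertext directory, which is where encfs puts it by default.

```shell
#!/bin/sh
# Added example (not from the original answer). Function names and
# exit codes are hypothetical, chosen for this sketch.

# encfs_preflight CIPHERDIR MOUNTDIR
# Returns 0 when it is safe to run `encfs CIPHERDIR MOUNTDIR`, else:
#   1  ciphertext directory does not exist
#   2  no .encfs6.xml in it: encfs would offer to create a NEW, empty
#      volume instead of opening the existing one (e.g. mistyped path)
#   3  mount point does not exist
#   4  something is already mounted on the mount point
#   5  mount point is not empty: those files were written while the
#      volume was unmounted, so they sit on disk unencrypted
encfs_preflight() {
    cipher=$1
    mnt=$2
    [ -d "$cipher" ] || return 1
    [ -f "$cipher/.encfs6.xml" ] || return 2
    [ -d "$mnt" ] || return 3
    if mountpoint -q "$mnt" 2>/dev/null; then
        return 4
    fi
    [ -z "$(ls -A "$mnt")" ] || return 5
    return 0
}

# encfs_session CIPHERDIR MOUNTDIR COMMAND [ARGS...]
# Runs the preflight, mounts (encfs prompts for the passphrase), runs
# COMMAND, then unmounts so the plaintext view does not stay available.
encfs_session() {
    cipher=$1
    mnt=$2
    shift 2
    encfs_preflight "$cipher" "$mnt" || {
        rc=$?
        echo "encfs_session: preflight failed with code $rc" >&2
        return "$rc"
    }
    encfs "$cipher" "$mnt" || return 10
    "$@"
    rc=$?
    fusermount -u "$mnt" || echo "WARNING: $mnt is still mounted" >&2
    return "$rc"
}

# Usage: encfs_session ~/.encrypted ~/encrypted ls -l ~/encrypted
```

A preflight result of 5 is the one to act on first: move those files into the mounted volume and delete the plaintext copies.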
Another method of leaving offlineimap running with knowledge of your password, but without putting the password on disk, is to leave offlineimap running in tmux/screen with the autorefresh setting enabled in your ~/.offlineimaprc.
You need to add autorefresh = 10 to the [Account X] section of the offlineimaprc file, to get it to check every 10 minutes. Also delete any config line with password or passwordeval.
Then run offlineimap - it will ask for your password and cache it in memory. It will not exit after the first run, but will sleep for 10 minutes. Then it will wake up and run again, but it will still remember your password.
So you can leave a tmux session running with offlineimap, enter your password once, and offlineimap will be fine thereafter.
Best Answer
Well, the trivial (perhaps cheating) way would be to run:
This will produce a password using whatever password hashing scheme your version of mysql uses. [EDIT: added -NB, which gets rid of the column names and ASCII table art.]