encfs – encrypted filesystem in user-space

Quoting from Wikipedia:
EncFS is a Free (GPL’ed) FUSE-based cryptographic filesystem that transparently encrypts files, using an arbitrary directory as storage for the encrypted files.

Two directories are involved in mounting an EncFS filesystem: the source directory, and the mountpoint. Each file in the mountpoint has a specific file in the source directory that corresponds to it. The file in the mountpoint provides the unencrypted view of the one in the source directory. Filenames are encrypted in the source directory.

Files are encrypted using a volume key, which is stored encrypted in the source directory. A password is used to decrypt this key.

Sounds complicated, but it’s really not. Basically what we are going to accomplish here is creating Directory that has all the files in it encrypted.
This will work on any system, this requires 3 applications if they are not already installed. fuse rlog encfs For me, it’s simply a matter of using pacman and installing them. You can use whatever package manager your distro provides or you can install from source.

[root@localhost ~]# pacman -S fuse encfs rlog
resolving dependencies… done.
looking for inter-conflicts… done.

Targets: fuse-2.7.1-1 rlog-1.3.7-4 encfs-1.3.2-1

Total Package Size: 0.44 MB
Total Installed Size: 0.86 MB

Proceed with installation? [Y/n] y
:: Retrieving packages from core…
fuse 142.5K 144.3K/s 00:00:01 [#########] 100%
:: Retrieving packages from community…
rlog 34.8K 100.2K/s 00:00:00 [#########] 100%
encfs 270.9K 148.4K/s 00:00:02 [#########] 100%
checking package integrity… done.
cleaning up… done.
(3/3) checking for file conflicts [#########] 100%
(1/3) installing fuse [#########] 100%
==> You must load the fuse kernel module to use FUSE.
-> Run ‘modprobe fuse’ to load the module now.
-> Add fuse to $MODULES in /etc/rc.conf to load on every boot.
==> You will need a /dev/fuse device node to use FUSE.
-> If you use udev, nothing needs to be done
-> For a static /dev, run: mknod /dev/fuse -m 0666 c 10 229
(2/3) installing rlog [#########] 100%
(3/3) installing encfs [#########] 100%
[root@localhost ~]#

Once you have all 3 packages installed, you have to modprobe fuse.

[root@localhost ~]# modprobe fuse
[root@localhost ~]#

NOTE: Edit the /etc/rc.conf file and put “fuse” into the modules section to have it loaded on next boot automatically……. saves modprobing every time ;) That of course is for my Arch system, I leave it up to you to edit the appropriate file for your distro.

Now as a normal user enter the full paths to the hidden/encrypted directory and the directory you will use for temp storage.

encfs /home/crouse/.ENCRYPTED /home/crouse/ENCRYPTED

[10:48:57 crouse]$ encfs /home/crouse/.ENCRYPTED /home/crouse/ENCRYPTED
The directory “/home/crouse/.ENCRYPTED/” does not exist. Should it be created? (y,n) y
The directory “/home/crouse/ENCRYPTED” does not exist. Should it be created? (y,n) y
Creating new encrypted volume.
Please choose from one of the following options:
enter “x” for expert configuration mode,
enter “p” for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.
?> p

Paranoia configuration selected.

Configuration finished. The filesystem to be created has
the following properties:
Filesystem cipher: “ssl/aes”, version 2:1:1
Filename encoding: “nameio/block”, version 3:0:1
Key Size: 256 bits
Block Size: 512 bytes, including 8 byte MAC header
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File data IV is chained to filename IV.

————————– WARNING ————————–
The external initialization-vector chaining option has been
enabled. This option disables the use of hard links on the
filesystem. Without hard links, some programs may not work.
The programs ‘mutt’ and ‘procmail’ are known to fail. For
more information, please see the encfs mailing list.
If you would like to choose another configuration setting,
please press CTRL-C now to abort and start over.

Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism. However, the password can be changed
later using encfsctl.

New Encfs Password:
Verify Encfs Password:
[~]
[10:50:18 crouse]$

Ok, now we have the programs installed and the directories mounted, it’s working ;) The command above “started” the encfs working. To STOP it from working you can use the command fusermount -u /home/crouse/ENCRYPTED replacing my path with the path of your “viewable/temp” directory.

I usually open konqueror and in the above example, I browse to “/home/crouse/ENCRYPTED” and split my window into two parts and then drag-n-drop files into /home/crouse/ENCRYPTED Once I’m done, using the unmount command above, the files in ENCRYPTED are now encrypted in the (on my system) hidden file .ENCRYPTED please notice the period before the filename !! (I used a hidden file by using the period in front of the filename, you don’t have to do it that way if you don’t want too).

Since typing those LONG commands into a terminal window is a pain, I created a bash script to do that for me.

#!/bin/sh
# Written by Crouse. 11-2-2007
# Mounts/UNmounts encFS dir.
# Edit the dir paths below to suit your needs.
# Paths MUST be full paths – the use of ~/ or partial path will not work.
ENCRYPTED_DIRECTORY=”/home/crouse/private.enc”
VIEWABLE_DIRECTORY=”/home/crouse/private”

echo “”
if [ "$(cat /proc/mounts | grep fuse | grep $VIEWABLE_DIRECTORY)" != "" ];
then
echo “Encrypted Filesystem status: MOUNTED.”
read -p “encFS: should $VIEWABLE_DIRECTORY be unmounted? (y/n) ” answer
if [ $answer == "y" ]
then
fusermount -u $VIEWABLE_DIRECTORY &
echo “$VIEWABLE_DIRECTORY was unmounted”
else
echo “$VIEWABLE_DIRECTORY still mounted.”
fi
else
echo “Encrypted Filesystem status: UNMOUNTED.”
read -p “encFS: should $VIEWABLE_DIRECTORY be mounted? (y/n) ” answer
if [ $answer == "y" ]
then
encfs $ENCRYPTED_DIRECTORY $VIEWABLE_DIRECTORY
echo “$VIEWABLE_DIRECTORY mounted for use.”
else
echo “Ok, exiting, doing nothing”
fi
fi
echo “”
sleep 3
exit 0

So at this point now, you can edit the two lines in the script above to represent YOUR directories and you can run the script to start/stop encfs.

I took this one step further…… since I’m REALLY lazy, I created an icon on my kde desktop and linked it to

`/usr/bin/xterm -fn 6×13 -bg LightSlateGray -fg black -e /home/crouse/scripts/encfscntrl.sh &`

Now, to start/stop the encrypted file system I can just click my icon on my desktop and an xterm window opens up, asks if you want it on or off, and for the password, then gracefully closes after a couple seconds.

encfs is a very cool tool for keeping data private in a directory. It has many options that i haven’t covered, but this should get you started.

Comments are closed.