EncFS is used to encrypt individual directories or sections of the filesystem. When decrypted these stores are mounted as virtual filesystem. It does this through a virtual filesystem (FUSE) in a way that is transparent to the underlying filesystem. Consequently, to all other systems the decrypted store acts like a normal directory in the filesystem.
As everything is done in user-space it is easy to set-up and maintain. It's particularly useful if you want to have multiple encrypted stores with different keys. For example, if you had two directories that stores two separate customers information you could store each one with a different key.
The primary protection EncFS provides is to protect data off-line, when your system has unmounted the virtual volume. If you use it on a laptop you should bear in mind the impact of suspend/resume.
The primary downside to EncFS is that because it's a virtual store that is transparent to your normal filesystem some things are revealed when the files are in an encrypted state: individual files are encrypted, but the number of files and the structure of the store are revealed (file metadata). For more information see the extensive man page.
It's fairly cross-platform with ports available for Mac and Windows.
Some common use-cases for EncFS are:
A common situation is to keep files encrypted on a laptop. With EncFS you can encrypt some sections of the drive while leaving others to natively use the filesystem. The user can also have multiple encrypted volumes (e.g project1, project2).
Whether as a back-up to files or as a separate file store. USB sticks or portable drives are easily lost, EncFS can protect the files when the USB stick is disconnected.
EncFS can be used to keep a volume on-line encrypted, when it is accessed you temporarily decrypt it. The common use-case is something like DropBox or an SSHFS. Have a look at the security review of EncFS before doing this. EncFS has some clever tricks for inspecting files that are encrypted but are transparent on the local system.
Probably not, there are better systems like duplicity for this.
There are ports available so it's pretty cross-platform, and it's open source and based on a well-understood system (FUSE).
Encryption is a complex area with a variety of options. Common alternatives are:
eCryptFS is integrated into Ubuntu to encrypt the whole of the home directory filesystem. It's easy to use, but has a kernel module element. I don't use it because it wasn't around when I started using EncFS.
If cross-platform is a significant consideration then a variant of TrueCrypt is an option.
These are complete disk encryption (block device encryption) where you want all filesystems transparently encrypted.
Install fuse and then install encfs:
$ apt-get install fuse $ apt-get install encfs
This section on source installation was done in 2006 so is wildly out of date.
a. Install fuse:
$ sudo apt-get install fuse-utils $ sudo apt-get install fuse-source $ sudo apt-get install module-assistant $ sudo apt-get install linux-headers-$(uname -r) $ sudo apt-get install libfuse2 $ sudo apt-get install libfuse-dev
b. Setup fuse
To build the kernel module for fuse you use the module-assistant command which is a nice commandline utility put together by Debian. You launch it from the commandline and then just run through each menu from top to bottom.:
$ sudo module-assistant prepare $ sudo module-assistant build fuse $ sudo module-assistant install fuse
After module assistant has run through and installed fuse you can load it into the kernel:
$ sudo modprobe fuse $ sudo lsmod | grep fuse # You should see fuse running
c. Add your user to the fuse group
In order that your user can use the fusermount command you need to add them into the fuser group:
$ sudo adduser <youruserid> fuse
d. Add fuse into /etc/modules
To tell the kernel to load the fuse module everytime it boots you add it into the /etc/modules file:
$ sudo cp /etc/modules /etc/modules.bak ; echo fuse >> /etc/modules
e. Install supporting software:
$ sudo apt-get install openssl $ sudo apt-get install libssl-dev
f. Install Rlog
Download it from http://arg0.net/users/vgough/rlog/ - the version I got was 1.3. You can unzip it with the GNOME Archive Manager, or on the command line do:
$ gunzip -c <tgz_file> | tar -xvf -
By default it will install in /usr/local, but because I move my home directory on movable media between two machines I decided to install it into /home/steve. In order to get it to compile into /home/steve/bin I provide the --prefix switch:
$ ./configure --prefix=/home/steve $ make $ make install
If you are installing into /usr/local you don't need the prefix and should be done. In my case I needed to tell my environment where to find it so in .bashrc I added:
LD_LIBRARY_PATH=$LD_LIBRARY_PATH;/home/steve/lib PKG_CONFIG_PATH=$PKG_CONFIG_PATH;/home/steve/lib/pkgconfig export LD_LIBRARY_PATH, PKG_CONFIG_PATH
g. Get encfs and install it
Download it from http://arg0.net/wiki/encfs - the version I got was 1.2.3. Again unzip it with the GNOME Archive Manager, or on the command line do:
$ gunzip -c encfs-1.2.2-2.tgz | tar -xvf - $ ./configure --prefix=/home/steve $ make ; make install
h. Test it all works:
mkdir ~/tmp/crypt-raw mkdir ~/tmp/crypt-safe encfs ~/tmp/crypt-raw ~/tmp/crypt-safe vi ~/tmp/crypt-safe fusermount -u ~/tmp/crypt-safe
The file details are kept in a .encfs file
At this point you are done as you can now make encrypted volumes without a problem.
a. Create mount directories for the raw and unencrypted files:
$ mkdir ~/tmp/crypt-raw $ mkdir ~/tmp/crypt-safe
The crypt-raw directory will have the encrypted files in it, they appear as long strings. The crypt-safe directory is the mount point you change directory into to access the unencrypted files.
b. Create the Encfs:
$ encfs ~/tmp/crypt-raw ~/tmp/crypt-safe
The command gives you the option of configuring with standard or paranoid configurations.
c. Inspect the configuration file:
$ view ~/tmp/crypt-raw/.encfs6.xml
This is the configuration file for the EncFS volume, where you can see the encryption level used, keysize, block size and so forth.
d. Unencrypt the volume and mount it:
$ encfs --verbose ~/tmp/crypt-raw ~/tmp/crypt-safe
e. Use the volume:
$ cd ~/tmp/crypt-safe $ touch test.txt
Create files in the volume, you can also see it is mounted as a volume with the 'mount' command.
a. Find the mounted volume you want:
b. Use fusermount:
$ fusermount -u ~/tmp/crypt-safe
You can confirm the volume is unmounted by running the mount command again.
The man page for encfs is pretty extensive. The most useful switches to the encfs command are:
|--idle=MINS||Unmount the encrypted filesystem if it is idle for the specified number of minutes. EncFS will not unmount if there are files open withing the filesystem.|
|--verbose||Give verbose output.|
|--ondemand||Mount the filesystem on-demand only. This should be used with --idle and --extpass according to the manual.|
|Set an external program to ask the user for their password.|
How do I umount a mount point?:
$ fusermount -u /home/steve/secretstore
Fusermount is the easiest command to use.
The most common problem is that an application is still using the mounted filesystem. Use lsof or fuser to find out which one:
$ lsof /home/steve/secretstore $ fuser -c /home/steve/secretstore
You then need to kill or kill -HUP the process that is accessing the files. This old Sun document is worth reading for filesystem management generally.
You have to do it manually. So create a new one and then copy the files manually.
You have to do it manually. Create a new encrypted filestore, and then copy the files across manually.
How do I change passwords?
$ encfsctl passwd /location/encrypteddir
How do I inspect the encryption type?
$ encfsctl info /location/encrypteddir
Valient Gough's (creator of EncFS) main project page.
Comprehensive Wiki page on EncFS, also worth reading the pages on alternatives.
Good overview of EncFS and covers some detail of the security audit. If the security audit attracts your attention then you should read the Debian bug.
Encrypting a remote filesystem and then accessing it through SSHFS. The filesystem remains encrypted on the remote system at all times.