Encfs

I’m still working on different solution to safely transfer files between different systems, without compromising the safety. Really, it doesn’t matter what the files contain, but as long it’s about my files, I’m paranoid. Just asking myself what would happen if I loose access to the machine or somebody else might get full access to it keeps me awake.

We all have things to hide. If you disagree, please send me your credit-card information and a list of your passwords via email. Thanks.

Beside solutions like truecrypt which works with containers and encrypting the whole filesystem you can also encrypt just a folder and the files in there. When talking about synchronisation you usually want to sync as little data as possible. Syncing a whole Truecrypt container is easy, but with a more and more growing number of files, the container will become to small one day (unless you’ve chosen it big enough right from the beginning). If you’ve chosen it big enough for your demands, you always have some overhead you need to sync without actually using it. That’s just how Truecrypt works and it’s fine that way.

But especially with asynchronous Internet connections the upload takes a bit longer than the download (and you have to upload it in order to keep it in sync).

As mentioned above you can encrypt a folder containing your files and base on the algorithm you’re using to sync just sync the changed files. Dropbox will work just fine here, even if it’s not storing the data encrypted without leaving the key on the vendor side.

EncFS (short for encrypted filesystem) gives you a hand to do that. Using the FUSE library and Linux Kernel you get an interface to the filesystem. It’s completely open-source and free to use GPL.

Due to the design and compromises coming along with ENCFS it has some disadvantages, but also advantages you might want to consider before using it. If you’re seriously concerned about safety: don’t use it.


Technical Stuff

These are the requisites of ENCFS:

  • FUSE : 2.6 or newer for the latest ENCFS

  • rlog : a C++ logging library

  • OpenSSL – versions 0.9.6 through 0.9.8 have been tested

  • boost : C++ utility library 1.34 or later

Most of the stuff is probably installed on your system anyway:

$ sudo apt-get install encfs

The following NEW packages will be installed:

   encfs libboost-filesystem1.46.1{a} libboost-serialization1.46.1{a} libboost-system1.46.1{a} librlog5{a}
 0 packages upgraded, 5 newly installed, 0 to remove and 9 not upgraded.
 Need to get 659 kB of archives. After unpacking 3,109 kB will be used.

Basic Usage

  1. Create a folder in the file-system that you want to use. The encrypted files will be stored here. If you’re planning to sync the folder you want to create it somewhere from where you can sync.

    $ mkdir ~/encrypted
    
  2. Create a mountpoint

    You’ll need a second directory which you use to access the files of the encrypted directory. You basically mount the encfs-folder into the second directory. Similar to mounting an ISO-file, e.g.

    $ mkdir ~/temp_encr
    
  3. Create the encrypted system and mount it

    For the first time mounting the directory, encfs will realise that the folder isn’t encrypted yet and ask you to setup the directory and specify a password. Below you’ll see the setup with the standard options. It works like a regular mount:

    $ encfs "folder to mount" "mount point"
    

    So for this example:

    jt@pc:~# encfs /home/jt/encrypted /home/jt/temp_encr
    Creating new encrypted volume.
    Please choose from one of the following options:
     enter "x" for expert configuration mode,
     enter "p" for pre-configured paranoia mode,
     anything else, or an empty line will select standard mode.
    ?>
    
    Standard configuration selected.
    
    Configuration finished.  The filesystem to be created has
    the following properties:
    Filesystem cipher: "ssl/aes", version 3:0:2
    Filename encoding: "nameio/block", version 3:0:1
    Key Size: 192 bits
    Block Size: 1024 bytes
    Each file contains 8 byte header with unique IV data.
    Filenames encoded using IV chaining mode.
    File holes passed through to ciphertext.
    
    Now you will need to enter a password for your filesystem.
    You will need to remember this password, as there is absolutely
    no recovery mechanism.  However, the password can be changed
    later using encfsctl.
    
    New Encfs Password:
    Verify Encfs Password:
    

    Note that encfs wants absolute paths, i.e. starting with a /

  4. Encrypt your files

    Now that you’ve got setup and mounted the encrypted folder you can start putting your stuff into ~/temp_encr. As soon as you do so some new files will show up in the encfs-folder as well, only encrypted.

    $ echo "Hello World." > temp_encr/testfile
    $ ls -l ~/temp_encr/testfile
    -rw-rw-r-- 1 linuxaria linuxaria 22 2011-12-14 00:08 \
        /home/linuxaria/temp_encr/test.txt
    $ cat ~/temp_encr/testfile
    Hello World
    

As soon as you’re done you can unmount the folder with fusermount (normal umount will not work).

$ fusermount -u /home/jt/temp_encr

Now the directory ~/temp_encr is empty but the directory encrypted still contains all the files - only encrypted (plus some metadata as XML files).

$  ls -la encrypted/
total 16
drwxrwxr-x   2 linuxaria linuxaria 4096 2011-12-14 00:08 .
drwx------ 109 linuxaria linuxaria 4096 2011-12-13 23:55 ..
-rw-rw-r--   1 linuxaria linuxaria 1076 2011-12-13 23:56 .encfs6.xml
-rw-rw-r--   1 linuxaria linuxaria   30 2011-12-14 00:08 NOQUHJDpKw4XkS,THEb5OF,8
$ cat encrypted/NOQUHJDpKw4XkS,THEb5OF,8
�͒���< ��_B|"?��G��-./t+�

Limitations

I have problems from saving emails and attachments out of mutt into the encrypted folder structure. However: If I put it outside first and move it into the folder it works just fine.

Some postings on the net intend some correlations to the paranoia-mode of encfs (which you can choose during setup) and that one will disable hard links as well. However: this comes out of the encfs setup (paranoia-mode) itself:

The external initialization-vector chaining option has been enabled. This option disables the use of hard links on the filesystem. Without hard links, some programs may not work. The programs ‘mutt’ and ‘procmail’ are known to fail. For more information, please see the encfs mailing list.