:date: 2012-04-05 10:03

.. index:: tech, linux

Encfs
=====

I'm still working on different solutions to safely transfer files between different systems without compromising their safety. Really, it doesn't matter what the files contain: as long as they are my files, I'm paranoid. Just asking myself what would happen if I lose access to the machine, or if somebody else gets full access to it, keeps me awake. We all have things to hide. If you disagree, please send me your credit-card information and a list of your passwords via email. Thanks.

Besides solutions like `truecrypt `__, which work with containers and encrypt a whole filesystem, you can also encrypt just a folder and the files in it. When talking about synchronisation you usually want to sync as little data as possible. Syncing a whole :program:`Truecrypt` container is easy, but with an ever growing number of files the container will become too small one day (unless you've chosen it big enough right from the beginning). If you've chosen it big enough for your demands, you always have some overhead you need to sync without actually using it. That's just how :program:`Truecrypt` works and it's fine that way. But especially on asymmetric Internet connections the upload takes quite a bit longer than the download (and you have to upload the whole container to keep it in sync).

As mentioned above, you can instead encrypt a folder containing your files and, depending on the algorithm you're using to sync, transfer just the changed files. :program:`Dropbox` will work just fine here, even though on its own it doesn't store the data encrypted without leaving the key on the vendor's side. `EncFS `__ (short for *encrypted filesystem*) gives you a hand to do that. Using the FUSE library and the Linux kernel you get an interface to the filesystem. It's completely open-source and free to use (`GPL `__).

Due to its design and the compromises that come along with it, ENCFS has some `disadvantages `__, but also `advantages `__ you might want to consider before using it. If you're seriously concerned about safety: don't use it.

--------

Technical Stuff
---------------

These are the requisites of ENCFS:

* FUSE: 2.6 or newer for the latest ENCFS
* :program:`rlog`: a C++ logging library
* :program:`OpenSSL`: versions 0.9.6 through 0.9.8 have been tested
* :program:`boost`: C++ utility library 1.34 or later

Most of the stuff is probably installed on your system anyway:

.. code:: bash

   $ sudo apt-get install encfs
   The following NEW packages will be installed:
     encfs libboost-filesystem1.46.1{a} libboost-serialization1.46.1{a} libboost-system1.46.1{a} librlog5{a}
   0 packages upgraded, 5 newly installed, 0 to remove and 9 not upgraded.
   Need to get 659 kB of archives. After unpacking 3,109 kB will be used.

--------

Basic Usage
-----------

#. Create a folder in the file-system that you want to use. The encrypted files will be stored here. If you're planning to sync the folder, create it somewhere from where you can sync.

   .. code:: bash

      $ mkdir ~/encrypted

#. Create a mountpoint

   You'll need a second directory through which you access the files of the encrypted directory. You basically mount the encfs folder into the second directory, similar to mounting an ISO file, e.g.

   .. code:: bash

      $ mkdir ~/temp_encr

#. Create the encrypted system and mount it

   When mounting the directory for the first time, encfs will realise that the folder isn't encrypted yet and ask you to set up the directory and specify a password. Below you'll see the setup with the standard options. It works like a regular mount:

   .. code:: bash

      $ encfs "folder to mount" "mount point"

   So for this example:

   .. code:: bash

      jt@pc:~# encfs /home/jt/encrypted /home/jt/temp_encr
      Creating new encrypted volume.
      Please choose from one of the following options:
       enter "x" for expert configuration mode,
       enter "p" for pre-configured paranoia mode,
       anything else, or an empty line will select standard mode.
      ?>

      Standard configuration selected.

      Configuration finished.  The filesystem to be created has
      the following properties:
      Filesystem cipher: "ssl/aes", version 3:0:2
      Filename encoding: "nameio/block", version 3:0:1
      Key Size: 192 bits
      Block Size: 1024 bytes
      Each file contains 8 byte header with unique IV data.
      Filenames encoded using IV chaining mode.
      File holes passed through to ciphertext.

      Now you will need to enter a password for your filesystem.
      You will need to remember this password, as there is absolutely
      no recovery mechanism.  However, the password can be changed
      later using encfsctl.

      New Encfs Password:
      Verify Encfs Password:

   Note that encfs wants absolute paths, i.e. starting with a :samp:`/`.

#. Encrypt your files

   Now that you've set up and mounted the encrypted folder you can start putting your stuff into :file:`~/temp_encr`. As soon as you do so, new files will show up in the encfs folder as well, only encrypted.

   .. code:: bash

      $ echo "Hello World." > temp_encr/testfile
      $ ls -l ~/temp_encr/testfile
      -rw-rw-r-- 1 linuxaria linuxaria 22 2011-12-14 00:08 \
          /home/linuxaria/temp_encr/test.txt
      $ cat ~/temp_encr/testfile
      Hello World

   As soon as you're done you can unmount the folder with :command:`fusermount` (a normal :command:`umount` will not work).

   .. code:: bash

      $ fusermount -u /home/jt/temp_encr

   Now the directory :file:`~/temp_encr` is empty, but the directory :file:`encrypted` still contains all the files, only encrypted (plus some metadata as XML files).

   .. code:: bash

      $ ls -la encrypted/
      total 16
      drwxrwxr-x   2 linuxaria linuxaria 4096 2011-12-14 00:08 .
      drwx------ 109 linuxaria linuxaria 4096 2011-12-13 23:55 ..
      -rw-rw-r--   1 linuxaria linuxaria 1076 2011-12-13 23:56 .encfs6.xml
      -rw-rw-r--   1 linuxaria linuxaria   30 2011-12-14 00:08 NOQUHJDpKw4XkS,THEb5OF,8
      $ cat encrypted/NOQUHJDpKw4XkS,THEb5OF,8
      �͒���< ��_B|�"?��G��-./t+�

--------

Limitations
-----------

I have problems saving emails and attachments out of mutt into the encrypted folder structure. However, if I put them outside first and move them into the folder it works just fine.

Some postings on the net suggest a correlation with the *paranoia* mode of encfs (which you can choose during setup), namely that it disables hard links as well. This is indeed stated by the encfs setup (paranoia mode) itself::

   The external initialization-vector chaining option has been
   enabled. This option disables the use of hard links on the
   filesystem. Without hard links, some programs may not work.
   The programs 'mutt' and 'procmail' are known to fail. For
   more information, please see the encfs mailing list.
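The mount and unmount steps from the walkthrough above, wrapped in a small shell helper that enforces what encfs silently relies on (absolute paths, an existing encrypted root, an empty mountpoint) before handing over to :command:`encfs`. This is an added example, not code from the post or from the EncFS project; the function names and exit codes are my own choices.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): checked wrapper around the
# encfs / fusermount commands used in the Basic Usage section.
# Function names and exit codes are my own (hypothetical) choices.

# 0 if $1 already holds an initialised EncFS volume (config file present).
encfs_is_volume() { [ -f "$1/.encfs6.xml" ]; }

# 0 if $1 is an existing, empty directory (safe to mount over; otherwise
# the mount would hide whatever is already in there).
dir_is_empty() { [ -d "$1" ] && [ -z "$(ls -A "$1")" ]; }

# 0 if $1 starts with a slash; encfs refuses relative paths.
is_absolute() { case "$1" in /*) return 0 ;; *) return 1 ;; esac; }

# encfs_mount_checked ROOT MOUNTPOINT
# Exit codes: 2 relative path, 3 root missing, 4 mountpoint unusable,
# 5 encfs not installed; otherwise the exit status of encfs itself.
encfs_mount_checked() {
    local root="$1" mnt="$2"
    if ! is_absolute "$root" || ! is_absolute "$mnt"; then
        echo "error: encfs needs absolute paths: $root $mnt" >&2; return 2
    fi
    if [ ! -d "$root" ]; then
        echo "error: encrypted root $root does not exist" >&2; return 3
    fi
    if ! dir_is_empty "$mnt"; then
        echo "error: mountpoint $mnt is missing or not empty" >&2; return 4
    fi
    if ! encfs_is_volume "$root"; then
        # First mount: encfs will run the interactive setup shown above.
        echo "note: $root has no .encfs6.xml, encfs will create a new volume" >&2
    fi
    command -v encfs >/dev/null 2>&1 || { echo "error: encfs not installed" >&2; return 5; }
    encfs "$root" "$mnt"
}

# encfs_umount MOUNTPOINT: FUSE mounts are released with fusermount, not umount.
encfs_umount() { fusermount -u "$1"; }
```

Keep in mind that :file:`.encfs6.xml` stores the volume key (encrypted with your password), so when the encrypted root is synced to a service like Dropbox that file travels along and the password alone protects your data. Losing that file, on the other hand, makes the volume unreadable even with the password, so back it up separately.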