We will use a combination of slightly higher security and performance: we increase the key length and the block size,
but we do not enable adding random bytes to the data block headers (unlike the pre-configured paranoia mode).
Running encfs:

    encfs $PWD/.private $PWD/mnt
    Creating new encrypted volume.
    Please choose from one of the following options:
     enter "x" for expert configuration mode,
     enter "p" for pre-configured paranoia mode,
     anything else, or an empty line will select standard mode.
    ?> x
We chose "expert mode". Next we select the cipher algorithm, e.g. AES:

    Manual configuration mode selected.
    The following cipher algorithms are available:
    1. AES : 16 byte block cipher
     -- Supports key lengths of 128 to 256 bits
     -- Supports block sizes of 64 to 4096 bytes
    2. Blowfish : 8 byte block cipher
     -- Supports key lengths of 128 to 256 bits
     -- Supports block sizes of 64 to 4096 bytes

    Enter the number corresponding to your choice: 1

    Selected algorithm "AES"
We increase the key length to 256 bits:

    Please select a key size in bits.  The cipher you have chosen supports sizes from 128 to 256 bits in increments of 64 bits.
    For example:
    128, 192, 256
    Selected key size: 256

    Using key size of 256 bits
We increase the block size to 4096 bytes:

    Select a block size in bytes.  The cipher you have chosen supports sizes from 64 to 4096 bytes in increments of 16.
    Or just hit enter for the default (1024 bytes)

    filesystem block size: 4096

    Using filesystem block size of 4096 bytes
For the filename encryption variant we prefer to keep option 1:

    The following filename encoding algorithms are available:
    1. Block : Block encoding, hides file name size somewhat
    2. Null : No encryption of filenames
    3. Stream : Stream encoding, keeps filenames as short as possible

    Enter the number corresponding to your choice: 1

    Selected algorithm "Block"
We recommend leaving the initialization vector settings at their default values:

    Enable filename initialization vector chaining?
    This makes filename encoding dependent on the complete path,
    rather then encoding each path element individually.
    The default here is Yes.
    Any response that does not begin with 'n' will mean Yes:

    Enable per-file initialization vectors?
    This adds about 8 bytes per file to the storage requirements.
    It should not affect performance except possibly with applications
    which rely on block-aligned file io for performance.
    The default here is Yes.
    Any response that does not begin with 'n' will mean Yes:

    Enable filename to IV header chaining?
    This makes file data encoding dependent on the complete file path.
    If a file is renamed, it will not decode sucessfully unless it
    was renamed by encfs with the proper key.
    If this option is enabled, then hard links will not be supported
    in the filesystem.
    The default here is No.
    Any response that does not begin with 'y' will mean No:

    Enable block authentication code headers
    on every block in a file?  This adds about 12 bytes per block
    to the storage requirements for a file, and significantly affects
    performance but it also means [almost] any modifications or errors
    within a block will be caught and will cause a read error.
    The default here is No.
    Any response that does not begin with 'y' will mean No:
This option is important: setting it to a non-zero value increases data security, but greatly reduces speed, especially for writes:

    Add random bytes to each block header?
    This adds a performance penalty, but ensures that blocks
    have different authentication codes.  Note that you can
    have the same benefits by enabling per-file initialization
    vectors, which does not come with as great of performance
    penalty.
    Select a number of bytes, from 0 (no random bytes) to 8: 0
The remaining options can be left at their default settings:

    Enable file-hole pass-through?
    This avoids writing encrypted blocks when file holes are created.
    The default here is Yes.
    Any response that does not begin with 'n' will mean Yes:
A summary of the settings follows, together with the password prompt:

    Configuration finished.  The filesystem to be created has
    the following properties:
    Filesystem cipher: "ssl/aes", version 3:0:2
    Filename encoding: "nameio/block", version 3:0:1
    Key Size: 256 bits
    Block Size: 4096 bytes
    Each file contains 8 byte header with unique IV data.
    Filenames encoded using IV chaining mode.
    File holes passed through to ciphertext.

    Now you will need to enter a password for your filesystem.
    You will need to remember this password, as there is absolutely
    no recovery mechanism.  However, the password can be changed
    later using encfsctl.

    New Encfs Password:
    Verify Encfs Password:
This completes the configuration, and the directory should already be mounted at this point.
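The choices made above are persisted by encfs in the `.encfs6.xml` file inside the encrypted root directory, so they can be audited later without re-running the wizard. The script below is an added example written for this article, not code from the encfs project: it parses such a config file, compares it with the profile selected in the walkthrough (AES, 256-bit key, 4096-byte blocks, block filename encoding, per-file IVs, no block MACs, no random header bytes), and reports deviations together with the trade-offs the profile knowingly accepts. The element names (`keySize`, `blockSize`, `uniqueIV`, `chainedNameIV`, `externalIVChaining`, `blockMACBytes`, `blockMACRandBytes`, `allowHoles`) are assumed to follow the EncFS 1.x config layout, and the embedded sample file is constructed for the example, with placeholder key and salt data.

```python
"""Audit an EncFS .encfs6.xml against the expert-mode profile chosen above.

Added example, not part of the article or the encfs project. Element names are
assumed to follow the EncFS 1.x boost-serialization config; the sample below is
constructed for this example and contains placeholder key/salt material.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the layout encfs writes to <rootdir>/.encfs6.xml.
SAMPLE_ENCFS6_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE boost_serialization>
<boost_serialization signature="serialization::archive" version="7">
<cfg class_id="0" tracking_level="0" version="20">
  <version>20100713</version>
  <creator>EncFS 1.7.4</creator>
  <cipherAlg class_id="1" tracking_level="0" version="0">
    <name>ssl/aes</name><major>3</major><minor>0</minor>
  </cipherAlg>
  <nameAlg>
    <name>nameio/block</name><major>3</major><minor>0</minor>
  </nameAlg>
  <keySize>256</keySize>
  <blockSize>4096</blockSize>
  <uniqueIV>1</uniqueIV>
  <chainedNameIV>1</chainedNameIV>
  <externalIVChaining>0</externalIVChaining>
  <blockMACBytes>0</blockMACBytes>
  <blockMACRandBytes>0</blockMACRandBytes>
  <allowHoles>1</allowHoles>
  <encodedKeySize>44</encodedKeySize>
  <encodedKeyData>PLACEHOLDER_KEY_DATA</encodedKeyData>
  <saltLen>20</saltLen>
  <saltData>PLACEHOLDER_SALT_DATA</saltData>
  <kdfIterations>100000</kdfIterations>
  <desiredKDFDuration>500</desiredKDFDuration>
</cfg>
</boost_serialization>
"""

# The profile selected in the walkthrough: the comparison baseline.
EXPECTED = {
    "cipher": "ssl/aes", "nameAlg": "nameio/block",
    "keySize": 256, "blockSize": 4096,
    "uniqueIV": 1, "chainedNameIV": 1, "externalIVChaining": 0,
    "blockMACBytes": 0, "blockMACRandBytes": 0, "allowHoles": 1,
}
INT_FIELDS = ("keySize", "blockSize", "uniqueIV", "chainedNameIV",
              "externalIVChaining", "blockMACBytes", "blockMACRandBytes",
              "allowHoles")


def parse_encfs6(xml_text: str) -> dict:
    """Extract the security-relevant settings of a .encfs6.xml into a flat dict."""
    root = ET.fromstring(xml_text.encode("utf-8"))   # bytes: honour the XML declaration
    cfg = root.find("cfg")
    if cfg is None:
        raise ValueError("no <cfg> element: not an EncFS 6 config file")
    settings = {"cipher": cfg.findtext("cipherAlg/name"),
                "nameAlg": cfg.findtext("nameAlg/name")}
    for field in INT_FIELDS:
        text = cfg.findtext(field)
        if text is None:
            raise ValueError(f"missing <{field}> in config")
        settings[field] = int(text)
    return settings


def audit(settings: dict, expected: dict = EXPECTED) -> list:
    """Return findings: deviations from the profile plus trade-offs it accepts."""
    findings = [f"MISMATCH {k}: expected {v!r}, found {settings.get(k)!r}"
                for k, v in expected.items() if settings.get(k) != v]
    if settings["blockMACBytes"] == 0:
        # The profile deliberately skips block MACs for speed; record the cost.
        findings.append("INFO blockMACBytes=0: no per-block MAC, so modified or "
                        "corrupted ciphertext blocks are not detected on read")
    if settings["uniqueIV"] == 0 and settings["blockMACRandBytes"] == 0:
        findings.append("WARN uniqueIV=0 and blockMACRandBytes=0: nothing makes "
                        "identical blocks in different files encrypt differently")
    if settings["keySize"] < 256:
        findings.append(f"WARN keySize={settings['keySize']} is below the 256-bit "
                        "profile chosen in this walkthrough")
    return findings


def audit_file(path: str) -> list:
    """Audit a real config file, e.g. $PWD/.private/.encfs6.xml."""
    with open(path, encoding="utf-8") as fh:
        return audit(parse_encfs6(fh.read()))


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_ENCFS6_XML
    for line in audit(parse_encfs6(text)):
        print(line)
```

Run with the path to a volume's `.encfs6.xml` as the first argument, or with no argument to audit the embedded sample; a volume that matches the walkthrough produces only the INFO line about missing block MACs, which is exactly the trade-off accepted when the authentication code header question was answered with the default.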