ENCFS - mount the encrypted directory

It's a modul of FUSE system 1), which transparently encrypt and decrypt data and names of files.

This guide is dedicated to OS Linux users or the other UNIX-like OS (with a few changes). Another platforms will be tested in the future.

In data storage it is possible to combine ENCFS with systems for connecting remote directory and by this it is possible to achieve a secured data archives with encryption on client - that means, that unecrypted data (plain text) will not leave the user's computer.

Because neither plain text, passwords nor cypher keys leave the user's computer, a loss of keys/passwords is not recoverable by the data storage. The data cannot be decrypted without key/passwords, not even by the data storage administrator.

Needed SW

  • package fuse
  • package encfs
  • for NFS or SSHFS see the instructions - NFS and SSHFS

Local use

Basically, you can also use ENCFS locally (without a network connection of the remote directory), only to acces the encrypted data.
This option is not applicable with the data storage, but it is the simplest one as a way to test the right configuration of ENCFS's layer.

Preparing of the directories (.private for encrypted data and mnt for mounting the data in decrypted form)

$ mkdir .private mnt

First running of the command encfs initialises an encrypted space, all the other runnings of the command just ask for the password (always only one time).

  • the directories have to be stated as a full path - which can be simplified by stating $PWD the variable (it should contain an actual directory as a full path)
  • destination directory, if existing, it has to be empty

Program will ask for a configuration variant - we recommend a „standard mode“ (enter the empty line):

It's also possible to use an „expert mode“ - for example to enlarge a lenght of cypher key or block (see further instructions)
Warning: the option „Add random bytes to each block header“ used in „paranoia mode“ within an „expert mode“ causes (with nonzero value) a large decrease of speed of the writing process.
$ encfs $PWD/.private $PWD/mnt
Creating new encrypted volume.
Please choose from one of the following options:
 enter "x" for expert configuration mode,
 enter "p" for pre-configured paranoia mode,
 anything else, or an empty line will select standard mode.

Standard configuration selected.

Configuration finished.  The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 3:0:2
Filename encoding: "nameio/block", version 3:0:1
Key Size: 192 bits
Block Size: 1024 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File holes passed through to ciphertext.

Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism.  However, the password can be changed
later using encfsctl.

After that it is necessary to enter an access password twice (the password should be strong enough to protect the data):

New Encfs Password: secretPassword
Verify Encfs Password: secretPassword

The directory should be already mounted - we can check it by command mount:

$ mount | grep encfs
encfs on /home/user/mnt type fuse.encfs (rw,nosuid,nodev,default_permissions,user=user)

The directories are empty for now:

$ tree mnt/

0 directories, 0 files
$ tree .private/

0 directories, 0 files

Now we can make directories and save files into the unecrypted part - for example:

$ mkdir -p mnt/d1/d11 mnt/d2 mnt/d3
$ echo "data" > mnt/d1/d11/file11.txt

The data appear in the both directories, in the .private part there are the encrypted ones:

$ tree mnt/
|-- d1
|   `-- d11
|       `-- file11.txt
|-- d2
`-- d3
4 directories, 1 file
$ tree .private/
|-- qRGNFVqtAMcA0aOAWTkn0h1I
|   `-- 7sJ78NEr5Phv5eRvE2bm-VCN
|       `-- cJHbtOnV7nSy9tMf6iWkgh9t
|-- ,Wjp3Cup0wLEOv-pvn6rY-hz
`-- HiRnQGsyjn1LM-cN5z9G4nkV
4 directories, 1 file

Unmounting the directory:

$ fusermount -u mnt

The unecrypted part is unmounted, the data in the encrypted part are staying:

$ tree mnt/

0 directories, 0 files
$ tree .private/
|-- qRGNFVqtAMcA0aOAWTkn0h1I
|   `-- 7sJ78NEr5Phv5eRvE2bm-VCN
|       `-- cJHbtOnV7nSy9tMf6iWkgh9t
|-- ,Wjp3Cup0wLEOv-pvn6rY-hz
`-- HiRnQGsyjn1LM-cN5z9G4nkV
4 directories, 1 file

The example of reconnection (without configuration queries):

$ encfs $PWD/.private $PWD/mnt
EncFS Password: secretPassword

Usage over NFS directory

Let's assume nfs-mnt like a point, where a remote NFS directory is mounted (see NFS guide).

The ENCFS is used alike in local use:

$ encfs $PWD/nfs-mnt/.private $PWD/mnt

Warning: connecting point mnt must be local - it shouldn't be in the remote space mounted via NFS.

Whole process (fusermount etc.) is analogical like in Local use variant.

The encrypted directory (in example .private) must be on the local system and owned by the user with the same username like the user who makes the ENCFS connection. Otherwise it won't have to be allowed to enter the directory and read or write the data (it depends on settings of the ecnrypted directory).

For example, if you see the user nobody like an owner of .private directory, it is possible to read ENCFS mounted data only by this user.

For right mapping and showing usernames see the instructions in section idmap.conf.

If it's not possible to fullfil this condition, rather use ENCFS over SSHFS directory.

Usage over SSHFS directory

Let's assume the sshfs-mnt as a point, where we mount the remote directory by SSHFS (see The SSHFS guide).

Example of SSHFS connection:

$ sshfs -o idmap=user username@ssh.du1.cesnet.cz:/VO_storage/home/username sshfs-mnt

We use ENCFS similary like in previous variants:

$ encfs $PWD/sshfs-mnt/.private $PWD/mnt

Warning: the mount point mnt must be local - it shouldn't be on the remote space mounted via SSHFS.

Whole process (fusermount etc.) is analogical to Local use variant.

Filesystem in Userspace
Poslední úprava: 29.02.2016 15:15