encfs: transparent crypto overlay
encfs is a cryptographic file system (encfs-website). The principle is simple: you mount one directory (holding the encrypted data) onto another directory (where the same data appears unencrypted). You can hand out the encrypted directory and nobody but you can read its contents. That makes it a good fit for cloud services like Dropbox, which offer you some space in the cloud "for free" but expect you to hand your private data over to them. In a few paragraphs we'll see how to set up encfs for Dropbox, but let's first take a look at encfs itself.
encfs
First of all you have to install encfs. Assuming you're sitting in front of a Debian-based OS:
Since encfs is FUSE-based, the user who wants to use encfs has to be a member of the group fuse (this applies to older Debian releases; newer ones ship a world-accessible /dev/fuse and no longer create a fuse group). You may use the groups command to make sure you belong to fuse:
If you're not yet a member of that group, edit the /etc/group file or use the usermod (or adduser) command (howto); useradd only creates new accounts. To apply the change you need to re-login or use newgrp (man newgrp).
That's it, the way to use encfs is now paved. Let's say we want to work with our data in /dir/clear, while everything is stored encrypted in /dir/crypt. Setting this up is simple, just call encfs [crypt-dir] [clear-dir] (both as absolute paths):
Answer p at the first prompt (pre-configured paranoia mode) and choose a password. This command creates an encrypted container in /dir/crypt and immediately mounts it on /dir/clear. Feel free to create some files in /dir/clear (your new working directory) and compare that directory with /dir/crypt. You will not be able to make sense of the files in /dir/crypt (file names and contents are both encrypted), so it is no problem if someone else has access to the content of /dir/crypt. What /dir/crypt still reveals is the number of files, their sizes and the directory layout, so do not expect it to hide the shape of your data.
To unmount the clear data use fusermount -u /dir/clear. To mount it again just call encfs /dir/crypt /dir/clear once more; this time it only asks for the password to decrypt the data.
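The procedure above (install, fuse group membership, first mount in paranoia mode, unmount and remount) as one small script. This is an added example and not part of the original article; it assumes a Debian-based system with sudo and uses the article's paths /dir/crypt and /dir/clear (overridable via the environment). The helper names are my own. The two pure helpers, in_group and is_encfs_mount, take their input as arguments so the checks can be exercised without a mounted volume.

```shell
#!/bin/sh
# Added example (not the article's own code): encfs setup, mount and unmount
# with the checks a practitioner wants before relying on the mount.
# Assumes Debian/Ubuntu with sudo; paths default to the article's.
set -eu

CRYPT="${CRYPT:-/dir/crypt}"   # ciphertext lives here (safe to hand out)
CLEAR="${CLEAR:-/dir/clear}"   # plaintext view, only exists while mounted

# Install encfs (pulls in fuse).
install_encfs() {
    sudo apt-get install -y encfs
}

# in_group NAME "GROUP LIST": 0 if NAME appears in the space-separated list.
# Pass "$(id -nG)" for the real check; the list argument keeps it testable.
in_group() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# Older Debian releases only let members of "fuse" open /dev/fuse; newer
# ones ship /dev/fuse world-accessible and have no fuse group at all.
check_fuse_access() {
    if in_group fuse "$(id -nG)" || [ -w /dev/fuse ]; then
        return 0
    fi
    echo "no access to /dev/fuse: sudo adduser $(id -un) fuse, then re-login or run: newgrp fuse" >&2
    return 1
}

# is_encfs_mount MOUNTPOINT [MOUNTS_FILE]: 0 if an encfs volume is mounted
# there. /proc/mounts lists encfs volumes with type "fuse.encfs"; the second
# argument defaults to /proc/mounts and lets tests pass a constructed file.
is_encfs_mount() {
    awk -v mp="$1" \
        '$3 == "fuse.encfs" && $2 == mp { found = 1 } END { exit !found }' \
        "${2:-/proc/mounts}"
}

# First run: encfs creates the container in CRYPT, asks for a mode (answer
# "p" for pre-configured paranoia mode) and a password, then mounts on CLEAR.
# Later runs only ask for the password. encfs wants absolute paths.
mount_clear() {
    mkdir -p "$CRYPT" "$CLEAR"
    encfs "$CRYPT" "$CLEAR"
    # Never work in $CLEAR unless it really is the mounted volume; an
    # unmounted $CLEAR is a plain directory and nothing written there is encrypted.
    is_encfs_mount "$CLEAR" || { echo "$CLEAR is not an encfs mount" >&2; return 1; }
}

# Fails with "Device or resource busy" while a shell or program still uses $CLEAR.
umount_clear() {
    fusermount -u "$CLEAR"
}

case "${1:-}" in
    install) install_encfs ;;
    mount)   check_fuse_access && mount_clear ;;
    umount)  umount_clear ;;
    *)       echo "usage: $0 install|mount|umount" ;;
esac
```

Run it as `sh encfs-setup.sh install`, then `sh encfs-setup.sh mount`, and `sh encfs-setup.sh umount` when you are done; the mount step refuses to report success unless /proc/mounts actually lists an encfs volume on the clear directory.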
Of course it's not very convenient to mount the directory manually every time, hence there is a way to automount your encfs directories on login. You need to install libpam-mount and libpam-encfs:
To mount an encfs automatically on login, the password of the encrypted volume has to be the same as the password of your user account! If that's the case, add a line like the following to /etc/security/pam_mount.conf.xml:
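A pam_mount volume entry for the setup above, as an added example (the article's own line is not reproduced here). It assumes the user name martin and the article's paths /dir/crypt and /dir/clear; the entry goes inside the existing `<pam_mount>` element, and pam_mount passes the login password to encfs, which is why both passwords must match.

```xml
<!-- Added example, not from the article. Assumes user "martin" and the
     article's paths; fstype "fuse" with an "encfs#" path prefix tells
     pam_mount to mount the volume via encfs. -->
<volume user="martin" fstype="fuse"
        path="encfs#/dir/crypt"
        mountpoint="/dir/clear" />
```

Log out and back in, then check with `mount | grep encfs` that /dir/clear shows up; if it does not, look for pam_mount messages in the auth log.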
On your next login this directory will automatically be mounted. Very smart!
Using encfs for the cloud
Ok, let's get to the main reason for this article, winking towards Norway ;)
As you might have heard, there are some file hosting services out there, like Dropbox or Ubuntu One. They provide some space in the cloud which can be attached to different devices, so that your data is synced between your systems.
Unfortunately, most of these services are able to read your data. E.g. Dropbox stores a file that several users have uploaded only once, which requires it to look at the file's content. Even if they assure you that nobody is able to read your private data, that is nearly impossible to guarantee under such a design. Hence I strongly recommend not pushing critical or private files to these kinds of providers in the clear.
But, ta-da, you've just learned how to sync your files via the cloud while keeping them private! Let's assume the directory /home/martin/Dropbox is monitored by Dropbox. You just need to create two more directories, like /home/martin/Dropbox/private (for the encrypted files to be synced) and /home/martin/Dropbox-decrypt (for the decrypted view; note that it lies outside the synced tree on purpose). Mount /home/martin/Dropbox/private on /home/martin/Dropbox-decrypt using encfs and work in /home/martin/Dropbox-decrypt. As explained above, feel free to set up an automount using pam ;-)
Everything in /home/martin/Dropbox but not in the private directory will be synced unencrypted, so you don't lose the opportunity to share some open data with [whoever], e.g. via web browser.
Of course, this method comes with some drawbacks:
- It is a bit more work to set up every client before you can start working with your private data (fortunately the overhead stays within reasonable limits)
- You cannot access these files through the web browser or from your mobile phone (unless your phone comes with encfs support)
- The volume's configuration file .encfs6.xml, which holds the encrypted volume key, lives in the encrypted directory and is synced along with it; anyone with a copy of the synced data can try passwords offline, so choose a strong one
All in all, you need to decide on your own how much you trust Dropbox (and the like) and which kind of data you commit to Dropbox unencrypted.