June 11

Linux: How to use encfs

Encrypt Your Data With EncFS (Debian Squeeze/Ubuntu 11.10)

EncFS provides an encrypted filesystem in user-space. It runs without any special permissions and uses the FUSE library and Linux kernel module to provide the filesystem interface. It is a pass-through filesystem, not an encrypted block device, which means it is created on top of an existing filesystem. This tutorial shows how you can use EncFS on Debian Squeeze/Ubuntu 11.10 to encrypt your data.

1. Preliminary Note

I’m using the username “test” on my Debian Squeeze/Ubuntu 11.10 system in this tutorial.

2. Installing EncFS

EncFS can be installed as follows (we need root privileges, therefore we use sudo):

sudo apt-get install encfs

You should now take a look at the EncFS man page to familiarize yourself with its options:

man encfs

3. Using EncFS

I will now create the directories encrypted and decrypted in my home directory:

mkdir -p ~/encrypted
mkdir -p ~/decrypted

The decrypted directory acts as the mount point for the encrypted directory. To mount ~/encrypted to ~/decrypted, simply run:

encfs ~/encrypted ~/decrypted

If you run this command for the first time, the EncFS setup is started, and you must define a password for the encrypted volume:

test@test-desktop:~$ encfs ~/encrypted ~/decrypted
Creating new encrypted volume.
Please choose from one of the following options:
enter “x” for expert configuration mode,
enter “p” for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.
?> <– p

Paranoia configuration selected.

Configuration finished. The filesystem to be created has
the following properties:
Filesystem cipher: “ssl/aes”, version 3:0:2
Filename encoding: “nameio/block”, version 3:0:1
Key Size: 256 bits
Block Size: 1024 bytes, including 8 byte MAC header
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File data IV is chained to filename IV.
File holes passed through to ciphertext.

————————– WARNING ————————–
The external initialization-vector chaining option has been
enabled. This option disables the use of hard links on the
filesystem. Without hard links, some programs may not work.
The programs ‘mutt’ and ‘procmail’ are known to fail. For
more information, please see the encfs mailing list.
If you would like to choose another configuration setting,
please press CTRL-C now to abort and start over.

Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism. However, the password can be changed
later using encfsctl.

New Encfs Password: <– yoursecretpassword
Verify Encfs Password: <– yoursecretpassword
test@test-desktop:~$

Make sure you remember the password because there’s no way to recover your encrypted data if you forget the password!

You should now find the EncFS volume in the outputs of

mount

test@test-desktop:~$ mount
/dev/mapper/server1-root on / type ext4 (rw,errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
none on /sys/kernel/debug type debugfs (rw)
none on /sys/kernel/security type securityfs (rw)
udev on /dev type devtmpfs (rw,mode=0755)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
none on /run/shm type tmpfs (rw,nosuid,nodev)
/dev/sda1 on /boot type ext2 (rw)
encfs on /home/test/decrypted type fuse.encfs (rw,nosuid,nodev,default_permissions,user=test)
test@test-desktop:~$

and

df -h

test@test-desktop:~$ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/server1-root
29G 1.7G 26G 6% /
udev 238M 4.0K 238M 1% /dev
tmpfs 99M 272K 99M 1% /run
none 5.0M 4.0K 5.0M 1% /run/lock
none 247M 0 247M 0% /run/shm
/dev/sda1 228M 24M 193M 11% /boot
encfs 29G 1.7G 26G 6% /home/test/decrypted
test@test-desktop:~$

To save your data in encrypted form, put your data into the decrypted directory, just as you would do with a normal directory:

cd ~/decrypted
echo “hello foo” > foo
echo “hello bar” > bar
ln -s foo foo2

If you check the contents of the directory, you will see that you can see it in unencrypted form…

ls -l

test@test-desktop:~/decrypted$ ls -l
total 8
-rw-rw-r– 1 test test 10 2012-04-17 17:47 bar
-rw-rw-r– 1 test test 10 2012-04-17 17:47 foo
lrwxrwxrwx 1 test test 3 2012-04-17 17:47 foo2 -> foo
test@test-desktop:~/decrypted$

… while in the encrypted directory, it’s encrypted:

cd ~/encrypted
ls -l

test@test-desktop:~/encrypted$ ls -l
total 8
-rw-rw-r– 1 test test 26 2012-04-17 17:47 ,JeO9RDJUL7FBY25KG0zt4uL
-rw-rw-r– 1 test test 26 2012-04-17 17:47 KaS26yvbb8Th-J8lUCO8TBwq
lrwxrwxrwx 1 test test 24 2012-04-17 17:47 ZYBiCw5dUfsaIQmW8RQ9pTGZ -> KaS26yvbb8Th-J8lUCO8TBwq
test@test-desktop:~/encrypted$

To unmount the encrypted volume, run:

cd
fusermount -u ~/decrypted

Check the outputs of…

mount

… and…

df -h

… and you will see that the EncFS volume isn’t listed anymore.

To mount it again, run

encfs ~/encrypted ~/decrypted

You will be asked for the password you defined earlier:

test@test-desktop:~$ encfs ~/encrypted ~/decrypted
EncFS Password: <– yoursecretpassword
test@test-desktop:~$

If you specify the correct password, this will mount the ~/encrypted directory to ~/decrypted from where you can access your encrypted data in unencrypted form. If you forget the password, your encrypted data is lost!

If you want to change the password, you can do this with the

encfsctl passwd ~/encrypted

command.

test@test-desktop:~$ encfsctl passwd ~/encrypted
Enter current Encfs password
EncFS Password: <– yoursecretpassword
Enter new Encfs password
New Encfs Password: <– newsecretpassword
Verify Encfs Password: <– newsecretpassword
Volume Key successfully updated.
test@test-desktop:~$

By: Falko Timme


Copyright 2021. All rights reserved.

Posted June 11, 2012 by Timothy Conrad in category "Linux

About the Author

If I were to describe myself with one word it would be, creative. I am interested in almost everything which keeps me rather busy. Here you will find some of my technical musings. Securely email me using - PGP: 4CB8 91EB 0C0A A530 3BE9 6D76 B076 96F1 6135 0A1B