opensour.cc developers' network - quick start guides to bootstrap examples

(Perfect for people with a short attention span, needing to get work done!)

Please note: this entry is incomplete, and somewhere between a preliminary draft and a stub.

Introduction

EncFS is a Free (LGPL) FUSE-based cryptographic filesystem. It transparently encrypts files, using an arbitrary directory as storage for the encrypted files.

Two directories are involved in mounting an EncFS filesystem: the source directory, and the mountpoint. Each file in the mountpoint has a specific file in the source directory that corresponds to it. The file in the mountpoint provides the unencrypted view of the one in the source directory. Filenames are encrypted in the source directory.

Files are encrypted using a volume key, which is stored encrypted in the source directory. A password is used to decrypt this key.

"Encfs", 2015-07-31 02:49:49 UTC

Installation

Usage

  • encfs /PATH/TO/ENCRYPTED-DIRECTORY/ /PATH/TO/UNENCRYPTED-DIRECTORY/
    • In daemon mode (the default; use -f to stay in the foreground) the process detaches and changes its working directory, so both paths must be absolute (beginning with '/').
    • ~/ expands to a path under the user's home directory. Example:
      • encfs ~/ENCRYPTED-DIRECTORY/ ~/UNENCRYPTED-DIRECTORY/
    • The $PWD environment variable or the pwd command supplies the absolute path of directories under your current working directory. Examples:
      • cd /PATH/TO/
        • encfs "$PWD/ENCRYPTED-DIRECTORY/" "$PWD/UNENCRYPTED-DIRECTORY/"
        • encfs "`pwd`/ENCRYPTED-DIRECTORY/" "`pwd`/UNENCRYPTED-DIRECTORY/"
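The absolute-path rule above, folded into a small wrapper. This is an added example, not part of EncFS or of this page's original text: it assumes a POSIX sh and an encfs binary on PATH, and the ENCFS variable is a hook introduced here so the wrapper can be exercised without EncFS installed. It also creates missing directories as private (0700), since the ciphertext directory will hold the encrypted volume key and the mount point will expose plaintext.

```shell
#!/bin/sh
# encfs-mount.sh: added example, not part of EncFS or of this page.
# EncFS in daemon mode needs absolute paths; this wrapper resolves whatever it
# is given, creates missing directories as private (mode 0700), and then runs
# encfs with any extra options placed before the two directories.
# ENCFS is a hook introduced here so the wrapper can be tested without EncFS
# (assumption: a plain "encfs" on PATH otherwise).

ENCFS=${ENCFS:-encfs}

# abspath DIR: print DIR as an absolute, symlink-resolved path with no trailing
# slash. Fails if DIR does not exist or cannot be entered.
abspath() {
    (cd -P -- "$1" 2>/dev/null && pwd -P) || return 1
}

# encfs_mount ENCRYPTED-DIRECTORY UNENCRYPTED-DIRECTORY [encfs options...]
encfs_mount() {
    enc_dir=$1
    plain_dir=$2
    shift 2
    # Create missing directories with no group/world access: the ciphertext
    # directory holds .encfs6.xml (the encrypted volume key), and the mount
    # point exposes plaintext once mounted.
    for d in "$enc_dir" "$plain_dir"; do
        [ -d "$d" ] || (umask 077 && mkdir -p -- "$d") || return 1
    done
    enc_abs=$(abspath "$enc_dir") || return 1
    plain_abs=$(abspath "$plain_dir") || return 1
    if [ "$enc_abs" = "$plain_abs" ]; then
        echo "encfs_mount: ciphertext directory and mount point must differ" >&2
        return 1
    fi
    "$ENCFS" "$@" "$enc_abs" "$plain_abs"
}

# Equivalent to the page's $PWD example, with relative paths resolved for you:
#   cd /PATH/TO && encfs_mount ENCRYPTED-DIRECTORY UNENCRYPTED-DIRECTORY
# Foreground mode, as on the page:
#   encfs_mount ENCRYPTED-DIRECTORY UNENCRYPTED-DIRECTORY -f
```

Options are placed before the two directories because that is the order encfs expects (encfs [options] rootDir mountPoint); the first-time interactive setup described below is unchanged by the wrapper.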

First-time use

When running EncFS on an encrypted path that hasn't been used before, you will be guided through an interactive process. Example:

[user@localhost ~$] encfs "$PWD/ENCRYPTED-DIRECTORY/" "$PWD/UNENCRYPTED-DIRECTORY/"
Creating new encrypted volume.
Please choose from one of the following options:
 enter "x" for expert configuration mode,
 enter "p" for pre-configured paranoia mode,
 anything else, or an empty line will select standard mode.
?> <MODE>

Standard Mode

At the aforementioned prompt, you can hit the Return key and EncFS will apply the standard profile and proceed to ask you for a password. Note the block size line below: unlike paranoia mode there is no MAC header, so the standard profile does not detect corruption or tampering of the ciphertext.

Standard configuration selected.

Configuration finished.  The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 3:0:2
Filename encoding: "nameio/block", version 3:0:1
Key Size: 192 bits
Block Size: 1024 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File holes passed through to ciphertext.

Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism.  However, the password can be changed
later using encfsctl.

New Encfs Password: <PASSWORD>
Verify Encfs Password: <PASSWORD, AGAIN.>

Expert Configuration Mode

At the aforementioned prompt, you can hit x followed by the Return key and EncFS will proceed to ask you a series of questions:

Manual configuration mode selected.
The following cipher algorithms are available:
1. AES : 16 byte block cipher
 -- Supports key lengths of 128 to 256 bits
 -- Supports block sizes of 64 to 4096 bytes
2. Blowfish : 8 byte block cipher
 -- Supports key lengths of 128 to 256 bits
 -- Supports block sizes of 64 to 4096 bytes

Enter the number corresponding to your choice: <ALGORITHM CHOICE>

AES

Selected algorithm "AES"

Please select a key size in bits.  The cipher you have chosen
supports sizes from 128 to 256 bits in increments of 64 bits.
For example:
128, 192, 256
Selected key size: <KEYSIZE>
Using key size of <KEYSIZE> bits

Select a block size in bytes.  The cipher you have chosen
supports sizes from 64 to 4096 bytes in increments of 16.
Or just hit enter for the default (1024 bytes)

filesystem block size: <BLOCKSIZE>

FIXME

Blowfish

Selected algorithm "Blowfish"

Please select a key size in bits.  The cipher you have chosen
supports sizes from 128 to 256 bits in increments of 32 bits.
For example:
128, 160, 192, 224, 256
Selected key size: <KEYSIZE>
Using key size of <KEYSIZE> bits

Select a block size in bytes.  The cipher you have chosen
supports sizes from 64 to 4096 bytes in increments of 8.
Or just hit enter for the default (1024 bytes)

filesystem block size: <BLOCKSIZE>

FIXME

Pre-configured paranoia mode

At the aforementioned prompt, you can hit p followed by the Return key and EncFS will apply the paranoia profile (256-bit key, per-block MAC, external IV chaining) and proceed to ask you for a password:

Paranoia configuration selected.

Configuration finished.  The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 3:0:2
Filename encoding: "nameio/block", version 3:0:1
Key Size: 256 bits
Block Size: 1024 bytes, including 8 byte MAC header
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File data IV is chained to filename IV.
File holes passed through to ciphertext.

-------------------------- WARNING --------------------------
The external initialization-vector chaining option has been
enabled.  This option disables the use of hard links on the
filesystem. Without hard links, some programs may not work.
The programs 'mutt' and 'procmail' are known to fail.  For
more information, please see the encfs mailing list.
If you would like to choose another configuration setting,
please press CTRL-C now to abort and start over.

Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism.  However, the password can be changed
later using encfsctl.

New Encfs Password: <PASSWORD>
Verify Encfs Password: <PASSWORD, AGAIN.>

Recurring use

  • encfs /PATH/TO/ENCRYPTED-DIRECTORY/ /PATH/TO/UNENCRYPTED-DIRECTORY/ will result in a single prompt:
EncFS Password: <PASSWORD>

Refer to the Debugging / Verbosity section of this article for checking mount status.

Unmounting

  • fusermount -u <UNENCRYPTED-DIRECTORY>
    • This fails with "Device or resource busy" while any process still holds a file or working directory under the mount point. Close them first, or use fusermount -uz for a lazy unmount, which detaches the mount point now and tears the filesystem down once the last user lets go.

Configuration

After the aforementioned initial setup, an XML file named .encfs6.xml is created at the base of /PATH/TO/ENCRYPTED-DIRECTORY/. It records the properties printed during setup (cipher, key size, block size, IV and MAC options) together with the volume key, encrypted under your password. EncFS cannot open the volume without this file, so keep a backup of it; and since anyone who obtains the encrypted directory obtains this file too, the password is all that protects the volume key.

The companion utility encfsctl provides additional information/configuration options for EncFS. Examples:

  • Display information: encfsctl info /PATH/TO/ENCRYPTED-DIRECTORY/
  • Change the password (the operation the setup text refers to): encfsctl passwd /PATH/TO/ENCRYPTED-DIRECTORY/
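A review script that reads the settings from .encfs6.xml and reports the ones that matter for a security review, in particular the missing per-block MAC and the missing external IV chaining of the standard profile shown above. This is an added example, not part of EncFS or of this page: the element names it looks for (cipherAlg/name, blockMACBytes, externalIVChaining, kdfIterations) are assumed from EncFS 1.x configuration files, the sample configuration it writes is constructed here with placeholder key and salt data, and the minimum PBKDF2 iteration count is a local policy choice, not an EncFS default.

```shell
#!/bin/sh
# encfs-config-audit.sh: added example, not part of EncFS or of this page.
# Reads the settings EncFS records in .encfs6.xml and prints the ones a
# security review usually objects to. The element names used below
# (cipherAlg/name, blockMACBytes, externalIVChaining, kdfIterations) are
# assumed from EncFS 1.x config files; cross-check with "encfsctl info".

# Local policy threshold (assumption, not an EncFS default): PBKDF2 rounds
# below this are reported.
MIN_KDF_ITERATIONS=${MIN_KDF_ITERATIONS:-100000}

# encfs_config_get FILE ELEMENT: print the text of the first <ELEMENT>...</ELEMENT>
encfs_config_get() {
    sed -n "s|.*<$2>\([^<]*\)</$2>.*|\1|p" "$1" | head -n 1
}

# encfs_config_audit FILE: print one finding per line; exit 0 only if there are none.
encfs_config_audit() {
    cfg=$1
    findings=0
    cipher=$(encfs_config_get "$cfg" name)   # first <name> belongs to cipherAlg
    mac=$(encfs_config_get "$cfg" blockMACBytes)
    extiv=$(encfs_config_get "$cfg" externalIVChaining)
    kdf=$(encfs_config_get "$cfg" kdfIterations)

    if [ "$cipher" != "ssl/aes" ]; then
        echo "cipher '$cipher' is not ssl/aes (Blowfish is an 8-byte block cipher)"
        findings=$((findings + 1))
    fi
    if [ "${mac:-0}" -eq 0 ]; then
        echo "blockMACBytes=0: no per-block MAC, so tampered or corrupted ciphertext decrypts silently (paranoia mode uses 8)"
        findings=$((findings + 1))
    fi
    if [ "${extiv:-0}" -eq 0 ]; then
        echo "externalIVChaining=0: file data IV not chained to the filename IV, so encrypted files can be renamed or swapped and still decrypt"
        findings=$((findings + 1))
    fi
    if [ -z "$kdf" ] || [ "$kdf" -lt "$MIN_KDF_ITERATIONS" ]; then
        echo "kdfIterations=${kdf:-missing}: below the local minimum of $MIN_KDF_ITERATIONS"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# write_sample_config FILE standard|paranoia: a constructed .encfs6.xml (not
# written by EncFS; key and salt fields are placeholders) that mirrors the
# properties the two presets print during setup.
write_sample_config() {
    case $2 in
        paranoia) ks=256; mac=8; extiv=1 ;;
        *)        ks=192; mac=0; extiv=0 ;;
    esac
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE boost_serialization>
<boost_serialization signature="serialization::archive" version="9">
<cfg class_id="0" tracking_level="0" version="20">
  <version>20100713</version>
  <creator>EncFS 1.7.4</creator>
  <cipherAlg>
    <name>ssl/aes</name>
    <major>3</major>
    <minor>0</minor>
  </cipherAlg>
  <nameAlg>
    <name>nameio/block</name>
    <major>3</major>
    <minor>0</minor>
  </nameAlg>
  <keySize>$ks</keySize>
  <blockSize>1024</blockSize>
  <uniqueIV>1</uniqueIV>
  <chainedNameIV>1</chainedNameIV>
  <externalIVChaining>$extiv</externalIVChaining>
  <blockMACBytes>$mac</blockMACBytes>
  <blockMACRandBytes>0</blockMACRandBytes>
  <allowHoles>1</allowHoles>
  <encodedKeySize>44</encodedKeySize>
  <encodedKeyData>PLACEHOLDER-NOT-A-REAL-KEY</encodedKeyData>
  <saltLen>20</saltLen>
  <saltData>PLACEHOLDER-NOT-A-REAL-SALT</saltData>
  <kdfIterations>150000</kdfIterations>
  <desiredKDFDuration>500</desiredKDFDuration>
</cfg>
</boost_serialization>
EOF
}

# Real use:
#   encfs_config_audit /PATH/TO/ENCRYPTED-DIRECTORY/.encfs6.xml
```

Run against a standard-profile volume the audit reports the absent MAC and the absent external IV chaining; against a paranoia-profile volume it reports nothing. The cipher check only distinguishes AES from Blowfish because those are the two ciphers EncFS offers in the expert menu above.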

Debugging / Verbosity

Checking mount

There are several ways to check mount points on Unix-like systems, but on Linux the simplest is to look for the mount point in /proc/mounts. The path must be written exactly as the kernel prints it: absolute, without a trailing slash, and with any space in the path written as \040:

if grep -qs '^encfs /PATH/TO/UNENCRYPTED-DIRECTORY ' /proc/mounts; then
    echo "It's mounted."
else
    echo "It's not mounted."
fi
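The same check as a reusable function that handles what the one-line grep leaves to the caller: symlinked or relative paths, a trailing slash, and the kernel's octal escaping of spaces, tabs and backslashes in mount-point names. This is an added example and not part of EncFS or of this page; it assumes a Linux /proc/mounts, the optional second argument is a hook introduced here so the logic can be exercised against a mount table, and the sample table it writes is constructed, not captured from a real system.

```shell
#!/bin/sh
# encfs-mounted.sh: added example, not part of EncFS or of this page.
# Looks up a mount point in the Linux mount table (/proc/mounts) the way the
# kernel prints it: absolute, symlinks resolved, no trailing slash, and space,
# tab and backslash in the path escaped as octal \040, \011 and \134.

# encfs_mounted MOUNTPOINT [MOUNTS_FILE]
# Exit 0 when MOUNTPOINT is an active EncFS mount, 1 otherwise. MOUNTS_FILE
# defaults to /proc/mounts; the override is a hook introduced here so the
# check can be exercised against a constructed table.
encfs_mounted() {
    mp=$1
    table=${2:-/proc/mounts}
    # If the directory exists, canonicalise it (resolves symlinks, drops "./").
    resolved=$(cd -P -- "$mp" 2>/dev/null && pwd -P) && mp=$resolved
    # Otherwise at least strip trailing slashes (but keep a bare "/").
    while [ "$mp" != / ] && [ "${mp%/}" != "$mp" ]; do
        mp=${mp%/}
    done
    # The path is passed through the environment: awk -v would reinterpret
    # backslash sequences in the value.
    MP="$mp" awk '
        {
            m = $2
            gsub(/\\040/, " ", m)
            gsub(/\\011/, "\t", m)
            gsub(/\\134/, "\\\\", m)   # backslash last, so it cannot create new escapes
            if (($1 == "encfs" || $3 == "fuse.encfs") && m == ENVIRON["MP"])
                found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$table"
}

# write_sample_mounts FILE: a constructed /proc/mounts excerpt (not captured
# from a real system) with two EncFS mounts, one of them under a path with a
# space, next to unrelated mounts that share a prefix with them.
write_sample_mounts() {
    cat > "$1" <<'EOF'
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
encfs /home/alice/Private fuse.encfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,default_permissions 0 0
encfs /home/alice/My\040Docs fuse.encfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,default_permissions 0 0
/dev/sdb1 /home/alice/Private.old ext4 rw,relatime 0 0
EOF
}

# Real use:
#   if encfs_mounted "$HOME/UNENCRYPTED-DIRECTORY"; then echo "It's mounted."; else echo "It's not mounted."; fi
```

Matching on the whole second field rather than a prefix is what keeps /home/alice/Private from being confused with /home/alice/Private.old, and checking the filesystem type (fuse.encfs) as well as the source name guards against an unrelated mount whose source happens to be called encfs.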
