EncFS

EncFS is a userspace stackable cryptographic file-system similar to eCryptfs, and aims to secure data with the minimum hassle. It uses FUSE to mount an encrypted directory onto another directory specified by the user. It does not use a loopback system like some other comparable systems such as TrueCrypt and dm-crypt.

Warning: A security review (February 2014) of encfs discovered a number of security issues (in the stable release 1.7.4 of 2014). Please consider the report and the references in it for updated information before using the release, since the development has halted and not all issues are fixed.

EncFS is definitely the simplest software if you want to try disk encryption on Linux.

Advantages of EncFS: Firstly, it does not require any root privileges to implement; any user can create a repository of encrypted files. Secondly, one does not need to create a single file and create a file-system within that; it works on existing file-system without modifications.

Disadvantages: The encrypted files are not stored in their own file, someone who obtains access to the system can still see the underlying directory structure, the number of files, their sizes and when they were modified. They cannot see the contents, however.

This particular method of securing data is obviously not perfect, but there are situations in which it is useful.

For more details on how EncFS compares to other disk encryption solution, see Data-at-rest encryption#Comparison table.

Comparison to eCryptFS

eCryptFS is implemented in kernelspace and therefore a little bit harder to configure. You have to remember various encryption options (used cyphers, key type, etc...). With EncFS this is not the case, because it stores the encryption metadata information in a per-directory configuration file (.encfs6.xml). So you do not have to remember anything (except the passphrase).

The performance of both depends on the type of disk activity. While eCryptFS can perform faster in some cases because there is less overhead by context switching (between kernel and userspace), EncFS has advantages in other cases because the encryption metadata is centralized and not stored in the individual files' headers. For more information benchmark examples are provided by the EncFS project.

Installation

Install the encfs package.

Usage

To create a secured repository, type:

$ encfs ~/.encrypted ~/origin

Note that absolute paths must be used. This will be followed by a prompt about whether you want to go with the default options, expert configuration or a paranoid preset. The first is a fairly secure default setup. The second allows specifying algorithms and other options. After entering a key for the encryption, the encoded file-system will be created and mounted. The encoded files are stored, in this example, at ~/.encrypted, and their unencrypted versions in ~/origin.

Tip: Using EncFS on a FUSE file system, e.g. NTFS-3G, might end up with slow performance. Consider changing the file system if possible.

To unmount the file-system, type:

$ fusermount -u ~/name

To remount the file-system, issue the first command, and enter the key used to encode it. Once this has been entered, the file-system will be mounted again.

Changing the password

To change the password of a directory encrypted by EncFS, the following command can be used:

$ encfsctl passwd ~/.name

In this example, ~/.name is the path to the directory which contains the encoded files. The tool will ask for your current password and afterwards, you will be able to set a new one.

User friendly mounting

Gnome Encfs Manager

The Gnome Encfs Manager is an easy to use manager and mounter for encfs stashes featuring per-stash configuration, Gnome Keyring support, a tray menu inspired by Cryptkeeper but using the AppIndicator API and lots of unique features.

Both gnome-encfs-manager-binAUR and a slightly more up to date are available.

Mount using encfsui

A bash script encfsui provides a simple gui around the EncFS command line utility to mount and unmount an encrypted directory. It includes a desktop launcher. Install it from .

Mount via fstab

Adding an entry in will allow you to mount the encfs volume with a simple mount /target/path and you will be prompted for your password.

/etc/fstab
encfs#/path/to/encfs/data  /mnt/decrypted  fuse  noauto,user  0  0

The option prevents an attempt to mount the volume at boot, which could delay the boot process while it waits for a password to be entered. can be omitted if only the user should be able to mount the volume.

Mount at login using pam_encfs

Install . See also:

/etc/pam.d/

Note that when you are using try_first_pass parameter to pam_unix.so then you will have to set EncFS to use same password as you are using to login (or vice-versa) and you will be entering just single password. Without this parameter you will need to enter two passwords.

setup pam_encfs for all login methods

Put encfs line to /etc/pam.d/system-login as follows:

login

This section tells how to make encfs automount when you are logging in by virtual terminal.

Edit the file :

#%PAM-1.0

auth		required	pam_securetty.so
auth		requisite	pam_nologin.so
auth		sufficient	pam_encfs.so
auth		required	pam_unix.so nullok try_first_pass
#auth		required	pam_unix.so nullok
auth		required	pam_tally.so onerr=succeed file=/var/log/faillog
# use this to lockout accounts for 10 minutes after 3 failed attempts
#auth		required	pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog
account		required	pam_access.so
account		required	pam_time.so
account		required	pam_unix.so
#password	required	pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password	required	pam_unix.so md5 shadow use_authtok
session		required	pam_unix.so
session		required	pam_env.so
session		required	pam_motd.so
session		required	pam_limits.so
session		optional	pam_mail.so dir=/var/spool/mail standard
session		optional	pam_lastlog.so
session		optional	pam_loginuid.so
-session	optional	pam_ck_connector.so nox11
#Automatic unmount (optional):
#session	required	pam_encfs.so
Warning: Note that automatic unmount will process even when there is another session. eg.: logout on VC can unmount encfs mounted by GDM session that is still active.
gdm

This section explains how to make encfs automount when you are logging in by GDM.

Edit the file .

Insert (do not overwrite) the following into the bottom of gdm-password:

Save and exit.

Configuration

Edit  :

Recommended: comment out the line

encfs_default --idle=1

This flag will unmount your encrypted folder after 1 minute of inactivity. If you are automounting this on login, you probably would like to keep this mounted for as long as you are logged in.

At the bottom, comment any existing demo entries and add:

Also, if you see the following line, remove from the options. Otherwise, it will be in conflict with defined above.

fuse_default allow_root,nonempty

Next, edit : Uncomment:

user_allow_other

To test your config, open a new virtual terminal (e.g. ) and login. You should see pam successfuly mount your EncFS folder.

Mount at login using pam_mount

Install and configure pam_mount as explained on its wiki page. EncFS mounts can be specified in pam_mount's configuration file as follows:

The EncFS mounts need to have the same password than your user account. The nonempty option makes it possible to mount the encrypted file system even when the mount point is non-empty. You may remove this option if this is not the desired behaviour.

It is possible to mount multiple EncFS folders at login specifying multiple consecutive entries in the configuration file.

Mount when USB drive with EncFS folders is inserted using fsniper

Simple method to automount (asking for password) encfs when USB drive with EncFS one or more folders in root is inserted. We will use (filesystem watching daemon using inotify) and (for askpass binary).

See more at https://github.com/Harvie/Programs/tree/master/bash/encfs/automount (latest version of files used in the How to).

How to

1. You need USB automount working for this - like Thunar or Gnome Files does.
2. Make encrypted folder on your drive, eg.: (and then unmount everything).
3. Create a ~/.config/fsniper/config file: 4. install helper script: 5. Make sure that /usr/lib/git-core/git-gui--askpass is working for you (that is why you need git package - but you can adjust the helper script).
6. Try in terminal (askpass should appear when USB drive is inserted).
7. Add to your session.
8. Do not forget to unmount encfs before removing drive.

Encrypted backup

Backup encrypted directory

An encrypted directory may be backed up and restored to another location like it is. This is possible, because the configuration file for the encryption options/metadata is actually stored in the directory itself in plaintext in the hidden .encfs6.xml file. This poses no direct problem, because the password is not in it.

However, if you - for example - store the backup on a remote location (e.g. in the cloud) or a portable device, you might feel uncomfortable about it. In this case it also is no problem to manually move the file out of the directory before creating the backup. You can even move it permanently and still mount and access the files, if you pass its location to encfs via the environment variable. For the #Usage example above:

$ mv ~/.name/.encfs6.xml ~/.
$ ENCFS6_CONFIG=~/.encfs6.xml encfs ~/.name ~/name

Backup plaintext directory

The following example assumes you want to create an encrypted backup of an existing plaintext directory which contains the file thesis.txt.

First, we create the encrypted backup of the existing plaintext directory:

$ encfs --reverse ~/mythesis /tmp/thesisbackup 

Note the directory order is reversed to normal usage in this case. Using the option has two effects: Firstly, the configuration file is now stored in the plaintext directory and only contains it in encrypted form. Secondly, the files in are not persistent. They will vanish once it is unmounted (no, this is not due to usage of the /tmp mountpoint).

For the second reason, now is the time to copy the encrypted files to the desired backup location, before unmounting the temporary encfs directory again:

$ cp -R /tmp/thesisbackup/* /mnt/usbstick/
$ fusermount -u /tmp/thesisbackup 

and done.

To restore (or view) the backup, we need access to the encryption options in plaintext, which has to be passed to encfs with the environment variable (we use a different directory in order not to mess up the existing ):

$ ENCFS6_CONFIG=~/mythesis/.encfs6.xml encfs ~/mnt/usbstick/thesisbackup ~/restoremythesis 

If you now list the restore location, it will contain two files:

$ ls -la ~/restoremythesis
... 
-rw-r--r--  1 student student    1078  3. Jan 12:33 .encfs6.xml
-rw-r--r--  1 student student      42  3. Jan 12:33 thesis.txt
...
gollark: Authright bad.
gollark: There's a nice one with a cultural axis.
gollark: It says that for everyone. Try better tests.
gollark: εæε
gollark: How much do they pay you?

See also

This article is issued from Archlinux. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.