Monday, December 19, 2011

Filesystem Encryption under Linux - EncFS

Customary disclaimer: The author takes absolutely no responsibility for any corruption or loss of data, especially those that might result out of application error, user error, or user negligence. Please also check your local laws pertaining to sharing encrypted data as it might be illegal in some countries. The author is not a lawyer and the contents of the article should not be perceived as legal advice under any circumstance. Please use at your own discretion.

In the previous article, I gave a quick introduction about FUSE and how ClamFS could be used to secure filesystem against malware. Another area where FUSE shines is in the field of encrypted filesystems. There are quite a few options available when it comes to setting up encrypted storage for safe keeping of important content. In this article, I'll discuss one such encrypted storage option that is built using FUSE functionality: EncFS.

EncFS is a simple to setup virtual filesystem that provides portable encrypted storage for your data. It is a pass-through filesystem, which means that while the files themselves exist on the filesystem encrypted, with EncFS loaded, they appear decrypted. Unlike many other encrypted filesystems which require you to dedicate entire partitions for encrypted storage, EncFS exists on top of existing filesystems. You don't need to pre-allocate fixed amounts of space for it, hence, there is no wastage of storage.

You can install EncFS easily from your software package manager. On Debian based distributions it is as simple as typing the following on the terminal window and providing the sudo user's password when prompted (exclude the $ sign):

$ sudo apt-get install encfs

Once it is installed, you can create your encrypted storage and a decrypted mount point with the following command:

$ encfs path-to-encrypted-storage path-to-decrypted-mount-point


$ encfs /tmp/encrypted /tmp/decrypted

You will be prompted if the folders should be created if they don't already exist. You will also be prompted to chose the level of encryption. Your choices are simple, paranoid, and expert.

Please choose from one of the following options:
enter "x" for expert configuration mode,
enter "p" for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.

Once you have provided your choice, you will be prompted to enter and confirm a password to enable access to the encrypted storage. Do not forget this password or you will lose your encrypted data. You can now start using your encrypted storage. Anything that is saved under the decrypted mount point is actually encrypted and saved under the encrypted storage. The filenames as well as the content of the files will be encrypted. Do not save data directly under encrypted storage as data written directly there does not get encrypted.

Once you are done securing your data, you can unmount the decrypted mount point by using the fusermount command as follows:

$ fusermount -u path-to-decrypted-mount-point

To remount the encrypted storage, just reissue the encfs command and provide your password:

$ encfs path-to-encrypted-storage path-to-decrypted-mount-point


EncFS' simplicity to use makes it an ideal tool to help provide ad-hoc encryption capability on existing filesystems without having to spend any money on additional hardware. EncFS is also very flexible and portable, and allows you to store encrypted data along side with unencrypted data. It is however necessary to point out that, like any other encryption scenario, it is important to maintain secure unencrypted backup copies of critical data for emergencies like filesystem and hardware failures etc.

You may also like the series - ClamAV - Antivirus for Linux:
ClamAV - Antivirus for Linux
ClamFS - Antivirus Filesystem for Linux

No comments:

Post a Comment