Gentoo Wiki Archives

EncFS


Introduction

Below I will briefly explain how to install and use EncFS on a Gentoo system. From the EncFS webpage one reads: "EncFS provides an encrypted filesystem in user-space. It runs without any special permissions and uses the FUSE library and Linux kernel module to provide the filesystem interface". The major advantage of this method, for instance when compared to dm-crypt (see Dm-crypt), is that the space doesn't have to be allocated in advance: the filesystem grows as files are added. A clear disadvantage is that the number and sizes of the encrypted files are visible in clear (see below).


Installing EncFS

Start by emerging the necessary package

emerge encfs 

If not already present on the system, the packages fuse (an interface for filesystems implemented in userspace) and rlog (a logging library) will be installed too. At this point it is probably necessary to load the newly built kernel module using

modprobe fuse

Notice that you need to be root to perform this operation. Later (after the first reboot) this command should no longer be necessary: the fuse module should be loaded automatically by the kernel when needed. If this is not the case on your system and you intend to use EncFS regularly, add the module to the list of automatically loaded modules in /etc/modules.autoload.d/ (use the file matching the kernel version you intend to use). For example, on kernel 2.6 the following is needed

echo "fuse" >> /etc/modules.autoload.d/kernel-2.6

After this point, root permission is no longer required.

Using EncFS

You can create an encrypted virtual filesystem in your home using

encfs ~/private.enc ~/private

With this command, two directories are created (if they do not exist already): the first, ~/private.enc, is the important one and will contain the encrypted files (with encrypted filenames); the second, ~/private, simply provides a mount point in which file names and contents can be seen in clear. The command also asks for an encryption password.

Check that the new filesystem appears as regularly mounted using

cat /proc/mounts

If you see a line like

File: /proc/mounts
encfs /home/your_username/private fuse rw,nosuid,nodev,user_id=1000,group_id=100,default_permissions 0 0
everything went ok.
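The same /proc/mounts check is what the desktop scripts further down this page perform with grep. As an added example (not from the original page), here is a POSIX sh function that does it by comparing the whole mountpoint field, so ~/private does not match ~/private2, and that understands the \040 escape /proc/mounts uses for spaces in paths; the mounts table it is demonstrated against is constructed, not captured from a real system.

```shell
#!/bin/sh
# is_encfs_mounted MOUNTPOINT [MOUNTS_FILE]
# Returns 0 when MOUNTPOINT appears in MOUNTS_FILE (default /proc/mounts)
# with filesystem type fuse or fuse.encfs, 1 otherwise.
is_encfs_mounted() {
    case $1 in /) mnt=/ ;; *) mnt=${1%/} ;; esac   # tolerate a trailing slash
    mounts=${2:-/proc/mounts}
    # Hand the path over via the environment: awk -v would reinterpret backslashes.
    MNT_QUERY="$mnt" awk '
        # /proc/mounts fields: source mountpoint fstype options dump pass.
        # Spaces inside paths are escaped as \040, so undo that before comparing.
        { mp = $2; gsub(/\\040/, " ", mp) }
        mp == ENVIRON["MNT_QUERY"] && ($3 == "fuse" || $3 == "fuse.encfs") { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$mounts"
}

# Constructed sample of a /proc/mounts table (not captured from a real system).
sample_mounts() {
    cat <<'EOF'
rootfs / rootfs rw 0 0
encfs /home/your_username/private fuse rw,nosuid,nodev,user_id=1000,group_id=100,default_permissions 0 0
encfs /home/your_username/my\040safe fuse.encfs rw,nosuid,nodev,user_id=1000,group_id=100 0 0
/dev/sda1 /home/your_username/private2 ext3 rw 0 0
EOF
}

# Stand-alone demo against the constructed sample: ./check.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    sample_mounts > "$tmp"
    for p in /home/your_username/private "/home/your_username/my safe" /home/your_username/private2; do
        if is_encfs_mounted "$p" "$tmp"; then echo "mounted:     $p"; else echo "not mounted: $p"; fi
    done
    rm -f "$tmp"
fi
```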

Now that the encrypted filesystem ~/private.enc is created and mounted in ~/private, you can start filling it with files as if it were a normal filesystem. A command like

cp ~/my_sensitive_file ~/private

will actually store an encrypted version of ~/my_sensitive_file in ~/private.enc. The file will appear in ~/private as a regular file.

When you have finished using it, you can unmount the encrypted filesystem using

fusermount -u ~/private

Notice that there's no particular relationship between ~/private.enc and ~/private. Indeed you can mount the former on any directory, for instance using

encfs ~/private.enc /mnt/cdrom

and unmounting with

fusermount -u /mnt/cdrom

A Bit More Secure Shell

Mount a remote directory on a computer you have ssh access to:

$ sshfs some-remote.host.com: mountpoint/

Now you can access your remote home directory at the mount point.

Use encfs on top of sshfs for security:

$ sshfs my-shell.provider.net: ~/myshell	# mount remote directory
$ mkdir ~/myshell/secret ~/secret_access	# make directories for storage and access
$ encfs ~/myshell/secret ~/secret_access	# create/mount the encrypted directory

First, we mount our remote directory with sshfs. Then we create two directories: one of them (~/myshell/secret) is created on the remote side and will contain the encrypted data; the other (~/secret_access) resides in the local home directory and shows the unencrypted data. Now we can simply:

$ cd ~/secret_access
$ touch testfile
$ ls testfile
$ ls ~/myshell/secret
2CZx9g,6iJndZeFIp6OIcG9h

Any file you put in ~/secret_access gets encrypted and sent to the remote host.

Using an encrypted filesystem image for more privacy: encfs has some security issues. Since it works on top of another filesystem, the meta-data will be visible (read more from encfs website). It is reasonably secure though, and if you're worried about it you should reconsider putting your files on a remote host in the first place.

Assuming you have already googled for dm-crypt (or even better, LUKS: http://luks.endorphin.org/ ), become root and do the following (note: if you want to use LUKS, perform these steps as described on its home page):

$ dd if=/dev/urandom of=my_secret_filesystem bs=1M count=50	# creates a 50MB file filled with reasonably random data
$ losetup /dev/loop0 my_secret_filesystem			# attaches the file to the loop device so we can access it like a block device
$ cryptsetup -c twofish create my_crypt /dev/loop0		# creates a device mapper node "my_crypt" to which all data goes via 256 bit twofish
Enter passphrase:						# enter your secret passphrase
$ mke2fs /dev/mapper/my_crypt					# format the file as an ext2 filesystem

Now we have an encrypted filesystem inside the 50MB file. Note that we access the file through the device mapper to achieve encryption. You can mount the filesystem and access it:

$ mount /dev/mapper/my_crypt /mnt/secret_mnt			# mount the plaintext device mapper node, not the raw loop device
$ umount /mnt/secret_mnt

Finally, you can remove the device mapper node and detach the loop device:

$ cryptsetup remove my_crypt
$ losetup -d /dev/loop0

Now you might want to move the secret filesystem image to the remote host and mount it from there (assuming you already have your sshfs mounted with -o allow_root):

$ mv my_secret_filesystem ~/myshell

To mount it:

$ losetup /dev/loop0 ~/myshell/my_secret_filesystem
$ cryptsetup -c twofish create my_crypt /dev/loop0
Enter passphrase:						# enter the passphrase you gave earlier
$ mount /dev/mapper/my_crypt ~/secret_access			# again through the device mapper node
$ ls ~/secret_access
lost+found

Now, anything you put in the ~/secret_access directory gets encrypted and stored in the ext2 filesystem inside your secret file.

To unmount it:

$ umount ~/secret_access
$ cryptsetup remove my_crypt					# remove the mapping
$ losetup -d /dev/loop0						# detach the file from loop device

Now just make scripts to do it for you.
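The sequence above wrapped into a script, as the text suggests. This is an added example and not part of the wiki page: the function names, the RUN dry-run variable and the argument names are assumptions. Note that the mount source is the device-mapper node, /dev/mapper/my_crypt, not the loop device, and that each function undoes the steps already taken when a later one fails.

```shell
#!/bin/sh
# Loop-image helper (added example). Set RUN=echo to print the privileged
# commands instead of running them, which allows a dry run as a normal user.
RUN=${RUN:-}

# crypt_open IMG NAME LOOP MNT: attach the image to the loop device, create the
# dm-crypt mapping NAME, mount the plaintext node /dev/mapper/NAME on MNT.
crypt_open() {
    IMG=$1 NAME=$2 LOOP=$3 MNT=$4
    $RUN losetup "$LOOP" "$IMG" || return 1
    if ! $RUN cryptsetup -c twofish create "$NAME" "$LOOP"; then
        $RUN losetup -d "$LOOP"           # undo the loop attach
        return 1
    fi
    if ! $RUN mount "/dev/mapper/$NAME" "$MNT"; then
        $RUN cryptsetup remove "$NAME"    # undo the mapping, then the loop
        $RUN losetup -d "$LOOP"
        return 1
    fi
}

# crypt_close NAME LOOP MNT: the same steps in reverse order.
crypt_close() {
    NAME=$1 LOOP=$2 MNT=$3
    $RUN umount "$MNT" || return 1
    $RUN cryptsetup remove "$NAME" || return 1
    $RUN losetup -d "$LOOP"
}

# Usage (as root):
#   crypt_open  ~/myshell/my_secret_filesystem my_crypt /dev/loop0 ~/secret_access
#   crypt_close my_crypt /dev/loop0 ~/secret_access
```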

Using encFS with KDE & Kdialog

After a while I became bored with opening a terminal and manually mounting my encFS path, so I decided to write a nifty little script that does all the work for me with a single click on my desktop. You will find a KDE Service Menu at http://www.kde-apps.org/content/show.php/show.php?content=57086

  • First save the script below somewhere in your home directory (e.g. $HOME/bin/)
  • Second thing is to create a desktop symbol (e.g. with the name of your encFS path)
  • On the Programs tab enter $HOME/bin/mountsafe.sh ~/my.enc ~/Desktop/my_safe and set the working directory to ~/
  • Now just simply click the icon

File: mountsafe.sh
#!/bin/sh
# Mounts/unmounts encFS path
# @author: Kevin Wennemuth (kevin.wennemuth@mni.fh-giessen.de)
# @lastmod: 27.05.2007
# modified by xushi: It's a pain to upgrade the kdialog path with every KDE
# update. So just get it automatically and store the path into a variable instead.
# Source (encFS encrypted path)
SRC=$1
# Destination (mount point for encrypted path)
DST=$2

# assign kdialog binary to a variable.
KDIALOG="$(which kdialog)"

# Already mounted? Look for the mount point among the fuse mounts.
if grep fuse /proc/mounts | grep -q "$DST"
then
  if $KDIALOG --title "encFS: unmount $DST..." --warningyesno "encFS: should $DST be unmounted?"
  then
    /usr/bin/fusermount -u "$DST" &
  else
    konqueror "$DST" &
  fi
else
  if $KDIALOG --title "encFS: mount $DST..." --warningyesno "encFS: should $DST be mounted?"
  then
    # -S makes encfs read the passphrase from stdin, i.e. from the kdialog box
    $KDIALOG --title "encFS: Enter passphrase..." --password "Enter passphrase for [$DST]" | /usr/bin/encfs -S "$SRC" "$DST" && konqueror "$DST"
  fi
fi

KDE Service Menu

On KDE-APPS you will find a Service Menu: http://www.kde-apps.org/content/show.php/show.php?content=57086

Using encFS with XWindows & Xdialog

I run a stripped down desktop environment, so I modified Kevin's script to be more generic.

  • First save the script below somewhere in your home directory (e.g. $HOME/bin/)
  • Second thing is to create a desktop symbol (e.g. with the name of your encFS path)
  • On the Programs tab enter $HOME/bin/encFS_mount.sh ~/my.enc ~/Desktop/my_safe and set the working directory to ~/
  • Now just simply click the icon

Install the askpass and dialog tools used by the script:

emerge net-misc/x11-ssh-askpass x11-misc/xdialog

File: encFS_mount.sh
#!/bin/sh
# Mount/unmount encFS folder via XWindows
# Inspired by Kevin Wennemuth's mountsafe.sh
# @author: Roy Adams (roy.adams@roytoo.org)
# @lastmod: 05.10.2005

# Source (encFS encrypted path)
ENC=$1

# Destination (mount point for encrypted path)
MNT=$2

# Your favorite filebrowser
VIEWER=nautilus

# Already mounted? Look for the mount point among the encfs mounts.
if grep encfs /proc/mounts | grep -q "$MNT"
then
  # Xdialog --yesno exits 0 for "Yes"
  if Xdialog --screen-center --left --wrap --title "encFS: unmount $MNT..." --yesno "Should $MNT be unmounted?" 0x0
  then
    fusermount -u "$MNT" &
    Xdialog --title "encFS: $MNT unmounted" --msgbox "The unmount of $MNT succeeded" 0x0
  else
    $VIEWER "$MNT" &
  fi
else
  if Xdialog --title "encFS: mount $MNT..." --yesno "Should $MNT be mounted?" 0x0
  then
    # --extpass: ask for the passphrase through x11-ssh-askpass; -i 5: unmount after 5 idle minutes
    if encfs -i 5 --extpass=/usr/bin/x11-ssh-askpass "$ENC" "$MNT"
    then
      $VIEWER "$MNT" &
    else
      Xdialog --title "encFS: mount failed" --msgbox "The mount of $MNT failed" 0x0
    fi
  fi
fi

Using encFS with GNOME and Zenity

I'm a Gnome man, so I hacked together this script based on the previous two to do it in GTK with Zenity. You need to have emerged zenity for this to work. The fastest way to get it to work with Zenity was to create a second, very simple shell script with the password dialog, hence the second file.

  • Save the two files locally (preferably somewhere in your home folder, such as $HOME/bin/)
  • Customize encmount.sh for your needs (locations, file manager; remember to use absolute paths for the locations)
  • Run the programs.

To be able to run the script directly from your filemanager, you should place encmount.sh in the proper script directory. For nautilus this could be: $HOME/.gnome2/nautilus-scripts/; now the script is found in the context menu under "Scripts".

File: encmount.sh
#!/bin/sh
# Mount/unmount encFS folder via Zenity
# Inspired by Kevin Wennemuth's mountsafe.sh and Roy Adams' encFS_mount.sh

# Source (encFS encrypted path)
ENC=$1

# Destination (mount point for encrypted path)
MNT=$2

# Your favorite filebrowser
VIEWER=thunar

# Password dialog script (the second file below); adjust if saved elsewhere
ASKPASS="$HOME/bin/zenity_encfs.sh"

# Already mounted? Look for the mount point among the encfs mounts.
if grep encfs /proc/mounts | grep -q "$MNT"
then
  # zenity --question exits 0 for "Yes"
  if zenity --title="encFS: Unmount $MNT?" --question --text="Should it be unmounted?"
  then
    fusermount -u "$MNT" &
    zenity --title="encFS: $MNT unmounted" --info --text="The unmount succeeded."
  else
    $VIEWER "$MNT" &
  fi
else
  if zenity --title="encFS: mount $MNT..." --question --text="Should $MNT be mounted?"
  then
    # encfs reads whatever the --extpass program writes to stdout as the passphrase
    if encfs --extpass="$ASKPASS" "$ENC" "$MNT"
    then
      $VIEWER "$MNT" &
    else
      zenity --title="encFS: mount failed" --info --text="The mount of $MNT failed"
    fi
  fi
fi

File: zenity_encfs.sh
#!/bin/sh
# Password dialog for encfs --extpass: the entered text goes to stdout and nothing else may.

zenity --entry --hide-text --title="Password" --text="Please enter your password."

Automount encFS with a Program

In my personal experience I've had the need for the encFS folder to automount without a password prompt. It could look weird, but I'm sure someone out there will find this useful: in my case I have an encrypted USB flash disk that only decrypts itself on my computer, so I made a program that gets some data from my system (MAC address and other hardware data) and uses it as a password. I'm not going to post this program here, but I will post a simple example of how to make a custom password program to take care of the password.

encFS has a command line option for getting the password from an external program; it requires that the program write the password to standard output. What I did was make a simple C++ program that writes the password to standard output and pass this program to the encFS command line.

File: pass.cc
#include <iostream>

int main()
{
        // Put your password retrieval functions here.
        // NB: everything written to stdout is taken as the password, so the
        // program must not print anything else, not even a prompt.
        std::cout << "my password" << std::endl;
        return 0;
}

To compile use

g++ pass.cc -o Pass

To execute use

encfs ~/.forbidden ~/Forbidden --extpass=~/Pass

This will automount your Forbidden folder using the password from the Pass program we just made.
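As an added example (not the author's program), the same --extpass protocol implemented as a shell helper that reads the passphrase from a file and refuses to run when that file is readable by anyone else; only the passphrase goes to stdout, every message goes to stderr. The script name, the passphrase file and the encfs invocation in the comment are assumptions.

```shell
#!/bin/sh
# extpass helper for encfs (added example). encfs runs the helper and takes
# everything it writes to stdout as the passphrase, so only the passphrase may
# go to stdout; diagnostics go to stderr. Assumed usage:
#   encfs ~/.forbidden ~/Forbidden --extpass="$HOME/bin/extpass.sh $HOME/.forbidden.pass"

# emit_passphrase FILE: print the first line of FILE to stdout if FILE is owned
# by the caller and unreadable by group and others; otherwise print nothing on
# stdout, explain on stderr and return 1 so that encfs fails instead of
# mounting with an empty passphrase.
emit_passphrase() {
    file=$1
    if [ ! -f "$file" ]; then
        echo "extpass: $file: no such file" >&2
        return 1
    fi
    if [ ! -O "$file" ]; then
        echo "extpass: $file: not owned by you" >&2
        return 1
    fi
    # Group/other permission bits are columns 5-10 of ls -l output; this is
    # portable across GNU and BSD userlands, whose stat(1) flags differ.
    perms=$(ls -ld "$file" | cut -c5-10)
    case $perms in
        ------) ;;
        *) echo "extpass: $file: group/other bits are '$perms', refusing (chmod 600 it)" >&2
           return 1 ;;
    esac
    head -n 1 "$file"
}

# When run as a script, behave as the helper: the only argument is the passphrase file.
if [ $# -eq 1 ]; then
    emit_passphrase "$1"
fi
```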

Using encFS within your autostart

I have 2 encfs file systems that I mount within my users home directory. They have all been encoded with the same passphrase, so I just want to be asked for the single passphrase, then mount all of them. This script, simple as it is, will do just that. You'll want to modify the locations to fit your needs. I then just put this into my .kde/Autostart directory.

Install the askpass and dialog tools used by the script:

emerge net-misc/x11-ssh-askpass x11-misc/xdialog

File: encFS_mountall.sh
#!/bin/sh

# Ask for the pass phrase once
PASS=$(x11-ssh-askpass "Enter Pass Phrase")

# mount data (-S: encfs reads the passphrase from stdin)
printf '%s\n' "$PASS" | encfs -S ~/.crypt/data ~/data
if [ $? -ne 0 ]; then
  Xdialog --title "Mount Failed" --msgbox "The mount of ~/data failed" 0x0
fi

# mount devel
printf '%s\n' "$PASS" | encfs -S ~/.crypt/devel ~/devel
if [ $? -ne 0 ]; then
  Xdialog --title "Mount Failed" --msgbox "The mount of ~/devel failed" 0x0
fi

Retrieved from "http://www.gentoo-wiki.info/EncFS"

Last modified: Sun, 24 Aug 2008 16:43:00 +1000 Hits: 34,553
