HOWTO EncFS
From Gentoo Linux Wiki
Introduction
Below I will briefly explain how to install and use EncFS on a Gentoo system. The EncFS webpage describes it as follows: "EncFS provides an encrypted filesystem in user-space. It runs without any special permissions and uses the FUSE library and Linux kernel module to provide the filesystem interface". The major advantage of this method, for instance when compared to dm-crypt (see SECURITY dmcrypt), is that the space does not have to be allocated in advance: the filesystem grows as files are added. A clear disadvantage is that the number and size of the encrypted files are visible in the clear (see below).
Installing EncFS
Start by emerging the necessary package
emerge encfs
If they are not already present on the system, the packages fuse (a library for filesystems implemented in userspace) and rlog (a logging library) are installed as dependencies. At this point it is probably necessary to load the newly built kernel module using
modprobe fuse
You need to be root to perform this operation. After the first reboot this command should no longer be necessary: the kernel should load the fuse module automatically when needed. If that is not the case on your system and you intend to use EncFS regularly, add the module to the list of automatically loaded modules in /etc/modules.autoload.d/ (use the file for the kernel version you intend to use). For example, on a 2.6 kernel:
echo "fuse" >> /etc/modules.autoload.d/kernel-2.6
After this point, root permission is no longer required.
Using EncFS
You can create an encrypted virtual filesystem in your home using
encfs ~/private.enc ~/private
With this command two directories are created (if they do not exist already). The first, ~/private.enc, is the important one: it holds the encrypted files, with encrypted filenames. The second, ~/private, is simply a mount point through which the file names and contents are seen in the clear. The command also asks for an encryption password.
Check that the new filesystem appears as regularly mounted using
cat /proc/mounts
If you see a line like
| File: /proc/mounts |
encfs /home/your_username/private fuse rw,nosuid,nodev,user_id=1000,group_id=100,default_permissions 0 0
|
everything went fine.
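The /proc/mounts check above is also what the desktop scripts further down this page rely on, and they do it with a substring grep. What follows is an added example (not from the wiki page, and not part of EncFS itself) of a mount check that compares the mount-point field exactly and undoes the kernel's octal escaping of spaces, so that /home/user/private is not mistaken for /home/user/private2 and a mount point containing a space is still found. The sample mount table is constructed for the demonstration, and the function name encfs_mounted is this example's own.

```shell
#!/bin/sh
# Added example, not from the wiki page: exact mount-point lookup for EncFS.
# Usage: encfs_mounted /absolute/mount/point [mounts-file]
# Exit status 0 when that directory is an EncFS mount, 1 otherwise.
# The optional second argument (default /proc/mounts) lets the check run
# against a saved copy of the mount table, as the demonstration below does.
encfs_mounted() {
    # the wanted path is passed through the environment rather than awk -v,
    # so backslashes in it are not interpreted as escape sequences
    WANT=$1 awk '
        BEGIN { want = ENVIRON["WANT"] }
        {
            # the kernel writes space, tab, newline and backslash in the
            # mount point as \040, \011, \012 and \134; undo that
            p = $2
            gsub(/\\040/, " ", p)
            gsub(/\\011/, "\t", p)
            gsub(/\\012/, "\n", p)
            gsub(/\\134/, "\\\\", p)
            # EncFS appears with source "encfs" and type "fuse" (older
            # versions) or "fuse.encfs" (newer ones)
            if (p == want && $1 == "encfs" && ($3 == "fuse" || $3 == "fuse.encfs"))
                found = 1
        }
        END { exit found ? 0 : 1 }
    ' "${2:-/proc/mounts}"
}

# Constructed sample of a mount table (not real /proc/mounts output) for a
# stand-alone run; it is removed again when the script exits.
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
encfs /home/user/private fuse rw,nosuid,nodev,user_id=1000,group_id=100,default_permissions 0 0
encfs /home/user/my\040safe fuse.encfs rw,nosuid,nodev,user_id=1000,group_id=100 0 0
/dev/sda1 /home/user/private2 ext4 rw,relatime 0 0
EOF

# "priv" would be reported as mounted by a substring grep; here it is not
for dir in /home/user/private "/home/user/my safe" /home/user/private2 /home/user/priv; do
    if encfs_mounted "$dir" "$SAMPLE_MOUNTS"; then
        echo "encfs mounted on:   $dir"
    else
        echo "not an encfs mount: $dir"
    fi
done
```

Used in a desktop script, `if encfs_mounted "$DST"; then ... fi` replaces the `grep fuse /proc/mounts | grep $DST` test and behaves the same for the common case while not misfiring on prefixes.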
Now that the encrypted filesystem ~/private.enc is created and mounted in ~/private, you can start filling it with files as if it were a normal filesystem. A command like
cp ~/my_sensitive_file ~/private
will actually store an encrypted version of ~/my_sensitive_file in ~/private.enc. The file will appear in ~/private as a regular file.
When you have finished using it, you can unmount the encrypted filesystem using
fusermount -u ~/private
Notice that there's no particular relationship between ~/private.enc and ~/private. Indeed you can mount the former on any directory, for instance using
encfs ~/private.enc /mnt/cdrom
and unmounting with
fusermount -u /mnt/cdrom
A Bit More Secure Shell
Mount a remote directory on a computer you have ssh access to:
$ sshfs some-remote.host.com: mountpoint/
Now you can access your remote home directory at the mount point.
Use encfs on top of sshfs for security:
$ sshfs my-shell.provider.net: ~/myshell          # mount the remote directory
$ mkdir ~/myshell/secret ~/secret_access           # directories for storage and access
$ encfs ~/myshell/secret ~/secret_access           # create/mount the encrypted directory
First we mount the remote directory with sshfs. Then we create two directories: one of them is created on the remote side (~/myshell/secret) and will hold the encrypted data; the other (~/secret_access) lives in the local home directory and shows the decrypted data. Now we can simply:
$ cd ~/secret_access
$ touch testfile
$ ls
testfile
$ ls ~/myshell/secret
2CZx9g,6iJndZeFIp6OIcG9h
Any file you put in ~/secret_access is encrypted and sent to the remote host.
Using an encrypted filesystem image for more privacy: EncFS has some known weaknesses. Since it works on top of another filesystem, the metadata (such as the number and size of the files) is visible to anyone who can read the backing directory (read more on the EncFS website). It is reasonably secure nevertheless, and if this worries you, you should reconsider putting your files on a remote host in the first place.
Assuming you have already read up on dm-crypt (or, even better, LUKS: http://luks.endorphin.org/ ), become root and run the following. (Note: if you want to use LUKS, perform these steps as described on the LUKS home page.)
$ dd if=/dev/urandom of=my_secret_filesystem bs=1M count=50   # create a 50MB file filled with reasonably random data
$ losetup /dev/loop0 my_secret_filesystem                     # attach the file to a loop device so it can be used as a block device
$ cryptsetup -c twofish create my_crypt /dev/loop0            # create the device-mapper node "my_crypt"; all data passes through it encrypted with 256-bit Twofish
Enter passphrase:                                             # enter your secret passphrase
$ mke2fs /dev/mapper/my_crypt                                 # format the mapped device as an ext2 filesystem
Now we have an encrypted filesystem inside the 50MB file. Note that we access the file through the device mapper to achieve encryption. You can mount the filesystem and access it:
$ mount /dev/mapper/my_crypt /mnt/secret_mnt   # mount through the mapping, never the raw (encrypted) loop device
$ umount /mnt/secret_mnt
Finally, you can remove the device mapper node and detach the loop device:
$ cryptsetup remove my_crypt
$ losetup -d /dev/loop0
Now you might want to move the secret filesystem image to the remote host and mount it from there (assuming you already have your sshfs mounted with -o allow_root):
$ mv my_secret_filesystem ~/myshell
To mount it:
$ losetup /dev/loop0 ~/myshell/my_secret_filesystem
$ cryptsetup -c twofish create my_crypt /dev/loop0
Enter passphrase:                              # enter the passphrase you chose earlier
$ mount /dev/mapper/my_crypt ~/secret_access   # again through the mapping, not /dev/loop0
$ ls ~/secret_access
lost+found
Now, anything you put in the ~/secret_access directory gets encrypted and stored in the ext2 filesystem inside your secret file.
To unmount it:
$ umount ~/secret_access
$ cryptsetup remove my_crypt   # remove the mapping
$ losetup -d /dev/loop0        # detach the file from the loop device
Now just make scripts to do it for you.
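As an added example (not from the wiki page, and not a tool shipped with cryptsetup or EncFS), here is one way to turn the loop-device and dm-crypt steps above into such a script. Beyond bundling the commands, it takes the first free loop device from losetup -f rather than assuming /dev/loop0 is free, always mounts the device-mapper node and never the raw loop device, and undoes the steps already completed if a later one fails, so that no mapping holding the key is left behind after a failed mount. With DRY_RUN=1 it prints the privileged commands instead of executing them. The name secretfs.sh, the function names and the /dev/loopN placeholder are this example's own; it assumes util-linux losetup (-f, --show, -j) and the legacy cryptsetup create syntax used on this page.

```shell
#!/bin/sh
# secretfs.sh: mount/unmount an encrypted filesystem image through a loop
# device and dm-crypt (plain mode, as set up on this page). Added example,
# not from the wiki page. Needs root unless DRY_RUN=1, which only prints
# the commands that would be run.

# run CMD...: execute a privileged command, or print it when DRY_RUN is set
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "+ $*" >&2
    else
        "$@"
    fi
}

# attach_loop IMAGE: attach IMAGE to the first free loop device and print it
attach_loop() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "+ losetup -f --show $1" >&2
        echo /dev/loopN            # dry-run placeholder, not a real device
    else
        losetup -f --show "$1"     # --show prints the device chosen
    fi
}

# loops_of IMAGE: print every loop device still backed by IMAGE, one per line
loops_of() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "+ losetup -j $1" >&2
    else
        losetup -j "$1" | cut -d: -f1
    fi
}

# secret_mount IMAGE MAPNAME MOUNTPOINT
secret_mount() {
    img=$1; name=$2; mnt=$3
    [ -f "$img" ] || { echo "secretfs: image $img does not exist" >&2; return 1; }
    loopdev=$(attach_loop "$img") || return 1
    # the mapping; on failure release the loop device again
    if ! run cryptsetup -c twofish create "$name" "$loopdev"; then
        run losetup -d "$loopdev"
        return 1
    fi
    # mount the *mapped* device so every write goes through the cipher; a
    # wrong passphrase shows up here as an unreadable filesystem, so undo both
    if ! run mount "/dev/mapper/$name" "$mnt"; then
        run cryptsetup remove "$name"
        run losetup -d "$loopdev"
        return 1
    fi
    echo "$img mounted on $mnt via $loopdev and /dev/mapper/$name"
}

# secret_umount IMAGE MAPNAME MOUNTPOINT: reverse order, carrying on past
# errors so that as much as possible is released
secret_umount() {
    img=$1; name=$2; mnt=$3
    rc=0
    run umount "$mnt" || rc=1
    run cryptsetup remove "$name" || rc=1
    for dev in $(loops_of "$img"); do
        run losetup -d "$dev" || rc=1
    done
    return $rc
}

# command-line entry point: secretfs.sh mount|umount IMAGE MAPNAME MOUNTPOINT
case "${1:-}" in
    mount)  shift; secret_mount "$@" ;;
    umount) shift; secret_umount "$@" ;;
esac
```

Running `DRY_RUN=1 sh secretfs.sh mount my_secret_filesystem my_crypt /mnt/secret_mnt` shows the planned sequence without touching any device; without DRY_RUN the same invocation, as root, performs it.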
Using encFS with KDE & Kdialog
After a while I became bored with opening a terminal and manually mounting my encFS path, so I decided to write a nifty little script that does all the work for me with a single click on my desktop. You will find a KDE Service Menu at http://www.kde-apps.org/content/show.php/show.php?content=57086
- First save the script below somewhere in your home directory (e.g. $HOME/bin/)
- Second thing is to create a desktop symbol (e.g. with the name of your encFS path)
- On the Programs tab enter $HOME/bin/mountsafe.sh ~/my.enc ~/Desktop/my_safe and set the working directory to ~/
- Now just simply click the icon
| File: mountsafe.sh |
#!/bin/sh
# Mounts/unmounts encFS path
# @author: Kevin Wennemuth (kevin.wennemuth@mni.fh-giessen.de)
# @lastmod: 27.05.2007
# modified by xushi: It's a pain to upgrade the kdialog path with every KDE
# update. So just get it automatically and store the path into a variable instead.
# Source (encFS encrypted path)
SRC=$1
# Destination (mount point for encrypted path)
DST=$2
# assign kdialog binary to a variable.
KDIALOG="$(which kdialog)"
# already mounted? (looks for the mount point among the fuse mounts)
if grep fuse /proc/mounts | grep -q "$DST"
then
    $KDIALOG --title "encFS: unmount $DST..." --warningyesno "encFS: should $DST be unmounted?"
    if [ $? = 0 ]
    then
        /usr/bin/fusermount -u "$DST" &
    else
        konqueror "$DST" &
    fi
else
    $KDIALOG --title "encFS: mount $DST..." --warningyesno "encFS: should $DST be mounted?"
    if [ $? = 0 ]
    then
        # -S makes encfs read the passphrase from the pipe instead of the terminal
        $KDIALOG --title "encFS: Enter passphrase..." --password "Enter passphrase for [$DST]" | /usr/bin/encfs -S "$SRC" "$DST" && konqueror "$DST"
    fi
fi
|
KDE Service Menu
On KDE-APPS you will find a Service Menu: http://www.kde-apps.org/content/show.php/show.php?content=57086
Using encFS with XWindows & Xdialog
I run a stripped down desktop environment, so I modified Kevin's script to be more generic.
- First save the script below somewhere in your home directory (e.g. $HOME/bin/)
- Second thing is to create a desktop symbol (e.g. with the name of your encFS path)
- On the Programs tab enter $HOME/bin/encFS_mount.sh ~/my.enc ~/Desktop/my_safe and set the working directory to ~/
- Now just simply click the icon
emerge net-misc/x11-ssh-askpass x11-misc/xdialog
| File: encFS_mount.sh |
#!/bin/sh
# Mount/unmount encFS folder via XWindows
# Inspired by Kevin Wennemuth's mountsafe.sh
# @author: Roy Adams (roy.adams@roytoo.org)
# @lastmod: 05.10.2005
# Source (encFS encrypted path)
ENC=$1
# Destination (mount point for encrypted path)
MNT=$2
# Your favorite filebrowser
VIEWER=nautilus
# already mounted?
if grep encfs /proc/mounts | grep -q "$MNT"
then
    Xdialog --screen-center --left --wrap --title "encFS: unmount $MNT..." --yesno "Should $MNT be unmounted?" 0x0
    if [ $? = 0 ]
    then
        # report success only once fusermount has actually returned successfully
        fusermount -u "$MNT" && Xdialog --title "encFS: $MNT unmounted" --msgbox "The unmount of $MNT succeeded" 0x0
    else
        $VIEWER "$MNT" &
    fi
else
    Xdialog --title "encFS: mount $MNT..." --yesno "Should $MNT be mounted?" 0x0
    if [ $? = 0 ]
    then
        # -i 5: unmount automatically after 5 idle minutes; the passphrase is asked for by x11-ssh-askpass
        encfs -i 5 --extpass=/usr/bin/x11-ssh-askpass "$ENC" "$MNT"
        if [ $? = 0 ]
        then
            $VIEWER "$MNT" &
        else
            Xdialog --title "encFS: mount failed" --msgbox "The mount of $MNT failed" 0x0
        fi
    fi
fi
|
Using encFS with GNOME and Zenity
I'm a Gnome man, so I hacked together this script, based on the previous two, to do it in GTK with Zenity. You need to have emerged zenity for this to work. The fastest way to get it working with Zenity was to create a second, very simple shell script for the password dialog, hence the second file.
- Save the two files locally (preferably somewhere in your home folder, such as $HOME/bin/)
- Customize encmount.sh for your needs (locations, file manager; remember to use absolute paths for the locations)
- Run the programs.
To be able to run the script directly from your file manager, you should place encmount.sh in the proper script directory. For Nautilus this could be $HOME/.gnome2/nautilus-scripts/; the script then appears in the context menu under "Scripts".
| File: encmount.sh |
#!/bin/sh
# Mount/unmount encFS folder via Zenity
# Inspired by Kevin Wennemuth's mountsafe.sh and Roy Adams' encFS_mount.sh
# Source (encFS encrypted path)
ENC=$1
# Destination (mount point for encrypted path)
MNT=$2
# Your favorite filebrowser
VIEWER=thunar
# Password helper (the second file below); use the absolute path where you saved it
ASKPASS="$HOME/bin/zenity_encfs.sh"
# already mounted?
if grep encfs /proc/mounts | grep -q "$MNT"
then
    zenity --title="encFS: Unmount $MNT?" --question --text="Should it be unmounted?"
    if [ $? = 0 ]
    then
        # report success only once fusermount has actually returned successfully
        fusermount -u "$MNT" && zenity --title="encFS: $MNT unmounted" --info --text="The unmount succeeded."
    else
        $VIEWER "$MNT" &
    fi
else
    zenity --title="encFS: mount $MNT..." --question --text="Should $MNT be mounted?"
    if [ $? = 0 ]
    then
        encfs --extpass="$ASKPASS" "$ENC" "$MNT"
        if [ $? = 0 ]
        then
            $VIEWER "$MNT" &
        else
            zenity --title="encFS: mount failed" --info --text="The mount of $MNT failed"
        fi
    fi
fi
|
| File: zenity_encfs.sh |
#!/bin/sh
# Password dialog used by encmount.sh via --extpass; must be executable (chmod +x).
# Whatever is entered is printed on stdout, which is all encfs reads.
zenity --entry --hide-text --title="Password" --text="Please enter your password."
|
Automount encFS with a Program
In my personal experience I've had the need for the encFS folder to automount without a password prompt. It could look weird, but I'm sure someone out there will find this useful. In my case I have an encrypted USB flash disk that only decrypts itself on my computer, so I made a program that gets some data from my system (MAC address and other hardware data) and uses it as a password. I'm not gonna post this program here, but I will post a simple example of how to make a custom password program to take care of the password.
encFS has a command-line option for getting the password from an external program; it requires that the program write the password to standard output. What I did was make a simple C++ program that prints the password to standard output, and pass this program to the encFS command line.
| File: pass.cc |
#include <iostream>

// Note: everything written to stdout is taken as the password, so you cannot
// print anything else there, not even a prompt asking for a password.
int main()
{
    // Put your password retrieval functions here
    std::cout << "my password" << std::endl;
    return 0;
}
|
To compile use
g++ pass.cc -o Pass
To execute use
encfs ~/.forbidden ~/Forbidden --extpass="$HOME/Pass"
This will automount your Forbidden folder using the password from the Pass program we just made.
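The contract that pass.cc relies on (the helper's standard output is the passphrase and nothing else) applies to any --extpass program, not only a C++ one. What follows is an added example, not from the wiki page and not part of EncFS, of a shell helper for the same option that reads the passphrase from a file and refuses to hand it over unless the file belongs to the calling user and is readable by nobody else; diagnostics go to standard error, so a refusal makes encfs fail the mount rather than try an empty passphrase. The secret is then only as well protected as that file, which is the point of the checks. The script name encfs-filepass and the function name extpass_from_file are this example's own, the passphrase file used in the demonstration is constructed, and GNU stat and id are assumed (both are on Gentoo). Saved as $HOME/bin/encfs-filepass and made executable, it is used as `encfs ~/.forbidden ~/Forbidden --extpass="$HOME/bin/encfs-filepass $HOME/.encfs-pass"` (encfs hands the --extpass string to /bin/sh -c, so the argument reaches the script).

```shell
#!/bin/sh
# encfs-filepass: an --extpass helper that prints a passphrase kept in a file.
# Added example, not from the wiki page. Only the passphrase goes to stdout
# (that is all encfs reads); diagnostics go to stderr. Assumes GNU stat/id.

# extpass_from_file FILE: print the first line of FILE and return 0, or
# explain on stderr and return 1 when FILE is missing, empty, owned by
# someone else, or readable by group/others (mode other than 0600/0400).
extpass_from_file() {
    f=$1
    [ -f "$f" ] || { echo "extpass: $f does not exist" >&2; return 1; }
    # owner uid and octal mode of the file
    set -- $(stat -c '%u %a' "$f")
    [ "$1" = "$(id -u)" ] || { echo "extpass: $f is not owned by uid $(id -u)" >&2; return 1; }
    case $2 in
        600|400) ;;
        *) echo "extpass: $f has mode $2, expected 600 or 400" >&2; return 1 ;;
    esac
    # first line only; a file without a trailing newline is still accepted
    IFS= read -r pass < "$f" || true
    [ -n "$pass" ] || { echo "extpass: $f is empty" >&2; return 1; }
    printf '%s\n' "$pass"
}

# demo: exercise the checks on a constructed passphrase file, then remove it
demo() {
    demo_dir=$(mktemp -d)
    printf 'constructed example passphrase\n' > "$demo_dir/pass"
    chmod 600 "$demo_dir/pass"
    if pw=$(extpass_from_file "$demo_dir/pass"); then
        echo "0600 file accepted, passphrase of ${#pw} characters returned"
    fi
    chmod 644 "$demo_dir/pass"
    if ! extpass_from_file "$demo_dir/pass" >/dev/null; then
        echo "0644 file refused, as intended"
    fi
    rm -rf "$demo_dir"
}

if [ $# -eq 1 ]; then
    extpass_from_file "$1"    # helper mode: this is what encfs invokes
else
    demo                      # no argument: show the checks at work
fi
```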
Using encFS within your autostart
I have 2 encfs file systems that I mount within my user's home directory. They have all been encoded with the same passphrase, so I just want to be asked for the single passphrase and then mount all of them. This script, simple as it is, will do just that. You'll want to modify the locations to fit your needs. I then just put this into my .kde/Autostart directory.
emerge net-misc/x11-ssh-askpass x11-misc/xdialog
| File: encFS_mountall.sh |
#!/bin/sh
# Ask for the pass phrase
PASS=$(x11-ssh-askpass "Enter Pass Phrase")
# mount data (-S: read the passphrase from stdin)
echo "$PASS" | encfs -S ~/.crypt/data ~/data
if [ $? != 0 ]; then
    Xdialog --title "Mount Failed" --msgbox "The mount of ~/data failed" 0x0
fi
# mount devel
echo "$PASS" | encfs -S ~/.crypt/devel ~/devel
if [ $? != 0 ]; then
    Xdialog --title "Mount Failed" --msgbox "The mount of ~/devel failed" 0x0
fi
|
