EncFS

EncFS has the following requirements:

  • FUSE 2.6 or newer (for the latest EncFS)
  • rlog, a C++ logging library
  • OpenSSL (versions 0.9.6 through 0.9.8 have been tested)
  • boost, a C++ utility library, 1.34 or later

Most of these are probably installed on your system already; on Debian or Ubuntu the package manager pulls in whatever is missing:

user@localhost:~$ sudo apt-get install encfs

The following NEW packages will be installed:
 encfs libboost-filesystem1.46.1{a} libboost-serialization1.46.1{a} libboost-system1.46.1{a} librlog5{a}
0 packages upgraded, 5 newly installed, 0 to remove and 9 not upgraded.
Need to get 659 kB of archives. After unpacking 3,109 kB will be used.

Basic Usage

Create the directory that will hold the encrypted files. If you plan to sync that directory to another machine or a storage service, create it inside the tree that gets synced; only ciphertext and the volume's config file ever live there.

mkdir ~/encrypted

You also need a second, empty directory, the mount point, through which you access the decrypted files. encfs mounts the encrypted directory onto it, much like loop-mounting an ISO image:

mkdir ~/temp_encr

Now create the encrypted volume and mount it. On the first mount encfs notices that the directory is not an EncFS volume yet, walks you through the configuration and asks for a password. Below is the setup with the standard options. The syntax is like a regular mount:

encfs "folder to mount" "mount point"

So for this example:

$ encfs /home/user/encrypted /home/user/temp_encr
Creating new encrypted volume.
Please choose from one of the following options:
 enter "x" for expert configuration mode,
 enter "p" for pre-configured paranoia mode,
 anything else, or an empty line will select standard mode.
?>

Standard configuration selected.

Configuration finished.  The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 3:0:2
Filename encoding: "nameio/block", version 3:0:1
Key Size: 192 bits
Block Size: 1024 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File holes passed through to ciphertext.

Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism.  However, the password can be changed
later using encfsctl.

New Encfs Password:
Verify Encfs Password:

Note that encfs wants absolute paths, i.e. starting with a /.

Now that the volume is set up and mounted, you can start putting files into ~/temp_encr. As you do so, matching files appear in ~/encrypted too, but with encrypted names and contents.

$ echo "Hello World." > ~/temp_encr/testfile
$ ls -l ~/temp_encr/testfile
-rw-rw-r-- 1 linuxaria linuxaria 22 2011-12-14 00:08 /home/linuxaria/temp_encr/testfile
$ cat ~/temp_encr/testfile
Hello World.

When you're done, unmount the volume with fusermount -u (a plain umount of a FUSE mount needs root, so as a normal user it will not work):

fusermount -u /home/user/temp_encr

Now ~/temp_encr is empty, while ~/encrypted still holds all the files, encrypted, plus the volume configuration .encfs6.xml. That file records the cipher settings and the volume key, itself encrypted with a key derived from your password, so the ciphertext is unusable without it: keep it, but be aware that anyone who gets hold of the encrypted directory also gets this file and can try passwords against it offline. Note also that the encrypted file is 8 bytes larger than the plaintext (30 versus 22 bytes); that is the per-file IV header mentioned during setup.

$ ls -la encrypted/
total 16
drwxrwxr-x   2 linuxaria linuxaria 4096 2011-12-14 00:08 .
drwx------ 109 linuxaria linuxaria 4096 2011-12-13 23:55 ..
-rw-rw-r--   1 linuxaria linuxaria 1076 2011-12-13 23:56 .encfs6.xml
-rw-rw-r--   1 linuxaria linuxaria   30 2011-12-14 00:08 NOQUHJDpKw4XkS,THEb5OF,8
$ cat encrypted/NOQUHJDpKw4XkS,THEb5OF,8
(30 bytes of binary ciphertext, not printable)

Limitations

I have problems saving emails and attachments out of mutt into the encrypted folder structure. However, if I save them outside first and then move them into the folder, it works just fine.

Some postings on the net relate this to the paranoia mode of encfs (selectable during setup), which also disables hard links, and mutt is one of the programs that need them. The encfs setup itself says as much when paranoia mode is chosen:

The external initialization-vector chaining option has been
enabled.  This option disables the use of hard links on the
filesystem. Without hard links, some programs may not work.
The programs 'mutt' and 'procmail' are known to fail.  For
more information, please see the encfs mailing list.
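Both the .encfs6.xml file in the encrypted directory and the paranoia-mode warning above are worth checking before trusting a volume. The Python script below is an added example, not code from the original post or from the EncFS project: it parses a config, reports the settings that matter (no block MAC in standard mode, so tampered or corrupted ciphertext decrypts silently to garbage; external IV chaining, which disables hard links) and predicts backing-file sizes from EncFS's on-disk layout (8-byte per-file IV header plus the per-block MAC overhead). The embedded config is constructed to match the standard setup shown above, with placeholder key and salt values; PARANOIA_OVERRIDES holds the values EncFS 1.7 selects for paranoia mode.

```python
"""Audit an EncFS .encfs6.xml and predict ciphertext sizes.

Added example, not code from the EncFS project or the original post. The
constructed sample config below follows the layout EncFS 1.7 writes for the
"standard" setup shown above; key and salt values are placeholders.
"""
import math
import sys
import xml.etree.ElementTree as ET

SAMPLE_STANDARD_CONFIG = """<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE boost_serialization>
<boost_serialization signature="serialization::archive" version="7">
<cfg class_id="0" tracking_level="0" version="20">
  <version>20100713</version>
  <creator>EncFS 1.7.4</creator>
  <cipherAlg class_id="1" tracking_level="0" version="0">
    <name>ssl/aes</name><major>3</major><minor>0</minor>
  </cipherAlg>
  <nameAlg><name>nameio/block</name><major>3</major><minor>0</minor></nameAlg>
  <keySize>192</keySize>
  <blockSize>1024</blockSize>
  <uniqueIV>1</uniqueIV>
  <chainedNameIV>1</chainedNameIV>
  <externalIVChaining>0</externalIVChaining>
  <blockMACBytes>0</blockMACBytes>
  <blockMACRandBytes>0</blockMACRandBytes>
  <allowHoles>1</allowHoles>
  <encodedKeySize>44</encodedKeySize>
  <encodedKeyData>PLACEHOLDER-NOT-A-REAL-ENCRYPTED-VOLUME-KEY=</encodedKeyData>
  <saltLen>20</saltLen>
  <saltData>PLACEHOLDER-NOT-A-REAL-SALT=</saltData>
  <kdfIterations>150000</kdfIterations>
</cfg>
</boost_serialization>
"""

# What EncFS 1.7 changes when "p" (paranoia mode) is chosen at setup time.
PARANOIA_OVERRIDES = {"key_size": 256, "block_mac_bytes": 8,
                      "block_mac_rand_bytes": 0, "external_iv_chaining": True}


def parse_encfs_config(xml_text):
    """Pull the security-relevant settings out of an EncFS 6 config file."""
    root = ET.fromstring(xml_text)
    cfg = root.find("cfg")
    if cfg is None:
        raise ValueError("not an EncFS 6 config: no <cfg> element")

    def field(path, default="0"):
        el = cfg.find(path)
        return el.text.strip() if el is not None and el.text else default

    return {
        "creator": field("creator", ""),
        "cipher": field("cipherAlg/name", ""),
        "name_encoding": field("nameAlg/name", ""),
        "key_size": int(field("keySize")),
        "block_size": int(field("blockSize")),
        "unique_iv": field("uniqueIV") == "1",
        "chained_name_iv": field("chainedNameIV") == "1",
        "external_iv_chaining": field("externalIVChaining") == "1",
        "block_mac_bytes": int(field("blockMACBytes")),
        "block_mac_rand_bytes": int(field("blockMACRandBytes")),
        "kdf_iterations": int(field("kdfIterations")),
    }


def audit(cfg):
    """Return the findings a reviewer would raise about this volume's settings."""
    findings = []
    if cfg["block_mac_bytes"] == 0:
        findings.append("no block MAC: tampered or corrupted ciphertext decrypts "
                        "silently to garbage (standard mode; paranoia mode adds 8-byte MACs)")
    if cfg["external_iv_chaining"]:
        findings.append("external IV chaining: hard links are disabled, so mutt "
                        "and procmail are known to fail")
    if not cfg["unique_iv"]:
        findings.append("no per-file IV: identical plaintexts give identical ciphertexts")
    if not cfg["chained_name_iv"]:
        findings.append("no filename IV chaining: a name encrypts the same in every directory")
    return findings


def expected_ciphertext_size(plaintext_size, cfg):
    """Size of the backing file for a plaintext of the given size.

    Derived from EncFS's on-disk layout: an 8-byte per-file IV header when
    uniqueIV is set, plus (blockMACBytes + blockMACRandBytes) on every block
    when MACs are enabled; blockSize is the ciphertext block size, so each
    block carries blockSize minus that overhead of data. Empty files stay
    empty. Checks out against the listing above: 22 plaintext bytes -> 30.
    """
    if plaintext_size == 0:
        return 0
    file_header = 8 if cfg["unique_iv"] else 0
    per_block = cfg["block_mac_bytes"] + cfg["block_mac_rand_bytes"]
    blocks = math.ceil(plaintext_size / (cfg["block_size"] - per_block))
    return plaintext_size + file_header + blocks * per_block


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_STANDARD_CONFIG
    cfg = parse_encfs_config(text)
    print(f"{cfg['creator']}: {cfg['cipher']} {cfg['key_size']}-bit, "
          f"{cfg['block_size']}-byte blocks, KDF iterations {cfg['kdf_iterations']}")
    for finding in audit(cfg):
        print("WARNING:", finding)
    for size in (22, 1024, 1_000_000):
        print(f"{size} plaintext bytes -> {expected_ciphertext_size(size, cfg)} on disk")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no argument to audit the constructed sample, or pass the path of a real .encfs6.xml. The size prediction is a cheap consistency check: a backing file whose size does not fit the formula for any plaintext length has been truncated or otherwise altered, which a standard-mode volume would never report on its own.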