How to get started with EncFS in three easy steps
This is a quick and easy tutorial that will teach you how to make use of EncFS in no more than 3 very simple steps.
1. What is EncFS?
EncFS is an encrypted filesystem solution. What does it mean? It means it allows you to encrypt the files on your hard disk very easily, with minimal headache, to protect them from snooping eyes.
EncFS is a must-have for your backup DVDs, for the USB stick you carry around or for the sensitive data on your laptop’s HDD.
It gets better.
1.1. EncFS advantages
- It works for a simple user, without the need for superuser powers. As long as the machine you’re working on has FUSE and the EncFS utilities installed, you’re ready to go.
- It works transparently on top of various regular filesystems. You can encrypt your CD backup, a network share, files found on FAT, your daily work files or just your email.
- It works with simple directories and files, so you don’t have to allocate a partition, shuffle data around, and go crazy when that partition fills up. The encrypted files grow and shrink just like normal files, as you create or delete them.
- While mounted, the clear files cannot be accessed by any program that’s not working for you, the user that mounted them. (Of course, remember that the super user can become you very easily.)
- It’s easy to use, even easier with my helper script.
1.2. EncFS disadvantages
If you’re already familiar with encrypted filesystems, you need to
know that EncFS lacks some of the finer features you may find
elsewhere. (See TrueCrypt for an alternative.)
- The encryption and decryption is done on the fly, using CPU power. This will both consume CPU during intensive file activity (such as copying a big file) and almost halve the transfer rate to/from the filesystem.
- There’s only one key and one password for each encrypted filesystem. It doesn’t offer multiple keys, so if you forget the password you’re toast. Also, there’s no way for an admin to recover your files, for instance.
- It only protects the names of the files and dirs and their contents. The timestamps, the size and other attributes are still in the clear, as is the fact that the files are there. There’s no plausible deniability.
- For now it’s only available under Linux. There’s a utility for Windows, I’ve tried it and it mostly works, but it only does decryption, it’s buggy and pretty rudimentary.
2. The quick and dirty way to start using EncFS
2.1. Make sure your kernel has FUSE support
EncFS is based on a Linux kernel feature called “FUSE”. It needs to be activated in order for EncFS to work.
You can check whether FUSE is active by running the following
command in a command line console (there’s no need to do it as root):
cat /proc/filesystems | grep fuse
You should get something like this in response:
nodev fuse
nodev fusectl
Most modern Linux distributions should have FUSE activated in the kernel by default.
it’s somewhat unfortunate. You can get around this by compiling your
own kernel, but it’s not something a beginner should be doing, and it’s
definitely not “3 easy steps” anymore. Regardless, if you’re willing to
attempt it, here’s a starter: look for
CONFIG_FUSE_FS in the config, or “File systems/Filesystem in Userspace support” in menuconfig.
An alternative is to download the FUSE source package and install it manually (./configure && make && make install).
If you have the kernel headers available it should compile and install
the kernel module without the need to recompile the kernel.
2.2. Install EncFS
Next, you need the EncFS and FUSE command line utilities installed.
This should be as easy as firing up your distribution’s package
manager, looking up “encfs” and “fuse-utils” (or the equivalent for
your distribution) and installing them. That’s it!
2.3. Start using it
2.3.1. Use my helper Bash script
In order to make it as easy to use EncFS as possible I’ve written a Bash script I’ve called enc. You can download it here.
Once you’ve downloaded it, place it in a directory that’s in your
PATH and set the executable bit on its properties. You’re all set to
start enjoying EncFS.
2.3.2. Create an encrypted directory
Create two empty directories. Then open up a terminal and call enc with their names as parameters:
enc crypted_dir mountpoint_dir
It will ask you how badly you want to encrypt it and the password. It will create the encrypted filesystem in crypted_dir and mount it for regular use under mountpoint_dir. That’s all!
2.3.3. Mount an already created encrypted directory
Let’s say you already have an encrypted dir around you have made
earlier, and you want to mount it so you can access the files. Simply
run enc just like above. Since the encrypted filesystem
is already in place, it will ask just for the password and, provided
you can remember it, will mount the filesystem for you.
2.3.4. Umount a mounted encrypted directory
When you’re done fiddling with your files you will want to umount the encrypted dir so it’s out of reach. This is done simply by calling enc and passing it the name of the mountpoint dir.
umounts like any other filesystem. This means that if you’re doing something with a file under it (even if it’s just Midnight Commander sitting in a dir doing nothing) it won’t let you umount it! So be warned that you can’t just yank the filesystem off in a split second.
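The steps in sections 2.1 to 2.3 (check for FUSE, then mount or umount) can be put together in one small shell helper. This is an added example, not the author's enc script, which is not reproduced on this page; it assumes the standard encfs and fusermount commands are installed, and the function names and the MOUNTS_FILE and FS_FILE variables are hypothetical.

```shell
#!/bin/sh
# Added example, NOT the author's `enc` script. Assumes encfs(1) and fusermount(1).
# MOUNTS_FILE and FS_FILE are hypothetical overrides so the checks can run offline.
MOUNTS_FILE=${MOUNTS_FILE:-/proc/mounts}
FS_FILE=${FS_FILE:-/proc/filesystems}

# Step 2.1: succeed only if the kernel lists the "fuse" filesystem itself
# (exact match on the last column; "fusectl" alone does not count).
have_fuse() {
    awk '$NF == "fuse" { ok = 1 } END { exit !ok }' "$FS_FILE"
}

# Succeed if absolute path $1 is a FUSE mountpoint (type "fuse" or "fuse.<name>").
# Paths with spaces are escaped (\040) in /proc/mounts and are not handled here.
is_fuse_mounted() {
    awk -v mp="$1" '$2 == mp && ($3 == "fuse" || $3 ~ /^fuse\./) { ok = 1 }
                    END { exit !ok }' "$MOUNTS_FILE"
}

# Decide what to do without doing it: prints "mount", "umount" or "error: ...".
#   enc_action MOUNTPOINT              -> umount (2.3.4)
#   enc_action CRYPTED_DIR MOUNTPOINT  -> mount  (2.3.2, 2.3.3)
enc_action() {
    if ! have_fuse; then echo "error: kernel has no FUSE support"; return 1; fi
    case $# in
        1) if is_fuse_mounted "$1"; then echo umount
           else echo "error: $1 is not mounted"; return 1; fi ;;
        2) if is_fuse_mounted "$2"; then echo "error: $2 is already mounted"; return 1
           else echo mount; fi ;;
        *) echo "error: usage: enc [crypted_dir] mountpoint"; return 1 ;;
    esac
}

abspath() { (cd "$1" 2>/dev/null && pwd -P); }   # encfs requires absolute paths
enc_run() {
    [ $# -eq 1 ] || [ $# -eq 2 ] || { enc_action >&2; return 1; }
    mp=$(abspath "${2:-$1}") || { echo "error: mountpoint is not a directory" >&2; return 1; }
    if [ $# -eq 2 ]; then
        root=$(abspath "$1") || { echo "error: $1 is not a directory" >&2; return 1; }
        act=$(enc_action "$root" "$mp")
    else
        act=$(enc_action "$mp")
    fi || { echo "$act" >&2; return 1; }
    case $act in
        mount)  encfs "$root" "$mp" ;;   # asks for settings on first use, then the password
        umount) fusermount -u "$mp" ;;   # fails ("busy") while any file or cwd is open below it
    esac
}
if [ $# -gt 0 ]; then enc_run "$@"; fi
```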
3. How does EncFS work?
Some of you may want to understand more about how EncFS works. I’ll try to explain it in simple terms so it’s accessible to gurus and beginners alike.
FUSE is a kernel trick that allows programs that work with
filesystems to think they’re doing normal stuff, while actually
something more is happening with those files in the background.
The NTFS-3g project is one example of a project that uses FUSE. It
mounts an NTFS filesystem and all the regular file utilities can work
with it just like with native files, while in the background the
NTFS-3g “driver” uses FUSE to silently “translate” to and from NTFS.
EncFS works on a similar principle, except it encrypts and decrypts
the file names and contents on the fly, while the programs think
they’re dealing with regular files and directories.
The encrypted files and directories are actually kept in “regular” files and directories, in a directory of your choice, on whatever medium or filesystem you want: HDD (ext3, FAT), CD/DVD, network share and so on. If you take a look inside such a directory you’ll see the actual dirs and files, but their names and contents are completely jumbled. You’ll also see a file called .encfs5, which is the key used to access that filesystem (don’t worry, it’s encrypted with your password).
Every time you want to use those files and dirs, EncFS uses FUSE to
mount the encrypted dir over another, empty, directory. Once you do
this, the empty dir is magically populated with the actual files and
dirs, this time with the clear names and contents.
You can then proceed to do your stuff with them, while in the
background EncFS will silently do the actual operations on the
encrypted filesystem.
When you’re done you umount the dir and it becomes empty once more.
For more details please use common sense and also visit the EncFS website which has more info.
Original Source: Here
