Transparent Directory Encryption

In a previous article, I discussed sshfs, a user mode filesystem based on FUSE for accessing remote files. Another useful filesystem type is encfs which provides transparent encryption of directories. With encfs, files are stored encrypted in a special directory under encfs’ control. The encryption algorithm and password are specified during creation of this directory.

To use encfs, you have to be a member of the fuse group and the fuse kernel module has to be loaded. See the sshfs article for more information. If you’re using Ubuntu or some other Debian-based distribution, the encfs package itself can be installed using the following command.

  sudo apt-get install encfs

After this, you can create your first encrypted directory. A useful convention to follow is to use a mount point somewhere in your home directory (e.g. ~/secret) and a corresponding directory for the raw encrypted files, starting with a dot (e.g. ~/.secret).

Execute the following command for setting things up (no root privileges required):

  encfs ~/.secret ~/secret

Note that you have to use absolute file names. The program prompts you for various cryptographic parameters and a password. After that, the ~/secret directory is mounted and ready for use. Try to create a few files there and see how the corresponding encrypted files appear in ~/.secret.

As soon as you’re done, umount the directory:

  fusermount -u ~/secret

The next time you want to use the directory, issue the same command as above:

  encfs ~/.secret ~/secret

Encfs detects that the directory is initialized already, prompts for the password and mounts the directory.

In contrast to other approaches like dm-crypt, encfs directories grow and shrink on demand. After all, the files are encrypted individually. The downside of this approach is that attackers can draw conclusions based on the number and size of files in the encrypted directory. Filenames are encrypted, too, but depending on your use case, the amount of privacy encfs provides may or may not be enough.

This entry was posted in tools and tagged , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s