
3.4. Encrypt Your Data With EncFS

EncFS provides an encrypted filesystem in user-space. It runs without any special permissions and uses the FUSE library and Linux kernel module to provide the filesystem interface. It is a pass-through filesystem, not an encrypted block device, which means it is created on top of an existing filesystem.

3.4.1. Practice

  1. Start VirtualBox, boot the Debian virtual machine, and log in as root/password
  2. Install encfs
    $ apt-get update
    $ apt-get install encfs
  3. You should now take a look at the EncFS man page to familiarize yourself with its options:
    $ man encfs
  4. I will now create the directories encrypted and decrypted in my home directory:
    $ mkdir -p ~/encrypted
    $ mkdir -p ~/decrypted
  5. The decrypted directory acts as the mount point for the encrypted directory. To mount ~/encrypted to ~/decrypted, simply run:
    $ encfs ~/encrypted ~/decrypted
    If you run this command for the first time, the EncFS setup is started, and you must define a password for the encrypted volume:
    Creating new encrypted volume.
    Please choose from one of the following options:
     enter "x" for expert configuration mode,
     enter "p" for pre-configured paranoia mode,
     anything else, or an empty line will select standard mode.
    ?> <-- p
    
    Paranoia configuration selected.
    
    Configuration finished.  The filesystem to be created has
    the following properties:
    Filesystem cipher: "ssl/aes", version 3:0:2
    Filename encoding: "nameio/block", version 3:0:1
    Key Size: 256 bits
    Block Size: 1024 bytes, including 8 byte MAC header
    Each file contains 8 byte header with unique IV data.
    Filenames encoded using IV chaining mode.
    File data IV is chained to filename IV.
    File holes passed through to ciphertext.
    
    ....
    Make sure you remember the password because there's no way to recover your encrypted data if you forget the password!
  6. You should now find the EncFS volume in the outputs of
    $ mount
    and
    $ df
  7. To save your data in encrypted form, put your data into the decrypted directory, just as you would do with a normal directory:
    $ cd ~/decrypted
    $ echo "hello foo" > foo
    $ echo "hello bar" > bar
    $ ln -s foo foo2
  8. If you list the contents of the directory, you will see them in unencrypted form...
    $ ls -l
  9. ... while in the encrypted directory, it's encrypted:
    $ cd ~/encrypted
    $ ls -l
  10. To unmount the encrypted volume, run:
    $ cd
    $ fusermount -u ~/decrypted
  11. To mount it again, run:
    $ encfs ~/encrypted ~/decrypted
  12. If you want to change the password, run:
    $ encfsctl passwd ~/encrypted
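
After step 10 the decrypted directory is an ordinary empty directory again, so anything copied into it while the volume is unmounted is stored in plaintext. The following sketch is an added example, not part of the original practice: the function names encfs_mounted and guarded_store are hypothetical, and it assumes a Linux mount table in /proc/mounts format in which EncFS volumes appear with filesystem type fuse.encfs (the same information steps 6 and 10 show through mount).

```shell
#!/bin/sh
# Added example: refuse to store data in the mount point unless the EncFS
# view is really mounted there. Function names are hypothetical.

# encfs_mounted DIR [MOUNTS_FILE]
# Returns 0 if DIR is listed in the mount table with type fuse.encfs.
# MOUNTS_FILE defaults to /proc/mounts; the parameter exists so the check
# can be run against a constructed table. DIR must be an absolute path
# without spaces (/proc/mounts escapes spaces as \040, not handled here).
encfs_mounted() {
    dir=${1%/}                      # drop one trailing slash
    table=${2:-/proc/mounts}
    # Fields: device mountpoint fstype options dump pass
    awk -v mp="$dir" '
        $2 == mp && $3 == "fuse.encfs" { found = 1 }
        END { exit !found }
    ' "$table"
}

# guarded_store SRC DIR [MOUNTS_FILE]
# Copies SRC into DIR only while an EncFS volume is mounted on DIR.
guarded_store() {
    if encfs_mounted "$2" "${3:-/proc/mounts}"; then
        cp -- "$1" "${2%/}/"
    else
        echo "refusing: $2 is not an EncFS mount, data would be stored unencrypted" >&2
        return 1
    fi
}

# Typical use with the directories from this practice (run as root in the VM):
#   guarded_store /root/report.txt /root/decrypted
```

The same check can be run after fusermount -u to confirm that the plaintext view is no longer reachable.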