Encrypting files and folders with EncFS
Protected
The EncFS virtual filesystem reduces the configuration overhead for data encryption on Linux.
Encryption is an important precaution that is nonetheless neglected by many users. EncFS offers a simple yet secure method for protecting data against unauthorized access with minimal configuration overhead.
Encryption is like backup: Everyone knows it is important, but any excuse will do not to set it up (yet). EncFS puts an end to excuses: With just one command, a non-root user can set up a directory that stores transparently encrypted data.
EncFS, which is released under the GPL, has been around for 10 years, and it is available for download from the repositories of all the popular distributions. As the name suggests, EncFS [1] is a filesystem – but not in the traditional sense that ext4 or XFS, are filesystems.
To be more precise, EncFS is a virtual encrypted filesystem that protects files and folders from unauthorized access. As a virtual filesystem, EncFS resides on an existing filesystem and relies on the FUSE (Filesystem in Userspace) kernel module [2] as a user process. These properties offer a number of advantages over other filesystems but also entail some disadvantages.
Benefits
Because EncFS relies on other filesystems to store data, it simply uses whatever you have in place, with no need to configure a particular partition or container for encrypted data [3]. As a result, no space is wasted. EncFS requires only a few bytes for metadata and encryption purposes.
EncFS does not care where data resides. Supported filesystems include ext3/4, NFS, and Samba, so you can also use EncFS in connection with cloud services such as Dropbox, if you wish. And, a backup of EncFS-encrypted data works without additional configuration or special backup software. Because the encrypted data is just a file or a directory on the system, it can be treated just like its unencrypted counterpart in your backup. At the same time, the backed up data is protected against unauthorized access.
From the developer's perspective, a filesystem in userspace is also interesting, in that it is easier to set up than a kernel module, for example.
Additionally, if errors occur in the software, a crash does not take down the whole system. (See the "eCryptfs Alternative" box for a kernel space implementation.)
eCryptfs Alternative
eCryptfs [4] provides a very similar method to EncFS for encrypting data. The main difference is its implementation in kernel space: eCryptfs thus does not rely on FUSE and potentially works a little faster. Of course, this impairs portability; whereas EncFS is available for Mac OS X and Windows, eCryptfs is currently mainly limited to Linux.
Setting up eCryptfs is just as easy as setting up EncFS on most distributions. Make sure the ecryptfs
kernel module is loaded and the ecryptfs-utils
package is installed. To set up an encrypted folder, use the command-line program ecryptfs-setup-private
. You can also encrypt your complete home directory if needed with eCryptfs.
Additional utilities that convert existing unencrypted directories make it easy to get started with eCryptfs. Users of Ubuntu can stipulate during the install whether to encrypt their home directories fully with eCryptfs.
Drawbacks
The many benefits of EncFS are offset by some disadvantages, however. For one thing, a filesystem in userspace is usually slower than a kernel module.
Additionally, EncFS does not encrypt the file metadata, so everyone who has access can see the metadata. The corresponding data includes, for example, the number of encrypted files and directories, the associated file permissions, the size of the files, and the approximate length of the file or directory name.
Encrypted Folders
To create a folder named Data-Safe
in your home directory, in which you can save arbitrary files and directories, just type the command:
$ encfs ~/.Data-Safe ~/Data-Safe
Any data you store in ~/Data-Safe
is encrypted transparently by the software and deposited in a hidden directory named .Data-Safe
,
EncFS runs in interactive mode when creating the encrypted directory (Figure 1). Depending on your personal security needs, you can choose at this point between standard mode, paranoia mode, or expert configuration mode.
In expert mode, you can configure many additional settings, such as the algorithm to be used or the key and block length. If you select the default configuration, EncFS outputs the selected settings and prompts you for a password for the newly created directory (see Figure 2).
Caution: Choosing paranoia mode or enabling certain settings in expert configuration mode means you can no longer use hard links. As a result, applications that use hard links might not work properly. One example of this is the console-based mail client, Mutt.
EncFS does not just encrypt the data but also renames files and directories so that the resulting cryptic names allow no conclusions on the content of the files:
$ ls ~/.Data-Safe/ iyZS5h8HEbjyUjRGJqTHxBOrsAoE9,o8nOKSayDFyagPoEBl
To mount the data safe, you use the same command as for setting it up initially. To unmount it again, type:
$ fusermount -u ~/Data-Safe/
The encfsctl
command-line program lets you handle administrative tasks. Among other things, you can output information about an EncFS-encrypted folder or change the password. Such a password change does not mean EncFS encrypts all the data again in a resource-intensive process: EncFS does not use the password as the key during the initial setup. Instead, it generates a volume key. You only encrypt the volume key by entering your password. EncFS encrypts all the other data with the volume key, which does not change even with a new password.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Juno Computers Launches Another Linux Laptop
If you're looking for a powerhouse laptop that runs Ubuntu, the Juno Computers Neptune 17 v6 should be on your radar.
-
ZorinOS 17.1 Released, Includes Improved Windows App Support
If you need or desire to run Windows applications on Linux, there's one distribution intent on making that easier for you and its new release further improves that feature.
-
Linux Market Share Surpasses 4% for the First Time
Look out Windows and macOS, Linux is on the rise and has even topped ChromeOS to become the fourth most widely used OS around the globe.
-
KDE’s Plasma 6 Officially Available
KDE’s Plasma 6.0 "Megarelease" has happened, and it's brimming with new features, polish, and performance.
-
Latest Version of Tails Unleashed
Tails 6.0 is based on Debian 12 and includes GNOME 43.
-
KDE Announces New Slimbook V with Plenty of Power and KDE’s Plasma 6
If you're a fan of KDE Plasma, you'll be thrilled to hear they've announced a new Slimbook with an AMD CPU and the latest version of KDE Plasma desktop.
-
Monthly Sponsorship Includes Early Access to elementary OS 8
If you want to get a glimpse of what's in the pipeline for elementary OS 8, just set up a monthly sponsorship to help fund its continued existence.
-
DebConf24 to be Held in South Korea
Busan will be the location of the latest DebConf running July 28 through August 4
-
Fedora Unleashes Atomic Desktops
Fedora has combined its solid distribution with rpm-ostree system to make it possible to deliver a new family of Fedora spins, called Fedora Atomic Desktops.
-
Bootloader Vulnerability Affects Nearly All Linux Distributions
The developers of shim have released a version to fix numerous security flaws, including one that could enable remote control execution of malicious code under certain circumstances.