EncFS

From Gentoo Linux Wiki

EncFS provides an encrypted filesystem in user-space. It runs without any special permissions and uses the FUSE library and Linux kernel module to provide the filesystem interface.

It works on individual files rather than on an entire block device, and it allows you to change the passphrase later. You can use any standard filesystem you like underneath it; you do not have to change your partitions or filesystems.

This text describes an easy method to encrypt your home directory using EncFS. You may also use any other directory, e.g. you can encrypt your files on a file server, mount them via NFS on your client machine and decrypt them there. You will have a directory containing your encrypted data and a mount point where this directory can be accessed unencrypted, until you unmount it.

Warning: You should back up your data before trying this howto!


Preparing your system

Let's assume you are user john with home directory /home/john, using bash as your shell and logging in on the console.

Log in as root and emerge the packages needed for encfs and for secure deletion of the still-unencrypted data:

emerge -av sys-fs/fuse sys-fs/encfs app-misc/srm

If fuse refuses to build because "your kernel is too new", open the kernel configuration:

cd /usr/src/linux && make menuconfig

and check for the following setting:

Linux Kernel Configuration: enable FUSE
File systems  --->
<M> Filesystem in Userspace support

If it is not enabled, set it to <M> or <*>, save, and rebuild:

make && make modules_install

Finally, load the FUSE kernel module

modprobe fuse

Your system is now ready for encfs.

Move your unencrypted data through encfs

Create a directory where the encrypted data will be stored and a temporary mount point for it. I personally use /home/.john for my encrypted files (I don't want to see the encrypted directory), but to avoid confusion I will use john-crypt here to make sure you know which directory contains what. Change the names to whatever you like.

mkdir /home/john-crypt /home/john-mnt
chown john /home/john-crypt /home/john-mnt
chgrp john /home/john-crypt /home/john-mnt

Log in as user john, create a new encrypted volume in /home/john-crypt and mount it on /home/john-mnt:

encfs /home/john-crypt /home/john-mnt

You will be asked to choose between expert mode (x) and the predefined paranoia mode (p). p should be enough for now (if you want to define exactly how encfs works, use x and read the encfs documentation and the Wikipedia article about EncFS). Then you will be asked for the password/passphrase. Use a long and safe passphrase. The good news is that you can change the password later with encfsctl; many other cryptosystems do not offer this.

Copy all files from your unencrypted home directory to the new encrypted directory, then securely delete the remaining unencrypted files. This may take some time, as secure deletion is I/O-intensive.

cp -R /home/john/.[a-zA-Z0-9]* /home/john-mnt
cp -R /home/john/* /home/john-mnt
srm -r /home/john/.[a-zA-Z0-9]* /home/john/*

Now unmount the encrypted directory.

fusermount -u /home/john-mnt

Log in as root and remove the temporary mount point.

rmdir /home/john-mnt
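The migration steps above as a small POSIX shell script (an added example, not part of the wiki page) with two checks a practitioner would want: it refuses to copy unless the mount point is actually listed as a FUSE mount in the mount table, and it securely deletes the plaintext only after every file has been verified byte-for-byte. It copies src/. instead of the dotfile glob so that all hidden files are included; the paths, the MOUNTS_FILE and SHRED_CMD variables and the sample mount table in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki page: migrate a home directory into an
# EncFS volume with a mount check before copying and a verification step
# before the plaintext is securely deleted. Paths and the two knobs below
# are assumptions.

MOUNTS_FILE=${MOUNTS_FILE:-/proc/mounts}   # mount table to consult (overridable for offline tests)
SHRED_CMD=${SHRED_CMD:-srm -r}             # secure-delete command (app-misc/srm, as on the page)

# Succeed only if MNT is listed in the mount table with a fuse* filesystem type.
# Copying into an unmounted mount point would leave the data in plaintext on disk.
is_encfs_mounted() {
    # /proc/mounts fields: device mountpoint fstype options dump pass
    awk -v m="$1" '$2 == m && $3 ~ /^fuse/ { found = 1 } END { exit !found }' "$MOUNTS_FILE"
}

# Succeed only if every regular file below SRC has a byte-identical copy below DST.
verify_copy() {
    vsrc=$1 vdst=$2
    (cd "$vsrc" && find . -type f) | while IFS= read -r f; do
        cmp -s "$vsrc/$f" "$vdst/$f" || { echo "mismatch: $f" >&2; exit 1; }
    done
}

# Copy SRC (dotfiles included) into the mounted volume MNT, verify the copy,
# and only then securely delete the plaintext originals.
migrate_home() {
    src=$1 mnt=$2
    is_encfs_mounted "$mnt" || { echo "refusing: $mnt is not a FUSE mount" >&2; return 1; }
    cp -R -p "$src"/. "$mnt"/ || { echo "copy failed, plaintext kept" >&2; return 1; }
    verify_copy "$src" "$mnt" || { echo "copy not verified, plaintext kept" >&2; return 1; }
    for f in "$src"/* "$src"/.[!.]* "$src"/..?*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # pattern matched nothing
        $SHRED_CMD "$f" || return 1
    done
}

# Stand-alone use, mirroring the wiki procedure: migrate_home /home/john /home/john-mnt
```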

Some optional comfort

Be aware that, because of FUSE, nobody, not even root and especially not daemons like Samba or NFS, can access your data in your mount point. All they see are files named ??????. If you want to change this, you must use the encfs switch --public and mount your directory as root!

In that case you cannot do the following optional steps, because they require mounting the encrypted data as john:

If you want your home directory unmounted after logout, append this line to the file /home/john/.bash_logout (create it if it does not exist).

File: /home/john/.bash_logout
cd / && fusermount -u /home/john

If you want to be prompted for the encfs passphrase after login, log in as john and create .bash_profile in /home/john:

File: /home/john/.bash_profile
encfs /home/john-crypt /home/john -- -o nonempty,allow_other && cd /home/john
[[ -f ~/.bashrc ]] && . ~/.bashrc

Alternatively, using the package pam_mount (i.e. emerge pam_mount), you can have the encfs volume mounted at login. For that you have to edit

File: /etc/security/pam_mount.conf.xml
<!-- Volume definitions -->
<volume user="YOUR_USER_HERE" fstype="fuse" path="encfs#/path/folder" mountpoint="/path/mntpoint" option="nonempty,allow_other" />

accordingly. This only works, however, if your login and encfs passwords match.

You must also make sure that the pam_mount.so module is loaded, otherwise pam_mount.conf.xml is never parsed:

File: /etc/pam.d/system-auth
#below the "auth            required        pam_unix.so" line
auth            optional        pam_mount.so
#below the "session         required        pam_unix.so" line
session         optional        pam_mount.so

Note: Using pam_mount to auto-mount the home directory on login through gdm only worked after upgrading gdm to 2.32.

When logging in using gnome-base/gdm-2.32, an error message appears because the file ~/.ICEauthority is created before the home directory is mounted. To create the file in /tmp instead, edit:

File: /etc/security/pam_env.conf
ICEAUTHORITY DEFAULT=/tmp/.ICEauthority_@{PAM_USER}

Backups

You can back up your data in any form you like, and you now have the additional and preferable option of backing up your encrypted folder instead of the unencrypted folder/mount point: why encrypt all your data if the one-hour-old backup isn't? ;-) The only thing you have to remember is your passphrase, or both your current and your backed-up data are toast ;-)
