Learn about Linux
Download Linux
Get Linux helpSpecial Offers
Feature
CLI Magic: EncFS
Share
Print
CommentsUser Level: Intermediate
EncFS is included with the distribution I'm using on the desktop, Ubuntu Dapper, so all I needed to do to install it was a few clicks in Synaptic. Look for the encfs package, and select if for installation. It should pull down all of the dependencies for the system.
If you're not so lucky, and your distro doesn't include EncFS packages, you can download the latest tarball from here and build it from the source. See the EncFS site for dependencies.
In addition, you'll need to load the fuse kernel module in order to use EncFS. To do this, run modprobe fuse, which should take care of loading the fuse kernel module. You also need to add your user ID to the fuse group before you can use EncFS. To add the user ID to the fuse group, run usermod -a -G fuse username -- this will add username to the fuse group, without removing the user from other groups.
Here's how it works. When you start EncFS at the command line, you tell it where to keep the encrypted and decrypted versions of your "filesystem." The encrypted version stays put, right where you tell it to stay, but the plain-text version disappears when you want it to; either by use of an unmount command or by reaching a predetermined period of inactivity. Let's take a hypothetical case to illustrate the process.
I'm planning a surprise birthday party for someone near and dear to me, someone who occasionally uses my desktop computer, so I decide to use EncFS to hide the evidence. To get started, I simply enter the following at the CLI:
encfs ~/.partyplans ~/partyplans
Since this is the first time EncFS has heard about partyplans, it double-checks to make sure I haven't made a typo before proceeding to create the directories, set the options, and get a password to use with them:
The directory "/home/warthawg/.partyplans/" does not exist. Should it be created? (y,n) y The directory "/home/warthawg/partyplans" does not exist. Should it be created? (y,n) y Creating new encrypted volume. Please choose from one of the following options: enter "x" for expert configuration mode, enter "p" for pre-configured paranoia mode, anything else, or an empty line will select standard mode. ?
Standard configuration selected.
Configuration finished. The filesystem to be created has the following properties: Filesystem cipher: "ssl/blowfish", version 2:1:1 Filename encoding: "nameio/block", version 3:0:1 Key Size: 160 bits Block Size: 512 bytes Each file contains 8 byte header with unique IV data. Filenames encoded using IV chaining mode.
Now you will need to enter a password for your filesystem. You will need to remember this password, as there is absolutely no recovery mechanism. However, the password can be changed later using encfsctl.
New Encfs Password: Verify Encfs Password: warthawg@wartslair:~$
| Encrypted file systems and other users |
|---|
|
We wondered -- in the event there were multiple users on a system -- who could see the unencrypted versions of EncFS? So we asked Valient Gough, the program's author. Linux.com: If there are multiple users on a system, and one of them is using EncFS to view/edit secret data, will that data be exposed by the 'mounted' filesystem be visible to others on the system?" Gough: Nope. By default, other users are not able to see FUSE filesystems, which is handled at the kernel level before encfs gets control. Even root can't view files there by default - although if someone has root access they can get around any restrictions by a number of ways. There are a couple of options to FUSE to change this behavior if desired (and encfs can help here as well). FUSE has an option to allow root access, and to allow all users. Allowing all users requires the filesystem to be run by root (for security -- see FUSE mailing list archives for older discussions when allow_* flags were added). Encfs has a command line option "--public" which will pass the appropriate flags to FUSE to allow all-user access, but that means encfs must be run as root. The standard Unix permissions still apply - users can only read files that they have permission to access. When run in this way, files which are created by a user will be owned by that user (which is why it has to be run by root). |
Then I can plot and scheme and plan for the surprise party to my heart's content, and remember to save the evidence in the secure ~/partyplans directory. As soon as I do so, the secret data is available in both encrypted form -- in the hidden ~/.partyplans directory -- and in plain-text in the visible directory. Test that by entering ls -al and looking for the .partyplans and partyplans entries. It's all there, in plain sight, and that's not good.
We need to use a related tool to make the plain-text version disappear until it's needed again. Like this:
fusermount -u ~/partyplans
That unmounts the files in the partyplans directory. The directories are still there, the encrypted versions of any files are still there. But the human-readable data files are gone. Pretty neat, huh? To make them reappear, simply enter the original EncFS command specifying the directories to be used, and after it checks the password, the invisible becomes visible again.
EncFS also has an option which creates the "filesystem" which allows you to set a predetermined period of inactivity, which will automatically unmount the plain-text "filesystem" after the specified number of minutes of inactivity is reached. To set a one hour period, for example, you would enter this when creating the "filesystem:"
encfs -i=60 ~/.autohide ~/autohide
But what if...
You know what the say about the best laid plans. So what do you do if you need to change the password for, or the location of, your super-sekrit (TM) party plans appear? You use the encfsctl command, that's what. Just like this, if you need to change the password:
encfsctl passwd ~/.partyplans
That triggers the following dialog, which asks for the current password, then the new one, then for verification of the new one.
Enter current Encfs password EncFS Password: Enter new Encfs password New Encfs Password: Verify Encfs Password: Volume Key successfully updated.
There you have it, basic usage for EncFS and friends, more than enough to keep your own party plans safe from prying eyes. Of course, there's more to EncFS, so be sure to read the man pages for encfs, encfsctl, and fusermount.
Comments
on CLI Magic: EncFSNote: Comments are owned by the poster. We are not responsible for their content.
-rwsr-xr-- 1 root fuse 19160 2006-05-21 17:23<nobr> <wbr></nobr>/usr/bin/fusermount
modprobe fuse?
It has the advantage that the key is stored inside the encrypted file itself, instead of in a seperate file (as with encfs), so encrypted files can be transfered from one PC to another without any extra files and decrypted there (as long as you have the the passphrase).
Even though ecryptfs is still in development, it already has all the functionality encfs can offer and a roadmap of pretty exciting features. One disadvantage (or maybe you see it as an advantage) of ecryptfs is though that it doesn't work with fuse, but requires a seperate kernel module (which is already in the -mm kernel tree though).
quote with my emphasis > 'so all I needed to do to install it was a FEW CLICKS in Synaptic'
how about $>apt-get install encfs ???
very bad form Joe Barr...tsk tsk
It has never been my position that the choice of a GUI or the CLI is a binary one. From the very beginning, I've argued that you should use the right tool for the task at hand. Sometimes that's the GUI, sometimes the CLI.
With Ubuntu, I can use Synaptic or apt-get as the spirit moves me. Just as Baud intended.
Joe Barr
then make sure that your using is added to the fuse group.
Then you need to log out and log back in for the change in groups to take effect.
> in comparison with encrypting a file with gpg and then removing the
> original?
Um... well, to start with, you have to actually go through the manual
steps of encrypting and decrypting it by hand. I would imagine that
this gets a bit tiresome after a while.
And then, when you ``remove'' the original, your unencrypted data is
still on the device until it is overwritten by later writes.
> still on the device until it is overwritten by later writes.
Ah, this makes sense providing (in the case of using encfs) an unencrypted file completely fits into RAM. This seems to be quite likely for text files and big amounts of RAM available nowadays. Thank you!
just wanted to post this hint regarding "encfs" on Novell/SUSE 10.0:
- make sure you got everything you need for kernel development, e.g. gcc, kernel-sources, etc.
- install "openssl" from the CD
- install "openssl-devel" from the CD
- do an online-update to make sure the SSL libraries are up-to-date
- get the "fuse" and "fuse-devel" packages (I used "apt-get" for this: "apt-get install fuse fuse-devel"<nobr> <wbr></nobr>... your mileage may vary!)
- get the Source RPM for "rlog": rlog-1.3.7-1.src.rpm (you should find it on the encfs homepage)
- get the Source RPM for "encfs": encfs-1.3.1-1.src.rpm (you should find it on the encfs homepage)
Then, as superuser "root", go to the directory into which you downloaded the two *.rpm files and issue these commands :
rpmbuild --rebuild rlog-1.3.7-1.src.rpm
rpmbuild --rebuild encfs-1.3.1-1.src.rpm
The above commands should produce tons of output. As long as it doesn't say anything like "error" everything should be fine.
When completed successfully, you should have two new RPM's in this directory:<nobr> <wbr></nobr>/usr/src/packages/RPMS/i586/
There you should find "encfs-1.3.1-1.i586.rpm" and the file "rlog-1.3.7-1.i586.rpm"
Now you can install the two with the "rpm" command:
cd<nobr> <wbr></nobr>/usr/src/packages/RPMS/i586/
rpm -ivh rlog-1.3.7-1.i586.rpm
rpm -ivh encfs-1.3.1-1.i586.rpm
Voila, "encfs" is installed and works.
Regards,
"scorp123"
The encrypted drive can be automatically mounted as you log in and umounted on logoff.
For more details see libpam_encfs.
(Just don't use 'paranoid' encryption as hardlinks don't work and cause problems with libxauth)
Simon.
fuse: failed to exec fusermount: Permission denied
Posted by: Anonymous Coward on August 22, 2006 09:45 AMNot working here<nobr> <wbr></nobr>:-( (Neutral)
By Anonymous Reader on 2006.06.26 4:17 (#89787)
-
when I try to run encfs to open my secure folder, I get:
fuse: failed to exec fusermount: Permission denied
fuse failed. Common problems:
- fuse kernel module not installed (modprobe fuse)
- invalid options -- see usage message
I am using Ubuntu 5.10. I have already added myself to the fuse user group, and checked that fusermount has permissions -rwsr-xr--
Sometimes when I fiddle with the fuse group e.g.remove my user then re-add it, then log out and back in - it works! Next time I boot the machine, I'm back where I started.
Grateful for any guidance.
Re:fuse: failed to exec fusermount: Permission den
Posted by: Administrator on August 23, 2006 02:07 AMsudo encfs ~/.test ~/test
Enter password for sysadmin
Enter password for Encfs
sudo fusermount -u<nobr> <wbr></nobr>/test
encfs ~/.test ~/test
Enter password for Encfs
I guess that the sysadmin privilege carries over when I run encfs. I seem to have a permission problem, but do not know where to look to solve it.
Re:fuse: failed to exec fusermount: Permission den
Posted by: Anonymous Coward on September 06, 2006 09:24 PMThere is no need to sudo(8). Also if you don't specify --public to encfs you will not be able to view your files as they will be accessible only to root.
Do you have fuse utils installed at all? Check whether fusermount is available on your system. If it is not then check which package in Ubuntu provides them and install it. In Debian etch the program is located in fuse-utils package.
At least on debian etch (currently the testing branch)<nobr> <wbr></nobr>/usr/bin/fusermount is owned by root:fuse and has permissions 4750, which means that you have to be a member of the fuse group to be able to execute it. I guess on Ubuntu the situation is pretty much the same. What you can do is
as root. Where <group of fusermount> is the result of<tt>adduser <your username> <group of fusermount></tt>
on your system.<tt>stat -c %G<nobr> <wbr></nobr>/usr/bin/fusermount</tt>
Note that the in-kernel list of group memberships is initialised at login time. That means you have to either login again or su <your username> in order for the change to take effect.
Good Luck,
Hristo
Re:fuse: failed to exec fusermount: Permission den
Posted by: Anonymous Coward on September 07, 2006 03:44 AMMy usercode is a member of the fuse group.
The following sequence works fine:
sudo modprobe fuse
Enter su password
encfs ~/.test ~/test
Enter Encfs password
I can live with that. I imagine that I'm having a problem because only a superuser can mount a file system.
Re:fuse: failed to exec fusermount: Permission den
Posted by: Anonymous Coward on February 19, 2007 08:44 AMchown root:fuse<nobr> <wbr></nobr>/usr/bin/fusermount
addgroup fuse
Not working here :-(
Posted by: Anonymous Coward on June 26, 2006 04:17 PM#