June 26, 2006

CLI Magic: EncFS

Author: Joe Barr

EncFS is an easy-to-use, command-line tool for storing information in encrypted form. It's not really a filesystem, but it pretends to be one at the CLI. If you've been searching for a means of encrypting and decrypting your sensitive data easily, here it is.

User Level: Intermediate

EncFS is included with the distribution I'm using on the desktop, Ubuntu Dapper, so all I needed to do to install it was a few clicks in Synaptic. Look for the encfs package, and select it for installation. It should pull down all of the dependencies for the system.

If you're not so lucky, and your distro doesn't include EncFS packages, you can download the latest tarball from here and build it from the source. See the EncFS site for dependencies.

In addition, you'll need to load the fuse kernel module in order to use EncFS. To do this, run modprobe fuse, which should take care of loading the fuse kernel module. You also need to add your user ID to the fuse group before you can use EncFS. To add the user ID to the fuse group, run usermod -a -G fuse username -- this will add username to the fuse group, without removing the user from other groups.

Here's how it works. When you start EncFS at the command line, you tell it where to keep the encrypted and decrypted versions of your "filesystem." The encrypted version stays put, right where you tell it to stay, but the plain-text version disappears when you want it to, either by use of an unmount command or by reaching a predetermined period of inactivity. Let's take a hypothetical case to illustrate the process.

I'm planning a surprise birthday party for someone near and dear to me, someone who occasionally uses my desktop computer, so I decide to use EncFS to hide the evidence. To get started, I simply enter the following at the CLI:

encfs ~/.partyplans ~/partyplans

Since this is the first time EncFS has heard about partyplans, it double-checks to make sure I haven't made a typo before proceeding to create the directories, set the options, and get a password to use with them:

The directory "/home/warthawg/.partyplans/" does not exist. Should it be created? (y,n) y
The directory "/home/warthawg/partyplans" does not exist. Should it be created? (y,n) y
Creating new encrypted volume.
Please choose from one of the following options:
 enter "x" for expert configuration mode,
 enter "p" for pre-configured paranoia mode,
 anything else, or an empty line will select standard mode.

Standard configuration selected.
Configuration finished. The filesystem to be created has the following properties:
Filesystem cipher: "ssl/blowfish", version 2:1:1
Filename encoding: "nameio/block", version 3:0:1
Key Size: 160 bits
Block Size: 512 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.

Now you will need to enter a password for your filesystem. You will need to remember this password, as there is absolutely no recovery mechanism. However, the password can be changed later using encfsctl.

New Encfs Password:
Verify Encfs Password:
warthawg@wartslair:~$

Encrypted file systems and other users

We wondered -- in the event there were multiple users on a system -- who could see the unencrypted versions of EncFS? So we asked Valient Gough, the program's author.

Linux.com: If there are multiple users on a system, and one of them is using EncFS to view/edit secret data, will that data exposed by the 'mounted' filesystem be visible to others on the system?

Gough: Nope. By default, other users are not able to see FUSE filesystems, which is handled at the kernel level before encfs gets control. Even root can't view files there by default - although if someone has root access they can get around any restrictions by a number of ways.

There are a couple of options to FUSE to change this behavior if desired (and encfs can help here as well). FUSE has an option to allow root access, and to allow all users. Allowing all users requires the filesystem to be run by root (for security -- see FUSE mailing list archives for older discussions when allow_* flags were added).

Encfs has a command line option "--public" which will pass the appropriate flags to FUSE to allow all-user access, but that means encfs must be run as root. The standard Unix permissions still apply - users can only read files that they have permission to access. When run in this way, files which are created by a user will be owned by that user (which is why it has to be run by root).

Then I can plot and scheme and plan for the surprise party to my heart's content, and remember to save the evidence in the secure ~/partyplans directory. As soon as I do so, the secret data is available in both encrypted form -- in the hidden ~/.partyplans directory -- and in plain-text in the visible directory. Test that by entering ls -al and looking for the .partyplans and partyplans entries. It's all there, in plain sight, and that's not good.

We need to use a related tool to make the plain-text version disappear until it's needed again. Like this:

fusermount -u ~/partyplans

That unmounts the files in the partyplans directory. The directories are still there, the encrypted versions of any files are still there. But the human-readable data files are gone. Pretty neat, huh? To make them reappear, simply enter the original EncFS command specifying the directories to be used, and after it checks the password, the invisible becomes visible again.
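
As an added example (not from the original article or the EncFS project), the following shell functions list EncFS plain-text views that are still mounted, which user ID mounted them, and whether they were mounted for all users, the case Gough describes for --public. It assumes the kernel mount table reports EncFS as type fuse.encfs and lists allow_other for all-user mounts; the sample table and the /srv path are constructed.

```shell
#!/bin/sh
# Added example: report EncFS plain-text views that are still mounted.
# Assumption: the mount table reports EncFS as type "fuse.encfs" and lists
# allow_other for volumes mounted for all users (what --public requests).

# Constructed sample in /proc/mounts format (not captured from a real host).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
encfs /home/warthawg/partyplans fuse.encfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
encfs /srv/shared\040plans fuse.encfs rw,relatime,user_id=0,group_id=0,default_permissions,allow_other 0 0
sshfs /mnt/remote fuse.sshfs rw,nosuid,nodev,user_id=1000,group_id=1000 0 0'

# encfs_mounts: reads a mount table on stdin and prints one line per EncFS view:
#   <owner-only|all-users> uid=<mounting uid> <mount point>
encfs_mounts() {
    while read -r _dev mnt fstype opts _rest; do
        [ "$fstype" = "fuse.encfs" ] || continue
        exposure=owner-only
        uid=unknown
        old_ifs=$IFS
        IFS=,
        for o in $opts; do
            case $o in
                allow_other) exposure=all-users ;;
                user_id=*)   uid=${o#user_id=} ;;
            esac
        done
        IFS=$old_ifs
        # The kernel writes a space in a path as \040; %b decodes it.
        printf '%s uid=%s %b\n' "$exposure" "$uid" "$mnt"
    done
}

# encfs_any_public: exit status 0 if any EncFS view on stdin is open to
# other users, non-zero otherwise.
encfs_any_public() {
    encfs_mounts | grep -q '^all-users '
}

# Demo on the sample; on a live system use: encfs_mounts < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | encfs_mounts
```

Any view it lists is still readable in plain text and can be closed with fusermount -u on the printed mount point.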

EncFS also has an option that sets a period of inactivity, in minutes, after which the plain-text "filesystem" is automatically unmounted. To set a one-hour period, for example, you would enter this when creating the "filesystem":

encfs --idle=60 ~/.autohide ~/autohide

But what if...

You know what they say about the best laid plans. So what do you do if you need to change the password for, or the location of, your super-sekrit (TM) party plans? You use the encfsctl command, that's what. Just like this, if you need to change the password:

encfsctl passwd ~/.partyplans

That triggers the following dialog, which asks for the current password, then the new one, then for verification of the new one.

Enter current Encfs password
EncFS Password:
Enter new Encfs password
New Encfs Password:
Verify Encfs Password:
Volume Key successfully updated.

There you have it, basic usage for EncFS and friends, more than enough to keep your own party plans safe from prying eyes. Of course, there's more to EncFS, so be sure to read the man pages for encfs, encfsctl, and fusermount.
