March 20, 2006

Encrypt filesystems with EncFS and Loop-AES

Author: Tom Haddon

Encrypted filesystems may be overkill for family photos or your résumé, but they make sense for network-accessible servers that hold sensitive business documents, databases that contain credit-card information, offline backups, and laptops. EncFS and Loop-AES, which are both released under the GNU General Public License (GPL), are two approaches to encrypting Linux filesystems. I'll compare the two and then look at other alternatives.


EncFS provides an encrypted filesystem in userspace and runs without any special permissions. In fact, it's not so much a filesystem as a program that translates requests (encrypting or decrypting them as appropriate) and passes them to the underlying filesystem. It uses the Filesystem in Userspace (FUSE) library and kernel module to provide the filesystem interface, and it uses a pass-through filesystem as opposed to an encrypted block device. With a block device you have to preallocate the size of the data space that you want to encrypt, whereas a pass-through filesystem allows the size of the encrypted data to grow or shrink without being reformatted (because it's being allocated "on the fly"). In contrast to a block device, pass-through encryption exposes metadata about the encrypted files to the regular filesystem on top of which it sits. This means that anyone can see the number of encrypted files, the permissions on the files, the size of each file, and the approximate length of the filenames. With a pass-through system, you can perform backups on a file-by-file basis and, in the case of incremental or differential backups, the backup program will know which files have changed since the last backup, even if the program can't decipher what each file contains.

How you install EncFS depends on which distribution you run. I use Ubuntu Breezy, so installation was as simple as:

sudo apt-get install encfs

This installed all dependencies, including the FUSE library. I needed to add myself to the fuse user group and then log out and back in to be able to run the fusermount command. I also added fuse to /etc/modules so the appropriate kernel module loads on startup. Issue the following command to create an encrypted filesystem:

encfs ~/.crypt/ ~/crypt

When prompted for what options you want to use when creating the filesystem, choose between a default (paranoid) option and an expert option. Choosing expert gives you a number of options, including the encryption algorithm (AES, Blowfish, and blowfish-compat) and the specific key size and block size you want to use (depending on which encryption algorithm you've selected). Choosing expert also prompts you for the password used to determine access to the encrypted filesystem. You can use the encfsctl program to change the password at a later date. The filesystem is then mounted automatically; you can unmount it with this command:

fusermount -u ~/crypt

I threw together the following quick script to allow you to mount and unmount the EncFS encrypted filesystem easily:


    echo "crypt [m|mount|u|unmount]"
    echo " either mounts or unmounts encrypted file system"

    if [ -z $1 ]

    case "$1" in
            "m" | "mount" )
                    /usr/bin/encfs ~/.crypt ~/crypt
                    echo "Encrypted filesystem now mounted"
            "u" | "unmount" )
                    /usr/bin/fusermount -u ~/crypt
                    echo "Encrypted filesystem has been unmounted"
            * )

Examining Loop-AES

I next tried Loop-AES. Loop devices are block devices that don't store any data directly, but rather redirect all reads and writes to an underlying block device or file, possibly encrypting or decrypting data in the process. I chose to write to a file rather than a partition, so you need to modify my Look-AES example slightly if you want to encrypt an entire partition.

First, I installed the kernel-headers Debian package for my kernel, as well as loop-aes-source and the handy module-assistant package. This package does pretty much what you'd expect it to do -- it assists in building kernel modules. Using Loop-AES doesn't require any modification to the kernel, but it does require you to build a kernel module. To do so, as root, type the command:

module-assistant prepare module-assistant build loop-aes

If the module-assistant fails to build the appropriate module for you, you're most likely missing the appropriate kernel configuration files to allow it to do so. You can remedy this by determining which kernel you're using (uname –a) and copying the appropriate /boot/config-xxx file to /usr/src. This file is simply a list of the configuration options for your current kernel in plain text, and you can review it in any text editor.

From /usr/src/linux, type make menuconfig to bring up the text menu for choosing kernel options. Scroll to the bottom and choose "Load an Alternate Configuration File." Type in the path of the copied /boot/config-xxx file, and then save your changes and exit. Module-assistant should now be able to prepare the module correctly. Install it with this command:

apt-get install loop-aes-utils module-assistant install loop-aes

Next, create the filesystem-within-a-file that you want to encrypt using the dd command:

dd if=/dev/zero of=/location/of/file bs=4k count=2560

This creates a filesystem of 10MB, which illustrates one of the major differences between the Loop-AES approach and EncFS: With Loop-AES, you must preallocate the size of the filesystem before usage. This may mean that you end up with a significant amount of unused file space, or that you risk running out of space on your encrypted filesystem. If disk space is at a premium, this trade-off may be unacceptable.

Next, set up the loop device and specify that you want to use AES128 encryption (you can also use AES192 or AES256 for greater security, but with a higher performance hit):

losetup -e AES128 /dev/loop1 /location/of/file

If you don't have /dev/loop1, you can create one with this command:

cd /dev; MAKEDEV loop1

The losetup command prompts you for a password with a minimum of 20 characters. You could create a long, secure password simply with a random sequence of characters, but chances are something this long will require a photographic memory or (more likely) writing it down somewhere, which has its own security implications. Another alternative is to think of a memorable phrase/quote/song lyric and choose the first/last characters from each word. Choosing secure passwords is another article in itself and one that's been covered well elsewhere.

Next, make the filesystem and detach the loop device from it:

mkfs -t ext2 /dev/loop1 losetup -d /dev/loop1

Now, simply create your directory and mount the new encrypted filesystem on it:

mkdir /location/of/mount mount /location/of/file -o loop=/dev/loop1,encryption=AES128 /location/of/mount -t ext2

You'll be prompted again for the password because you're mounting the filesystem. To unmount it, simply type unmount /location/of/mount. You may need to unload your existing loop kernel module and load the new loop module. Also, add loop to /etc/modules to ensure it loads on startup.

Exploring alternatives

Two other programs worth mentioning are dm-crypt and TrueCrypt. dm-crypt leverages the new device-mapper infrastructure that the Linux 2.6 kernel introduced. This infrastructure provides a generic way to create virtual layers on top of real block devices and enables functions such as striping, concatenation, mirroring, and, in this case, encryption, using the new Linux 2.6 Crypto API. Write operations to the device are encrypted while reads from it are decrypted. It allows for filesystem mounting, but you can't access your data without the appropriate key. The cryptsetup package eases the administration of dm-crypt devices, with simple commands such as create, remove, reload, resize, and status. dm-crypt defaults to AES with a 256-bit key.

TrueCrypt holds future promise for Linux filesystem encryption. It can provide a virtual encrypted disk within a file and mount it as a real disk, or you can use it to encrypt an entire disk partition or device, such as a USB flash drive. In other words, it provides an encrypted block device rather than pass-through encryption.

TrueCrypt provides two levels of plausible deniability. First, hidden volumes are essentially composed of an encrypted filesystem hidden within another encrypted filesystem. Second, no TrueCrypt volume can be identified, as the data cannot be distinguished from random data. Furthermore, TrueCrypt offers numerous encryption algorithms, including AES-256, Blowfish (448-bit key), CAST5, Serpent, Triple DES, and Twofish.

TrueCrypt offers binaries for Windows 2000/XP/2003, for a number of Linux distributions, and in source format. However, TrueCrypt's current version (4.1) has a big disadvantage for the Linux platform -- you cannot use it to create a TrueCrypt volume on Linux. The program is open source and the source code is available, but TrueCrypt was written originally for Windows, and the porting process only provides command-line options to manage a TrueCrypt volume. The volume creation portion is tied into the Windows GUI, and the TrueCrypt team is working on bringing this to Linux as well. Currently you have a number of options to create your TrueCrypt volume, including using a dual boot, another machine, QEMU, or VMware, but each option involves getting yourself to a Windows machine. Additionally, I had problems mounting a TrueCrypt volume that I'd created on Windows, and the Linux documentation is a little scarce. I look forward to the release of Linux TrueCrypt volume-creation utilities and the general polishing up of this program for Linux. It will provide a valuable addition to filesystem encryption.

Finally, David Zeuthen of Red Hat mentions on his blog that he's been working to integrate Linux Unified Key Setup (LUKS), which is the basis for dm-crypt, into the GNOME desktop. This promises to simplify encrypting volumes within GNOME, although the final details of how this will be integrated with existing partition management tools are still being finalized.

In summary, you can find a number of options for filesystem encryption in Linux exist, depending on your needs. The most important thing when choosing which one to use is to be clear about your needs. Will the size of the files you need to encrypt grow or stay static? Do you need to encrypt certain files or entire partitions? What level of security do you need? Answers to these questions will help determine the most appropriate program to use.


  • Security