encfs: transparent crypto overlay
encfs is a cryptographic file system (encfs-website). The principle is very simple: you “bind-mount” one directory (containing the encrypted data) to another directory (where it appears unencrypted). Thus, you can share the encrypted data and nobody but you can read it. This makes the system well suited for cloud services like Dropbox, which trap you with some space in the cloud “for free”, but want you to share your private data with them. In a few paragraphs we’ll see how to set up encfs for Dropbox, but let’s first take a look at
First of all you have to install encfs. Assuming you’re sitting in front of a Debian-based OS:
encfs is fuse-based, so the user who wants to use encfs has to be a member of the group fuse. You may use the groups command to make sure you belong to
That’s it, now the way to use encfs is paved. Let’s say we want to work with our data in /dir/clear, while everything is stored encrypted in /dir/crypt. It’s quite simple to set up this environment, just call encfs [crypt-dir] [decrypt-dir]:
Give it a p and choose a password. This command will create an encrypted container in /dir/crypt and immediately mount it to /dir/clear. Feel free to create some files in /dir/clear (your new working directory) and compare this directory with /dir/crypt. You’ll see that you are not able to understand the files in /dir/crypt, unless you’re a genius or the setup failed. Thus, it’s no issue if anyone might have access to the content in
To unmount the clear data use fusermount -u /dir/clear. To remount it just call encfs /dir/crypt /dir/clear again; it will just ask you for the password to decrypt the data.
Of course it’s not very convenient to mount the directory manually every time, hence there is a workaround to automount your encfs directories on login. You need to install
To automatically mount an encfs on login, the password for the crypt-fs has to be the same as the password for your user account! If that’s the case, add a line like the following to
On your next login this directory will automatically be mounted. Very smart!
Using encfs for the cloud
Ok, let’s get to the main reason for this article, winking towards Norway ;) .
As you might have heard, there are some file hosting services out there, like Dropbox or Ubuntu One. They provide some space in the cloud which can be mounted to different devices, so that your data is sync’ed between your systems.
Unfortunately, most of these services want to read your data. E.g. the Dropbox system wants to store a file used by multiple users only once. Even if they pretend to assure that nobody’s able to read your private data, you all know that this is bullshit nearly impossible! However, I strongly recommend not pushing critical/private files to these kinds of providers.
But, tada, you’ve just learned how to sync your files using the cloud while keeping them private! Let’s assume the directory /home/martin/Dropbox is monitored by Dropbox. You just need to create two more directories, like /home/martin/Dropbox/private (for encrypted files to be sync’ed) and /home/martin/Dropbox-decrypt (for decryption). Mount encfs and work in /home/martin/Dropbox-decrypt. As explained above, feel free to set up an automount using pam ;-)
/home/martin/Dropbox but not in the private directory will be sync’ed unencrypted, so you won’t lose the opportunity to share some open data with [whoever], e.g. via web browser.
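The directory layout above as an added shell example (not part of the original post): it refuses to mount when the cleartext directory would lie inside the synced folder, then runs the encfs call shown earlier. The function names, exit codes and argument order are assumptions of this example.

```shell
#!/bin/sh
# Added example: guarded encfs mount for the Dropbox layout described above.
# Function names, exit codes and argument order are assumptions of this sketch.

# is_within CHILD PARENT: true if CHILD equals or lies beneath PARENT.
# Compares whole path components, so /home/martin/Dropbox-decrypt is NOT
# treated as inside /home/martin/Dropbox. Purely lexical: symlinks and
# ".." are not resolved.
is_within() {
    case "${1%/}/" in
        "${2%/}/"*) return 0 ;;
    esac
    return 1
}

# has_group NAME "LIST": true if NAME is a whole word in the space-separated LIST.
has_group() {
    case " $2 " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# check_layout SYNC CRYPT CLEAR: the ciphertext must be inside the synced
# directory, the cleartext mount point must be outside it.
check_layout() {
    is_within "$2" "$1" || { echo "crypt dir $2 is not synced by $1" >&2; return 2; }
    if is_within "$3" "$1"; then
        echo "refusing: $3 is inside $1, cleartext would be uploaded" >&2
        return 3
    fi
}

# mount_private SYNC CRYPT CLEAR: run the checks, then mount (absolute paths).
mount_private() {
    check_layout "$1" "$2" "$3" || return
    # The article requires membership in group fuse; only warn if it is missing.
    has_group fuse "$(id -nG)" || echo "warning: user is not in group fuse" >&2
    if mountpoint -q "$3"; then
        echo "$3 is already mounted"; return 0
    fi
    mkdir -p "$2" "$3" && encfs "$2" "$3"   # encfs prompts for the password
}

# Usage: sh mount-private.sh /home/martin/Dropbox \
#        /home/martin/Dropbox/private /home/martin/Dropbox-decrypt
[ "$#" -eq 0 ] || mount_private "$@"
```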
Of course, this method comes with some drawbacks:
- It is a bit more work to set up every client before you can start working with your private data (fortunately the overhead is kept within reasonable limits)
- You cannot access these files through the web browser, or using your mobile phone (unless your phone comes with encfs-support)
All in all, you need to decide on your own how much you trust Dropbox (and the like) and which kind of data you commit to Dropbox unencrypted.