How to Encrypt your Data with EncFS on Debian 8 (Jessie)

EncFS provides an encrypted filesystem in user-space. It runs without any special permissions and uses the FUSE library and Linux kernel module to provide the filesystem interface. It is a pass-through filesystem, not an encrypted block device, which means it is created on top of an existing filesystem. This tutorial shows how you can use EncFS on Debian Jessie to encrypt your data.

 

1 Preliminary Note

I'm using the username till on my Debian Jessie system in this tutorial.

 

2 Installing EncFS

Login as root user on your Server or Desktop, when you use a remote server then you can e.g. login by SSH. EncFS can be installed with apt as follows (we need root privileges):

apt-get -y install encfs

You will get the following warning:

Encfs security warning.

Encfs security information

According to a security audit by Taylor Hornby (Defuse Security), the current implementation of Encfs is vulnerable or potentially vulnerable to multiple types of attacks. For example, an attacker with read/write access to encrypted data might lower the decryption complexity for subsequently encrypted data without this being noticed by a legitimate user, or might use timing analysis to deduce information.

Until these issues are resolved, encfs should not be considered a safe home for sensitive data in scenarios where such attacks are possible.

While encfs might not be a solution to encrypt data for larger organizations or governments or to be used on servers where third parties have write-access to your data in the way that is described above, it should still be secure enough for personal use on your desktop. Please take this in account when you decide to use encfs.

You might want to take a look at the EncFS man page to familiarize yourself with its options now:

man encfs

 

3 Using EncFS

I will now create the directories encrypted and decrypted in my home directory:

mkdir -p ~/encrypted
mkdir -p ~/decrypted

The decrypted directory acts as the mount point for the encrypted directory. To mount ~/encrypted to ~/decrypted, simply run:

encfs ~/encrypted ~/decrypted

If you run this command for the first time, the EncFS setup is started, and you must define a password for the encrypted volume:

till@desktop1:~$ encfs ~/encrypted ~/decrypted
Creating new encrypted volume.
Please choose from one of the following options:
enter "x" for expert configuration mode,
enter "p" for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.
?> <-- p
Paranoia configuration selected.
Configuration finished. The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 3:0:2
Filename encoding: "nameio/block", version 3:0:1
Key Size: 256 bits
Block Size: 1024 bytes, including 8 byte MAC header
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File data IV is chained to filename IV.
File holes passed through to ciphertext.
-------------------------- WARNING --------------------------
The external initialization-vector chaining option has been
enabled. This option disables the use of hard links on the
filesystem. Without hard links, some programs may not work.
The programs 'mutt' and 'procmail' are known to fail. For
more information, please see the encfs mailing list.
If you would like to choose another configuration setting,
please press CTRL-C now to abort and start over.
Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism. However, the password can be changed
later using encfsctl.
New Encfs Password: <-- enter a secure password
Verify Encfs Password: <-- enter a secure password
till@desktop1:~$

Make sure you remember the password because there's no way to recover your encrypted data if you forget the password!

You should now find the EncFS volume in the outputs of

mount
till@desktop1:~$ mount
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
udev on /dev type devtmpfs (rw,relatime,size=10240k,nr_inodes=125548,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,relatime,size=204216k,mode=755)
/dev/sda1 on / type ext4 (rw,relatime,errors=remount-ro,data=ordered,jqfmt=vfsv0,usrjquota=aquota.user,grpjquota=aquota.group)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=23,pgrp=1,timeout=300,minproto=5,maxproto=5,direct)
mqueue on /dev/mqueue type mqueue (rw,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime)
rpc_pipefs on /run/rpc_pipefs type rpc_pipefs (rw,relatime)
encfs on /home/till/decrypted type fuse.encfs (rw,nosuid,nodev,relatime,user_id=5004,group_id=5005,default_permissions)

and

df -h
till@desktop11:~$ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 57G 2.2G 52G 5% /
udev 10M 0 10M 0% /dev
tmpfs 200M 4.7M 195M 3% /run
tmpfs 499M 0 499M 0% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 499M 0 499M 0% /sys/fs/cgroup
encfs 57G 2.2G 52G 5% /home/till/decrypted

To save your data in encrypted form, put your data into the decrypted directory, just as you would do with a normal directory:

cd ~/decrypted
echo "hello foo" > foo
echo "hello bar" > bar
ln -s foo foo2

If you check the contents of the directory, you will see that you can see it in unencrypted form...

ls -l
till@desktop1:~/decrypted$ ls -l
total 8
-rw-r--r-- 1 till till 10 Jan 14 10:38 bar
-rw-r--r-- 1 till till 10 Jan 14 10:38 foo
lrwxrwxrwx 1 till till 3 Jan 14 10:38 foo2 -> foo
till@desktop1:~/decrypted$

... while in the encrypted directory, it's encrypted:

cd ~/encrypted
ls -l
till@desktop1:~/encrypted$ ls -l
total 8
lrwxrwxrwx 1 till till 24 Jan 14 10:38 ewoacflDuTvKLjSZxXsipVZh -> nwekRkg2xWwmUW-P3YgCFNzI
-rw-r--r-- 1 till till 26 Jan 14 10:38 nwekRkg2xWwmUW-P3YgCFNzI
-rw-r--r-- 1 till till 26 Jan 14 10:38 r7sj2xc9OJEHk,nETdYAtMZu
till@desktop1:~/encrypted$

4 Mount and unmount encfs volumes

To unmount the encrypted volume, run:

cd
fusermount -u ~/decrypted

Check the outputs of...

mount

... and...

df -h

... and you will see that the EncFS volume isn't listed anymore.

To mount it again, run

encfs ~/encrypted ~/decrypted

You will be asked for the password you defined earlier:

till@desktop1:~$ encfs ~/encrypted ~/decrypted
EncFS Password:
<-- yoursecretpassword
till@desktop1:~$

If you specify the correct password, this will mount the ~/encrypted directory to ~/decrypted from where you can access your encrypted data in unencrypted form. If you forget the password, your encrypted data is lost!

5 Change encfs password

If you want to change the password, you can do this with the

encfsctl passwd ~/encrypted

command.

till@desktop1:~$ encfsctl passwd ~/encrypted
Enter current Encfs password
EncFS Password:
<-- yoursecretpassword
Enter new Encfs password
New Encfs Password:
<-- newsecretpassword
Verify Encfs Password: <-- newsecretpassword
Volume Key successfully updated.

 

Share this page:

4 Comment(s)