Alessandro Dotti Contra

Linux/Unix DevOps


EncFS: on-the-fly encrypted file system

EncFS provides an encrypted filesystem in user space, which means you don't need to encrypt a full disk partition, but rather you can create an encrypted filesystem on the fly.

Creating an EncFS filesystem

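Creating an encrypted volume is pretty straightforward. The first directory passed to encfs holds the encrypted files; the second is the mount point where they appear decrypted: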

$ mkdir /home/adotti/.work /home/adotti/work
$ encfs /home/adotti/.work /home/adotti/work
Creating new encrypted volume.
Please choose from one of the following options:
enter "x" for expert configuration mode,
enter "p" for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.

Pre-configured paranoia mode is enough for most situations, as it provides some sane defaults - as you can see below.

Paranoia configuration selected.

Configuration finished.  The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 2:1:1
Filename encoding: "nameio/block", version 3:0:1
Key Size: 256 bits
Block Size: 512 bytes, including 8 byte MAC header
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File data IV is chained to filename IV.

New Encfs Password: 
Verify Encfs Password:

Using the encrypted filesystem

To mount the encrypted volume, simply type:

$ encfs /home/adotti/.work /home/adotti/work
EncFS Password:

To unmount it, type:

$ fusermount -u /home/adotti/work

Remarks

Note that while file contents are encrypted, file metadata is not. File sizes, permissions and the overall number of files remain visible.
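
What the remark above means in practice can be checked on the encrypted directory itself, without the password. The Python script below is an added example, not part of the original post: the size formula is an assumption derived from the 8 byte file header and the 512 byte block with 8 byte MAC shown in the paranoia-mode summary, and the file names and sizes in demo() are constructed.

```python
import os
import stat
import tempfile

# Values taken from the paranoia-mode summary printed by encfs above.
FILE_HEADER = 8    # "Each file contains 8 byte header with unique IV data"
BLOCK_SIZE = 512   # "Block Size: 512 bytes, including 8 byte MAC header"
MAC_HEADER = 8

def estimated_plain_size(cipher_size):
    """Assumption: on-disk layout is the file header followed by 512-byte
    blocks, each carrying an 8-byte MAC and up to 504 bytes of data."""
    body = max(cipher_size - FILE_HEADER, 0)
    blocks = -(-body // BLOCK_SIZE)  # ceiling division
    return max(body - blocks * MAC_HEADER, 0)

def visible_metadata(backing_dir):
    """List (mode, cipher size, estimated plain size, path) for every file
    in the encrypted directory, using only what the host filesystem exposes."""
    rows = []
    for root, _dirs, files in os.walk(backing_dir):
        for name in sorted(files):
            if name.startswith(".encfs"):  # EncFS's own config file, not user data
                continue
            path = os.path.join(root, name)
            st = os.lstat(path)
            rows.append((stat.filemode(st.st_mode), st.st_size,
                         estimated_plain_size(st.st_size),
                         os.path.relpath(path, backing_dir)))
    return rows

def demo():
    """Constructed stand-in for /home/adotti/.work: opaque names and random
    bytes, with sizes as a 604-byte and a 10-byte file would leave them."""
    samples = [("Xq3-aaa", 8 + 512 + 108, 0o600), ("kP9,bbb", 8 + 18, 0o644)]
    with tempfile.TemporaryDirectory() as d:
        for name, size, mode in samples:
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(os.urandom(size))
            os.chmod(path, mode)
        return sorted(visible_metadata(d), key=lambda r: r[3])

if __name__ == "__main__":
    for row in demo():
        print(*row)
```

Calling visible_metadata("/home/adotti/.work") on a real volume gives the same view of your own data; if sizes or file counts are sensitive, EncFS alone does not hide them.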