Simple encryption via encfs

Posted by oxtan on Fri 5 Aug 2005 at 16:32

Encryption is often a useful thing, but with the overhead involved it is common to forget to do so. Previously we've covered using a loopback filesystem for encryption. An alternative is to use encfs, which we will introduce here.

Thanks to Steve for explaining how to install fuse. We will use that, so make sure that the fuse module is loaded:

# modprobe fuse 

As usual we need to install the software:

apt-get install encfs

(If we already have the fuse module installed, then the only dependency will be librlog1).

Once the package is installed we're all set. The only thing we need to do then is encrypt the data.

It is quite simple to set up: you need a source directory and a destination directory (although if the latter does not exist it will be created for us). The only thing to remember is that you must use full paths.

user@host:~$ encfs /home/user/test/ /home/user/temp/
The directory "/home/user/temp/" does not exist. Should it be created? (y,n)
y
Creating new encrypted volume. 
Please choose from one of the following options: 
 enter "x" for expert configuration mode,
 enter "p" for pre-configured paranoia mode,
 anything else, or an empty line will select standard mode.

Standard configuration selected.

Configuration finished.  The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/blowfish", version 2:1:1
Filename encoding: "nameio/block", version 3:0:1
Key Size: 160 bits
Block Size: 512 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.

Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism.  However, the password can be changed
later using encfsctl.

New Encfs Password:
Verify Encfs Password:
user@host:~$

Now everything you copy to the destination folder will be automatically encrypted in the source folder.

user@host:~$ ls test
user@host:~$ echo "This is a test" > temp/test.txt
user@host:~$ ls test
YxphRzdrfzsvfOlltIO1Rd8S
user@host:~$ ls temp/
test.txt
user@host:~$ 

The advantage of this encryption method is that you do not have to encrypt a whole partition of your hard disk and it is easy to back-up.

The disadvantage is that the meta-data remains visible. For a full explanation, see the extended intro to encfs, where it is all explained.

Be warned that you need to keep the control file ".encfs5" at the top of the encrypted directory in a safe place. If disaster strikes and you do not have that file (or your password, doh) you will not be able to recover your data.
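Because the encrypted directory is just ordinary files, it can be archived without mounting it. The following is an added example, not part of the original article: the function name `backup_encfs_store` and its arguments are this example's own, and the archive path must lie outside the encrypted directory. It refuses to produce a backup that lacks the ".encfs5" control file.

```shell
#!/bin/sh
# Added example: archive an encfs ciphertext directory without mounting it.
# backup_encfs_store CIPHERTEXT_DIR ARCHIVE   (hypothetical helper name)
# The body runs in a subshell so umask and exit stay local to the call.
backup_encfs_store() (
    src=${1%/}
    archive=$2
    umask 077                       # archive readable by its owner only
    if [ ! -d "$src" ]; then
        echo "not a directory: $src" >&2
        exit 2
    fi
    # Without .encfs5 the ciphertext cannot be decrypted, so an archive
    # that lacks it is not a usable backup.
    if [ ! -s "$src/.encfs5" ]; then
        echo "no .encfs5 in $src: refusing to back up" >&2
        exit 3
    fi
    tar -C "$src" -cf "$archive" . || exit 4
    # Read the control file back out of the archive and compare it
    # byte for byte with the one on disk.
    tar -xOf "$archive" ./.encfs5 | cmp -s - "$src/.encfs5" || exit 5
    echo "$archive"
)

# Example call (paths from the article): archive /home/user/test
if [ "${1:-}" = "run" ]; then
    backup_encfs_store /home/user/test "$HOME/encfs-test-backup.tar"
fi
```

The archive contains only encrypted names and contents, but it still needs the password to be of any use when restored.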

Once you are done, do not forget to unmount the fuse-fs with fusermount -u:

user@host:~$ fusermount -u temp

 

 


Posted by Anonymous (64.166.xx.xx) on Fri 5 Aug 2005 at 19:04
Weird. I can't mount it as a regular user:

New Encfs Password:
Verify Encfs Password:
fusermount: failed to create device node: Operation not permitted
fusermount: fuse device not found, try 'modprobe fuse' first
fuse failed. Common problems:
- fuse kernel module not installed (modprobe fuse)
- invalid options -- see usage message

I have the module loaded, I can do it with root, but not as a regular user. I set FUSE_GROUP=staff and I am in staff.
This also scares me:
# if the following is set to true, the group will automatically be deleted
# when the package is removed.
FUSE_GROUPDELETE=true

[ Parent | Reply to this comment ]

Posted by oxtan (80.126.xx.xx) on Fri 5 Aug 2005 at 20:15
I think that you need to become member of the group fuse because fusermount owns it.

[ Parent | Reply to this comment ]

Posted by Anonymous (66.245.xx.xx) on Fri 5 Aug 2005 at 22:11
Just dpkg-reconfigure'ed fuse-utils and added the fuse group and myself to the group. No luck. Maybe it's grsec that's stopping me...

[ Parent | Reply to this comment ]

Posted by Steve (82.41.xx.xx) on Sat 6 Aug 2005 at 01:09

That seems likely, the whole purpose of grsec is to limit what you can do.

Should be obvious from your kernel logs though ..

Steve
-- Steve.org.uk

[ Parent | Reply to this comment ]

Posted by Anonymous (193.11.xx.xx) on Mon 26 Sep 2005 at 22:52
The error for me was that I had an old version of fusermount in the directory /usr/bin
whilst the new version of fusermount was in /usr/local/bin.

When I deleted /usr/bin/fusermount and symlinked the fusermount in /usr/local/bin to /usr/bin this error went away. Unfortunately there are still some other issues I have to deal with :-)

fusermount: failed to create device node: Operation not permitted
fusermount: fuse device not found, try 'modprobe fuse' first
fuse failed. Common problems:
- fuse kernel module not installed (modprobe fuse)
- invalid options -- see usage message

[ Parent | Reply to this comment ]

Posted by Anonymous (66.245.xx.xx) on Tue 15 Nov 2005 at 19:11
Is encfs or fuse broken in sid, or is it just me?
I haven't been able to get this working since this article was published. )=

$ dpkg -l fuse-utils encfs fuse-source
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==============-==============-============================================
ii encfs 1.2.4.1-2 encrypted virtual filesystem
ii fuse-source 2.4.0-1 Filesystem in USErspace (source for kernel m
ii fuse-utils 2.4.0-1 Filesystem in USErspace (utilities)
$ !lsm
lsmod |grep fuse
fuse 42792 0
$ ls
a/ b/
$ encfs /tmp/fuse/a /tmp/fuse/b
Creating new encrypted volume.
Please choose from one of the following options:
enter "x" for expert configuration mode,
enter "p" for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.
?>

Standard configuration selected.

Configuration finished. The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/blowfish", version 2:1:1
Filename encoding: "nameio/block", version 3:0:1
Key Size: 160 bits
Block Size: 512 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.

Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism. However, the password can be changed
later using encfsctl.

New Encfs Password:
Verify Encfs Password:
fusermount: failed to open /dev/fuse: No such file or directory
fuse failed. Common problems:
- fuse kernel module not installed (modprobe fuse)
- invalid options -- see usage message
$ ls -l /dev/fuse
ls: /dev/fuse: No such file or directory
$

[ Parent | Reply to this comment ]

Posted by jaschmidt (155.98.xx.xx) on Fri 3 Feb 2006 at 16:30
To fix this:

fusermount: failed to open /dev/fuse: No such file or directory

You need to either modprobe fuse or use modconf to "turn on" this module. Once it is loaded -- check via lsmod looking for fuse, then you should be good to go.

John

[ Parent | Reply to this comment ]

Posted by Anonymous (65.172.xx.xx) on Fri 5 May 2006 at 22:44
Unfortunately, this does not work with Ubuntu Dapper at all. I'm seeing the same results as the OP, and fuse is definitely loaded. Loading fuse shows:

May 5 17:33:16 localhost kernel: [4306069.837000] fuse init (API version 7.3)

But no /dev/fuse is created. A reboot didn't solve it. I'll rip through the source and see what's going on here.

[ Parent | Reply to this comment ]

Posted by Anonymous (62.23.xx.xx) on Thu 13 Jul 2006 at 10:14
I'm trying to use it with Fedora Core 5 and it doesn't work yet.

The problem may be that I don't use it with a user in the fuse group (I can add user to this group because of a NIS system that I don't manage).
So I changed the permissions of fusermount so that it can be used by others.
Do you know if there are other things to do in order to be able to use fuse with "other" privileges?

# lsmod | grep fuse
fuse 40665 0

$ encfs ~/.crypt ~/crypt
Mot de passe :
fusermount: failed to open /dev/fuse: Permission denied

# ls /dev/fuse
/dev/fuse

Thanks in advance

[ Parent | Reply to this comment ]

Posted by Anonymous (24.7.xx.xx) on Sun 12 Nov 2006 at 04:23
A temporary solution is to "chown root:fuse /dev/fuse" after "addgroup fuse" and adding your user to the group.

[ Parent | Reply to this comment ]

Posted by Anonymous (189.101.xx.xx) on Sun 2 Oct 2011 at 21:01
I get access denied from nautilus even after having run 'sudo addgroup fuse', then 'sudo adduser deltrem fuse', then 'sudo chown root:fuse /dev/fuse'.

[ Parent | Reply to this comment ]

Posted by ranDom (82.67.xx.xx) on Thu 21 Dec 2006 at 09:37
I have just installed it on a Debian Stable.

When setting it up, I got the following message:
$ encfs /home/tom/enc /home/tom/clear
fusermount: failed to open /tmp/.fuse_devXXXX

It did not work as root either.

I found out that the device node /dev/fuse had not been created, either by modprobe'ing fuse or by the install.

So I had to create it manually to make the whole thing work as expected:

# mknod /dev/fuse -m 0660 c 10 229
# chown root.fuse /dev/fuse


Et voila !


--
Tom

[ Parent | Reply to this comment ]

Posted by Anonymous (150.65.xx.xx) on Thu 8 Mar 2007 at 09:33
I was trying to install sshfs in Ubuntu. I had the same problem: the device node /dev/fuse was not created somehow :S... But thanks for the tip, now it is working :D

-- Erika

[ Parent | Reply to this comment ]

Posted by Anonymous (24.80.xx.xx) on Fri 30 Mar 2007 at 04:46
For anyone searching on Google like I was, I was getting this error:

fusermount: failed to open /dev/fuse: Permission denied

I had to make sure that /dev/fuse was owned by root:fuse before I could get it to work. By default it was owned by root:root.

- Ian

[ Parent | Reply to this comment ]

Posted by Anonymous (90.162.xx.xx) on Tue 9 Aug 2011 at 11:08
Do you know if it is possible to use a keyring manager like gnome-keyring or else to mount automatically when you log in?

Thanks.

[ Parent | Reply to this comment ]

Posted by vpablos (90.162.xx.xx) on Tue 9 Aug 2011 at 11:41
Maybe using pam-encfs?
http://code.google.com/p/pam-encfs/

[ Parent | Reply to this comment ]

Posted by Anonymous (111.93.xx.xx) on Fri 30 Mar 2012 at 06:09
I was trying this, but when I mounted it again it gave an error like

root@user1:~# encfs ~/.crypt ~/crypt
EncFS Password:
fuse failed. Common problems:
- fuse kernel module not installed (modprobe fuse)
- invalid options -- see usage message

And I tried all the things that are in these comments. Please tell me some other things....

[ Parent | Reply to this comment ]

Posted by Anonymous (90.162.xx.xx) on Fri 30 Mar 2012 at 08:12
Could you be a little bit more specific?
You have fuse installed?
You have fuse module loaded?
You added yourself to the fuse group?
You logged out and logged in again to make the "added to the fuse group" effective?

[ Parent | Reply to this comment ]
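The checks suggested across the comments above (module loaded, /dev/fuse present, group ownership, re-login after joining the group) can be gathered into one preflight script. This is an added example, not code from the article or from any commenter; the function names and verdict strings are this example's own, and it assumes a `stat` that supports `-c` (GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example, not from the article or its comments. Verdict names and
# function names are this example's own.

# in_list "a b c" b: true if the word is in the space-separated list
in_list() { case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac; }

# explain_denied OWNER_GROUP PROCESS_GROUPS DATABASE_GROUPS
explain_denied() {
    if in_list "$2" "$1"; then
        echo "mode-denies-group"    # in the group; mode or policy denies
    elif in_list "$3" "$1"; then
        echo "relogin-needed"       # added to the group after this login
    else
        echo "not-in-group"         # e.g. node is root:fuse, user is not
    fi
}

# fuse_preflight [DEV] [MODULES_FILE]: prints one verdict, returns 0 if ok
fuse_preflight() {
    dev=${1:-/dev/fuse}
    modules=${2:-/proc/modules}
    if [ ! -e "$dev" ]; then
        # Same information as "lsmod | grep fuse"
        if grep -q '^fuse ' "$modules" 2>/dev/null; then
            echo "device-node-missing"   # module loaded, node not created
        else
            echo "module-not-loaded"     # modprobe fuse
        fi
        return 1
    fi
    if [ ! -c "$dev" ]; then
        echo "not-a-char-device"
        return 1
    fi
    if [ -r "$dev" ] && [ -w "$dev" ]; then
        echo "ok"
        return 0
    fi
    # Groups of this process versus groups currently recorded for the user
    explain_denied "$(stat -c %G "$dev")" "$(id -nG)" "$(id -nG "$(id -un)")"
    return 1
}

# Check the live system only when invoked as: sh preflight.sh check
if [ "${1:-}" = "check" ]; then fuse_preflight; fi
```

A "relogin-needed" verdict means the group database already lists the user in the device's group but the running session does not, which is the case the last comment asks about.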
