Simple encryption via encfs
Posted by oxtan on Fri 5 Aug 2005 at 16:32
Encryption is often useful, but because of the overhead it is easy to forget to do it. Previously we've covered using a loopback filesystem for encryption. An alternative is encfs, which we will introduce here.
Thanks to Steve for explaining how to install fuse. We will use that, so make sure that the fuse module is loaded:
# modprobe fuse
As usual we need to install the software:
apt-get install encfs
(If we already have the fuse module installed, then the only dependency will be librlog1).
Once the package is installed we're all set. The only thing we need to do then is encrypt the data.
It is quite simple to set up: you need a source directory and a destination directory (although if the latter does not exist it will be created for us). The only thing to remember is that you must use full paths.
user@host:~$ encfs /home/user/test/ /home/user/temp/
The directory "/home/user/temp/" does not exist. Should it be created? (y,n) y
Creating new encrypted volume.
Please choose from one of the following options:
 enter "x" for expert configuration mode,
 enter "p" for pre-configured paranoia mode,
 anything else, or an empty line will select standard mode.
Standard configuration selected.
Configuration finished. The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/blowfish", version 2:1:1
Filename encoding: "nameio/block", version 3:0:1
Key Size: 160 bits
Block Size: 512 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism. However, the password can be changed
later using encfsctl.
New Encfs Password:
Verify Encfs Password:
user@host:~$
Now everything you copy to the destination folder will be automatically encrypted in the source folder.
user@host:~$ ls test
user@host:~$ echo "This is a test" > temp/test.txt
user@host:~$ ls test
YxphRzdrfzsvfOlltIO1Rd8S
user@host:~$ ls temp/
test.txt
user@host:~$
The advantage of this encryption method is that you do not have to encrypt a whole partition of your hard disk and it is easy to back-up.
The disadvantage is that the metadata remains visible. For a full explanation, see the extended intro to encfs, where it is all explained.
Be warned that you need to keep the control file ".encfs5" at the top of the encrypted directory in a safe place. If disaster strikes and you do not have that file (or your password, doh) you will not be able to recover your data.
Once you are done, do not forget to unmount the fuse-fs with fusermount -u:
user@host:~$ fusermount -u temp
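The mount step above depends on a few things being in place: full paths for both directories, a usable /dev/fuse, and, for an existing volume, the .encfs5 control file. The script below is an added example, not part of the original article or of encfs, that checks these before mounting; the function names are made up for illustration, and the optional third argument (the device path) exists only so the check can be pointed at a different node.

```shell
#!/bin/sh
# Added example: pre-flight checks to run before "encfs <source> <mountpoint>".
# Function names are illustrative; they are not part of encfs or fuse.

# Classify the FUSE device node: missing / not-char-device / no-access / ok.
fuse_dev_state() {
    dev=${1:-/dev/fuse}
    if [ ! -e "$dev" ]; then echo missing
    elif [ ! -c "$dev" ]; then echo not-char-device
    elif [ ! -r "$dev" ] || [ ! -w "$dev" ]; then echo no-access
    else echo ok
    fi
}

# The article's rule: both directories must be given as full paths.
is_full_path() {
    case $1 in /*) return 0 ;; *) return 1 ;; esac
}

# "existing" if the control file named in the article (.encfs5) is present.
volume_state() {
    if [ -f "$1/.encfs5" ]; then echo existing; else echo new; fi
}

# Print one line per finding; return non-zero if something blocks the mount.
encfs_preflight() {
    src=$1 mnt=$2 dev=${3:-/dev/fuse} rc=0
    is_full_path "$src" || { echo "source is not a full path: $src"; rc=1; }
    is_full_path "$mnt" || { echo "mount point is not a full path: $mnt"; rc=1; }
    case $(fuse_dev_state "$dev") in
        missing) echo "$dev missing: is the module loaded (modprobe fuse)?"; rc=1 ;;
        not-char-device) echo "$dev exists but is not a character device"; rc=1 ;;
        no-access) echo "$dev not usable by $(id -un) (groups: $(id -Gn))"; rc=1 ;;
    esac
    case $(volume_state "$src") in
        existing) echo "existing volume: back up $src/.encfs5 before relying on it" ;;
        new) echo "no .encfs5 in $src: encfs will create a new volume" ;;
    esac
    return $rc
}

# Run the checks when called as: preflight.sh /full/source /full/mountpoint
if [ $# -ge 2 ]; then encfs_preflight "$@"; fi
```

A non-zero exit status means a path or device problem would stop the mount; the .encfs5 lines are informational only.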
[ Parent | Reply to this comment ]
That seems likely, the whole purpose of grsec is to limit what you can do.
Should be obvious from your kernel logs though ..
Steve
-- Steve.org.uk
[ Parent | Reply to this comment ]
whilst the new version of fusermount were in /usr/local/bin
When I deleted /usr/bin/fusermount and symlinked the fusermount in /usr/local/bin to /usr/bin this error went away. Unfortunately there are still some other issues I have to deal with :-)
fusermount: failed to create device node: Operation not permitted
fusermount: fuse device not found, try 'modprobe fuse' first
fuse failed. Common problems:
- fuse kernel module not installed (modprobe fuse)
- invalid options -- see usage message
[ Parent | Reply to this comment ]
I haven't been able to get this working since this article was published. )=
$ dpkg -l fuse-utils encfs fuse-source
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-============================================
ii  encfs          1.2.4.1-2      encrypted virtual filesystem
ii  fuse-source    2.4.0-1        Filesystem in USErspace (source for kernel m
ii  fuse-utils     2.4.0-1        Filesystem in USErspace (utilities)
$ !lsm
lsmod |grep fuse
fuse 42792 0
$ ls
a/ b/
$ encfs /tmp/fuse/a /tmp/fuse/b
Creating new encrypted volume.
Please choose from one of the following options:
enter "x" for expert configuration mode,
enter "p" for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.
?>
Standard configuration selected.
Configuration finished. The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/blowfish", version 2:1:1
Filename encoding: "nameio/block", version 3:0:1
Key Size: 160 bits
Block Size: 512 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism. However, the password can be changed
later using encfsctl.
New Encfs Password:
Verify Encfs Password:
fusermount: failed to open /dev/fuse: No such file or directory
fuse failed. Common problems:
- fuse kernel module not installed (modprobe fuse)
- invalid options -- see usage message
$ ls -l /dev/fuse
ls: /dev/fuse: No such file or directory
$
[ Parent | Reply to this comment ]
fusermount: failed to open /dev/fuse: No such file or directory
You need to either modprobe fuse or use modconf to "turn on" this module. Once it is loaded -- check via lsmod looking for fuse, then you should be good to go.
John
[ Parent | Reply to this comment ]
May 5 17:33:16 localhost kernel: [4306069.837000] fuse init (API version 7.3)
But no /dev/fuse is created. A reboot didn't solve it. I'll rip through the source and see what's going on here.
[ Parent | Reply to this comment ]
The problem maybe is that I don't use it with a user in the fuse group (I can add user to this group because of a NIS system that I don't manage).
So I changed the permissions of fusermount to being able to use it by others.
Do you know if there are other things to do in order to be able to use fuse with "other" privileges?
# lsmod | grep fuse
fuse 40665 0
$ encfs ~/.crypt ~/crypt
Mot de passe :
fusermount: failed to open /dev/fuse: Permission denied
# ls /dev/fuse
/dev/fuse
Thanks in advance
[ Parent | Reply to this comment ]
When setting it up, I got the following message:
$ encfs /home/tom/enc /home/tom/clear
fusermount: failed to open /tmp/.fuse_devXXXX
It did not work as root either.
I found out that the device node /dev/fuse has not been created, either by modprob'ing fuse or by install.
So I had to create it manually to make the whole stuff work as expected:
# mknod /dev/fuse -m 0660 c 10 229
# chown root.fuse /dev/fuse
Et voila !
--
Tom
[ Parent | Reply to this comment ]
-- Erika
[ Parent | Reply to this comment ]
fusermount: failed to open /dev/fuse: Permission denied
I had to make sure that /dev/fuse was owned by root:fuse before I could get it to work. By default it was owned by root:root.
- Ian
[ Parent | Reply to this comment ]
Thanks.
[ Parent | Reply to this comment ]
root@user1:~# encfs ~/.crypt ~/crypt
EncFS Password:
fuse failed. Common problems:
- fuse kernel module not installed (modprobe fuse)
- invalid options -- see usage message
And I tried all the things which are in all these comments. Please tell me some other things....
[ Parent | Reply to this comment ]
You have fuse installed?
You have fuse module loaded?
You added yourself to the fuse group?
You logged out and logged in again to make the "added to the fuse group" effective?
[ Parent | Reply to this comment ]
New Encfs Password:
Verify Encfs Password:
fusermount: failed to create device node: Operation not permitted
fusermount: fuse device not found, try 'modprobe fuse' first
fuse failed. Common problems:
- fuse kernel module not installed (modprobe fuse)
- invalid options -- see usage message
I have the module loaded, I can do it with root, but not as a regular user. I set FUSE_GROUP=staff and I am in staff.
This also scares me:
# if the following is set to true, the group will automatically be deleted
# when the package is removed.
FUSE_GROUPDELETE=true
[ Parent | Reply to this comment ]