Simple encryption via encfs

Posted by oxtan on Fri 5 Aug 2005 at 16:32

Encryption is often useful, but because of the overhead involved it is easy to forget to do it. Previously we've covered using a loopback filesystem for encryption. An alternative is to use encfs, which we will introduce here.

Thanks to Steve for explaining how to install fuse. We will use that, so make sure that the fuse module is loaded:

# modprobe fuse

As usual we need to install the software:

apt-get install encfs

(If we already have the fuse module installed, then the only dependency will be librlog1).

Once the package is installed we're all set. The only thing we need to do then is encrypt the data.

It is quite simple to set up: you need a source directory, which holds the encrypted data, and a destination directory, where the decrypted view is mounted (if the latter does not exist it will be created for us). The only thing to remember is that you must use full paths.

user@host:~$ encfs /home/user/test/ /home/user/temp/
The directory "/home/user/temp/" does not exist. Should it be created? (y,n)
y
Creating new encrypted volume. 
Please choose from one of the following options: 
 enter "x" for expert configuration mode,
 enter "p" for pre-configured paranoia mode,
 anything else, or an empty line will select standard mode.

Standard configuration selected.

Configuration finished.  The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/blowfish", version 2:1:1
Filename encoding: "nameio/block", version 3:0:1
Key Size: 160 bits
Block Size: 512 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.

Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism.  However, the password can be changed
later using encfsctl.

New Encfs Password:
Verify Encfs Password:
user@host:~$

Now everything you copy to the destination folder will be automatically encrypted in the source folder.

user@host:~$ ls test
user@host:~$ echo "This is a test" > temp/test.txt
user@host:~$ ls test
YxphRzdrfzsvfOlltIO1Rd8S
user@host:~$ ls temp/
test.txt
user@host:~$ 

The advantage of this encryption method is that you do not have to encrypt a whole partition of your hard disk, and it is easy to back up.

The disadvantage is that the metadata remains visible. For a full explanation, see the extended intro to encfs, where all of this is explained.

Be warned that you need to keep the control file ".encfs5" at the top of the encrypted directory in a safe place. If disaster strikes and you do not have that file (or your password, doh) you will not be able to recover your data.
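
The backup and control-file advice above can be combined into one step. The following shell function is an added example, not part of the original article or of encfs: it archives the encrypted source directory and refuses to keep an archive that lacks ".encfs5". The name encfs_backup, its arguments and its exit codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: back up the encrypted (source) side of an encfs volume.
# encfs_backup is a hypothetical helper, not a command shipped with encfs.

encfs_backup() {
    src=${1%/}      # encrypted directory, e.g. /home/user/test
    archive=$2      # tarball to create, outside of $src

    if [ ! -d "$src" ]; then
        echo "encfs_backup: $src is not a directory" >&2
        return 2
    fi
    # Without the control file the ciphertext cannot be decrypted,
    # so a backup that lacks it is useless.
    if [ ! -s "$src/.encfs5" ]; then
        echo "encfs_backup: $src/.encfs5 missing or empty" >&2
        return 3
    fi

    # Archive the ciphertext only; the mounted cleartext view is never read.
    tar -C "$src" -cf "$archive" . || return 4

    # Confirm the control file really made it into the archive.
    if ! tar -tf "$archive" | grep -qE '^(\./)?\.encfs5$'; then
        echo "encfs_backup: .encfs5 not found in $archive" >&2
        rm -f "$archive"
        return 5
    fi

    # Everything else is encoded names such as YxphRzdrfzsvfOlltIO1Rd8S.
    count=$(tar -tf "$archive" |
        grep -cvE -e '^\./$' -e '^(\./)?\.encfs5$') || true
    echo "encfs_backup: wrote $archive (.encfs5 present, encrypted entries: $count)"
}
```

For the volume created above, the first argument would be /home/user/test; because only the encrypted side is read, it makes no difference whether temp is currently mounted.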

Once you are done, do not forget to unmount the fuse-fs with fusermount -u:

user@host:~$ fusermount -u temp

This article can be found online at the Debian Administration website at the following bookmarkable URL:

This article is copyright 2005 oxtan - please ask for permission to republish or translate.