Sunday, September 21, 2014

How to Encrypt Files and Directories in Ubuntu - EncFS

After the Truecrypt website went down recently and visitors were informed that Truecrypt contains vulnerabilities and is discontinued, I had to search for an alternative. I have known about EncFS for a good while, but the convenience of Truecrypt's cross-platform support had won me over. Now, however, I have moved to EncFS on my Linux machine.


There are some advantages of using EncFS, as explained at the linked page. To sum it up:
  • Size grows without need of reformatting
  • Backing up is easier (with e.g. rsync or its GUI version grsync) as files can be backed up individually
  • Can be layered on other file systems
So in general, one doesn't need to specify a fixed size for the encrypted file system, which simply means there is no "unused encrypted space". Also, since the files are individually available, they can be backed up one by one, which at least makes backing up practical. With Truecrypt, if one wanted to back up a container, the entire encrypted volume had to be uploaded, and re-uploaded any time something changed in the original documents. At the cost of some "anonymity" (described below), this is no longer an issue.


Again, as explained at the above-mentioned link:
  • Metadata is visible in the encrypted directory
    • File size
    • Permissions
    • Number of files
    • Approximate name length (but not the name itself)
Unfortunately, this allows some guessing about what the files might be: not their actual names or content, but their general kind. Even though file types are not shown, a document of a couple of KB is probably some sort of text file, whereas one of a few MB might be a picture, a PDF and so on. Modification dates are also shown in plain text, which in some scenarios might be an issue.

Everyone has to decide whether or not leaking this kind of information is acceptable. It is definitely better than not encrypting the files in the first place, but in other cases it might not be enough.
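To see the leak concretely, here is an added example (not code from the original post) of a small POSIX shell helper that reports exactly the metadata listed above from a raw EncFS directory: number of files, total size, and per file the size, modification time, permission bits and length of the encrypted name. It assumes GNU find and stat as shipped with Ubuntu; the raw directory path is whatever you pass in (for a dry run without EncFS any directory of plain files will do), and the .encfs6.xml volume configuration file that EncFS keeps in the raw directory is skipped because it is not user data.

```shell
#!/bin/sh
# Added example (not the post's own code): report the metadata that remains
# visible in an EncFS raw directory even while the volume is unmounted.
# Assumes GNU find/stat as on Ubuntu. Pass the raw directory, e.g. the
# /tmp/crypt-raw from the post; any directory of files works for a dry run.

# Regular files under DIR, except the EncFS volume config .encfs6.xml.
raw_files() {
    find "$1" -type f ! -name '.encfs6.xml'
}

# raw_entry_count DIR: how many ciphertext files exist (leaks the file count).
raw_entry_count() {
    raw_files "$1" | wc -l | tr -d ' '
}

# raw_total_bytes DIR: sum of ciphertext sizes. EncFS encrypts file by file,
# so this closely tracks the plaintext total (plus a small per-file header).
raw_total_bytes() {
    find "$1" -type f ! -name '.encfs6.xml' -exec stat -c '%s' {} + |
        awk '{ s += $1 } END { print s + 0 }'
}

# raw_listing DIR: one line per file with size, mtime (epoch seconds),
# permission bits and the length of the encrypted name. The name itself is
# ciphertext, but its length still hints at the plaintext name's length.
raw_listing() {
    raw_files "$1" | while read -r f; do
        name=$(basename "$f")
        stat -c "%s bytes  mtime=%Y  mode=%a  namelen=${#name}" "$f"
    done
}

# raw_summary DIR: the quick "what would an observer learn" view.
raw_summary() {
    printf 'files=%s total_bytes=%s\n' "$(raw_entry_count "$1")" "$(raw_total_bytes "$1")"
    raw_listing "$1"
}
```

Run it as `raw_summary /tmp/crypt-raw` after sourcing the file. Everything it prints is obtained without the password, which is the point: choosing EncFS means accepting that an observer of the raw directory (a backup host, a cloud sync target) learns this much.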

How Does it Work?

Check out the commands below. They create an encrypted directory and mount it to another directory, which serves as the mount point.

$ mkdir /tmp/crypt-raw
$ mkdir /tmp/crypt
$ encfs /tmp/crypt-raw /tmp/crypt
Volume key not found, creating new encrypted volume.
Password: [password entered here]
Verify: [password entered here]

This does the following:

mkdir /tmp/crypt-raw - Create a directory at the specified location. This will be the actual directory holding the encrypted files.

mkdir /tmp/crypt - Create a directory at the specified location. This will be the mount point for your encrypted directory. It will not contain any actual files; it simply presents a decrypted view of the encrypted directory. If you put it in /tmp it will be deleted on every restart. You can, of course, choose any other location too.

encfs /tmp/crypt-raw /tmp/crypt - Mounts the encrypted directory (crypt-raw) at the mount point crypt. When run for the first time, it asks you to choose a password and to specify the type of encryption.


How to use this

You are technically done. Any files you put in the crypt directory are actually stored, encrypted, in crypt-raw. As long as crypt is mounted, the files are visible there in decrypted form. If you unmount it, the files are only visible in crypt-raw, and if you look at them you only see scrambled data, that is, ciphertext.

Example of some files stored in the encrypted directory
As you can see in the example above, file sizes and modification dates are shown in clear text, but file names are encrypted.


To unmount the directory, run
$ fusermount -u /tmp/crypt

After this, both the mount point and the encrypted directory will still be present, but crypt will be "empty" while crypt-raw will only contain unreadable ciphertext.

Note: /tmp is flushed on restart, hence the crypt directory will be removed. This is no problem, however: running the commands again after a reboot recreates and mounts the directory.


Create a small script that will mount, unmount and open the encrypted directory you use the most! Take a look at the linked script for what I am using. This way it is much faster and more convenient to use encryption; it only takes a few seconds to open and close the container.
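The following script is an added example, not the script the post links to: it bundles the three commands from the "How Does it Work?" section into open/close/status actions with the checks a practitioner would want before mounting. It assumes encfs and fusermount are installed (Ubuntu package: encfs), uses the post's /tmp/crypt-raw and /tmp/crypt paths as hypothetical defaults (overridable through the RAW_DIR and MNT_DIR environment variables), and detects an open volume by looking for a fuse.encfs entry in /proc/mounts.

```shell
#!/bin/sh
# Added example, not the script the post links to: open/close/status helper
# for one EncFS volume. Assumes encfs and fusermount are installed
# (Ubuntu package: encfs). The paths below are hypothetical defaults taken
# from the post; override them with the RAW_DIR / MNT_DIR environment variables.
RAW_DIR="${RAW_DIR:-/tmp/crypt-raw}"   # holds the ciphertext files
MNT_DIR="${MNT_DIR:-/tmp/crypt}"       # shows the decrypted view while mounted
IDLE_MIN="${IDLE_MIN:-15}"             # encfs -i: auto-unmount after idle minutes

# is_encfs_mounted MNT: succeed if MNT is listed as a fuse.encfs mount.
# Reads /proc/mounts (fields: source, mount point, fstype, ...); MOUNTS_FILE
# can point at another mount table for testing. Spaces in paths appear as \040.
is_encfs_mounted() {
    awk -v m="$1" '$2 == m && $3 == "fuse.encfs" { found = 1 } END { exit !found }' \
        "${MOUNTS_FILE:-/proc/mounts}"
}

# check_dirs RAW MNT: reject layouts that misbehave: identical paths, or a
# mount point placed inside the raw directory.
check_dirs() {
    if [ "$1" = "$2" ]; then
        echo "raw directory and mount point must differ" >&2; return 1
    fi
    case "$2" in
        "$1"/*) echo "mount point must not be inside the raw directory" >&2; return 1 ;;
    esac
    return 0
}

open_volume() {
    check_dirs "$RAW_DIR" "$MNT_DIR" || return 1
    command -v encfs >/dev/null 2>&1 || { echo "encfs not installed" >&2; return 1; }
    if is_encfs_mounted "$MNT_DIR"; then
        echo "already open: $MNT_DIR"; return 0
    fi
    # Recreate the directories each time: /tmp is wiped on reboot, and on the
    # very first run encfs initialises a new volume in the empty raw directory.
    mkdir -p "$RAW_DIR" "$MNT_DIR"
    chmod 700 "$RAW_DIR" "$MNT_DIR"     # keep other local users out
    # encfs prompts for the password itself; -i unmounts after IDLE_MIN idle
    # minutes so a forgotten terminal does not leave the plaintext view open.
    encfs -i "$IDLE_MIN" "$RAW_DIR" "$MNT_DIR" || return 1
    # Optionally open the mounted directory in the desktop file manager.
    command -v xdg-open >/dev/null 2>&1 && xdg-open "$MNT_DIR"
    return 0
}

close_volume() {
    if ! is_encfs_mounted "$MNT_DIR"; then
        echo "not mounted: $MNT_DIR"; return 0
    fi
    fusermount -u "$MNT_DIR"
}

status_volume() {
    if is_encfs_mounted "$MNT_DIR"; then echo "open: $MNT_DIR"; else echo "closed: $MNT_DIR"; fi
}

main() {
    case "$1" in
        open)   open_volume ;;
        close)  close_volume ;;
        status) status_volume ;;
        *)      echo "usage: $0 open|close|status" >&2; return 2 ;;
    esac
}

# Dispatch only when given an action, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Save it as, say, encfs-toggle.sh, make it executable and run ./encfs-toggle.sh open, then ./encfs-toggle.sh close when done. Because /tmp is wiped at reboot, point RAW_DIR at a persistent location (a directory under your home, for example) for anything you want to keep; only the mount point can safely live in /tmp. The -i option asks encfs to unmount the volume by itself after the given number of idle minutes, so the decrypted view is not left open indefinitely.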