Difference between revisions of "Encfs"
m (added languages and translate tags) |
(Marked this version for translation) |
||
(3 intermediate revisions by 2 users not shown) | |||
Line 2: | Line 2: | ||
__TOC__ | __TOC__ | ||
<translate> | <translate> | ||
==Introduction== | ==Introduction== <!--T:1--> | ||
<!--T:2--> | |||
Encfs is an encryption program that is suitable for encrypting content on an already installed system. It can be used for encrypting your /home or you can make smaller private directories that can hold your encrypted data. | Encfs is an encryption program that is suitable for encrypting content on an already installed system. It can be used for encrypting your /home or you can make smaller private directories that can hold your encrypted data. | ||
You can encrypt Dropbox with it and that has the advantage over Truecrypt that it does not require reserved valuable space that Truecrypt does (as of 05 2014 [http://truecrypt.sourceforge.net/index.html| Truecrypt is considered unsafe]). | You can encrypt Dropbox with it and that has the advantage over Truecrypt that it does not require reserved valuable space that Truecrypt does (as of 05 2014 [http://truecrypt.sourceforge.net/index.html| Truecrypt is considered unsafe]). | ||
<!--T:3--> | |||
Encfs does not reserve a space on your HD and simply grows and shrinks with the files you put in there. | Encfs does not reserve a space on your HD and simply grows and shrinks with the files you put in there. | ||
<!--T:4--> | |||
The one thing that can seem a bit confusing about it is that you need to make two directories (folders) to make it work: one encrypted and one un-encrypted. | The one thing that can seem a bit confusing about it is that you need to make two directories (folders) to make it work: one encrypted and one un-encrypted. | ||
<!--T:5--> | |||
''Why would we need an un-encrypted folder that contains the data we want to encrypt; is that not the mother of all security flaws?'' | ''Why would we need an un-encrypted folder that contains the data we want to encrypt; is that not the mother of all security flaws?'' | ||
<!--T:6--> | |||
''The entire point with encryption is that the encrypted data should not be accessible in an un-encrypted form; right?'' | ''The entire point with encryption is that the encrypted data should not be accessible in an un-encrypted form; right?'' | ||
<!--T:7--> | |||
The way Encfs works is that the un-encrypted directory is the mount point for the encrypted content. | The way Encfs works is that the un-encrypted directory is the mount point for the encrypted content. | ||
<!--T:8--> | |||
If you do not mount it ''nothing'' will be visible. And to mount it; you need to enter a given password. | If you do not mount it ''nothing'' will be visible. And to mount it; you need to enter a given password. | ||
<!--T:28--> | |||
{{BoxWarning|Warning: [https://wiki.archlinux.org/title/EncFS#Installation EncFS - ArchWiki] says:| | |||
A [https://defuse.ca/audits/encfs.htm security review (February 2014)] of encfs discovered a number of security issues in the stable release 1.7.4 (June 2014). Please consider the report and the references in it for updated information before using the release. [https://forum.manjaro.org/t/encfs-is-not-so-safe/84983/2 see@forum] }} | |||
==Installing== | ==Installing== <!--T:9--> | ||
Encfs is in the community repo so you can simply install it with your favorite package manager or by using: | Encfs is in the community repo so you can simply install it with your favorite package manager or by using: | ||
pamac install encfs | pamac install encfs | ||
==Using it - encrypting== | ==Using it - encrypting== <!--T:10--> | ||
<!--T:11--> | |||
We want to make a directory that we would call | We want to make a directory that we would call | ||
.secret | .secret | ||
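Review bot: the BoxWarning added at the end of the Introduction dates the security review to February 2014 but the release it covers to June 2014, so as worded the review predates the release; check both dates against the quoted ArchWiki text before this unit goes out for translation. In the same hunk, the unchanged Truecrypt link in T:2 is written as "[http://truecrypt.sourceforge.net/index.html| Truecrypt is considered unsafe]"; MediaWiki external links separate URL and label with a space, so the "|" ends up as part of the URL and should be dropped.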
Line 36: | Line 47: | ||
===First time run=== | ===First time run=== <!--T:12--> | ||
This will create the hidden directory '''.secret''' and the mount point '''secret''' the first time you run it. Just answer yes to the prompts - twice. You need to use the full path. | This will create the hidden directory '''.secret''' and the mount point '''secret''' the first time you run it. Just answer yes to the prompts - twice. You need to use the full path. | ||
During first time run you will also be prompted for the encryption mode; '''x''' for expert or '''p''' for paranoia mode. We will pick '''p''' which is a good mode. | During first time run you will also be prompted for the encryption mode; '''x''' for expert or '''p''' for paranoia mode. We will pick '''p''' which is a good mode. | ||
<!--T:13--> | |||
Next you will be prompted for your password. Make it long and hard to crack but don't forget it - if you do; there is no way of recovering your data. | Next you will be prompted for your password. Make it long and hard to crack but don't forget it - if you do; there is no way of recovering your data. | ||
<!--T:14--> | |||
Confirm the password and that's it you are finished. | Confirm the password and that's it you are finished. | ||
===Regular use=== | ===Regular use=== <!--T:15--> | ||
<!--T:16--> | |||
We have created the directory '''~/.secret''' that will contain the encrypted data and we have made it a hidden directory because we will never enter anything in it and the content will all be unreadable. | We have created the directory '''~/.secret''' that will contain the encrypted data and we have made it a hidden directory because we will never enter anything in it and the content will all be unreadable. | ||
<!--T:17--> | |||
The content of '''~/.secret''' will only be readable when mounted in the other directory we created: '''~/secret''' | The content of '''~/.secret''' will only be readable when mounted in the other directory we created: '''~/secret''' | ||
The only difference between the two is the "." | The only difference between the two is the "." | ||
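Review bot: the First time run paragraph still tells the reader to pick p and calls paranoia mode "a good mode" without any reference to the security warning this revision adds to the Introduction; add a pointer to that warning here, because this is the step where the reader actually chooses the mode.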
Line 56: | Line 71: | ||
You may call your directories something completely different than .secret and secret; it is up to you. Enter the password and start entering content into ~/secret. | You may call your directories something completely different than .secret and secret; it is up to you. Enter the password and start entering content into ~/secret. | ||
<!--T:18--> | |||
''We never enter data into ~/.secret - that is why we have hidden it with a "."'' | ''We never enter data into ~/.secret - that is why we have hidden it with a "."'' | ||
<!--T:19--> | |||
To unmount ~/secret we enter the command: | To unmount ~/secret we enter the command: | ||
fusermount -u ~/secret | <!--T:20--> | ||
fusermount -u ~/secret | |||
<!--T:21--> | |||
If you check the content of ~/secret now; it will be completely empty. In order to see the content again you need to mount again with | If you check the content of ~/secret now; it will be completely empty. In order to see the content again you need to mount again with | ||
encfs ~/.secret ~/secret | <!--T:22--> | ||
encfs ~/.secret ~/secret | |||
and enter the password. | and enter the password. | ||
This will mount secret as a disk you can do a simple | This will mount secret as a disk you can do a simple | ||
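Review bot: T:20 and T:22 sit directly in front of "fusermount -u ~/secret" and "encfs ~/.secret ~/secret", which makes the bare command lines translation units of their own; keep the commands outside the translatable text (close the translate tag before each command and reopen it after) so a translation cannot change what the reader types.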
Line 71: | Line 91: | ||
==Encrypting Dropbox== | ==Encrypting Dropbox== <!--T:23--> | ||
One of the strong points of Encfs is that it does not reserve a lot of valuable space. This makes it suitable for encrypting Dropbox content. | One of the strong points of Encfs is that it does not reserve a lot of valuable space. This makes it suitable for encrypting Dropbox content. | ||
There is no such thing as 100% security in the cloud, so remember that some things simply do not belong there.<br> | There is no such thing as 100% security in the cloud, so remember that some things simply do not belong there.<br> | ||
Line 80: | Line 100: | ||
Then you enter the password. | Then you enter the password. | ||
<!--T:24--> | |||
To access the Dropbox from another computer repeat the exact same procedure there and enter exactly the same password. | To access the Dropbox from another computer repeat the exact same procedure there and enter exactly the same password. | ||
<!--T:25--> | |||
That is all there is to it - your jiberish unreadable data will now be on the web (in the cloud) in the Dropbox/encrypted folder.<br> | That is all there is to it - your jiberish unreadable data will now be on the web (in the cloud) in the Dropbox/encrypted folder.<br> | ||
It will only be readable to you after you have mounted '''~/Dropbox_unencrypted''' on your local computer. | It will only be readable to you after you have mounted '''~/Dropbox_unencrypted''' on your local computer. | ||
Line 95: | Line 117: | ||
==GUI helpers== | ==GUI helpers== <!--T:26--> | ||
To mount and un-mount there are helpers in AUR that can make the handling easier. | To mount and un-mount there are helpers in AUR that can make the handling easier. | ||
<!--T:27--> | |||
* cryptkeeper - A Linux system tray applet that manages EncFS encrypted folders | * cryptkeeper - A Linux system tray applet that manages EncFS encrypted folders | ||
* kencfs - GUI frontend for encfs. Create, mount, umount and delete your encrypted fs | * kencfs - GUI frontend for encfs. Create, mount, umount and delete your encrypted fs |
Latest revision as of 09:08, 25 December 2021
Introduction
Encfs is an encryption program that is suitable for encrypting content on an already installed system. It can be used for encrypting your /home, or you can make smaller private directories that hold your encrypted data. You can encrypt Dropbox with it, and it has the advantage over Truecrypt that it does not need to reserve valuable space the way Truecrypt does (as of 05 2014 Truecrypt is considered unsafe).
Encfs does not reserve a space on your HD and simply grows and shrinks with the files you put in there.
The one thing that can seem a bit confusing about it is that you need to make two directories (folders) to make it work: one encrypted and one un-encrypted.
Why would we need an un-encrypted folder that contains the data we want to encrypt; is that not the mother of all security flaws?
The entire point with encryption is that the encrypted data should not be accessible in an un-encrypted form; right?
The way Encfs works is that the un-encrypted directory is the mount point for the encrypted content.
If you do not mount it, nothing will be visible. And to mount it, you need to enter the password.
Installing
Encfs is in the community repo so you can simply install it with your favorite package manager or by using:
pamac install encfs
Using it - encrypting
We want to make a directory that we would call
.secret
to keep our encrypted stuff, and we would make the mount point
secret
To achieve this, we run the following command in a terminal:
encfs ~/.secret ~/secret
You may also create the directories ~/.secret and ~/secret manually.
First time run
This will create the hidden directory .secret and the mount point secret the first time you run it. Just answer yes to the prompts - twice. You need to use the full path. During the first run you will also be prompted for the encryption mode: x for expert or p for paranoia mode. We will pick p, which is a good mode.
Next you will be prompted for your password. Make it long and hard to crack, but don't forget it - if you do, there is no way of recovering your data.
Confirm the password and that's it: you are finished.
Regular use
We have created the directory ~/.secret that will contain the encrypted data and we have made it a hidden directory because we will never enter anything in it and the content will all be unreadable.
The content of ~/.secret will only be readable when mounted in the other directory we created: ~/secret. The only difference between the two names is the ".". ~/secret will be the working directory where you put the files you want encrypted. To mount the directory we enter the command:
encfs ~/.secret ~/secret
You may call your directories something completely different than .secret and secret; it is up to you. Enter the password and start entering content into ~/secret.
We never enter data into ~/.secret - that is why we have hidden it with a "."
To unmount ~/secret we enter the command:
fusermount -u ~/secret
If you check the content of ~/secret now, it will be completely empty. In order to see the content again you need to mount it again with
encfs ~/.secret ~/secret
and enter the password. This will mount secret as a disk, so you can run a simple
df
to check whether secret is mounted.
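The df check above can be scripted so that nothing is copied into ~/secret while it is unmounted, since files written to the bare mount point would sit on disk unencrypted. This is an added example, not part of the wiki page; the function names, the sample user alice and the sample mount table are constructed, and it assumes EncFS mounts are listed with a filesystem type containing "encfs" (such as fuse.encfs).

```shell
#!/bin/sh
# Added example (not from the wiki page): only write into the plaintext view
# when an EncFS mount is really active there.

# is_encfs_mounted MOUNTPOINT [MOUNTS_FILE]
# Succeeds only if MOUNTS_FILE (default /proc/mounts) lists MOUNTPOINT with a
# filesystem type containing "encfs". Assumption: the type shows as fuse.encfs.
# Limitation: paths with spaces appear escaped (\040) in /proc/mounts.
is_encfs_mounted() {
    mp=${1%/}
    awk -v mp="$mp" '$2 == mp && $3 ~ /encfs/ { found = 1 }
                     END { exit !found }' "${2:-/proc/mounts}"
}

# guarded_copy FILE MOUNTPOINT [MOUNTS_FILE]
# Copies FILE into MOUNTPOINT, or refuses (status 2) when nothing is mounted,
# because the copy would otherwise land unencrypted on the local disk.
guarded_copy() {
    if is_encfs_mounted "$2" "${3:-/proc/mounts}"; then
        cp -- "$1" "$2"/
    else
        echo "refusing: $2 is not an EncFS mount" >&2
        return 2
    fi
}

# Constructed sample in /proc/mounts format (user name and paths are made up).
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
encfs /home/alice/secret fuse.encfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
/dev/sda3 /home/alice/Dropbox_unencrypted ext4 rw,relatime 0 0
EOF
}

# Demo against the constructed table instead of the live /proc/mounts.
tmp=$(mktemp) && sample_mounts > "$tmp"
is_encfs_mounted /home/alice/secret "$tmp" && echo "secret: EncFS mounted"
is_encfs_mounted /home/alice/Dropbox_unencrypted "$tmp" ||
    echo "Dropbox_unencrypted: not an EncFS mount"
rm -f "$tmp"
```

In real use, call `guarded_copy somefile ~/secret` with no third argument so the live /proc/mounts is consulted.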
Encrypting Dropbox
One of the strong points of Encfs is that it does not reserve a lot of valuable space. This makes it suitable for encrypting Dropbox content.
There is no such thing as 100% security in the cloud, so remember that some things simply do not belong there.
Keeping that in mind - we create a folder under ~/Dropbox that we call encrypted and we create a mount point that we call Dropbox_unencrypted.
We can create the directories manually or let encfs auto-generate them:
encfs ~/Dropbox/encrypted ~/Dropbox_unencrypted
Just like in any first-time run, you accept the creation of the directories with a "y" - twice - and pick "p" for paranoid mode. Then you enter the password.
To access the Dropbox from another computer repeat the exact same procedure there and enter exactly the same password.
That is all there is to it - your unreadable gibberish data will now be on the web (in the cloud) in the Dropbox/encrypted folder.
It will only be readable to you after you have mounted ~/Dropbox_unencrypted on your local computer.
You will also have the synced ~/Dropbox/encrypted folder on your computer, and that will be as unreadable as the content on the web.
As we have seen above, this content will only be visible when you mount it in ~/Dropbox_unencrypted.
Again, do not put any content in ~/Dropbox/encrypted: all the content there will be added after you have mounted the working directory - ~/Dropbox_unencrypted.
To test it you can unmount it with
fusermount -u ~/Dropbox_unencrypted
and re-mount it with
encfs ~/Dropbox/encrypted ~/Dropbox_unencrypted
at which time you will be prompted for the password.
GUI helpers
To mount and un-mount there are helpers in AUR that can make the handling easier.
- cryptkeeper - A Linux system tray applet that manages EncFS encrypted folders
- kencfs - GUI frontend for encfs. Create, mount, umount and delete your encrypted fs
- encfsui - Encrypted filesystem encfs GUI wrapper