391. encfs on debian testing

Truecrypt is nice and all, but the way it's managed is a bit un-linux like. It IS open source though, but because it isn't completely clear who the maintainers are, and while the source code is probably safe to use, most people use pre-built binaries -- just because it's open source doesn't mean that the binaries are built from that source. I'm happy with truecrypt, but if we're going to be paranoid, we might as well go all the way. Also, it would be nice with an encryption tool which can be installed from the repos, and as a binary built by a trusted party (i.e. the debian maintainers).

Note that truecrypt wins hands down on features -- as always, pick the tool that does the job.

encfs is a well-established encryption tool for linux systems and is available in most distro repos -- it does encryption of files, and while it lacks many of the options of truecrypt, it is useful for encrypting directory structures.

Installation

sudo apt-get install encfs

Yes, that's it. If you're having issues, make sure that fuse is installed, and that you belong to the group fuse (too add, do sudo usermod -a -G fuse $USER . To check do cat /etc/group|grep fuse)

---

Set-up
Set-up is equally easy.

 encfs ~/.secret ~/encrypted

The directory "/home/me/encrypted" does not exist. Should it be created? (y,n) Y
Creating new encrypted volume.
Please choose from one of the following options:
 enter "x" for expert configuration mode,
 enter "p" for pre-configured paranoia mode,
 anything else, or an empty line will select standard mode.
?> 

Standard configuration selected.

Configuration finished. The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 3:0:2
Filename encoding: "nameio/block", version 3:0:1
Key Size: 192 bits
Block Size: 1024 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File holes passed through to ciphertext.

Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism. However, the password can be changed
later using encfsctl.

New Encfs Password: 
Verify Encfs Password: 

At the end of this your encryption folder will be mounted.

---

How it works:
A (to me) nice way of illustrating how it works is the following:

ls ~/encrypted/ -lah

total 24K
drwxr-xr-x   2 me me 4.0K Apr 18 14:29 .
drwxr-xr-x 212 me me  20K Apr 18 14:29 ..

ls ~/.secret/ -lah

total 32K
drwxr-xr-x   2 me me 4.0K Apr 18 14:29 .
drwxr-xr-x 212 me me  20K Apr 18 14:29 ..
-rw-r--r--   1 me me 1.1K Apr 18 14:29 .encfs6.xml
-rw-r--r--   1 me me  411 Nov 14  2011 .passwd.gpg
touch ~/encrypted/test
ls ~/encrypted/ -lah

total 24K
drwxr-xr-x   2 me me 4.0K Apr 18 14:32 .
drwxr-xr-x 212 me me  20K Apr 18 14:29 ..
-rw-r--r--   1 me me    0 Apr 18 14:32 test

ls ~/.secret/ -lah

total 32K
drwxr-xr-x   2 me me 4.0K Apr 18 14:32 .
drwxr-xr-x 212 me me  20K Apr 18 14:29 ..
-rw-r--r--   1 me me 1.1K Apr 18 14:29 .encfs6.xml
-rw-r--r--   1 me me    0 Apr 18 14:32 IfSGAzSkFsuN2A,SpPmnKSYu
-rw-r--r--   1 me me  411 Nov 14  2011 .passwd.gpg

df -h

encfs                                                   734G  525G  172G  76% /home/me/encrypted

In other words, anything that is put into ~/encrypted ends up as an encrypted file in ~/.secret. It's a little bit different from truecrypt, which uses a filesystem container -- this is more similar to encrypting each file with gpg/pgp, just with a good way of managing it from a filesystem pov.

Also, this means that you don't have to dedicate a certain amount of space to the encrypted file system as you would have to with truecrypt.

Anyway, unmount ~/encrypted and no-one will have access to the decrypted forms of the files.

sudo umount ~/encrypted

To mount it again, just do

encfs ~/.secret ~/encrypted

You can change the name of the directory you want to mount it in.

It is also possible to mount automatically on boot, but this would defeat most purposes of encrypting in the first place.