18 April 2013

391. encfs on debian testing

Truecrypt is nice and all, but the way it's managed is a bit un-linux-like. It is open source, but it isn't completely clear who the maintainers are, and while the source code is probably safe to use, most people run the pre-built binaries -- and just because a project is open source doesn't mean that the binaries were built from that source. I'm happy with truecrypt, but if we're going to be paranoid, we might as well go all the way. It would also be nice to have an encryption tool that can be installed from the repos, as a binary built by a trusted party (i.e. the debian maintainers).

Note that truecrypt wins hands down on features -- as always, pick the tool that does the job.

encfs is a well-established encryption tool for linux systems and is available in most distro repos -- it encrypts individual files rather than a whole volume, and while it lacks many of truecrypt's options, it is well suited to encrypting directory trees.

Installation
sudo apt-get install encfs

Yes, that's it. If you're having issues, make sure that fuse is installed and that you belong to the group fuse (to add yourself, run sudo usermod -a -G fuse $USER; to check, run cat /etc/group | grep fuse). The new group membership only takes effect after you log in again.

Set-up
Set-up is equally easy.
encfs ~/.secret ~/encrypted
The directory "/home/me/encrypted" does not exist. Should it be created? (y,n) Y
Creating new encrypted volume.
Please choose from one of the following options:
 enter "x" for expert configuration mode,
 enter "p" for pre-configured paranoia mode,
 anything else, or an empty line will select standard mode.
?>

Standard configuration selected.

Configuration finished. The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 3:0:2
Filename encoding: "nameio/block", version 3:0:1
Key Size: 192 bits
Block Size: 1024 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File holes passed through to ciphertext.

Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism. However, the password can be changed
later using encfsctl.

New Encfs Password:
Verify Encfs Password:

At the end of this, ~/encrypted is mounted and ready to use.

How it works:
A (to me) nice way of illustrating how it works is the following:
ls ~/encrypted/ -lah
total 24K
drwxr-xr-x   2 me me 4.0K Apr 18 14:29 .
drwxr-xr-x 212 me me  20K Apr 18 14:29 ..

ls ~/.secret/ -lah
total 32K
drwxr-xr-x   2 me me 4.0K Apr 18 14:29 .
drwxr-xr-x 212 me me  20K Apr 18 14:29 ..
-rw-r--r--   1 me me 1.1K Apr 18 14:29 .encfs6.xml
-rw-r--r--   1 me me  411 Nov 14  2011 .passwd.gpg

touch ~/encrypted/test
ls ~/encrypted/ -lah
total 24K
drwxr-xr-x   2 me me 4.0K Apr 18 14:32 .
drwxr-xr-x 212 me me  20K Apr 18 14:29 ..
-rw-r--r--   1 me me    0 Apr 18 14:32 test

ls ~/.secret/ -lah
total 32K
drwxr-xr-x   2 me me 4.0K Apr 18 14:32 .
drwxr-xr-x 212 me me  20K Apr 18 14:29 ..
-rw-r--r--   1 me me 1.1K Apr 18 14:29 .encfs6.xml
-rw-r--r--   1 me me    0 Apr 18 14:32 IfSGAzSkFsuN2A,SpPmnKSYu
-rw-r--r--   1 me me  411 Nov 14  2011 .passwd.gpg

df -h
encfs 734G 525G 172G 76% /home/me/encrypted

In other words, anything that is put into ~/encrypted ends up as an encrypted file in ~/.secret. As the listing shows, the file name is encrypted too, but the file's size (0 bytes here) and its timestamps remain visible in ~/.secret. It's a little bit different from truecrypt, which uses a filesystem container -- this is more similar to encrypting each file with gpg/pgp, just with a good way of managing it from a filesystem point of view.

Also, this means that you don't have to dedicate a certain amount of space to the encrypted file system as you would have to with truecrypt.

Anyway, unmount ~/encrypted and no-one will have access to the decrypted forms of the files.
sudo umount ~/encrypted

To mount it again, just do
encfs ~/.secret ~/encrypted

You can mount it on a different directory if you like; the mount point doesn't have to be the one you used when the volume was created.
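The mount, unmount and "how it works" steps above lend themselves to a small wrapper script. The one below is an added example, not part of the original post or of the encfs project: it refuses to mount twice or to mount a directory that lacks the .encfs6.xml configuration, unmounts with fusermount -u (which, unlike umount, needs no sudo for a FUSE mount you created yourself), and checks the backing directory for names that encfs could not have produced. The mount check relies on the mount type appearing as fuse.encfs in /proc/mounts; the name check relies on encfs's block name encoding using only letters, digits, comma and hyphen (as the sample name IfSGAzSkFsuN2A,SpPmnKSYu above illustrates). Function names and the mount/umount/check command words are my own; encfs and fusermount are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the post): wrapper around the encfs workflow described above.
# Assumes encfs and fusermount (from the fuse package) are installed. Paths are
# parameters, e.g. mount_volume ~/.secret ~/encrypted. Function names are my own.

# Succeed (exit 0) if MOUNTPOINT is currently mounted as a FUSE encfs filesystem.
# Reads /proc/mounts by default; the optional second argument lets you point it
# at a saved copy of that file instead.
is_encfs_mounted() {
    mp=$1
    mounts=${2:-/proc/mounts}
    awk -v mp="$mp" '$2 == mp && $3 == "fuse.encfs" { found = 1 } END { exit !found }' "$mounts"
}

# Mount BACKING on MOUNTPOINT, refusing if it is already mounted or if BACKING
# does not contain the .encfs6.xml configuration that marks an encfs volume.
mount_volume() {
    backing=$1
    mp=$2
    if is_encfs_mounted "$mp"; then
        echo "$mp is already mounted" >&2
        return 1
    fi
    if [ ! -f "$backing/.encfs6.xml" ]; then
        echo "$backing is not an encfs volume (no .encfs6.xml)" >&2
        return 1
    fi
    mkdir -p "$mp"
    encfs "$backing" "$mp"
}

# Unmount with fusermount -u, which works without sudo for a FUSE mount you created.
unmount_volume() {
    mp=$1
    if ! is_encfs_mounted "$mp"; then
        echo "$mp is not mounted" >&2
        return 1
    fi
    fusermount -u "$mp"
}

# encfs stores ciphertext under names drawn from a base64-like alphabet of
# letters, digits, comma and hyphen. Any other name in the backing directory,
# apart from .encfs6.xml itself, was not written through the mount point and is
# therefore sitting there in plaintext. Prints each such name; returns 1 if any.
find_plaintext_names() {
    backing=$1
    status=0
    for entry in "$backing"/* "$backing"/.*; do
        name=${entry##*/}
        case $name in
            .|..|.encfs6.xml) continue ;;
        esac
        [ -e "$entry" ] || continue    # unmatched glob pattern, not a real file
        case $name in
            *[!A-Za-z0-9,-]*)
                echo "plaintext name in backing dir: $name"
                status=1 ;;
        esac
    done
    return $status
}

# Command-line dispatch: mount BACKING MOUNTPOINT | umount MOUNTPOINT | check BACKING.
# Does nothing when the file is sourced without arguments.
case ${1:-} in
    mount)  mount_volume "$2" "$3" ;;
    umount) unmount_volume "$2" ;;
    check)  find_plaintext_names "$2" ;;
esac
```

Run against the ~/.secret listing above, the check would flag .passwd.gpg: it sits in the backing directory under its real name, so it is not managed by encfs and its name is visible to anyone who can read ~/.secret. That is the mistake the check is there to catch, namely writing into the backing directory instead of the mount point.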

It is also possible to mount automatically on boot, but this would defeat most purposes of encrypting in the first place.
