Encrypting Files Using EncFS

Whether you're a business with sensitive client information to protect, or whether you just want to stop people looking at your holiday pictures without permission, you probably have something that you should be encrypting!

Full-disk encryption is usually considered to be the most secure option, as it stops people from knowing anything about your files - the number, sizes, etc!  However, if you want to back up your files elsewhere - either to the cloud, or even just to another computer you own - the files are no longer encrypted!  Of course, if the files are transferred through an encrypted connection such as SSH, and stored on an encrypted drive, then it's OK... but especially with cloud backups, this is unlikely.

Therefore we can use per-file encryption.  The two options I know of for Linux are EncFS and EcryptFS.  EcryptFS is regularly maintained, so I tend to use this choice (see here for instructions); however, EncFS has the benefit of a Windows port - which is important for my wife! *DISCLAIMER: I make no assertions as to the security of either EncFS or EcryptFS, nor the options I am just about to provide; I am simply giving instructions as to how I use EncFS*


Linux

Install EncFS using the following (or the appropriate package manager for your distribution):

sudo apt-get install encfs


To create a new "encrypted directory", I use the following (after creating the two directories - "encrypted" and "decrypted"):

encfs "/path/to/encrypted" "/path/to/decrypted"

Then provide the following choices:

Configuration option: p (paranoia)
New Encfs Password: [a randomly generated 64-character password, stored in KeePass]

Now, before I use the directory I prefer to change some of the settings.  I would use the "expert configuration mode", except that it does not provide a way to change the number of iterations used - only by selecting Paranoia can a 3-second target be chosen!

So, to change this, edit the file /path/to/encrypted/.encfs6.xml with a text editor and change the relevant values accordingly (unmount the filesystem first).  For example, I would change:

<externalIVChaining>0</externalIVChaining>
<blockMACBytes>0</blockMACBytes>

Note: Don't change any of this information after you've encrypted any files... if you do so, they may no longer be decryptable!

Anyway, now you're done!  Mount the filesystem again, and any files you create or modify inside "decrypted" will show up inside "encrypted", but with a nonsensical name and unintelligible contents!


In order to mount an existing directory, use:

encfs "/path/to/encrypted" "/path/to/decrypted"

Remember this might take some time, if you've used "paranoia" mode (or if you're mounting the directory on a slower computer!) - once it's mounted, it'll work at the normal speed.


In order to unmount a directory, use:

fusermount -u /path/to/decrypted


Windows (I'm using Win7, but it shouldn't matter)

To install EncFS for Windows, download and install Dokan (version 0.6.0) and then download and extract EncFS4Win.


To create a new "encrypted directory", I use the command line - so I can choose the security parameters.

Open a command window (cmd.exe) and navigate to where you extracted EncFS4Win (e.g. cd C:\Users\Name\encfs4win).

Run (substitute C:\ with the relevant drive letter, and G:\ with a free drive to mount your decrypted files):

encfs.exe C:\path\to\encrypted G:\

and answer the questions; I use:

Configuration option: p (paranoia)
New Encfs Password: [a randomly generated 64-character password, stored in KeePass]

At this point I find that the mount has worked... but it has taken over the command line window.  So press CTRL+C to close EncFS (and unmount the decrypted drive).

Now, before I use the directory I prefer to change some of the settings.  I would use the "expert configuration mode", except that it does not provide a way to change the number of iterations used - only by selecting Paranoia can a 3-second target be chosen!

So, to change this, edit the file C:\path\to\encrypted\.encfs6.xml with a text editor and change the relevant values accordingly.  For example, I would change:

<externalIVChaining>0</externalIVChaining>
<blockMACBytes>0</blockMACBytes>

Note: Don't change any of this information after you've encrypted any files... if you do so, they may no longer be decryptable!
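Since the same .encfs6.xml edit appears in both the Linux and Windows sections, here is one added example (my own script, not part of EncFS or EncFS4Win) that parses that config file and reports what the two changes above switch off. The embedded config is a constructed paranoia-style sample; its key and salt blobs are placeholders, and the script only reads the file, it never writes it.

```python
# Added example: read an EncFS .encfs6.xml and report which of the settings
# edited above are disabled.  SAMPLE is a constructed paranoia-style config
# (AES-256, block MAC on, external IV chaining on); blobs are placeholders.
import xml.etree.ElementTree as ET

SAMPLE = """<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE boost_serialization>
<boost_serialization signature="serialization::archive" version="7">
<cfg class_id="0" tracking_level="0" version="20">
  <version>20100713</version><creator>EncFS 1.7.4</creator>
  <cipherAlg class_id="1" tracking_level="0" version="0">
    <name>ssl/aes</name><major>3</major><minor>0</minor></cipherAlg>
  <nameAlg><name>nameio/block</name><major>3</major><minor>0</minor></nameAlg>
  <keySize>256</keySize><blockSize>1024</blockSize>
  <uniqueIV>1</uniqueIV><chainedNameIV>1</chainedNameIV>
  <externalIVChaining>1</externalIVChaining>
  <blockMACBytes>8</blockMACBytes><blockMACRandBytes>0</blockMACRandBytes>
  <allowHoles>1</allowHoles><encodedKeySize>52</encodedKeySize>
  <encodedKeyData>PLACEHOLDER</encodedKeyData>
  <saltLen>20</saltLen><saltData>PLACEHOLDER</saltData>
  <kdfIterations>250000</kdfIterations>
  <desiredKDFDuration>3000</desiredKDFDuration>
</cfg>
</boost_serialization>"""

INT_FIELDS = ("keySize", "blockSize", "uniqueIV", "chainedNameIV",
              "externalIVChaining", "blockMACBytes", "kdfIterations",
              "desiredKDFDuration")

def parse_config(xml_text):
    """Return the security-relevant <cfg> fields as a dict (ints where numeric)."""
    cfg = ET.fromstring(xml_text).find("cfg")
    out = {"cipher": cfg.findtext("cipherAlg/name"),
           "nameAlg": cfg.findtext("nameAlg/name")}
    for tag in INT_FIELDS:
        out[tag] = int(cfg.findtext(tag))
    return out

def audit(cfg):
    """Describe what is lost when the two values edited above are set to 0."""
    findings = []
    if cfg["blockMACBytes"] == 0:
        findings.append("blockMACBytes=0: no per-block MAC, so corrupted or "
                        "tampered ciphertext blocks are not detected on read")
    if cfg["externalIVChaining"] == 0:
        findings.append("externalIVChaining=0: file IV not tied to the file's "
                        "path, so renamed/moved ciphertext still decrypts")
    return findings

def apply_post_edits(xml_text):
    """Reproduce the edit described above on the sample text: both values to 0."""
    return (xml_text.replace("<externalIVChaining>1<", "<externalIVChaining>0<")
                    .replace("<blockMACBytes>8<", "<blockMACBytes>0<"))

if __name__ == "__main__":
    for label, text in (("paranoia", SAMPLE), ("edited", apply_post_edits(SAMPLE))):
        print(label, audit(parse_config(text)) or ["all checks enabled"])
```

Run it against your own file by replacing SAMPLE with the contents of .encfs6.xml; the "desiredKDFDuration" field is the 3000 ms target that Paranoia mode sets.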

When it's mounted, any files you create or modify inside the "decrypted" drive will show up inside "encrypted", but with a nonsensical name and unintelligible contents!


In order to mount an existing directory, I use the GUI - run encfsw.exe and a key will appear in the tray next to the clock.

Simply right-click on it, and select the encrypted directory you want to mount... type in your password and you're done!


In order to unmount a directory, right-click on the icon again, and select unmount!