
EncryptingFiles encFS

EncFS is a virtual encrypted filesystem that protects files and folders from unauthorized access. As a virtual filesystem, it resides on an existing filesystem and relies on the FUSE kernel module as a user process. Supported filesystems include ext3/4, NFS, and Samba.

Uploaded by

peterpinion9822

Encrypting files and folders with EncFS

Protected

The EncFS virtual filesystem reduces the configuration overhead for data encryption on Linux. By Thilo Uttendorfer

FEATURES: EncFS. APRIL 2014, ISSUE 161, LINUX-MAGAZINE.COM | LINUXPROMAGAZINE.COM

Lead Images: Steve Byland & Mark Dietrich, 123RF.com

AUTHOR
Thilo Uttendorfer is the head of the development department at Linux Information Systems AG in Munich. You can reach him on Twitter @Sengaya.

Encryption is an important precaution that is nonetheless neglected by many users. EncFS offers a simple yet secure method for protecting data against unauthorized access with minimal configuration overhead.

Encryption is like backup: Everyone knows it is important, but any excuse will do not to set it up (yet). EncFS puts an end to excuses: With just one command, a non-root user can set up a directory that stores transparently encrypted data.

EncFS, which is released under the GPL, has been around for 10 years, and it is available for download from the repositories of all the popular distributions. As the name suggests, EncFS [1] is a filesystem but not in the traditional sense that ext4 or XFS are filesystems.

To be more precise, EncFS is a virtual encrypted filesystem that protects files and folders from unauthorized access. As a virtual filesystem, EncFS resides on an existing filesystem and relies on the FUSE (Filesystem in Userspace) kernel module [2] as a user process. These properties offer a number of advantages over other filesystems but also entail some disadvantages.

Benefits
Because EncFS relies on other filesystems to store data, it simply uses whatever you have in place, with no need to configure a particular partition or container for encrypted data [3]. As a result, no space is wasted. EncFS requires only a few bytes for metadata and encryption purposes.

EncFS does not care where data resides. Supported filesystems include ext3/4, NFS, and Samba, so you can also use EncFS in connection with cloud services such as Dropbox, if you wish. And, a backup of EncFS-encrypted data works without additional configuration or special backup software. Because the encrypted data is just a file or a directory on the system, it can be treated just like its unencrypted counterpart in your backup. At the same time, the backed up data is protected against unauthorized access.

From the developer's perspective, a filesystem in userspace is also interesting, in that it is easier to set up than a kernel module, for example.

Additionally, if errors occur in the software, a crash does not take down the whole system. (See the eCryptfs Alternative box for a kernel space implementation.)

Drawbacks
The many benefits of EncFS are offset by some disadvantages, however. For one thing, a filesystem in userspace is usually slower than a kernel module.

Additionally, EncFS does not encrypt the file metadata, so everyone who has access to the encrypted directory can see it. This metadata includes, for example, the number of encrypted files and directories, the associated file permissions, the size of the files, and the approximate length of the file or directory name.

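What this leak looks like from the storage side, as an added example that is not part of the original article: the script walks a ciphertext directory and reports only what is visible without the password. The sample tree, its sizes, and all function names are constructed for illustration.

```python
import os
import stat
import tempfile
from collections import Counter

CONFIG_NAME = ".encfs6.xml"  # EncFS 1.7.x keeps its volume config in the ciphertext root

def observable_metadata(cipher_root):
    """List what anyone who can read the ciphertext tree learns without the password."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(cipher_root):
        for name in dirnames + filenames:
            if dirpath == cipher_root and name == CONFIG_NAME:
                continue
            st = os.lstat(os.path.join(dirpath, name))
            entries.append({
                "kind": "dir" if stat.S_ISDIR(st.st_mode) else "file",
                "name_len": len(name),               # grows with the plaintext name length
                "mode": stat.filemode(st.st_mode),   # permissions are visible
                "size": st.st_size,                  # tracks the plaintext size
            })
    return entries

def summarize(entries):
    files = [e for e in entries if e["kind"] == "file"]
    return {
        "files": len(files),
        "dirs": len(entries) - len(files),
        "total_bytes": sum(e["size"] for e in files),
        "size_histogram": Counter(e["size"] for e in files),
        "name_lengths": sorted({e["name_len"] for e in entries}),
    }

def build_sample_tree(root):
    """Constructed stand-in for ~/.Data-Safe; sizes and the nested names are invented."""
    sub = "sAoE9,o8nOKSayDFyagPoEBl"
    os.makedirs(os.path.join(root, sub))
    samples = {"iyZS5h8HEbjyUjRGJqTHxBOr": 4104, sub + "/Qk3vT1mZr0aLx9PdYw2NnH7u": 4104,
               sub + "/b7Dq-": 58, CONFIG_NAME: 1000}
    for rel, size in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"\0" * size)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(summarize(observable_metadata(tmp)))
```

Two files of identical size stand out in the histogram even though their names and contents are unreadable, which is the kind of inference the unencrypted metadata allows.
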
Encrypted Folders
To create a folder named Data-Safe in your home directory, in which you can save arbitrary files and directories, just type the command:

$ encfs ~/.Data-Safe ~/Data-Safe

Any data you store in ~/Data-Safe is encrypted transparently by the software and deposited in a hidden directory named .Data-Safe.

EncFS runs in interactive mode when creating the encrypted directory (Figure 1). Depending on your personal security needs, you can choose at this point between standard mode, paranoia mode, or expert configuration mode.

In expert mode, you can configure many additional settings, such as the algorithm to be used or the key and block length. If you select the default configuration, EncFS outputs the selected settings and prompts you for a password for the newly created directory (see Figure 2).

Caution: Choosing paranoia mode or enabling certain settings in expert configuration mode means you can no longer use hard links. As a result, applications that use hard links might not work properly. One example of this is the console-based mail client, Mutt.

EncFS does not just encrypt the data but also renames files and directories so that the resulting cryptic names allow no conclusions about the content of the files:

$ ls ~/.Data-Safe/
iyZS5h8HEbjyUjRGJqTHxBOr  sAoE9,o8nOKSayDFyagPoEBl

To mount the data safe, you use the same command as for setting it up initially. To unmount it again, type:

$ fusermount -u ~/Data-Safe/

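Files written to ~/Data-Safe while it is unmounted land in the bare directory as plaintext, so a script that stores data there can first confirm the mount is live. The following is an added example, not from the original article; the function names and the sample mount table are constructed, and it assumes a Linux /proc/mounts in which EncFS mounts carry the type fuse.encfs.

```python
import os
import re

def unescape_field(field):
    # /proc/mounts writes space, tab, newline and backslash as \ooo octal escapes
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def encfs_mount_points(mounts_text):
    """Return every mount point whose filesystem type is fuse.encfs."""
    points = set()
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "fuse.encfs":
            points.add(os.path.normpath(unescape_field(fields[1])))
    return points

def is_unlocked(mount_point, mounts_text=None):
    """True only if mount_point itself is a live EncFS mount."""
    if mounts_text is None:
        with open("/proc/mounts") as fh:  # Linux-specific
            mounts_text = fh.read()
    target = os.path.abspath(os.path.expanduser(mount_point))
    return target in encfs_mount_points(mounts_text)

def write_protected(mount_point, name, data, mounts_text=None):
    """Write data below mount_point, refusing if the EncFS view is not mounted."""
    if not is_unlocked(mount_point, mounts_text):
        raise RuntimeError(f"{mount_point} is not mounted; refusing to store plaintext")
    path = os.path.join(os.path.expanduser(mount_point), name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path

# Constructed /proc/mounts excerpt (not captured from a real system)
SAMPLE_MOUNTS = (
    "/dev/sda2 /home ext4 rw,relatime 0 0\n"
    "encfs /home/alice/Data-Safe fuse.encfs rw,nosuid,nodev,relatime,user_id=1000 0 0\n"
    "encfs /home/alice/Cloud\\040Safe fuse.encfs rw,nosuid,nodev,relatime 0 0\n"
)

if __name__ == "__main__":
    for candidate in ("/home/alice/Data-Safe", "/home/alice/Cloud Safe", "/home/alice/Other"):
        print(candidate, is_unlocked(candidate, SAMPLE_MOUNTS))
```
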
The encfsctl command-line program lets you handle administrative tasks. Among other things, you can output information about an EncFS-encrypted folder or change the password. Such a password change does not mean EncFS encrypts all the data again in a resource-intensive process: EncFS does not use the password as the key during the initial setup. Instead, it generates a volume key. Your password is used only to encrypt the volume key. EncFS encrypts all the other data with the volume key, which does not change even with a new password.

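How a password change can leave the stored data untouched, as an added sketch that is not EncFS's own code: the volume key is wrapped under a password-derived key, and changing the password re-wraps only that key. The HMAC-based toy cipher, the PBKDF2 parameters, and all function names are assumptions of this example that stand in for EncFS's real primitives.

```python
import hashlib
import hmac
import secrets

def stream_xor(key, nonce, data):
    """Toy stream cipher (HMAC-SHA256 in counter mode), a stand-in for the real cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def password_keys(password, salt):
    """Stretch the password into separate encryption and MAC keys (PBKDF2 assumed here)."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return raw[:32], raw[32:]

def wrap_volume_key(volume_key, password):
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = password_keys(password, salt)
    wrapped = stream_xor(enc_key, nonce, volume_key)
    tag = hmac.new(mac_key, nonce + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "wrapped": wrapped, "tag": tag}

def unwrap_volume_key(config, password):
    enc_key, mac_key = password_keys(password, config["salt"])
    tag = hmac.new(mac_key, config["nonce"] + config["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, config["tag"]):
        raise ValueError("wrong password or damaged config")
    return stream_xor(enc_key, config["nonce"], config["wrapped"])

def change_password(config, old_password, new_password):
    """Re-wrap the unchanged volume key; no file data is read or rewritten."""
    return wrap_volume_key(unwrap_volume_key(config, old_password), new_password)

def demo():
    volume_key = secrets.token_bytes(32)  # generated once, at volume creation
    config = wrap_volume_key(volume_key, "old passphrase")
    file_nonce = secrets.token_bytes(16)
    stored = stream_xor(volume_key, file_nonce, b"constructed sample file contents")
    config = change_password(config, "old passphrase", "new passphrase")
    recovered = unwrap_volume_key(config, "new passphrase")
    return stream_xor(recovered, file_nonce, stored)  # the old ciphertext still decrypts

if __name__ == "__main__":
    print(demo())
```

The same design means that someone who obtained the volume key under the old password can still decrypt the data after a password change, because the data key itself never rotates.
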
Unmaintained?
The EncFS version 1.7.4 available with all the major distributions is now more than three years old. Although no newer versions have been released, maintainer Valient Gough does continuously update the source code of EncFS in the Subversion repository [5]. When asked, Gough confirmed the arrival of a new 1.7.5 version of EncFS soon, but it will only contain minor bugfixes and, particularly for Linux users, introduce hardly noticeable changes.

In the meantime, however, work on the next major version is in full swing. EncFS 2.0 will include many improvements under the hood, such as moving the build system to cmake and introducing unit tests. In the future, it also will be possible to use other security back ends besides OpenSSL.

Additional Software
A number of additional programs related to EncFS simplify the task of managing encrypted directories, thanks to a graphical user interface, or better integrate EncFS into the system. For example, Cryptkeeper [6], which is a system tray applet (Figure 3), provides the main functions of EncFS.

The simple KDE application KEncFS [7] can integrate and unmount EncFS directories (Figure 4). However, it does not seem to be under active development currently and thus has been missing from the repositories of almost all distributions for some time. If you still want to use the tool, you will need to compile it from the source code.

Gnome EncFS Manager [8] is another program with a tray applet for managing EncFS under Gnome (Figure 5). This tool also attempts to automate typical processes, such as unmounting EncFS directories on logout.

A tool for PAM (Pluggable Authentication Module), called pam-encfs [9], allows you to mount an EncFS directory automatically at login, saving you the bother of entering a password at the expense of security. The password used to encrypt a directory with EncFS must be the same as the system login password.

A better alternative to pam-encfs exists for Gnome users at least: gnome-encfs [10] stores EncFS passwords in the Gnome keyring and thus (optionally) lets you mount EncFS directories at login.

Future
EncFS is available not only for Linux but for Windows and Mac OS X, too. Thus, it is no trouble to exchange encrypted data across operating system boundaries. You can encrypt, say, your Dropbox folder or a directory on your external hard drive using EncFS and still use it on another platform.

The encfs4win [11] project supports the use of EncFS under Windows. To install the encryption software on Mac OS X, you need the homebrew package manager (brew install encfs). Apple fans also have the option of using EncFSVault [12] to replace the original Apple FileVault.

ECRYPTFS ALTERNATIVE
eCryptfs [4] provides a very similar method to EncFS for encrypting data. The main difference is its implementation in kernel space: eCryptfs thus does not rely on FUSE and potentially works a little faster. Of course, this impairs portability; whereas EncFS is available for Mac OS X and Windows, eCryptfs is currently mainly limited to Linux.

Setting up eCryptfs is just as easy as setting up EncFS on most distributions. Make sure the ecryptfs kernel module is loaded and the ecryptfs-utils package is installed. To set up an encrypted folder, use the command-line program ecryptfs-setup-private. You can also encrypt your complete home directory if needed with eCryptfs.

Additional utilities that convert existing unencrypted directories make it easy to get started with eCryptfs. Users of Ubuntu can stipulate during the install whether to encrypt their home directories fully with eCryptfs.

Figure 1: One command is all it takes to create and mount an encrypted directory in EncFS.
Figure 2: If you select the default settings, the configuration dialog shows a summary of the parameters used.
Figure 3: The Cryptkeeper system tray applet helps you manage EncFS volumes.
Figure 4: Although the KEncFS graphical interface does a good job in principle, it has not been under active development for a long time and is only available as source code.
Figure 5: The Gnome EncFS Manager provides a rich graphical interface for the Gnome desktop.

INFO
[1] EncFS: http://www.arg0.net/encfs/
[2] FUSE: http://fuse.sourceforge.net
[3] Disc encryption comparison: https://wiki.archlinux.org/index.php/Disk_Encryption#Comparison_table
[4] eCryptfs: http://ecryptfs.org
[5] EncFS SVN: http://code.google.com/p/encfs/
[6] Cryptkeeper: http://tom.noflag.org.uk/cryptkeeper.html
[7] KEncFS: http://kde-apps.org/content/show.php/?content=134003
[8] Gnome Encfs Manager: http://www.libertyzero.com/GEncfsM/
[9] pam-encfs: https://code.google.com/p/pam-encfs/
[10] gnome-encfs: https://bitbucket.org/obensonne/gnome-encfs/
[11] encfs4win: http://members.ferrara.linux.it/freddy77/encfs.html
[12] EncFSVault: http://code.google.com/p/encfsvault/