Last updated $Date: 2008-05-06 09:19:08 $
Martti Kuparinen <martti.kuparinen@iki.fi>
http://www.iki.fi/kuparine/comp/ubuntu/en/encfs.html
This document describes how I installed EncFS on my Ubuntu laptop and how I use it to encrypt all my work-related, confidential files. With this setup all my confidential files are kept safe even if my laptop gets stolen.
This document has been tested on Ubuntu 8.04 LTS. In addition to the standard EncFS utilities, I have written a small helper script called secdir (secure directory) to start and stop the decryption. Now whenever I need to access my encrypted files I first execute secdir -e, do my work in the ~/private directory and finally stop decryption with secdir -d.
First we need to install the encfs and fuse-utils packages, activate the fuse kernel module and add our user account to the fuse group. Start a terminal (Applications > Accessories > Terminal) and execute the following commands.
# sudo aptitude install encfs fuse-utils
# sudo modprobe fuse
# sudo adduser ${USER} fuse
After performing these commands we should log out and log in again so that the login shell will be part of the fuse group. This should be verified with the id command before going any further.
# id
uid=1000(martti) gid=100(users) groups=4(adm),20(dialout),21(fax),24(cdrom),
25(floppy),26(tape),29(audio),30(dip),44(video),46(plugdev),100(users),
109(lpadmin),111(scanner),114(admin),118(fuse)
Next we need to create two directories, ~/.private and ~/private. As an additional security measure, both these directories should be made accessible only by the user.
# mkdir -p ~/.private ~/private
# chmod 700 ~/.private ~/private
~/private is the directory where the decrypted files will be made available after giving the correct passphrase. This can be seen as a normal filesystem mount, so e.g. the mount and df -h commands show if the decryption is active. The decryption is done at run-time, so the files stored on the hard drive are always encrypted.
~/.private contains the encrypted files and this directory is always visible in the user's home directory. However, as the files, filenames and also directory names are encrypted, all data here is safe even if the computer is stolen. The data is even protected if an online cracker gets access to the PC and the decryption is not active at that time, in other words the ~/private directory is not mounted and is therefore empty.
The final preparatory step is to install the secdir script. This can be done with the following commands.
# cd /tmp
# wget http://www.iki.fi/kuparine/comp/ubuntu/en/secdir
# sudo cp secdir /usr/bin/
# sudo chmod 755 /usr/bin/secdir
All the previously listed installation steps can be seen by executing secdir -g (g = guide). The list of available options is shown by executing secdir -h (h = help).
Before we activate decryption, secdir -l (l = list) does not show anything and the ~/private directory is empty. The ~/.private directory containing the encrypted files seems to have one file (its filename and content are encrypted).
# secdir -l
# ls -al ~/private
total 8K
drwx------  2 martti users 4096 Dec  7 07:34 .
drwx------ 56 martti users 4096 Dec 14 09:23 ..
# ls -al ~/.private
drwx------  4 martti users 4096 Dec 13 20:34 .
drwx------ 56 martti users 4096 Dec 14 09:23 ..
-rw-r-----  1 root   root   239 Dec  7 07:34 .encfs5
-rw-r--r--  1 martti users  832 Dec 13 20:34 xjs,957JlBNvulBGiobTROq4
Next we activate decryption and see that there is one file in the ~/private directory. Judging from the filename it contains some password information. We can read and modify it as any normal file.
# secdir -e
Password: <type your normal login password here to use sudo>
EncFS Password: <this is your encryption passphrase>
encfs                 211G  140G   61G  70% /home/martti/private
# ls -al ~/private
total 8K
drwx------  4 martti users 4096 Dec 13 20:34 .
drwx------ 56 martti users 4096 Dec 14 09:23 ..
-rw-r--r--  1 martti users  808 Dec 13 20:34 PASSWORDS
# cat ~/private/PASSWORDS
Note how the decrypted files are now visible in the mount table. Also note how the disk size and number of free bytes are identical to the /home filesystem. This is very good, as with this approach (EncFS) we don't waste any disk space (compared to having an encrypted partition and using DM-Crypt).
# secdir -l
encfs                 211G  140G   61G  70% /home/martti/private
# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/md0              9.2G  2.8G  6.0G  32% /
varrun                506M  116K  506M   1% /var/run
varlock               506M     0  506M   0% /var/lock
procbususb             10M  164K  9.9M   2% /proc/bus/usb
udev                   10M  164K  9.9M   2% /dev
devshm                506M     0  506M   0% /dev/shm
lrm                   506M   18M  489M   4% /lib/modules/2.6.17-10-generic/volatile
/dev/md2              211G  140G   61G  70% /home
tmpfs                 506M   12K  506M   1% /tmp
encfs                 211G  140G   61G  70% /home/martti/private
Now that we remember what the password for that website is, we should stop decryption to be protected even if someone is able to break into our PC. If you don't care about online intruders you may leave the decryption active.
# secdir -d
# secdir -l
# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/md0              9.2G  2.8G  6.0G  32% /
varrun                506M  116K  506M   1% /var/run
varlock               506M     0  506M   0% /var/lock
procbususb             10M  164K  9.9M   2% /proc/bus/usb
udev                   10M  164K  9.9M   2% /dev
devshm                506M     0  506M   0% /dev/shm
lrm                   506M   18M  489M   4% /lib/modules/2.6.17-10-generic/volatile
/dev/md2              211G  140G   61G  70% /home
tmpfs                 506M   12K  506M   1% /tmp
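An added example (not the author's secdir script and not part of the original page): a small POSIX shell helper that checks what this walkthrough relies on, namely that both directories are mode 700, that ~/private shows up as a FUSE mount only while decryption is active, and that nothing is left in ~/private after unmounting, since files written there while EncFS is not mounted are stored unencrypted. The function names, the use of /proc/mounts and the call to fusermount -u are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the author's secdir script.
ENC_DIR="${ENC_DIR:-$HOME/.private}"   # encrypted store, as on this page
DEC_DIR="${DEC_DIR:-$HOME/private}"    # decrypted view (FUSE mount point)
MOUNTS="${MOUNTS:-/proc/mounts}"       # assumption: Linux mount table

# is_mounted DIR [TABLE]: succeed if DIR is listed as a FUSE mount point.
# Field 2 is the mount point, field 3 the type ("fuse" or "fuse.encfs").
# Paths with spaces appear as \040 in /proc/mounts and will not match.
is_mounted() {
    awk -v mp="$1" '$2 == mp && $3 ~ /^fuse/ { found = 1 }
                    END { exit !found }' "${2:-$MOUNTS}"
}

# private_only DIR: succeed if DIR is a directory with mode 700.
private_only() {
    [ -d "$1" ] && [ "$(stat -c %a "$1")" = "700" ]
}

# lock_state: print "unlocked" or "locked"; warn about loose permissions.
lock_state() {
    for d in "$ENC_DIR" "$DEC_DIR"; do
        private_only "$d" || echo "warning: $d is not mode 700" >&2
    done
    if is_mounted "$DEC_DIR"; then echo unlocked; else echo locked; fi
}

# lock: unmount the decrypted view, then confirm the mount point is empty.
# Returns 1 if the unmount fails, 2 if plaintext files are left behind.
lock() {
    if is_mounted "$DEC_DIR"; then
        fusermount -u "$DEC_DIR" || {
            echo "unmount failed (files still open?)" >&2; return 1; }
    fi
    # Anything still here was written while EncFS was NOT mounted,
    # so it sits on disk unencrypted.
    [ -z "$(ls -A "$DEC_DIR" 2>/dev/null)" ] || {
        echo "plaintext files found in $DEC_DIR" >&2; return 2; }
}
```

Source the file and run lock_state before leaving the laptop unattended; run lock instead of a bare unmount to catch files that were saved into ~/private while it was not mounted.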