Encrypting Home Directories with EncFS

Before I go into how to do this, I’d like to take a moment to explain how encfs works in slightly simpler terms than are detailed on the encfs introduction page. Originally, I was going to write my own explanation, but the Wikipedia article on this explains it so much better than I did (I just erased several paragraphs after reading the Wikipedia article).

EncFS is a Free (GPL) FUSE-based cryptographic filesystem that transparently encrypts files, using an arbitrary directory as storage for the encrypted files.

Two directories are involved in mounting an EncFS filesystem: the source directory, and the mountpoint. Each file in the mountpoint has a specific file in the source directory that corresponds to it. The file in the mountpoint provides the unencrypted view of the one in the source directory. Filenames are encrypted in the source directory. Files are encrypted using a volume key, which is stored encrypted in the source directory. A password is used to decrypt this key."

Wow. How was that for an explanation? I love Wikipedia.

Now that that is out of the way, let’s get on to business…

To start things off, we have to create our two directories, the source directory and the mountpoint directory. Both should be owned by the user using the encrypted data.

mkdir /home/.user && chown -R user:user /home/.user
mkdir /home/user && chown -R user:user /home/user

.user is the encrypted data. You don’t ever write data to this directory. EncFS handles this for you. user is the decrypted data/the mountpoint. You ONLY write data here. When you write data here, it shows up in .user as encrypted data.

encfs /home/.user /home/user

This will mount /home/.user at the mountpoint /home/user. Without getting too specific, what happens is when data is written to /home/user, the data goes through EncFS which encrypts that data before writing it to /home/.user/. When data is read from /home/user/, the request goes through EncFS, which grabs the encrypted version of the file from /home/.user/ and temporarily decrypts it in RAM for your use. Ah the beauty of the seamless Linux mounting paradigm (that’s para-dig-um, not paradigm).

Since we are encrypting an entire home directory, we need to use a nonempty parameter for Fuse since the home directory will always contain something like \.bash_history from a command line login, or .local from a GUI login. Here’s our final command.

encfs -o nonempty /home/.user /home/user

And with that, you have an entirely encrypted home directory.

On a final note, be sure you keep the file located at /home/.user/.encfs6.xml backed up. That file contains all the data that EncFS needs to use your encrypted data. Without this, retreiving your data will be a lot more difficult.

Category:Linux Category:Encryption