by Alexander Todorov
This article is a step-by-step guide to using two passwords with EncFS. The primary password is required and may be used to secure all data; the secondary password is optional and may be stored on USB stick or other removable media and used to secure more sensitive data. EncFS can also be combined with block device encryption for maximum security. Block device encryption is described in a previous article by Michael Petullo, Disk encryption in Fedora: Past, present, and future.
Table of Contents
Before we continue with the details, here are some real-world examples of why this kind of encryption is useful.
1. Protection relative to the sensitivity of the data. John Doe uses EncFS to store some important personal information on his laptop. He uses a secondary password to store corporate information when working from home. Both set of files are stored in the same encrypted directory. Usually personal passwords are easy to guess if you have information about the person. If personal password (e.g his dog’s name) is compromised corporate data is still protected. An attacker will need more time to guess the second password. This will give the company time to take any actions as necessary and maybe the attacker will be arrested by the police during that time.
2. Protect your portable devices. John Doe is a sales agent. He is using EncFS to protect data on his laptop. This includes day-to-day activities like e-mails, meeting appointments, todo list, etc. He is using secondary password stored on USB stick to protect confidential information. This includes upcoming contract details, company financial information, plans for future products. His laptop is stolen and personal password is guessed using dictionary attacks. John Doe did not pick up a strong password. Corporate data is still safe. The USB stick was not stolen.
3. Two levels of security hide data more effectively. Do you remember the story of Kevin Mitnick? John Doe is a wanna-be hacker. He is paranoid and is using encryption to protect all the data on his computer. He is using a secondary password to protect sensitive information about the machines he cracked a month ago. He is arrested by the police and the primary password is compromised because he gives it up. All the data on the computer that is decrypted is examined. Some files did not decrypt and were silently ignored. All charges are dropped because of lack of evidence. John Doe got lucky this time. Think twice next time before doing something illegal.
Q: What is EncFS?
A: EncFS provides an encrypted filesystem in user-space. EncFS provides security against offline attacks like a stolen notebook. Visit EncFS’ home page for more details.
Q: How does EncFS work?
A: EncFS works on files and directories, not an entire block device. This means that it does not encrypt your hard drive. It modifies file names and contents. The data is stored on the underlying filesystem and metadata is preserved. File attributes such as ownership, modification date and permission bits are not encrypted and are visible to anybody. EncFS is acting like a translator between the user and the filesystem, encrypting and decrypting on the fly.
Q: What are EncFS benefits?
- EncFS is easy to use and requires no special setup. A local user has to be in the ‘fuse’ group to use EncFS. It does not require ‘root’ privileges.
- EncFS makes it easy to perform backups while it is not mounted. You can use ‘rsync’ or any other tool that you would use on an ext3 filesystem.
- EncFS can be used with secondary passwords. This could be used to store a separate set of files on the same encrypted filesystem. EncFS ignores files which do not decode properly, so files created with separate passwords will only be visible when the filesystem is mounted with the associated password. Read the man page for details on how this is implemented.
- There is the option to read passwords from an external program or stdin (standard input). This option combined with custom scripting makes EncFS very flexible.
- By default, all FUSE based filesystems are visible only to the user who mounted them. No other users (including root) can view the filesystem contents. For other users it will appear like this:
ls -l /home/jdoe drwxr-xr-x 4 jdoe jdoe 4096 2007-05-18 22:00 encrypted ?--------- ? ? ? ? ? plain
Installation is very simple. Follow the steps below.
Install fuse-encfs from Fedora Extras:
yum install fuse-encfs
You should see something like this (on an x86_64 system):
============================================================================= Package Arch Version Repository Size ============================================================================= Installing: fuse-encfs x86_64 1.3.2-1.fc7 development 278 k fuse-encfs i386 1.3.2-1.fc7 development 276 k Installing for dependencies: fuse x86_64 2.6.3-2.fc7 development 77 k fuse-libs x86_64 2.6.3-2.fc7 development 56 k fuse-libs i386 2.6.3-2.fc7 development 57 k rlog x86_64 1.3.7-3.fc6 development 36 k rlog i386 1.3.7-3.fc6 development 35 k Transaction Summary ============================================================================= Install 7 Package(s) Update 0 Package(s) Remove 0 Package(s)
Load the FUSE module:
And, finally, add any users that will use EncFS to group ‘fuse’:
usermod -Gfuse jdoe
Using EncFS does not differ from using any other filesystem. The only thing you need to do is to mount it somewhere and start creating files and directories under the mount point.
Create working directories:
mkdir -p ~/encrypted ~/plain
plain/– looks like a normal directory. All files stored here look like normal files for the user who mounted this directory with EncFS. This acts like a virtual directory performing encryption and decryption.
encrypted/– looks garbled. The actual data is stored here and is encrypted.
Now you can mount the new EncFS volume for the first time. This assumes a default configuration:
encfs /home/jdoe/encrypted /home/jdoe/plain Creating new encrypted volume. Please choose from one of the following options: enter "x" for expert configuration mode, enter "p" for pre-configured paranoia mode, anything else, or an empty line will select standard mode. ?> press Enter Standard configuration selected. Configuration finished. The filesystem to be created has the following properties: Filesystem cipher: "ssl/blowfish", version 2:1:1 Filename encoding: "nameio/block", version 3:0:1 Key Size: 160 bits Block Size: 512 bytes Each file contains 8 byte header with unique IV data. Filenames encoded using IV chaining mode. Now you will need to enter a password for your filesystem. You will need to remember this password, as there is absolutely no recovery mechanism. However, the password can be changed later using encfsctl. New Encfs Password: password-one Verify Encfs Password: password-one
Create a file:
echo "some content" > ~/plain/file.one
Check contents in
ls -la ~/plain/ drwxr-xr-x 2 jdoe jdoe 4096 2007-05-15 20:26 . drwxr-xr-x 4 jdoe jdoe 4096 2007-05-15 20:25 .. -rw-r--r-- 1 jdoe jdoe 14 2007-05-15 20:26 file.one cat ~/plain/file.one some contents
Check what’s in
ls -la ~/encrypted/ drwxr-xr-x 2 jdoe jdoe 4096 2007-05-15 20:26 . drwxr-xr-x 4 jdoe jdoe 4096 2007-05-15 20:25 .. -rw-r--r-- 1 jdoe jdoe 22 2007-05-15 20:26 2JkbGxSVzUCZoj9ggUxT9Sou -rw-r----- 1 jdoe jdoe 224 2007-05-15 20:25 .encfs5
.encfs5is a special file. When performing backups or restoring data, make sure to keep this file. If you loose it, you may not be able to recover your data.
Inspect the contents of encrypted file:
cat ~/encrypted/2JkbGxSVzUCZoj9ggUxT9Sou garbled output follows...
Unmount the filesystem and mount it again with another password:
fusermount -u ~/plain/ encfs --anykey /home/jdoe/encrypted /home/jdoe/plain EncFS Password: password-two
--anykeyoption to allow secondary passwords.
plain/ again. The directory is empty. Previous files were not decoded with the new password.
ls -la ~/plain/ drwxr-xr-x 2 jdoe jdoe 4096 2007-05-15 20:31 . drwxr-xr-x 4 jdoe jdoe 4096 2007-05-15 20:25 ..
Now create another file that will be in “hidden” mode:
echo "hidden contents" > ~/plain/file.two
Check again what’s in
encrypted/. Both files are stored in the same directory:
ls -la ~/encrypted/ drwxr-xr-x 2 jdoe jdoe 4096 2007-05-15 20:32 . drwxr-xr-x 4 jdoe jdoe 4096 2007-05-15 20:25 .. -rw-r--r-- 1 jdoe jdoe 22 2007-05-15 20:26 2JkbGxSVzUCZoj9ggUxT9Sou -rw-r--r-- 1 jdoe jdoe 24 2007-05-15 20:32 m4d,sy2mG81SVfKw6278SBJBi -rw-r----- 1 jdoe jdoe 224 2007-05-15 20:25 .encfs5
Unmount and mount again using the first password:
fusermount -u ~/plain/ encfs --anykey /home/jdoe/encrypted /home/jdoe/plain EncFS Password: password-one
Inspect the contents of
plain/ again. The second file was not decoded properly and is not shown:
ls -la ~/plain/ drwxr-xr-x 2 jdoe jdoe 4096 2007-05-15 20:32 . drwxr-xr-x 4 jdoe jdoe 4096 2007-05-15 20:25 .. -rw-r--r-- 1 jdoe jdoe 14 2007-05-15 20:26 file.one
Tips and tricks
Here’s a few best practice tips for using EncFS:
- For the primary password, choose a strong password containing lowercase and capital letters, numbers, and punctuation marks. Make it easy to remember but hard to guess. Do not use your dog’s name, date of birth, or phone number.
- The secondary password may conform to the rules for primary one or it may be randomly generated. The following command will generate a 4096-bit random password:
dd if=/dev/urandom of=/path/to/password bs=1 count=512
- Store secondary passwords on removable media–a USB stick for example. Keep the physical media in secure place. Never leave media unattended.
- It may be hard to detect that you use two passwords because encrypted files are stored in the same folder. If you have a large number of files encrypted with your primary password and only a few files encrypted with the secondary one, it is very likely that your secondary files may go unnoticed.
- Using multiple passwords may be very frustrating for somebody examining your system. They will probably give up. Keep in mind that using multiple passwords is not easy and you may forget them. Keep in mind that the chances of restoring your data if this happens are almost zero.
- For paranoid set-up, you may combine EncFS with some popular disk encryption tool such as “cryptsetup”. This should be enough secure for (just about) everyone.
- Using encrypted filesystems is risky. Your filesystem becomes even more fragile than before. Perform regular backups just in case.
You have just learned how to use encryption to protect your data. It’s easy, simple, and requires no root privileges. It works without any special setup, and decreases the chance that you will damage your hard drive or accidently break your computer. There is also a nice graphical application for using EncFS with KDE called K-EncFS.