LinuxCommandLibrary

encfs

Encrypt/Decrypt a directory using a FUSE filesystem

TLDR

Initialize or mount an encrypted filesystem
$ encfs /[path/to/cipher_dir] /[path/to/mount_point]

Initialize an encrypted filesystem with standard settings
$ encfs --standard /[path/to/cipher_dir] /[path/to/mount_point]

Run encfs in the foreground instead of spawning a daemon
$ encfs -f /[path/to/cipher_dir] /[path/to/mount_point]

Mount an encrypted snapshot of a plain directory
$ encfs --reverse [path/to/plain_dir] [path/to/cipher_dir]

SYNOPSIS

encfs [options] <encrypted_directory> <mount_point>
encfs --unmount <mount_point>
encfs --check <encrypted_directory>
encfs --change-password <encrypted_directory>
encfs --init [options] <encrypted_directory> <mount_point>

PARAMETERS

<encrypted_directory>
    The directory containing the encrypted files and the encfs configuration file.

<mount_point>
    The directory where the decrypted files will be accessible.

-s, --standard
    Use standard (recommended) encryption configuration during initialization.

-v, --verbose
    Enable verbose output for debugging purposes.

-f, --foreground
    Run the encfs process in the foreground instead of daemonizing.

-D, --extpass
    Read the password from an external program instead of the console.

--idle=MINUTES
    Unmount the filesystem automatically after the specified minutes of inactivity.

--reverse
    Run encfs in reverse mode, decrypting files from the mount point into the encrypted directory (useful for encrypting on the fly).

-o FUSE_OPT
    Pass additional FUSE options directly to the underlying FUSE library (e.g., 'ro' for read-only).

--unmount
    Unmount the specified mount_point.

--check
    Check the integrity of the encrypted filesystem in encrypted_directory.

--change-password
    Change the password for the specified encrypted_directory volume.

--init
    Explicitly initialize a new encrypted filesystem. This is often implied if no configuration exists in the encrypted_directory.

DESCRIPTION

encfs is a user-space filesystem that encrypts files and directories. It leverages FUSE (Filesystem in Userspace) to provide a virtual view of encrypted data. When you access files through the encfs mount point, they are transparently decrypted; when you write files, they are transparently encrypted and stored on the underlying filesystem. encfs encrypts both file contents and filenames, providing a layer of privacy for your data.

It's often used for cloud storage synchronization, where data is stored on untrusted servers, or for protecting local sensitive information. It operates on a file-by-file basis, meaning each file is individually encrypted, allowing for partial synchronization and less overhead than full disk encryption. It offers various encryption algorithms and configuration options, allowing users to balance security and performance.

CAVEATS

encfs provides good security against passive observers but has known limitations. It is vulnerable to certain types of attacks, particularly if an attacker can observe changes to the ciphertext over time (e.g., chosen-plaintext attacks, as detailed by security researchers). Metadata like file sizes, directory structure, and modification times are often exposed. It's generally not recommended for scenarios requiring the highest level of security against active, sophisticated adversaries. Performance can also be an issue for very large numbers of small files or intensive I/O operations due to the per-file encryption overhead.

SECURITY CONSIDERATIONS

While encfs encrypts file contents and filenames, it does not hide metadata such as the number of files, directory structure, approximate file sizes, or access/modification timestamps. In certain scenarios, particularly with active attackers who can observe changes to the encrypted filesystem, this metadata leakage can be exploited to deduce information about the plaintext. Users are advised to be aware of these limitations and consider alternatives like cryptsetup (LUKS) or ecryptfs for higher security requirements, especially for full partition or system encryption. encfs is generally suitable for protecting data from passive observation (e.g., lost drives, untrusted cloud storage).

CONFIGURATION FILE

Each encfs volume has a configuration file (.encfs6.xml by default) located within the encrypted_directory. This XML file stores the encryption algorithms, key derivation parameters, and other settings used for the volume. It is critical to keep this file secure and intact: if it is corrupted or lost, the encrypted data is irrecoverable. Do not modify this file manually unless you fully understand the implications.
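The configuration file is also the place to confirm which of the weaknesses described under CAVEATS and SECURITY CONSIDERATIONS apply to a given volume. As an added example (not part of encfs or of this reference), the following Python script reads a volume's .encfs6.xml and reports the cipher and key size, whether per-file and chained filename IVs are enabled, whether blocks carry a MAC (without one, modification of the ciphertext by an active attacker goes undetected), and how many key-derivation iterations protect the password. The element names it looks for (cfg, cipherAlg/name, nameAlg/name, keySize, blockSize, uniqueIV, chainedNameIV, blockMACBytes, kdfIterations) are assumed from the layout of .encfs6.xml files written by encfs 1.x and should be checked against your own volume; the embedded sample configuration is constructed, with placeholder key and salt data, and the audit thresholds are this example's own judgement rather than values taken from encfs.

```python
# Added example, not part of encfs: audit a volume's .encfs6.xml for weak
# settings. Element names are assumed from the layout of .encfs6.xml as
# written by encfs 1.x; check them against a real volume before relying on it.
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample with the shape of a real .encfs6.xml; the key and salt
# fields hold placeholder text rather than real base64 key material.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE boost_serialization>
<boost_serialization signature="serialization::archive" version="7">
<cfg class_id="0" tracking_level="0" version="20">
  <version>20100713</version>
  <creator>EncFS 1.9.5</creator>
  <cipherAlg class_id="1" tracking_level="0" version="0">
    <name>ssl/aes</name><major>3</major><minor>0</minor>
  </cipherAlg>
  <nameAlg><name>nameio/block</name><major>4</major><minor>0</minor></nameAlg>
  <keySize>192</keySize>
  <blockSize>1024</blockSize>
  <uniqueIV>1</uniqueIV>
  <chainedNameIV>1</chainedNameIV>
  <externalIVChaining>0</externalIVChaining>
  <blockMACBytes>0</blockMACBytes>
  <encodedKeyData>PLACEHOLDER-NOT-A-REAL-KEY</encodedKeyData>
  <saltLen>20</saltLen>
  <saltData>PLACEHOLDER-NOT-A-REAL-SALT</saltData>
  <kdfIterations>5000</kdfIterations>
</cfg>
</boost_serialization>
"""


@dataclass
class EncfsConfig:
    cipher: str            # e.g. ssl/aes
    name_alg: str          # nameio/block, nameio/stream, or nameio/null (no filename encryption)
    key_size: int          # bits
    block_size: int        # bytes per encrypted block
    unique_iv: bool        # per-file IV
    chained_name_iv: bool  # filename IV depends on the full path
    block_mac_bytes: int   # 0 means no per-block integrity check
    kdf_iterations: int    # key-derivation rounds applied to the password


def parse_config(xml_text: str) -> EncfsConfig:
    """Parse .encfs6.xml text; a missing element raises ValueError so a
    truncated or hand-edited file is noticed before the volume is trusted."""
    cfg = ET.fromstring(xml_text).find("cfg")
    if cfg is None:
        raise ValueError("no <cfg> element: not an encfs configuration")

    def text(path: str) -> str:
        node = cfg.find(path)
        if node is None or not (node.text or "").strip():
            raise ValueError(f"missing <{path}> in encfs configuration")
        return node.text.strip()

    return EncfsConfig(
        cipher=text("cipherAlg/name"),
        name_alg=text("nameAlg/name"),
        key_size=int(text("keySize")),
        block_size=int(text("blockSize")),
        unique_iv=text("uniqueIV") == "1",
        chained_name_iv=text("chainedNameIV") == "1",
        block_mac_bytes=int(text("blockMACBytes")),
        kdf_iterations=int(text("kdfIterations")),
    )


def audit(cfg: EncfsConfig, min_kdf_iterations: int = 100_000) -> list[str]:
    """Return findings; the thresholds are this example's own judgement."""
    findings = []
    if cfg.name_alg == "nameio/null":
        findings.append("filename encryption is disabled (nameio/null)")
    if cfg.block_mac_bytes == 0:
        findings.append("no per-block MAC: ciphertext tampering is not detected")
    if not cfg.unique_iv:
        findings.append("per-file IV disabled: identical files encrypt identically")
    if not cfg.chained_name_iv:
        findings.append("name IV chaining disabled: equal names encrypt identically")
    if cfg.key_size < 192:
        findings.append(f"key size {cfg.key_size} bits is below 192")
    if cfg.kdf_iterations < min_kdf_iterations:
        findings.append(f"only {cfg.kdf_iterations} KDF iterations protect the password")
    return findings


if __name__ == "__main__":
    # Usage: python3 encfs_audit.py /path/to/cipher_dir/.encfs6.xml
    # With no argument the constructed sample above is audited instead.
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in audit(parse_config(xml_text)) or ["no findings"]:
        print(finding)
```

Run against the sample, the script reports two findings: blocks carry no MAC, and the password is protected by only 5000 KDF iterations. A volume created with --standard settings would normally show the first finding as well, since standard mode does not enable per-block MACs; that is the trade-off between the standard and paranoia presets, and this audit makes it visible rather than leaving it implicit in the XML.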

HISTORY

encfs was created by Louis Bettens and first released in 2005. Its primary motivation was to provide a user-space, cross-platform solution for encrypting filesystems, particularly useful for cloud storage synchronization where data needs to be secured before being uploaded to untrusted services. It gained significant popularity due to its ease of use and file-granularity encryption. While initial versions used less robust encryption configurations, later updates introduced more secure defaults and options. Despite its utility, security audits and research in the 2010s highlighted potential vulnerabilities, leading to recommendations for more robust alternatives in high-security contexts. Development has continued, albeit at a slower pace, focusing on maintenance and minor improvements.

SEE ALSO

cryptsetup(8), ecryptfs(7), mount(8), fusermount(1), gnupg(1)
