encfs
Encrypt/Decrypt a directory using a FUSE filesystem
TLDR
Initialize or mount an encrypted filesystem
Initialize an encrypted filesystem with standard settings
Run encfs in the foreground instead of spawning a daemon
Mount an encrypted snapshot of a plain directory
SYNOPSIS
encfs [options] cipherdir mountpoint
PARAMETERS
cipherdir
The directory where the encrypted files are stored.
mountpoint
The directory where the decrypted view of the files will be available. This must exist. The current user must have write access for the directory to mount correctly.
-v, --verbose
Enable verbose output.
--standard
Run in standard mode.
--expert
Run in expert mode, providing more configuration options.
--public
Enables public mode, allowing any user to access the decrypted data once mounted with the correct password.
--anyinvoke
Allow non-root users to mount, even if /etc/fuse.conf does not allow this globally.
--idle-timeout=seconds
Set an idle timeout in seconds. encfs will unmount after this amount of idle time has passed.
--extpass=command
Use an external command to obtain the password.
--nosuid
Disable set-user-identifier or set-group-identifier bits. This is often useful on systems where fuse mounts are disallowed by default.
DESCRIPTION
encfs creates an encrypted virtual filesystem. It operates in user space, requiring no root privileges. Data is stored encrypted, using a directory containing encrypted files (the 'cipherdir'), while encfs presents a decrypted view of the data to the user through another directory (the 'mountpoint'). Files are only decrypted when accessed through the mountpoint. When the filesystem is unmounted, the mountpoint directory appears empty and the encrypted data remains safely stored in the cipherdir. encfs uses a per-directory configuration file (.encfs6.xml) in the cipherdir to store the encryption settings, making each encrypted directory self-contained. The first time encfs is used with a directory, it prompts for encryption preferences; after that, it operates silently. It is a convenient way to protect sensitive data by creating a secure storage space within your existing filesystem.
CAVEATS
encfs is considered less secure than other encryption methods, because it reveals metadata (filename lengths, directory structure, etc.). It has known security vulnerabilities. It is best practice to use full disk encryption when possible. Be very careful when relying on encfs for highly sensitive data. Ensure you understand the security implications before using it.
MOUNTING AND UNMOUNTING
To mount an encfs volume, use the command: encfs cipherdir mountpoint. To unmount, use fusermount -u mountpoint or umount mountpoint.
CONFIGURATION FILE
The encryption configuration is stored in a file named .encfs6.xml located in the cipherdir. Modifying this file directly can corrupt the encrypted data, so avoid manual changes.
SECURITY CONSIDERATIONS
Always use a strong password. Avoid storing the password in plain text. Be aware that encfs reveals metadata about the encrypted files, such as file size and directory structure.
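The metadata exposure described under CAVEATS and above can be measured on your own cipherdir before you sync or back it up somewhere less trusted. The Python script below is an added example, not part of encfs or of the original page; it reports what is readable in a cipherdir without the password. Assumptions: the sample cipherdir is constructed (fake names, random bytes), and the name-length estimate assumes 6 bits per encoded character plus a 2-byte checksum.

```python
import os
import tempfile
from pathlib import Path

CONFIG_NAME = ".encfs6.xml"   # per-directory config file named on this page
NAME_CHECKSUM_BYTES = 2       # assumption: checksum carried in each encoded name


def estimated_name_bytes(encoded_name):
    """Upper bound on plaintext name length, assuming 6 bits per encoded char."""
    return max(len(encoded_name) * 6 // 8 - NAME_CHECKSUM_BYTES, 0)


def observable_metadata(cipherdir):
    """Collect what is visible in cipherdir without knowing the password."""
    root = Path(cipherdir)
    report = {"has_config": (root / CONFIG_NAME).is_file(), "dirs": 0, "files": []}
    for current, dirnames, filenames in os.walk(root):
        report["dirs"] += len(dirnames)          # tree shape is not hidden
        depth = len(Path(current).relative_to(root).parts)
        for name in filenames:
            if depth == 0 and name == CONFIG_NAME:
                continue                          # config, not user data
            path = Path(current) / name
            report["files"].append({
                "depth": depth,
                "ciphertext_bytes": path.stat().st_size,  # tracks plaintext size
                "encoded_name_chars": len(name),
                "name_bytes_upper_bound": estimated_name_bytes(name),
            })
    report["files"].sort(key=lambda f: (f["depth"], -f["ciphertext_bytes"]))
    return report


def build_constructed_cipherdir(base):
    """Constructed sample only: fake encoded names, random content."""
    root = Path(base) / "cipherdir"
    (root / "Xq3,dL0aPz-kW1").mkdir(parents=True)
    (root / CONFIG_NAME).write_text("constructed placeholder")
    (root / "aB3dE6gH9jK2").write_bytes(os.urandom(4104))
    (root / "Xq3,dL0aPz-kW1" / "mN5pQ8sT1vW4yZ7bC0eF3hJ6").write_bytes(os.urandom(20))
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = observable_metadata(build_constructed_cipherdir(tmp))
        print("config present:", report["has_config"], "| subdirectories:", report["dirs"])
        for entry in report["files"]:
            print(entry)
```

To audit a real volume, call observable_metadata() on the cipherdir path while it is unmounted; nothing is decrypted or modified.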
HISTORY
encfs was created to provide a convenient user-space encryption solution. It gained popularity for its ease of use and ability to encrypt individual directories without requiring root privileges or modifications to the kernel. Over time, its security weaknesses became more apparent, and other solutions like full disk encryption (LUKS) and secure containers have become more widely recommended for stronger security. Development has slowed and security audits highlight potential vulnerabilities that users must consider.