LinuxCommandLibrary

encfs

Encrypt/Decrypt a directory using a FUSE filesystem

TLDR

Initialize or mount an encrypted filesystem

$ encfs [/path/to/cipher_dir] [/path/to/mount_point]

Initialize an encrypted filesystem with standard settings
$ encfs --standard [/path/to/cipher_dir] [/path/to/mount_point]

Run encfs in the foreground instead of spawning a daemon
$ encfs -f [/path/to/cipher_dir] [/path/to/mount_point]

Mount an encrypted snapshot of a plain directory
$ encfs --reverse [/path/to/plain_dir] [/path/to/cipher_dir]

SYNOPSIS

encfs [options] cipherdir mountpoint

PARAMETERS

cipherdir
    The directory where the encrypted files are stored.

mountpoint
    The directory where the decrypted view of the files will be available. This must exist. The current user must have write access for the directory to mount correctly.

-v, --verbose
    Enable verbose output.

--standard
    Run in standard mode.

--expert
    Run in expert mode, providing more configuration options.

--public
    Enables public mode, allowing any user to access the decrypted data once mounted with the correct password.

--anyinvoke
    Allow non-root users to mount, even if /etc/fuse.conf does not allow this globally.

--idle-timeout=seconds
    Set an idle timeout in seconds. encfs will unmount after this amount of idle time has passed.

--extpass=command
    Use an external command to obtain the password.

--nosuid
    Disable set-user-identifier or set-group-identifier bits. This is often useful on systems where fuse mounts are disallowed by default.

DESCRIPTION

encfs creates an encrypted virtual filesystem. It operates in user space, requiring no root privileges. Data is stored encrypted in a directory of encrypted files (the 'cipherdir'), while encfs presents a decrypted view of the data to the user through another directory (the 'mountpoint'). Files are only decrypted when accessed through the mountpoint. When the filesystem is unmounted, the mountpoint directory appears empty and the encrypted data remains safely stored in the cipherdir.

encfs uses a per-directory configuration file (.encfs6.xml) in the cipherdir to store the encryption settings, making each encrypted directory self-contained. The first time encfs is used with a directory, it prompts for encryption preferences; after that, it operates silently. It is a convenient way to protect sensitive data by creating a secure storage space within your existing filesystem.

CAVEATS

encfs is considered less secure than other encryption methods, because it reveals metadata (filename lengths, directory structure, etc.). It has known security vulnerabilities. It is best practice to use full disk encryption when possible. Be very careful when relying on encfs for highly sensitive data. Ensure you understand the security implications before using it.

MOUNTING AND UNMOUNTING

To mount an encfs volume, use the command: encfs cipherdir mountpoint. To unmount, use fusermount -u mountpoint or umount mountpoint.
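
Because an unmounted mountpoint looks like an ordinary empty directory, anything written there while encfs is not running lands unencrypted on disk. The shell functions below are an added example, not part of encfs or of the original page: they check the mount table before and after `encfs` and `fusermount -u`. The function names and the optional mount-table argument are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not encfs project code. Function names are hypothetical.

# Return 0 if DIR ($1) is listed as an encfs mount. Linux reports encfs with
# filesystem type "fuse.encfs". $2 is an optional mount table in /proc/mounts
# format (an assumption made here so the check can be tested offline).
is_encfs_mounted() {
    _target=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    while read -r _dev _mp _type _rest; do
        _mp=$(printf '%b' "$_mp")   # decode octal escapes such as \040 (space)
        [ "$_type" = "fuse.encfs" ] && [ "$_mp" = "$_target" ] && return 0
    done < "${2:-/proc/mounts}"
    return 1
}

# Pre-mount checks from the PARAMETERS text: mountpoint exists and is writable.
# Prints the result; a non-zero return means do not mount.
preflight() {
    _cipher=$1; _mnt=$2
    [ -d "$_cipher" ] || { echo "cipherdir missing"; return 1; }
    [ -d "$_mnt" ] || { echo "mountpoint missing"; return 2; }
    [ -w "$_mnt" ] || { echo "mountpoint not writable"; return 3; }
    if is_encfs_mounted "$_mnt" "${3:-}"; then echo "already mounted"; return 4; fi
    # Files already in an unmounted mountpoint are plaintext on the host disk;
    # mounting over them hides them, it does not encrypt them.
    [ -z "$(ls -A "$_mnt")" ] || { echo "mountpoint not empty"; return 5; }
    [ -f "$_cipher/.encfs6.xml" ] || echo "no .encfs6.xml: encfs will prompt for settings"
    echo ok
}

# Mount, then confirm the mount took before any sensitive data is written.
mount_checked() {
    preflight "$1" "$2" >&2 || return 1
    encfs "$1" "$2" || return 1
    is_encfs_mounted "$2" || { echo "$2 is not an encfs mount" >&2; return 1; }
}

# Unmount as described above and confirm the decrypted view is gone.
unmount_checked() {
    fusermount -u "$1" && ! is_encfs_mounted "$1"
}
```

Scripts that write secrets into the mountpoint can call `is_encfs_mounted` first and abort when it returns non-zero.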

CONFIGURATION FILE

The encryption configuration is stored in a file named .encfs6.xml located in the cipherdir. Modifying this file directly can corrupt the encrypted data, so avoid manual changes.

SECURITY CONSIDERATIONS

Always use a strong password. Avoid storing the password in plain text. Be aware that encfs reveals metadata about the encrypted files, such as file size and directory structure.

HISTORY

encfs was created to provide a convenient user-space encryption solution. It gained popularity for its ease of use and ability to encrypt individual directories without requiring root privileges or modifications to the kernel. Over time, its security weaknesses became more apparent, and other solutions like full disk encryption (LUKS) and secure containers have become more widely recommended for stronger security. Development has slowed and security audits highlight potential vulnerabilities that users must consider.

SEE ALSO

openssl(1), gpg(1), fuse(8)
