LinuxCommandLibrary

encfs

Encrypt/Decrypt a directory using a FUSE filesystem

TLDR

Initialize or mount an encrypted filesystem

$ encfs /[path/to/cipher_directory] /[path/to/mount_point]

Initialize an encrypted filesystem with standard settings
$ encfs --standard /[path/to/cipher_directory] /[path/to/mount_point]

Run encfs in the foreground instead of spawning a daemon
$ encfs -f /[path/to/cipher_directory] /[path/to/mount_point]

Mount an encrypted snapshot of a plain directory
$ encfs --reverse [path/to/plain_directory] [path/to/cipher_directory]

SYNOPSIS

encfs [options] encdir mountpoint

PARAMETERS

-v, --verbose
    Increase verbosity level

-f, --foreground
    Run in foreground (no daemon)

-S, --stdinpass
    Read password from stdin

-P, --stdoutpass
    Write derived key to stdout

--extpass=<PROGRAM>
    Use external program for password

--standard
    Use standard encfs config (stream cipher)

--paranoia
    Paranoid mode: strong filename encryption

--x509
    Use X.509 certificates for auth

--public
    Public mount mode (server)

--ondemand
    Streamable/ondemand mode

--reverse
    Reverse mode: the mount point presents an encrypted view of a plain directory

--idle=<SECONDS>
    Unmount after idle timeout

-C, --check
    Check config and exit

--force
    Allow mountpoint overwrite

--gcrypt
    Use libgcrypt instead of OpenSSL

--help
    Show help

--version
    Show version info

DESCRIPTION

Encfs provides a transparent encrypted filesystem using FUSE on Linux and Unix-like systems.

It operates on two directories: an encrypted cipher directory (stored persistently on disk) and a decrypted mount point (a virtual view). Files written to the mount point are encrypted automatically, stored under encrypted names, and saved into the cipher directory; reading reverses the process transparently.

Key strengths include filename encryption, optional plausible deniability (--paranoia mode hides file sizes and counts), and a streamable mode for partial mounts. No custom kernel module is needed, and it runs as an unprivileged user. Supports block and stream ciphers such as AES.

Initial setup prompts for password and config mode: standard (stream cipher, filename IV chaining), paranoia (stronger filename security), or x509 (certificates). Unmount with fusermount -u.

It is intended primarily for personal secure storage, backups, or portable encrypted volumes. It is not suited to high-performance or enterprise use because of the FUSE overhead.

CAVEATS

Encfs has known security issues: potential metadata leaks, IV reuse risks in stream mode, and filename length/padding attacks. It is not recommended for high-security needs; use gocryptfs or cryptsetup instead. It has been unmaintained since ~2016, the FUSE overhead affects performance, and it requires the FUSE kernel module.

BASIC USAGE

encfs ~/.crypt ~/plain
Enter the password when prompted; anything written to ~/plain is encrypted and stored in ~/.crypt.
Unmount: fusermount -u ~/plain
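The mount and unmount steps above, wrapped in a POSIX shell script, as an added example for this page (not code from the Linux Command Library or the encfs project). It reads the password from stdin with the -S (--stdinpass) option listed under PARAMETERS, so the password never appears in the process argument list, and it checks the two directories before handing them to encfs. The variables ENCFS_BIN and FUSERMOUNT_BIN, which let a caller point at a different binary, are assumptions of this example; the password value in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example for this reference page; not the encfs project's own code.
# Wraps the command lines shown above (encfs CIPHER_DIR MOUNT_POINT and
# fusermount -u MOUNT_POINT) with the checks a script should do first.
# Assumptions: ENCFS_BIN and FUSERMOUNT_BIN locate the binaries (defaults below),
# and the password arrives on stdin via -S, so it is not visible in `ps` output
# the way a password passed on the command line would be.

ENCFS_BIN="${ENCFS_BIN:-encfs}"
FUSERMOUNT_BIN="${FUSERMOUNT_BIN:-fusermount}"

# encfs_check_dirs CIPHER_DIR MOUNT_POINT
# Returns 0 when the pair is safe to mount, 1 (with a reason on stderr) otherwise.
encfs_check_dirs() {
    cipher_dir="$1"
    mount_point="$2"
    if [ -z "$cipher_dir" ] || [ -z "$mount_point" ]; then
        echo "usage: encfs_check_dirs CIPHER_DIR MOUNT_POINT" >&2
        return 1
    fi
    # Scripts and cron jobs often run from an unexpected working directory,
    # where a relative path silently resolves to the wrong place.
    case "$cipher_dir" in /*) ;; *) echo "cipher dir must be absolute: $cipher_dir" >&2; return 1 ;; esac
    case "$mount_point" in /*) ;; *) echo "mount point must be absolute: $mount_point" >&2; return 1 ;; esac
    if [ "$cipher_dir" = "$mount_point" ]; then
        echo "cipher dir and mount point must differ" >&2
        return 1
    fi
    # Nesting one inside the other exposes the plaintext view through the
    # cipher tree, or hides the cipher tree under the mount.
    case "$mount_point/" in "$cipher_dir"/*) echo "mount point is inside cipher dir" >&2; return 1 ;; esac
    case "$cipher_dir/" in "$mount_point"/*) echo "cipher dir is inside mount point" >&2; return 1 ;; esac
    # Mounting over a non-empty directory hides its contents (encfs needs --force
    # for that); refuse rather than mask existing data.
    if [ -d "$mount_point" ] && [ -n "$(ls -A "$mount_point" 2>/dev/null)" ]; then
        echo "mount point is not empty: $mount_point" >&2
        return 1
    fi
    return 0
}

# encfs_mount_stdin CIPHER_DIR MOUNT_POINT   (password on stdin, newline-terminated)
# --standard is only consulted when the cipher directory is being initialised,
# so the same call serves first-time setup and every later mount.
encfs_mount_stdin() {
    encfs_check_dirs "$1" "$2" || return 1
    mkdir -p "$1" "$2" || return 1
    "$ENCFS_BIN" --standard -S "$1" "$2"
}

# encfs_unmount MOUNT_POINT
encfs_unmount() {
    "$FUSERMOUNT_BIN" -u "$1"
}

# Usage (PASSWORD is a placeholder for a secret obtained from a keyring or prompt):
#   printf '%s\n' "$PASSWORD" | encfs_mount_stdin /home/me/.crypt /home/me/plain
#   encfs_unmount /home/me/plain
```

The directory checks run before encfs is invoked, so a mistyped path fails fast instead of leaving an empty mount or masking data under the mount point; the same wrapper can be reused with --extpass in place of -S if the password comes from a helper program rather than a pipe.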

UNMOUNT SCRIPT

Use encfsctl mountpoint auto-unmount for safe idle unmount.

HISTORY

Developed by Valient Gough, starting in 2004, as a FUSE-based encrypted filesystem. It gained popularity as userspace crypto and peaked around 2010-2014 while hosted on Google Code. Hosting there was discontinued in 2016 due to policy; mirrors exist on GitHub. Experts criticized it (e.g., the 2014 SageMath disclosure) for design flaws; the developer disputed the findings, but no fixes followed.

SEE ALSO

fusermount(1), encfsctl(1), mount.fuse(8), cryfs(1), gocryptfs(1)
