encfs
Encrypt/Decrypt a directory using a FUSE filesystem
TLDR
Initialize or mount an encrypted filesystem
Initialize an encrypted filesystem with standard settings
Run encfs in the foreground instead of spawning a daemon
Mount an encrypted snapshot of a plain directory
SYNOPSIS
encfs [options] <encrypted_directory> <mount_point>
encfs --unmount <mount_point>
encfs --check <encrypted_directory>
encfs --change-password <encrypted_directory>
encfs --init [options] <encrypted_directory> <mount_point>
PARAMETERS
<encrypted_directory>
The directory containing the encrypted files and the encfs configuration file.
<mount_point>
The directory where the decrypted files will be accessible.
-s, --standard
Use standard (recommended) encryption configuration during initialization.
-v, --verbose
Enable verbose output for debugging purposes.
-f, --foreground
Run the encfs process in the foreground instead of daemonizing.
-D, --extpass
Read the password from an external program instead of the console.
--idle=MINUTES
Unmount the filesystem automatically after the specified minutes of inactivity.
--reverse
Run encfs in reverse mode: the <encrypted_directory> argument names a plain (unencrypted) directory and the mount point presents an encrypted view of it, so existing files can be encrypted on the fly (e.g., to mount an encrypted snapshot of a plain directory).
-o FUSE_OPT
Pass additional FUSE options directly to the underlying FUSE library (e.g., 'ro' for read-only).
--unmount
Unmount the specified mount_point.
--check
Check the integrity of the encrypted filesystem in encrypted_directory.
--change-password
Change the password for the specified encrypted_directory volume.
--init
Explicitly initialize a new encrypted filesystem. This is often implied if no configuration exists in the encrypted_directory.
DESCRIPTION
encfs is a user-space filesystem that encrypts files and directories. It leverages FUSE (Filesystem in Userspace) to provide a virtual view of encrypted data. When you access files through the encfs mount point, they are transparently decrypted; when you write files, they are transparently encrypted and stored on the underlying filesystem. encfs encrypts both file contents and filenames, providing a layer of privacy for your data.
It's often used for cloud storage synchronization, where data is stored on untrusted servers, or for protecting local sensitive information. It operates on a file-by-file basis, meaning each file is individually encrypted, allowing for partial synchronization and less overhead than full disk encryption. It offers various encryption algorithms and configuration options, allowing users to balance security and performance.
CAVEATS
encfs provides good security against passive observers but has known limitations. It is vulnerable to certain types of attacks, particularly if an attacker can observe changes to the ciphertext over time (e.g., chosen-plaintext attacks, as detailed by security researchers). Metadata like file sizes, directory structure, and modification times are often exposed. It's generally not recommended for scenarios requiring the highest level of security against active, sophisticated adversaries. Performance can also be an issue for very large numbers of small files or intensive I/O operations due to the per-file encryption overhead.
SECURITY CONSIDERATIONS
While encfs encrypts file contents and filenames, it does not hide metadata such as the number of files, directory structure, approximate file sizes, or access/modification timestamps. In certain scenarios, particularly with active attackers who can observe changes to the encrypted filesystem, this metadata leakage can be exploited to deduce information about the plaintext. Users are advised to be aware of these limitations and consider alternatives like cryptsetup (LUKS) or ecryptfs for higher security requirements, especially for full partition or system encryption. encfs is generally suitable for protecting data from passive observation (e.g., lost drives, untrusted cloud storage).
CONFIGURATION FILE
Each encfs volume has a configuration file (typically .encfs6.xml by default) located within the encrypted_directory. This XML file stores details about the encryption algorithms, key derivation parameters, and other settings used for the volume. It is critical to keep this file secure and intact, as its corruption or loss will render the encrypted data irrecoverable. Do not modify this file manually unless you fully understand the implications.
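The settings the configuration file records (cipher and filename algorithm, key and block size, IV handling, per-block MAC bytes, KDF parameters) are exactly the ones that decide how much of the CAVEATS and SECURITY CONSIDERATIONS above apply to a given volume. The following is an added example, not code from encfs or its documentation: it parses a .encfs6.xml, reports the volume's settings, flags the ones that matter for a defender (no per-block MAC means ciphertext modifications go undetected; no external IV chaining means ciphertext files can be moved without breaking decryption) and checks that the required elements are all present, which is the practical test for the "corruption or loss" the section warns about. The element names follow the layout encfs 1.x writes; the two sample documents are constructed, and their key, salt and iteration values are placeholders rather than output of a real volume.

```python
# Added example (not part of encfs): audit an encfs volume configuration
# (.encfs6.xml) for the settings that decide how its known caveats apply.
# Element names follow the real .encfs6.xml layout; the sample contents are
# constructed, and key/salt/iteration values are placeholders.
import sys
import xml.etree.ElementTree as ET

# Constructed sample resembling a standard-mode ("-s") volume.
SAMPLE_STANDARD_CFG = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE boost_serialization>
<boost_serialization signature="serialization::archive" version="7">
<cfg class_id="0" tracking_level="0" version="20">
  <version>20100713</version>
  <creator>EncFS 1.9.5</creator>
  <cipherAlg class_id="1" tracking_level="0" version="0">
    <name>ssl/aes</name><major>3</major><minor>0</minor>
  </cipherAlg>
  <nameAlg><name>nameio/block</name><major>4</major><minor>0</minor></nameAlg>
  <keySize>192</keySize>
  <blockSize>1024</blockSize>
  <plainData>0</plainData>
  <uniqueIV>1</uniqueIV>
  <chainedNameIV>1</chainedNameIV>
  <externalIVChaining>0</externalIVChaining>
  <blockMACBytes>0</blockMACBytes>
  <blockMACRandBytes>0</blockMACRandBytes>
  <allowHoles>1</allowHoles>
  <encodedKeySize>44</encodedKeySize>
  <encodedKeyData>PLACEHOLDER_KEY_DATA</encodedKeyData>
  <saltLen>20</saltLen>
  <saltData>PLACEHOLDER_SALT_DATA</saltData>
  <kdfIterations>250000</kdfIterations>
  <desiredKDFDuration>500</desiredKDFDuration>
</cfg>
</boost_serialization>
"""

# Constructed paranoia-style variant (256-bit key, 8-byte block MACs,
# external IV chaining), derived from the sample above by substitution.
SAMPLE_PARANOIA_CFG = (
    SAMPLE_STANDARD_CFG
    .replace("<keySize>192</keySize>", "<keySize>256</keySize>")
    .replace("<blockMACBytes>0</blockMACBytes>", "<blockMACBytes>8</blockMACBytes>")
    .replace("<externalIVChaining>0</externalIVChaining>",
             "<externalIVChaining>1</externalIVChaining>")
)

# Elements a volume cannot be opened without. If any is missing, the file is
# damaged and the data is very likely irrecoverable.
REQUIRED_ELEMENTS = ("cipherAlg", "nameAlg", "keySize", "blockSize",
                     "encodedKeyData", "saltData", "kdfIterations")


def find_missing(xml_text):
    """Return the names of required <cfg> children absent from the document."""
    cfg = ET.fromstring(xml_text).find("cfg")
    if cfg is None:
        return ["cfg"]
    return [tag for tag in REQUIRED_ELEMENTS if cfg.find(tag) is None]


def parse_encfs_config(xml_text):
    """Extract the security-relevant settings into a plain dict."""
    missing = find_missing(xml_text)
    if missing:
        raise ValueError("damaged .encfs6.xml, missing: " + ", ".join(missing))
    cfg = ET.fromstring(xml_text).find("cfg")

    def flag(tag):
        return cfg.findtext(tag, default="0") == "1"

    return {
        "cipher": cfg.findtext("cipherAlg/name"),
        "name_alg": cfg.findtext("nameAlg/name"),
        "key_bits": int(cfg.findtext("keySize")),
        "block_size": int(cfg.findtext("blockSize")),
        "unique_iv": flag("uniqueIV"),
        "chained_name_iv": flag("chainedNameIV"),
        "external_iv_chaining": flag("externalIVChaining"),
        "mac_bytes": int(cfg.findtext("blockMACBytes", default="0")),
        "kdf_iterations": int(cfg.findtext("kdfIterations")),
    }


def audit(s):
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    if s["name_alg"] == "nameio/null":
        findings.append("filenames are stored in plaintext (nameio/null)")
    if s["cipher"] != "ssl/aes":
        findings.append("non-AES cipher in use: %s" % s["cipher"])
    if s["key_bits"] < 192:
        findings.append("key size %d bits is below the standard-mode default of 192"
                        % s["key_bits"])
    if not s["unique_iv"]:
        findings.append("per-file IVs disabled: identical plaintext files give "
                        "identical ciphertext")
    if not s["chained_name_iv"]:
        findings.append("filename IVs not chained: the same name encrypts identically "
                        "in every directory")
    if not s["external_iv_chaining"]:
        findings.append("no external IV chaining: a ciphertext file still decrypts "
                        "after being moved or renamed on the encrypted side")
    if s["mac_bytes"] == 0:
        findings.append("no per-block MAC: modifications to the ciphertext are not "
                        "detected on read")
    return findings


if __name__ == "__main__":
    # Usage: python audit_encfs.py /path/to/.encfs6.xml  (sample used if omitted)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_STANDARD_CFG
    for line in audit(parse_encfs_config(text)) or ["no findings"]:
        print(line)
```

Against the constructed standard-mode sample the audit reports two items, the absent per-block MAC and the absent external IV chaining, which are the concrete form of the "active attacker" caveat above; against the paranoia-style variant it reports none. Run it over a copy of the volume's own .encfs6.xml, never over the only original, and keep that original backed up alongside the encrypted directory.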
HISTORY
encfs was created by Louis Bettens and first released in 2005. Its primary motivation was to provide a user-space, cross-platform solution for encrypting filesystems, particularly useful for cloud storage synchronization where data needs to be secured before being uploaded to untrusted services. It gained significant popularity due to its ease of use and file-granularity encryption. While initial versions used less robust encryption configurations, later updates introduced more secure defaults and options. Despite its utility, security audits and research in the 2010s highlighted potential vulnerabilities, leading to recommendations for more robust alternatives in high-security contexts. Development has continued, albeit at a slower pace, focusing on maintenance and minor improvements.
SEE ALSO
cryptsetup(8), ecryptfs(7), mount(8), fusermount(1), gnupg(1)