On December 14, 2011, in soft, by netoearth

EncFS provides an encrypted filesystem in user-space. It runs without any special permissions and uses the FUSE library and Linux kernel module to provide the filesystem interface. EncFS is open source software, licensed under the GPL.

As with most encrypted filesystems, EncFS is meant to provide security against off-line attacks, i.e. your notebook or backups falling into the wrong hands. EncFS differs from the “loopback” encrypted filesystem support built into the Linux kernel because it works on individual files, not on an entire block device. This is a big advantage in some ways, but does not come without a cost.

Pass-through filesystem vs encrypted block device

The pass-through filesystem design is not new for encrypted filesystems. EncFS is modeled after CFS – the original Cryptographic Filesystem by Matt Blaze, published in 1993. Over the years, other filesystems have extended the basic ideas behind CFS in different ways (such as TCFS in 1996). As part of this family of filesystems, EncFS shares the same basic strengths and weaknesses compared to block encryption devices:


  • Size: an empty EncFS filesystem consists of a couple dozen bytes and can grow to any size without needing to be reformatted. With a loopback encrypted filesystem, you allocate a filesystem ahead of time with the size you want.
  • Automated Backups: An EncFS filesystem can be backed-up on a file-by-file basis. A backup program can detect which files have changed, even though it won’t be able to decipher the files.
  • Layering/Separation of Trust: EncFS can be layered on top of other filesystems in order to add encryption to unencrypted filesystems.


Meta-data: Meta-data remains visible to anyone with access to your encrypted files, so they can learn some information about them:

  • The number of files you have encrypted
  • The permissions on the files (readable, writable, executable)
  • The size of each file
  • The approximate size of each filename
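
What that visible meta-data looks like in practice, as an added example (not code from the original article or from the EncFS project): a shell script that walks the ciphertext directory without the password and reports permissions, sizes and name lengths. It assumes GNU find, the 8-byte per-file header of the standard-mode volume created later in this article, and filenames encoded at 6 bits per character; the function names are made up for this example.

```sh
#!/bin/sh
# Added example: report what the ciphertext directory reveals without the password.
# Assumptions: GNU find (-printf), standard-mode volume with an 8-byte per-file
# IV header, encoded filenames carrying 6 bits per character.

HEADER_BYTES=8   # "Each file contains 8 byte header with unique IV data"

# One line per encrypted file, sorted by encoded name:
#   <permissions> <ciphertext bytes> <estimated plaintext bytes> \
#   <encoded name length> <upper bound on plaintext name bytes>
encfs_leak_report() {
    find "$1" -type f ! -name '.encfs6.xml' -printf '%M %s %f\n' | sort -k3 |
    while read -r mode size name; do
        # Files shorter than the header are reported as 0 plaintext bytes.
        if [ "$size" -ge "$HEADER_BYTES" ]; then
            plain=$((size - HEADER_BYTES))
        else
            plain=0
        fi
        # The encoded name cannot hold more bytes than its characters carry bits for.
        name_max=$(( ${#name} * 6 / 8 ))
        printf '%s %s %s %s %s\n' "$mode" "$size" "$plain" "${#name}" "$name_max"
    done
}

# Number of encrypted files an observer can count (the config file is excluded).
encfs_file_count() {
    encfs_leak_report "$1" | wc -l | tr -d ' '
}

# Stand-alone use: ./encfs_leak.sh ~/encrypted
if [ "$#" -gt 0 ]; then
    echo "files visible: $(encfs_file_count "$1")"
    encfs_leak_report "$1"
fi
```

Run against the ~/encrypted directory shown further down, the 30-byte ciphertext file is reported as 22 plaintext bytes, which is exactly the size of test.txt.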

For more info, check the Introduction on the official page of EncFS.


These are the requirements of EncFS:

  1. FUSE : 2.6 or newer for the latest EncFS
  2. rlog : a C++ logging library
  3. OpenSSL – versions 0.9.6 through 0.9.8 have been tested
  4. boost : C++ utility library 1.34 or later

I’ve tested EncFS on Ubuntu 11.10. In this distribution the software is available as a package, so to install it I ran aptitude install encfs from the terminal, which also brought in all the correct dependencies:

root@xubuntu-home:~# aptitude install encfs

The following NEW packages will be installed:
  encfs libboost-filesystem1.46.1{a} libboost-serialization1.46.1{a} libboost-system1.46.1{a} librlog5{a} 
0 packages upgraded, 5 newly installed, 0 to remove and 9 not upgraded.
Need to get 659 kB of archives. After unpacking 3,109 kB will be used.

Basic Usage

1. Create a directory. In the filesystem that you want to use, create a directory where your encrypted files will be stored.
In this example I put mine in my home dir, but you can put it anywhere you like.

mkdir ~/encrypted

2. Create a mountpoint
This is the directory where you will mount the encrypted directory. Through this path you can access the encrypted files.

mkdir ~/temp_encr

3. Create the encrypted system and mount it
The first time you try to mount the directory, encfs will create the encrypted filesystem, asking you for the setup options and a password. I chose the standard option with an empty line.
It works like a regular mount:

encfs "folder to mount" "mount point"

So for this example:

encfs /home//encrypted /home//temp_encr

Creating new encrypted volume.
Please choose from one of the following options:
 enter "x" for expert configuration mode,
 enter "p" for pre-configured paranoia mode,
 anything else, or an empty line will select standard mode.

Standard configuration selected.

Configuration finished.  The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 3:0:2
Filename encoding: "nameio/block", version 3:0:1
Key Size: 192 bits
Block Size: 1024 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File holes passed through to ciphertext.

Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism.  However, the password can be changed
later using encfsctl.

New Encfs Password: 
Verify Encfs Password:

Note that encfs wants absolute paths, i.e. starting with a /

4. Encrypt your files. Now you can put your files in the directory ~/temp_encr and look in ~/encrypted: they will show up there, encrypted.

Everything works as usual in the directory ~/temp_encr

linuxaria@xubuntu-home:~$ echo "this is my EncFS test" > temp_encr/test.txt

linuxaria@xubuntu-home:~$ ls -l ~/temp_encr/test.txt
-rw-rw-r-- 1 linuxaria linuxaria 22 2011-12-14 00:08 /home/linuxaria/temp_encr/test.txt

linuxaria@xubuntu-home:~$ cat ~/temp_encr/test.txt
this is my EncFS test

But if you unmount the filesystem with the command:

fusermount -u /home/linuxaria/temp_encr

You’ll now have just the directory ~/encrypted which, as expected, holds all the data in encrypted form, plus the metadata.

linuxaria@xubuntu-home:~$ ls -la encrypted/
total 16
drwxrwxr-x   2 linuxaria linuxaria 4096 2011-12-14 00:08 .
drwx------ 109 linuxaria linuxaria 4096 2011-12-13 23:55 ..
-rw-rw-r--   1 linuxaria linuxaria 1076 2011-12-13 23:56 .encfs6.xml
-rw-rw-r--   1 linuxaria linuxaria   30 2011-12-14 00:08 NOQUHJDpKw4XkS,THEb5OF,8
linuxaria@xubuntu-home:~$ cat encrypted/.encfs6.xml 
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE boost_serialization>
<boost_serialization signature="serialization::archive" version="9">
<cfg class_id="0" tracking_level="0" version="20">
        <creator>EncFS 1.7.4</creator>
        <cipheralg class_id="1" tracking_level="0" version="0">

linuxaria@xubuntu-home:~$ cat encrypted/NOQUHJDpKw4XkS,THEb5OF,8 
�͒���< ��_B|�"?��G��-./t+�

While it’s mounted you can also see this new “filesystem” with a df command:

linuxaria@xubuntu-home:~$ df -h /home/linuxaria/temp_encr
Filesystem            Size  Used Avail Use% Mounted on
encfs                 8.9G  7.8G  656M  93% /home/linuxaria/temp_encr


This solution can be very handy for encrypting just one or a few directories of your filesystem.
A good idea could be to use it with a “cloud” directory like Ubuntu One or Dropbox, so you’ll have your information saved on the net, but encrypted.
