EncFS provides an encrypted filesystem in user-space. It uses a pass-through design and is modeled after CFS - the original Cryptographic Filesystem by Matt Blaze, published in 1993. EncFS runs without any special permissions and uses the FUSE library and Linux kernel module to provide the filesystem interface. It is open source software, licensed under the GPL. More information is available at http://arg0.net/wiki/encfs.
Note that due to NFS restrictions, EncFS directories on the NetApps (e.g., /home) must be created with specific permissions. Follow the examples below.
The encrypted and decrypted directories must have world read and execute permissions, so they should be in a protected parent directory (e.g., Encrypt):
host:/home/you>mkdir Encrypt
host:/home/you>chmod 700 Encrypt
host:/home/you>mkdir Encrypt/.crypt
host:/home/you>mkdir Encrypt/crypt
host:/home/you>chmod 755 Encrypt/.crypt Encrypt/crypt
host:/home/you>ls -al Encrypt
total 36
drwx------ 4 you you 4096 Feb 23 13:18 .
drwxr-xr-x 45 you bin 24576 Feb 23 13:17 ..
drwxr-xr-x 2 you you 4096 Feb 23 13:18 crypt
drwxr-xr-x 2 you you 4096 Feb 23 13:18 .crypt
host:/home/you/Encrypt>encfs ~/Encrypt/.crypt ~/Encrypt/crypt
Creating new encrypted volume.
Please choose from one of the following options:
enter "x" for expert configuration mode,
enter "p" for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.
Standard configuration selected.
Configuration finished. The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/blowfish", version 2:1:1
Filename encoding: "nameio/block", version 3:0:1
Key Size: 160 bits
Block Size: 512 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
Now you will need to enter a password for your filesystem. You will need to remember this password, as there is absolutely no recovery mechanism. However, the password can be changed later using encfsctl.
(.crypt is the encrypted directory; crypt is the decrypted version of .crypt)
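The layout created above can be audited with a short script. This is an added example, not part of the original page; it assumes GNU stat (stat -c) as found on Linux, and perm_bits and check_encfs_layout are names chosen for the example.

```sh
#!/bin/sh
# Added example: audit the EncFS directory layout from the steps above.
# Assumes GNU stat (stat -c); function names are chosen for this example.

# Permission bits of a path as a number (e.g. 700 octal -> 448).
perm_bits() {
    m=$(stat -c '%a' "$1") || return 1
    echo $((0$m))
}

# check_encfs_layout PARENT
# Succeeds only if PARENT is owner-only (rwx------) and both PARENT/.crypt
# and PARENT/crypt exist with world read and execute set.
check_encfs_layout() {
    parent=$1
    problems=0

    if [ ! -d "$parent" ]; then
        echo "missing directory: $parent"
        return 1
    fi

    # The parent is the only barrier: owner rwx, nothing for group/other.
    bits=$(perm_bits "$parent")
    if [ $(( $bits & 0777 )) -ne $((0700)) ]; then
        echo "$parent: parent must be mode 700"
        problems=$((problems + 1))
    fi

    for sub in .crypt crypt; do
        dir=$parent/$sub
        if [ ! -d "$dir" ]; then
            echo "missing directory: $dir"
            problems=$((problems + 1))
            continue
        fi
        # r (4) and x (1) for "other" must both be present.
        bits=$(perm_bits "$dir")
        if [ $(( $bits & 0005 )) -ne 5 ]; then
            echo "$dir: needs world read and execute (e.g. 755)"
            problems=$((problems + 1))
        fi
    done

    [ "$problems" -eq 0 ]
}

# Run against a directory given on the command line, if any.
if [ "$#" -gt 0 ]; then check_encfs_layout "$1"; fi
```

Run it as `sh check.sh ~/Encrypt` (the script name is arbitrary); it exits non-zero and prints one line per problem found.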
host:/home/you/Encrypt>mv ~/CS750.xls crypt
host:/home/you/Encrypt>mv ~/secret.stuff crypt
host:/home/you/Encrypt>ls -al crypt
total 36
drwx------ 2 you you 4096 Feb 23 09:13 .
drwxr-xr-x 5 you wheel 4096 Feb 23 09:12 ..
-rw------- 1 you you 1589 Jan 9 08:25 CS750.xls
-rw------- 1 you you 1325 Jan 14 13:42 secret.stuff
host:/home/you/Encrypt>ls -al .crypt
total 40
drwx------ 2 you you 4096 Feb 23 09:13 .
drwxr-xr-x 5 you wheel 4096 Feb 23 09:12 ..
-rw------- 1 you you 1597 Jan 9 08:25 dQxWUeTso7NiojItcTHbmdy2
-rw------- 1 you you 1333 Jan 14 13:42 u5gpyk3WhD8DHhylP1-ntd9X
-rw------- 1 you you 224 Feb 23 09:12 .encfs5
host:/home/you/Encrypt>fusermount -u ~/Encrypt/crypt
host:/home/you/Encrypt>ls -al crypt
total 8
drwx------ 2 you you 4096 Feb 23 09:13 .
drwxr-xr-x 5 you wheel 4096 Feb 23 09:12 ..
host:/home/you/Encrypt>ls -al .crypt
total 40
drwx------ 2 you you 4096 Feb 23 09:13 .
drwxr-xr-x 5 you wheel 4096 Feb 23 09:12 ..
-rw------- 1 you you 1597 Jan 9 08:25 dQxWUeTso7NiojItcTHbmdy2
-rw------- 1 you you 1333 Jan 14 13:42 u5gpyk3WhD8DHhylP1-ntd9X
-rw------- 1 you you 224 Feb 23 09:12 .encfs5
host:/home/you/Encrypt>encfs /home/you/Encrypt/.crypt /home/you/Encrypt/crypt
EncFS Password:
host:/home/you/Encrypt>ls -al crypt
total 36
drwx------ 2 you you 4096 Feb 23 09:13 .
drwxr-xr-x 5 you wheel 4096 Feb 23 09:12 ..
-rw------- 1 you you 1589 Jan 9 08:25 CS750.xls
-rw------- 1 you you 1325 Jan 14 13:42 secret.stuff
Caveats
gpg
gpg (GnuPG) is an encryption and signing tool. More information is available at http://www.gnupg.org/documentation.
gpg is currently installed on all Linux machines in the department. The man page is available on those machines and at http://www.gnupg.org/documentation/manpage.en.html. Also see the GnuPG mini HOWTO.
Simple encryption:
To encrypt myfile
host:/home/you>gpg -c myfile    (gpg will prompt for passphrase to encrypt)
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
host:/home/you>ls -al myfile*    (Note encrypted version has .gpg extension)
-rw------- 1 you you 13023 Feb 24 11:21 myfile
-rw------- 1 you you 5073 Feb 24 11:20 myfile.gpg
host:/home/you>rm myfile    (remove original file, leaving only encrypted version)
host:/home/you>ls -al myfile*
-rw------- 1 you you 5073 Feb 24 11:20 myfile.gpg
To decrypt myfile.gpg
host:/home/you>gpg myfile.gpg    (gpg will prompt for passphrase to decrypt)
host:/home/you>ls -al myfile*    (myfile is restored from myfile.gpg)
-rw------- 1 you you 13023 Feb 24 11:21 myfile
-rw------- 1 you you 5073 Feb 24 11:20 myfile.gpg
To encrypt - specifying output filename
host:/home/you>gpg -c -o myfile.enc myfile    (creates encrypted file myfile.enc)
To decrypt - specifying output filename
host:/home/you>gpg -o myfilenew myfile.enc    (creates decrypted myfilenew from myfile.enc)
Encryption with keys:
The first step is to create a key pair:
host:/home/you>gpg --gen-key    (generate secret and public keys; follow prompts -- can leave comment blank)
To list keys
host:/home/you>gpg --list-keys
/home/you/.gnupg/pubring.gpg
----------------------------
pub 1024D/45F39F41 2006-02-23
uid Bob User <bob@somewhere.edu>
sub 2048g/FA303B4D 2006-02-23
Note username is Bob User and email is bob@somewhere.edu
To encrypt with a key
lec:/home/bob>gpg -e -r 'Bob User' myfile    (encrypts with key based on name)
lec:/home/bob>gpg -e -r 'bob@somewhere.edu' myfile    (encrypts with key based on email address)
lec:/home/bob>ls -al myfile*    (Note that either command creates encrypted file myfile.gpg)
-rw------- 1 bob bob 13023 Feb 24 11:25 myfile
-rw------- 1 bob bob 5484 Feb 24 11:32 myfile.gpg
To delete keys
* First, list keys
lec:/home/bob>gpg --list-keys    (Note that there are two sets of keys for Bob)
/home/bob/.gnupg/pubring.gpg
----------------------------
pub 1024D/45F39F41 2006-02-23
uid Bob User <bob@somewhere.edu>
sub 2048g/FA303B4D 2006-02-23
pub 1024D/30849979 2006-02-24
uid Bob User <bob@somewhere.edu>
sub 2048g/7F08115A 2006-02-24
* Next, delete the keys
Delete the secret key first
lec:/home/bob>gpg --delete-secret-key 45F39F41
gpg (GnuPG) 1.4.2.1; Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
sec 1024D/45F39F41 2006-02-23 Bob User <bob@somewhere.edu>
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
Then delete the public key
lec:/home/bob>gpg --delete-key 45F39F41
gpg (GnuPG) 1.4.2.1; Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
pub 1024D/45F39F41 2006-02-23 Bob User <bob@somewhere.edu>
Delete this key from the keyring? (y/N) y
* Then, list the keys to confirm
lec:/home/bob>gpg --list-keys
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
/home/bob/.gnupg/pubring.gpg
----------------------------
pub 1024D/30849979 2006-02-24
uid Bob User <bob@somewhere.edu>
sub 2048g/7F08115A 2006-02-24
Note that the first key pair is gone
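Both of Bob's key pairs carry the same user ID, so only the key ID tells them apart, which is why the delete commands above name 45F39F41. As an added example (not part of the original page), this script lists user IDs that appear under more than one key; it assumes the listing layout shown on this page, and duplicate_uid_keys and sample_listing are names chosen here.

```sh
#!/bin/sh
# Added example: find user IDs that have more than one key pair.
# Parses the "gpg --list-keys" layout shown on this page (GnuPG 1.4);
# other gpg versions print a different layout.

# Reads a key listing on stdin; prints "uid<TAB>keyid keyid ..." for every
# user ID that appears under more than one "pub" entry.
duplicate_uid_keys() {
    awk '
        # "pub 1024D/45F39F41 2006-02-23": remember the ID after the slash.
        $1 == "pub" { split($2, part, "/"); keyid = part[2]; next }
        # "uid Bob User <bob@somewhere.edu>": attach the current key ID.
        $1 == "uid" && keyid != "" {
            uid = $0
            sub(/^uid[ \t]+/, "", uid)
            if (count[uid]++ == 0) order[++n] = uid
            ids[uid] = (ids[uid] == "" ? "" : ids[uid] " ") keyid
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] > 1)
                    printf "%s\t%s\n", order[i], ids[order[i]]
        }
    '
}

# The two-key listing from this page, reproduced as sample input.
sample_listing() {
    cat <<'EOF'
/home/bob/.gnupg/pubring.gpg
----------------------------
pub 1024D/45F39F41 2006-02-23
uid Bob User <bob@somewhere.edu>
sub 2048g/FA303B4D 2006-02-23
pub 1024D/30849979 2006-02-24
uid Bob User <bob@somewhere.edu>
sub 2048g/7F08115A 2006-02-24
EOF
}

sample_listing | duplicate_uid_keys
```

On a real keyring, pipe `gpg --list-keys` into duplicate_uid_keys instead of the sample.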
Caveats
* Be sure to delete original file after creating encrypted version. Otherwise, there is no protection.
* Be sure to remember keys or passphrases. There is no recovery.
First created Nov 19, 2010 ~ Last revised March 11, 2011