diff options
Diffstat (limited to 'src/Encrypting_Home_Directories_with_EncFS.adoc')
| -rw-r--r-- | src/Encrypting_Home_Directories_with_EncFS.adoc | 84 |
1 files changed, 84 insertions, 0 deletions
diff --git a/src/Encrypting_Home_Directories_with_EncFS.adoc b/src/Encrypting_Home_Directories_with_EncFS.adoc new file mode 100644 index 0000000..a8b8dbb --- /dev/null +++ b/src/Encrypting_Home_Directories_with_EncFS.adoc @@ -0,0 +1,84 @@ +Encrypting Home Directories with EncFS +====================================== +:author: Aaron Ball +:email: nullspoon@iohq.net + + +== {doctitle} + +Before I go into how to do this, I'd like to take a moment to explain how encfs +works in slightly simpler terms than are detailed on the +http://www.arg0.net/encfsintro[encfs introduction page]. Originally, I was +going to write my own explanation, but the Wikipedia article on this explains +it so much better than I did (I just erased several paragraphs after reading +the Wikipedia article). + +____ +EncFS is a Free (GPL) FUSE-based cryptographic filesystem that transparently +encrypts files, using an arbitrary directory as storage for the encrypted +files. +____ + +Two directories are involved in mounting an EncFS filesystem: the source +directory, and the mountpoint. Each file in the mountpoint has a specific file +in the source directory that corresponds to it. The file in the mountpoint +provides the unencrypted view of the one in the source directory. Filenames are +encrypted in the source directory. Files are encrypted using a volume key, +which is stored encrypted in the source directory. A password is used to +decrypt this key." + +http://en.wikipedia.org/wiki/Encfs[Original article] + +Wow. How was that for an explanation? I love Wikipedia. + +Now that that is out of the way, let's get on to business... + +To start things off, we have to create our two directories, the source +directory and the mountpoint directory. Both should be owned by the user using +the encrypted data. + +---- +mkdir /home/.user && chown -R user:user /home/.user +mkdir /home/user && chown -R user:user /home/user +---- + +*.user* is the +encrypted data. You don't ever write data to this directory. EncFS +handles this for you. **user** is the decrypted data/the mountpoint. You +ONLY write data here. When you write data here, it shows up in .user as +encrypted data. + +---- +encfs /home/.user /home/user +---- + +This will mount /home/.user at the mountpoint /home/user. Without getting too +specific, what happens is when data is written to /home/user, the data goes +through EncFS which encrypts that data before writing it to /home/.user/. When +data is read from /home/user/, the request goes through EncFS, which grabs the +encrypted version of the file from /home/.user/ and temporarily decrypts it in +RAM for your use. Ah the beauty of the seamless Linux mounting paradigm +(that's para-dig-um, not paradigm). + +Since we are encrypting an entire home directory, we need to use a nonempty +parameter for Fuse since the home directory will always contain something like +\.bash_history from a command line login, or .local from a GUI login. Here's +our final command. + +---- +encfs -o nonempty /home/.user /home/user +---- + +And with that, you have an entirely encrypted home directory. + +On a final note, be sure you keep the file located at /home/.user/.encfs6.xml +backed up. That file contains all the data that EncFS needs to use your +encrypted data. Without this, retreiving your data will be a lot more +difficult. + + +Category:Linux +Category:Encryption + + +// vim: set syntax=asciidoc: |