Encrypting Home Directories with EncFS
======================================
:author: Aaron Ball
:email: nullspoon@iohq.net



Before I go into how to do this, I'd like to take a moment to explain how EncFS
works in slightly simpler terms than are detailed on the
http://www.arg0.net/encfsintro[EncFS introduction page]. Originally, I was
going to write my own explanation, but the Wikipedia article explains it so
much better than I did (I just erased several paragraphs after reading the
Wikipedia article).

____
EncFS is a Free (GPL) FUSE-based cryptographic filesystem that transparently
encrypts files, using an arbitrary directory as storage for the encrypted
files.

Two directories are involved in mounting an EncFS filesystem: the source
directory, and the mountpoint. Each file in the mountpoint has a specific file
in the source directory that corresponds to it. The file in the mountpoint
provides the unencrypted view of the one in the source directory. Filenames are
encrypted in the source directory. Files are encrypted using a volume key,
which is stored encrypted in the source directory. A password is used to
decrypt this key.
____

http://en.wikipedia.org/wiki/Encfs[Original article]

Wow. How was that for an explanation? I love Wikipedia.

Now that that is out of the way, let's get on to business...

To start things off, we have to create our two directories: the source
directory and the mountpoint directory. Both should be owned by the user who
will use the encrypted data, since that user runs encfs and, by default, is the
only one FUSE lets access the resulting mount.

----
mkdir /home/.user && chown -R user:user /home/.user
mkdir /home/user && chown -R user:user /home/user
----

*.user* holds the encrypted data. You never write to this directory yourself;
EncFS does that for you. **user** is the mountpoint, where the decrypted view
lives, and it is the ONLY place you write data. Anything written there shows up
in .user as encrypted files with encrypted names.

----
encfs /home/.user /home/user
----

This mounts /home/.user at the mountpoint /home/user. The first time you run it
against an empty source directory, encfs asks whether you want the standard or
the paranoid preset (or expert mode), prompts for the password that will protect
the volume key, and writes the resulting configuration to
/home/.user/.encfs6.xml. Without getting too specific, what happens is that
when data is written to /home/user, it goes through EncFS, which encrypts it
before writing it to /home/.user/. When data is read from /home/user/, the
request goes through EncFS, which grabs the encrypted version of the file from
/home/.user/ and temporarily decrypts it in RAM for your use. Ah the beauty of
the seamless Linux mounting paradigm (that's para-dig-um, not paradigm).

Since we are encrypting an entire home directory, we need to pass the
*nonempty* option to FUSE, because the mountpoint will never be empty: a
command-line login leaves a .bash_history behind, and a GUI login leaves .local
and friends. Note that anything those logins created before the mount stays
unencrypted in the directory underneath and is merely hidden while the mount is
active. Here's our final command.

----
encfs -o nonempty /home/.user /home/user
----

And with that, you have an encrypted home directory, at least for everything
written while the mount is active. The mount does not persist across reboots,
so it has to be repeated, or automated at login, every session.
   72 
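As an added example, and not code from the original post or from the EncFS
project, here is a small POSIX shell helper wrapping the procedure above. It
checks whether the mountpoint is already an EncFS mount before calling encfs,
refuses to run encfs against a source directory that contains files but no
.encfs6.xml (which would create a brand-new volume whose key cannot decrypt the
existing ciphertext), mounts with -o nonempty, verifies that the mount really
appeared so a silent failure does not leave you writing plaintext into the
directory underneath, and releases the mount with fusermount -u. The function
names, the ENCFS_SRC/ENCFS_MNT overrides and the /proc/mounts parsing are my
assumptions; EncFS itself provides none of them.

```sh
#!/bin/sh
# Added example (not from the original post): mount/unmount helper for an
# EncFS-backed home directory. Paths default to the ones used in the post;
# the helper names and the ENCFS_SRC/ENCFS_MNT overrides are assumptions.

ENCFS_SRC=${ENCFS_SRC:-/home/.user}   # ciphertext (source) directory
ENCFS_MNT=${ENCFS_MNT:-/home/user}    # plaintext view (mountpoint)

# is_encfs_mounted MOUNTPOINT [MOUNTS_FILE]
# Succeeds when MOUNTPOINT is listed with filesystem type fuse.encfs.
# MOUNTS_FILE defaults to /proc/mounts; it is a parameter so the check can
# be exercised against a constructed listing. /proc/mounts fields are
#   device mountpoint fstype options dump pass
# and spaces inside paths are octal-escaped there, so a whole-field
# comparison on $2 is exact.
is_encfs_mounted() {
    awk -v mp="$1" '
        $2 == mp && $3 == "fuse.encfs" { found = 1 }
        END { exit !found }
    ' "${2:-/proc/mounts}"
}

# encfs_config_present SRC
# EncFS keeps the password-encrypted volume key in SRC/.encfs6.xml.
encfs_config_present() {
    [ -f "$1/.encfs6.xml" ]
}

# dir_has_files DIR: succeeds when DIR contains any entry, dotfiles included.
dir_has_files() {
    [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# mount_home SRC MNT
mount_home() {
    src=$1 mnt=$2
    if is_encfs_mounted "$mnt"; then
        echo "$mnt is already an EncFS mount" >&2
        return 0
    fi
    [ -d "$src" ] || { echo "source directory $src does not exist" >&2; return 2; }
    if ! encfs_config_present "$src" && dir_has_files "$src"; then
        # Without .encfs6.xml encfs would offer to create a new volume whose
        # key cannot decrypt the files already sitting in $src.
        echo "refusing: $src holds files but no .encfs6.xml" >&2
        return 2
    fi
    # nonempty: a login home already holds .bash_history, .local, etc.
    encfs -o nonempty "$src" "$mnt" || return 1
    # Verify before trusting the mount: if it silently failed, anything
    # written to $mnt would land in plaintext in the directory underneath.
    is_encfs_mounted "$mnt" || { echo "mount did not appear" >&2; return 1; }
}

# unmount_home MNT: FUSE mounts are released by the owning user via fusermount.
unmount_home() {
    is_encfs_mounted "$1" || { echo "$1 is not an EncFS mount" >&2; return 0; }
    fusermount -u "$1"
}

case ${1:-} in
    mount)  mount_home "$ENCFS_SRC" "$ENCFS_MNT" ;;
    umount) unmount_home "$ENCFS_MNT" ;;
    *)      echo "usage: $0 mount|umount" >&2 ;;
esac
```

Run it as the user who owns both directories (`sh encfs-home.sh mount` before
working, `sh encfs-home.sh umount` when done); the post-mount verification is
the part worth keeping even if you script this differently, since a login
session that quietly lands in the unmounted /home/user writes everything in the
clear.
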
On a final note, be sure you keep the file located at /home/.user/.encfs6.xml
backed up. It holds the EncFS configuration and the volume key, encrypted under
your password; without it the key is gone and the encrypted files cannot be
recovered at all, password or not. Because that file sits in the source
directory alongside the ciphertext, anyone who copies the directory can try
passwords against it offline, so choose the password accordingly.
   78 
   79 Category:Linux
   80 Category:Encryption
   81 
   82 
   83 // vim: set syntax=asciidoc:
