Encrypting Home Directories with EncFS
======================================
:author: Aaron Ball
:email: nullspoon@iohq.net


== {doctitle}

Before I go into how to do this, I'd like to take a moment to explain how encfs
works in slightly simpler terms than are detailed on the
http://www.arg0.net/encfsintro[encfs introduction page]. Originally, I was
going to write my own explanation, but the Wikipedia article on this explains
it so much better than I did (I just erased several paragraphs after reading
the Wikipedia article).

____
EncFS is a Free (GPL) FUSE-based cryptographic filesystem that transparently
encrypts files, using an arbitrary directory as storage for the encrypted
files.

Two directories are involved in mounting an EncFS filesystem: the source
directory, and the mountpoint. Each file in the mountpoint has a specific file
in the source directory that corresponds to it. The file in the mountpoint
provides the unencrypted view of the one in the source directory. Filenames are
encrypted in the source directory. Files are encrypted using a volume key,
which is stored encrypted in the source directory. A password is used to
decrypt this key.
____

http://en.wikipedia.org/wiki/Encfs[Original article]

Wow. How was that for an explanation? I love Wikipedia.

Now that that is out of the way, let's get on to business...

To start things off, we have to create our two directories, the source
directory and the mountpoint directory. Both should be owned by the user using
the encrypted data.

----
mkdir /home/.user && chown -R user:user /home/.user
mkdir /home/user && chown -R user:user /home/user
----

*.user* holds the encrypted data. Never write to this directory yourself;
EncFS handles that for you. **user** is the mountpoint, the decrypted view of
the data. Write data ONLY here. Whatever you write here shows up in .user as
encrypted data.

----
encfs /home/.user /home/user
----

This will mount /home/.user at the mountpoint /home/user. Without getting too
specific, when data is written to /home/user, it goes through EncFS, which
encrypts it before writing it to /home/.user/. When data is read from
/home/user/, the request goes through EncFS, which grabs the encrypted version
of the file from /home/.user/ and temporarily decrypts it in RAM for your use.
Ah the beauty of the seamless Linux mounting paradigm (that's para-dig-um, not
paradigm).

Because we are encrypting an entire home directory, we need to pass the
nonempty option to FUSE, since the home directory will always contain something
like
\.bash_history from a command line login, or .local from a GUI login. Here's
our final command.

----
encfs -o nonempty /home/.user /home/user
----

And with that, you have an entirely encrypted home directory.

On a final note, be sure you keep the file located at /home/.user/.encfs6.xml
backed up. That file contains all the data that EncFS needs to use your
encrypted data. Without this, retrieving your data will be a lot more
difficult.
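
Two checks that follow from the steps above, as an added example that is not part of the original article: files written to /home/user are only encrypted while EncFS is actually mounted there (with nonempty the mountpoint can hold files either way), and .encfs6.xml needs a verified backup. The function names, the backup file name and the `fuse.encfs` type string as it appears in /proc/mounts on Linux are assumptions of this sketch, and mountpoints containing spaces are not handled.

```shell
#!/bin/sh
# Added example (not from the original article).
# is_encfs_mounted MOUNTPOINT [MOUNTS_FILE]
# Succeeds only if MOUNTPOINT is listed with filesystem type fuse.encfs.
# MOUNTS_FILE defaults to /proc/mounts; the parameter exists so the check
# can be exercised against constructed data.
is_encfs_mounted() {
    awk -v mp="$1" '$2 == mp && $3 == "fuse.encfs" { found = 1 }
                    END { exit !found }' "${2:-/proc/mounts}"
}

# backup_encfs_config SOURCE_DIR BACKUP_DIR
# Copies SOURCE_DIR/.encfs6.xml into BACKUP_DIR, readable by the owner only,
# and verifies the copy byte for byte.
backup_encfs_config() {
    src="$1/.encfs6.xml"
    dest="$2/encfs6.xml.bak"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    ( umask 077 && mkdir -p "$2" && cp "$src" "$dest" ) || return 1
    cmp -s "$src" "$dest"
}

# Demo on constructed data in a scratch directory (no real mounts touched).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/.user"
    echo 'constructed placeholder, not a real EncFS config' > "$tmp/.user/.encfs6.xml"
    # Constructed /proc/mounts-style lines.
    cat > "$tmp/mounts" <<EOF
/dev/sda2 /home ext4 rw,relatime 0 0
encfs /home/user fuse.encfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
EOF
    is_encfs_mounted /home/user "$tmp/mounts" && echo "/home/user: encfs mounted"
    is_encfs_mounted /home/other "$tmp/mounts" || echo "/home/other: NOT encfs"
    backup_encfs_config "$tmp/.user" "$tmp/backup" && echo "config backed up"
    rm -rf "$tmp"
}
demo
```

A login script can call `is_encfs_mounted /home/user` and refuse to continue when it fails, so nothing is written to the bare mountpoint in plaintext.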

Category:Linux
Category:Encryption


// vim: set syntax=asciidoc:
