- What is EncFS?
- Using EncFS and Cloud Storage
- EncFS Commands
- EncFS Tools
1. What is EncFS?
EncFS is a "virtual filesystem" of sorts: each encrypted file is stored individually, as an ordinary file, within a folder on top of an existing filesystem.
With special software, the folder containing the encrypted files is "mounted" as another drive letter (e.g. Z:) or as another mountpoint on a Linux/Unix system (e.g. /mount/shdw), and the files are read and written in decrypted form through that mountpoint.
2. EncFS Best Practices
- When mounting/decrypting encrypted files, mount in RAM/memory, or decrypt to a secure partition.
- Encrypt your swap partition (Linux/Unix), so that decrypted data paged out of memory does not reach the disk in the clear.
- Use EncFS to encrypt home folders, auto-decrypting on login.
- Use EncFS to encrypt files synchronized to cloud storage or with BitTorrent Sync.
- Use a "shdw" prefix/folder root for mounted secure folders, or even for secure source repositories (e.g. /mnt/shdw/dropbox-encfs, /mnt/shdw/luks-drive/source/apache-source, etc.).
3. Using EncFS and Cloud Storage
EncFS is ideal if you would like to use cloud storage but do not want the files stored on the Internet to be readable if they are accessed by a third party.
3.1. General Terms:
- Cipher Algorithm:
- The encryption algorithm used to encrypt data (AES, Blowfish, etc.).
- Block Size:
- The amount of data (size in bytes) that is segmented and encrypted together.
- 1024 bytes (1 KB) is sufficient for most purposes.
- Initialization Vector:
- Random data mixed into the encryption so that the same input does not always produce the same encrypted output.
- An Initialization Vector may be based on another Initialization Vector.
- If the source Initialization Vector is changed, the change is "cascaded" down to all of the derived instances.
- Initialization Vectors can be "derived" (i.e., chained) from one another, or come from another source, as in the case where the Initialization Vector for file data is derived from the parent folder's Initialization Vector.
3.2. EncFS Options:
- Per-file Initialization Vector:
- Adds 8 bytes per file: each file is encrypted with its own random 8-byte initialization vector.
- Makes the encryption more difficult to break.
- File Name Encoding:
- File names can be encoded.
- The two encoding mechanisms are "block" and "stream".
- Stream encoding allows for smaller encoded file names.
- Block MAC Headers:
- Adds checksum values to each block to reinforce integrity.
- Can add random bytes so that two copies of the same data have two different checksums.
- File Name Initialization Vector Chaining:
- Don't use if you want to change folder names.
- Causes the Initialization Vector used to encrypt the file name to be derived from the parent folder's Initialization Vector.
- If a folder is renamed, the contents of that folder will need to be re-encrypted.
- File Name to Initialization Vector Header Chaining:
- Don't use if renaming or moving files often.
- Encoding is influenced by the full path name.
- Renaming or moving files will make them unreadable without re-encoding.
- File Data External Initialization Vector Chaining:
- Don't use if moving or renaming files often.
- Causes the file's data Initialization Vector to be derived from the file name's Initialization Vector.
- The same data will be encrypted differently, given a different file name or directory.
4. EncFS Commands
Note: it is important to consider mounting the EncFS folder using FUSE mount options under Linux.
In my case, I am using the BitTorrent Sync service in Linux to sync this particular folder, but am writing to it using my local Linux user account.
So, I added the btsync user and my personal user account to a "Replication" group, and mount the encfs folder specifying my personal user account and the Replication group that contains both users (btsync and my account).
cmd:/> encfs /mnt/Secure-Drive/Sync/GoogleDrive/encfs /mnt/Secure-Drive/shdw/GoogleDrive -o allow_other,gid=1002,uid=1001,umask=007
cmd:/> fusermount -u /mnt/Secure-Drive/shdw/GoogleDrive
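A mount helper built around the invocation above, as an added example that is not part of the original page: it assembles the allow_other/uid/gid/umask options, checks that a non-root user is actually permitted to use allow_other (FUSE requires user_allow_other in /etc/fuse.conf), confirms the mount appeared, and shows which permission bits the umask leaves. The paths, uid 1001 and gid 1002 are the page's own values; the helper names and check logic are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page: a mount helper for the shared
# EncFS + BitTorrent Sync setup above. The paths, uid 1001 and gid 1002 are
# the page's own values; everything else here is assumed.
set -eu

# Build the FUSE option string. allow_other lets a second account (btsync)
# see the mount; uid/gid pin every file's owner; umask=007 strips all
# "other" bits so only the owner and the replication group get access.
build_encfs_opts() {
    printf 'allow_other,gid=%s,uid=%s,umask=%s' "$2" "$1" "$3"
}

# Permission bits a file really ends up with under the mount umask,
# e.g. effective_mode 0666 007 -> 0660. Octal in, octal out.
effective_mode() {
    printf '%04o' $(( $1 & ~$2 & 0777 ))
}

# A non-root mounter may only pass allow_other if /etc/fuse.conf has
# user_allow_other enabled; refuse early instead of letting encfs fail.
allow_other_permitted() {
    [ "$(id -u)" -eq 0 ] && return 0
    grep -qs '^[[:space:]]*user_allow_other' /etc/fuse.conf
}

# True when the path is currently mounted (Linux /proc/mounts; spaces in
# paths appear there as \040, so keep mountpoint names simple).
is_mounted() {
    grep -qs " $1 " /proc/mounts
}

# mount_secure <encrypted dir> <mountpoint> <uid> <gid>
mount_secure() {
    if is_mounted "$2"; then
        echo "already mounted: $2" >&2; return 1
    fi
    allow_other_permitted || { echo "allow_other not permitted" >&2; return 1; }
    encfs "$1" "$2" -o "$(build_encfs_opts "$3" "$4" 007)"
    is_mounted "$2"   # confirm the FUSE mount actually appeared
}

unmount_secure() {
    fusermount -u "$1"
}

# The page's own invocation, expressed through the helpers:
# mount_secure /mnt/Secure-Drive/Sync/GoogleDrive/encfs \
#              /mnt/Secure-Drive/shdw/GoogleDrive 1001 1002
# unmount_secure /mnt/Secure-Drive/shdw/GoogleDrive
```

With uid/gid pinned and umask=007, every file in the mount shows up as mode 0660 owned by 1001:1002, so the sync daemon reaches the data only through its membership in the replication group.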