Skip to main content

EncFS Hints

EncFS Hints


  1. What is EncFS?
  2. Using EncFS and Cloud Storage
  3. Terms
  4. EncFS Commands
  5. EncFS Tools

1. What is EncFS?

EncFS is a "Virtual Filesystem" ... of sorts.  Encrypted files are placed individually within a folder, on top of an existing filesystem.

With special software, the folder containing the encrypted files is "Mounted"  as another drive letter, ( Z: drive), or as another mountpoint in a Linux/Unix system, (i.e. /mount/shdw).

2. EncFS Best Practices

  1. When mounting/decrypting encrypted files, mount in RAM/Memory, or decrypt to a secure partition.
  2. Encrypt your swap drive, (Linux/Unix).
  3. Use EncFS to encrypt home folders, auto-decrypting on login.
  4. Use EncFS to encrypt files synchronized to cloud storage or with BitTorrent Sync.
  5. Use a "shdw" prefix/folder root, for mounted secure folders, or even secure source repositorie, (i.e., /mnt/shdw/dropbox-encfs, /mnt/shdw/luks-drive/source/apache-source, etc).

3. Using EncFS and Cloud Storage

EncFS is ideal if you would like to use Cloud Storage, but don't want those files on the Internet to be readable if accessed by a third-party.

3. Terms

3.1. General Terms:

  1. Cipher Algorithm:
    1. The Encryption algorithm used to encrypt data, AES, Blowfish, etc.
  2. Block Size:
    1. The amount of data, (size in bytes), which is segmented and encrypted together.
    2. 1024 bytes, (1KB), is sufficient for most purposes.
  3. Initialization Vector:
    1. Randomized Data used to encode something.
  4. Chaining:
    1. Where an Initialization Vector is based off of another Initialization Vector.
    2. If the Source is changed, then the change is "Cascaded" down to all of the derived instances.
    3. Initialization Vectors can be "derived", (i.e., Chained), or come from another source, such as in the case where the Initialization Vector for File Data, is derived from the Parent Folder's Initialization Vector.

3.2. EncFS Options:

  1. Per-file Initialization Vector:
    1. Adds 8 Bytes per file--each file is encrypted with a random 8 byte initialization vector.
    2. Makes encryption more difficult to break.
  2. File Name Encoding:
    1. File names can be encoded.
    2. The two encoding mechanisms are "block" and "stream".
    3. Stream encoding allows for smaller file names.
  3. Block MAC Headers:
    1. Adds Checksum values to reinforce integrity.
    2. Can add random bytes to ensure that two sets of the same data have two different checksums.
  4. File Name Initialization Vector Chaining:
    1. Don't Use: if you want to change folder names.
    2. Causes the Initialization Vector used to encrypt the File Name to be derived from the Parent Folder's Initialization Vector.
    3. If a folder is renamed, the contents of that folder will need to be re-encrypted.
  5. File Name to Initialization Vector Header Chaining:
    1. Don't Use: if Renaming or Moving often.
    2. Encoding is influenced by the full path name. 
    3. Renaming or Moving Files will make the files unreadable without re-encoding.
  6. File Data External Initialization Vector Chaining:
    1. Don't Use: if moving or renaming files often.
    2. Causes the File's Data Initialization Vector to be derived from the File's Name Initialization Vector.
    3. The same data will be encrypted differently, given a different filename or directory.

4. EncFS Commands

Note: It is important to consider mounting the EncFS folder using Fuse Mount options under Linux.
In my case, I am using the BitTorrent Sync service in Linux, to sync this particular folder, but am writing to it using my local Linux User account.

So, I added the btsync, and my personal user account to a "Replication" group, and mount the encfs folder specifying my personal user account, and the Linux Replication group that has both users: btsync, and my account.

cmd:/>encfs /mnt/Secure-Drive/Sync/GoogleDrive/encfs /mnt/Secure-Drive/shdw/GoogleDrive -o allow_other,gid=1002,uid=1001,umask=007
cmd:/>fusermount -u /mnt/Secure-Drive/shdw/GoogleDrive

5. EncFS Tools

Under Windows: Safe

Popular posts from this blog



Heavy tattered curtains smothered the living room window; a heavy gust slammed the screen door against the mountain cabin. Hiding from the lightning, a small boy huddled in the corner, wondering when the daylight would be taken by the storm. I'm not afraid of the lightning, he tried.He closed his eyes at the thunder and then faded into nothingness as his page was thrown away. 
A black, cold iron wood stove stood isolated in its corner; a small ash bucket and a spilled wood cradle spotted the bare wooden floor. A young man watched from his stool, peering between the curtains with a rifle in his hand. What will run here from the storm, he wondered.  He slid a round into the rifle's chamber, turned, and then closed the bolt.  As he waited for what was to come, lightning tore through the mountain top, sundering soul from body—a page torn in half; the clouds crumpled, and then he was gone.

A few framed oil paintings, among a dozen unfinished, hung on the cabin's only inte…

Meta Security & Theosophy

Meta Security & Theosophy ContentsWhen Technical Debates Become ReligiousEquivocation in Technology: Meta DataEquivocation in Theology: Six Days of CreationThe Value of Accepting Ideas, "As Is"Conclusion cmp.20140704
e.s. kohen
1. Where Technical Debates Become Religious How do you know when Meta Data become real Data?  The answer is the same as asking: How do you know when an Electron will change state?  By observing it.

Slashdot vs, the NSA and Meta Data has yet another community mash-up regarding Meta Data.  As always, "Tin Foil Hat" conspiracies abound--but in this case justifiably.

From a Philosophical point of view--namely Epistemology, (even Memetics), for that matter, the International Community has completely failed to "Grok" the idea that "Meta" is a completely relative term.

When any scientific debate is abruptly thrown into the context of the Politics or Theology, the entire planet seems to devolve into manipulati…