Encfs encryption the Truecrypt alternative?

Postby viking60 » 06 Jun 2014, 13:26

Well those cryptic announcements that Truecrypt has become unsafe and is discontinued do probably mean that the NSA have demanded and gotten what they needed.

So it is time to look for an alternative. There are several but I went for Encfs.
Encfs does not reserve a space on your HD and simply grows and shrinks with the files you put in there.

The one thing that can seem a bit confusing about it is that you need to make two directories (folders) to make it work:
one encrypted and one unencrypted.

Why would I need an unencrypted folder that contains the data I want to encrypt; is that not the mother of all security flaws?

The entire point with encryption is that the encrypted data should not be accessible in an unencrypted form; right?

Well the way encfs works is that the un-encrypted directory is the mount point for the encrypted content.
If you do not mount it - nothing nix de nada - will be visible there.
And to mount it; you need to enter that password +1

Ok let's go then:
I installed Encfs in my Manjaro distro (it will be pretty much the same in any distro. I found a bug in SolydX though).

Code:

sudo pacman -S encfs

Then I decided that I wanted to make a directory that I would call .secret to keep my encrypted stuff and I would make the mount point secret:

Code:

encfs ~/.secret ~/secret

Note that .secret will contain the unreadable encrypted stuff so we make that a hidden directory with the "." because there is no use in looking at it.
.secret will be mounted to secret (where you put all the content you want to encrypt aka your working directory) as a HD with this command in the future, but since this is a first time run the directories need to be created.
You will be prompted about this and can simply answer "y" twice so the directories will be created.

Next you will be prompted for the configuration mode; here you can simply pick "p" for paranoia mode which is a good mode.
(If you pick x for expert mode; you can configure manually).

Next you will be prompted for your password. Make it long and hard to crack but don't forget it - if you do; there is no way of recovering your data.
(Tip: use sentences and slang like; Ain'tToHappyBoutNSATheseDays062014)

And that's it +1 you're finished :smug

Well let us test it then; open your Thunar or Nautilus or Dolphin and go to ~/secret and add a file like test.txt or whatever.
Next open ~/.secret and there you will see something completely gibberish
That is why we made it a hidden directory (don't mind the addresses - I used encfs to encrypt my dropbox - we will get to that later...).

To test that the password prompt and the mounting will work properly we need to unmount secret first:

Code:

fusermount -u ~/secret

Have a look at secret now! It is completely empty (as it should be). Our test.txt is not there.
Then we (re)mount it with:

Code:

encfs ~/.secret ~/secret

Here you will have to enter your password.
Et voila now the test.txt is visible and editable in secret.

It is as easy as that +1 The security lies in that you will have to mount your secret to make it visible.

Now I found those commands a bit hard to remember so I made myself an alias

Code:

alias mountsecret='encfs ~/.secret ~/secret'

and to unmount it

Code:

alias umountsecret='fusermount -u ~/secret'


Naturally you can pick some other names than "mountsecret" and "umountsecret".

You can also install a GUI (from AUR in the Arch world) like gencfs; it will make the mounting and unmounting real easy.
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"

Encfs encryption - Encrypting Dropbox

Postby viking60 » 06 Jun 2014, 13:50

Ok, encrypting Dropbox is not much different from encrypting any other directory. What we want to achieve is that the gibberish encrypted stuff is on the internet and only readable on our boxes after we have mounted it on our local box.

If you have installed Dropbox in the traditional way you will have to work with the ~/Dropbox directory.
So I want to make a directory there that is encrypted and an un-encrypted mount-point.

Code:

encfs ~/Dropbox/encrypted ~/Dropbox_unencrypted

Answer yes twice to create the directories when prompted.

Next enter a password as we did above.

Remember: Never put any content in /Dropbox/encrypted; your working directory will always be Dropbox_unencrypted :T

encfs will sync the data between the directories and Dropbox will sync the data to the "cloud".

To read the Dropbox content on another box (like a laptop) repeat the steps above and create the exact same directories and the exact same password.

Code:

encfs ~/Dropbox/encrypted ~/Dropbox_unencrypted


This works well; just don't be logged in on Dropbox on both computers at the same time (I had trouble with the syncing then). When you add content in Dropbox_unencrypted on any computer it will be nicely synced and readable the next time you log in on that other computer.

Time to make those aliases then:

Code:

alias mountdropbox='encfs ~/Dropbox/encrypted ~/Dropbox_unencrypted'

and

Code:

alias umountdropbox='fusermount -u ~/Dropbox_unencrypted'


Or simply use gencfs.

This is what it will look like on the web (in the cloud).

and here is the readable version on your computer;

Re: Encfs encryption the Truecrypt alternative?

Postby Snorkasaurus » 06 Jun 2014, 15:11

Sweet... kickass write up man! Thanks. :s
S.

Re: Encfs encryption the Truecrypt alternative?

Postby Panther96 » 06 Jun 2014, 18:09

Wow, as Snorkasaurus said, kickass explanation. :s

I'm having an issue where despite any folder I create I get this "Can not find root directory, abandoning" (original message: Impossible de trouver le répertoire racine, abandon.) and then it will spit out how to use encfs options bla bla. I even copied and pasted your encfs ~/.secret ~/secret to verify it wasn't my error and it still gives me issues.

Re: Encfs encryption the Truecrypt alternative?

Postby viking60 » 06 Jun 2014, 21:03

hm you should not run

Code:

encfs ~/.secret ~/secret
as root (do not use sudo)
You can simply try again, or you can create .secret and secret manually before you run the command.

Re: Encfs encryption the Truecrypt alternative?

Postby Panther96 » 06 Jun 2014, 23:25

Creating the files beforehand seemed to work for me, thanks. I was able to get the secret command to work. My last problem is creating encrypted sync for my SpiderOak Hive. I created an encrypted folder within it and then one called "Private" in my home file for something like you did for dropbox. When I type it exactly as encfs ~/SpiderOak Hive/encrypted ~/Private , it will spit out When using daemon mode, you must use absolute paths (starting with '/') . When I type it as encfs ~/SpiderOak_Hive/encrypted ~/Private , it asks me to create a folder that already exists, and then it poops out the same answer as earlier "Can not find root directory, abandoning" . Is there anything else special I have to do when it's a two word file? Thanks

*edit* Nevermind, I've found this to be easier with a program called KEencFS. Great tool that provides easy GUI for all of the above. You simply have to create the folders in advance, and then you indicate which one will be the encrypted which one will be the mountpoint, give it a file system ID, and done. It also allows to add and remove as you wish, as well as control the mounting and unmounting with ease. I think I saw they had something like it for gnome as well.
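
Added example, not part of any post in this thread and not encfs's own code: a shell wrapper around the thread's encfs and fusermount commands that guards against the failures reported so far (running as root, missing directories, and a path with a space, which the unquoted shell command splits into two arguments so that encfs receives a relative mount point). The function names are hypothetical and the SpiderOak path is only an illustration.

```sh
#!/bin/sh
# Added example: helper functions around the encfs/fusermount commands
# from this thread. All function names here are hypothetical.

# Resolve an existing directory to an absolute, symlink-free path.
abs_dir() {
    ( CDPATH= cd -- "$1" 2>/dev/null && pwd -P )
}

# Create the directory if it is missing, make sure the current user owns
# it, and print its absolute path (encfs in daemon mode insists on one).
prepare_dir() {
    mkdir -p -- "$1" || return 1
    if [ ! -O "$1" ]; then
        echo "not owned by $(id -un): $1" >&2
        return 1
    fi
    abs_dir "$1"
}

# mount_encfs ENCRYPTED_DIR MOUNT_POINT
# Always quote the arguments: unquoted, ~/SpiderOak Hive/encrypted is
# split at the space and encfs sees "Hive/encrypted" as the mount point.
mount_encfs() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "run as your normal user, not as root or with sudo" >&2
        return 1
    fi
    enc=$(prepare_dir "$1") || return 1
    mnt=$(prepare_dir "$2") || return 1
    if mountpoint -q "$mnt"; then
        echo "already mounted: $mnt" >&2
        return 0
    fi
    encfs "$enc" "$mnt"
}

# umount_encfs MOUNT_POINT
umount_encfs() {
    mnt=$(abs_dir "$1") || return 1
    fusermount -u "$mnt"
}

# Usage (tilde is not expanded inside quotes, so use $HOME):
#   mount_encfs "$HOME/SpiderOak Hive/encrypted" "$HOME/Private"
#   umount_encfs "$HOME/Private"
```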

Re: Encfs encryption the Truecrypt alternative?

Postby viking60 » 07 Jun 2014, 10:11

Yes you need to use the full path in encfs. When there are spaces in names you could try to omit them :confused And when you create directories make sure that you own them (not root).

Code:

chown -R panther ~/.secret


In any case I am glad it worked out for you.
I will have a look at KEencFS now of course... Edit: I cannot find it :confused

Meanwhile if you should need to access Dropbox with your Android phone you can use the Cryptonite encfs App.

And don't think that this makes it absolutely safe to save your sensitive data in the cloud. :naughty: But it sure is more practical for encrypting Dropbox because it does not reserve valuable Dropbox space like Truecrypt did. So this is about as secure as it gets in the cloud - there are some things that do not belong there though - because nothing in the cloud is 100% safe.

Re: Encfs encryption the Truecrypt alternative?

Postby Panther96 » 07 Jun 2014, 19:11

viking60 wrote:
I will have a look at KEencFS now of course... Edit: I cannot find it :confused


It should be in the AUR/Yaourt group.

Re: Encfs encryption the Truecrypt alternative?

Postby viking60 » 08 Jun 2014, 01:01

Found it but I already have both cryptkeeper and gencfs so I am covered.
Video coming up where I amuse myself with unmounting and mounting in both cryptkeeper and gencfs. You can see how the data disappear the moment the directory is unmounted.....

What I am doing here is no different than doing

Code:

fusermount -u ~/private

and

Code:

encfs ~/.private ~/private

From the command line.
At the bottom right you see all the HDs mounted in docky (this is Openbox). If you pay attention you will see that the HDs do disappear and reappear as I play along....

Re: Encfs encryption the Truecrypt alternative?

Postby viking60 » 09 Jun 2014, 09:01

I have "comited" the Manjaro wiki:
https://wiki.manjaro.org/index.php?title=Encfs
In the hope that all certainties can now be removed :-D

Re: Encfs encryption the Truecrypt alternative?

Postby Panther96 » 10 Jun 2014, 19:44

Wow team all-star there. Made a video and contributed to the wiki :s

Re: Encfs encryption the Truecrypt alternative?

Postby viking60 » 10 Jun 2014, 22:24

C'est rien , De nada :smug :oops: