Tuesday, March 11, 2014

Using EncFS for safefly storing data

Just wanted to share what i think is a nice solution to encrypting your data. If you have confidential data that you would like to store securely, then have a look at EncFS. According to the man page, EncFS creates a virtual file system which stores encrypted data in one directory (they call this directory the rootdir) and makes it available unencrypted in another directory (mountPoint). The user must supply a password that would be used to encrypt the user's files and file names. EncFs relies on the underlying file system. Therefore if there are any limitations on the underlying file system, they will be inherited by EncFS.

One of the blogs that i follow (HowtoForge.com)has a nice write-up on using EncFS that I encourage you to check out. Below, I will provide a summary of the key commands that you will need to get up and running.


# apt-get install encfs

Create 2 directories needed by EncFS.

# mkdir ~/.confidential // This is a hidden directory
# mkdir ~/confidential

The ~/confidential directory will act as the mount point while the encrypted data and file names will be stored at the hidden directory, ~/.confidential.

Mounting the directory:

On first time run, you will be asked to select some preferences as well as your password. A config file will be placed in the ~/.confidential folder and it will be hidden (use ls -la to see this file). Once this is done, every time you run the same command, it will simply mount the unencrypted folder (~/confidential).

# encfs ~/.confidential ~/confidential

Unmount directory:

# fusermount -u ~/confidential

Thats the basics in a nutshell. I can envision this utility being used to encrypt certain folders in your home directory (Documents, Downloads, Music, Video) and then automatically have these folders mounted in their unencrypted form when a user logs in. A program like "expect" can be utilized to automate the password entry while being run via a log on script.


It was brought to my attention via comments (Andy Chang), that a security audit performed on Encfs revealed some potential problems in the software. A report of the audit can be viewed here. In Summary, Encfs ignores many standard best-practices in cryptography. According to the report, this is most likely due to its old age (originally developed before 2005). The holes found in this audit do not suggest that Encfs is broken. However, there is potential (it is not-impossible) for the security be broken (very difficult to exploit) and thus makes the tool's overall security weaker.


  1. I like EncFs, though the recent security audits showed that the encryption could be compromised. But if it is implemented properly, it is still safe to use. Mac users can follow this tutorial to install encfs ( http://ninjatips.com/encrypt-dropbox-using-encfs/ ) on their Macs.

  2. Andy Chang, thanks for bringing this to my attention. I was able to look at the Encfs report @ https://defuse.ca/audits/encfs.htm and i have concluded that it is still relativly safe to use. The key thing that i took from the report is that Encfs, being an older program, ignores many standard best-practices in cryptography. However, the possibility for exploitation is slim/extremely difficult.