HowTo: Encrypt specific directories (not whole filesystems) in Ubuntu.

Discussion in 'Other Operating Systems' started by HyRax1, Mar 18, 2008.

  1. HyRax1

    HyRax1 ¡Viva la Resolutión!

    Joined:
    Jun 28, 2001
    Messages:
    7,744
    Location:
    At a desk
    Amazingly there are only 22 other threads in this forum that discuss encryption (and the bulk of them seem to involve Samba), and there is not a single HowTo, so for all the newbies, here you go.

    Purpose: To encrypt one or more specific directories on Linux without needing to encrypt the entire volume or partition.

    Scenario: You have a PC that is shared or can be accessed by more than one person. Let us say that you have a hypothetical Jessica Alba photo collection that you do not want your hypothetical girlfriend to see, much less your inquisitive little brother who thinks he is the ultimate hacker because he can do a wildcard search for *.jpg when you are not around.

    Solution: Fear not, through the use of a free encryption package called ENCFS, we can protect that hypothetical sensitive data with little effort.

    Pros of ENCFS:
    • Easy to install and configure.
    • Minimal interaction required to encrypt/decrypt data.
    • Data is portable to another PC.
    • Strong or weak encryption - up to you. Uses what encryption libraries are available to it.
    • Encrypts data and filenames.
    • Will encrypt on any filesystem available because it encrypts the files, not the filesystem.
    • No kernel changes are required. It uses FUSE (Filesystem in USErspace) to run.
    • You are not restricted to one encrypted directory. Create as many as you want.
    • Can still playback large streamable files such as MPEGs straight off the decrypted mountpoint with no visible CPU overhead (no more than 2% difference in my test of a 720p Divx clip).

    Cons of ENCFS:
    • No password recovery is possible, even by an admin if you forget your password. (Hint: Don't forget your password)
    • Encrypted directory is obvious to the casual user, so you need to put it somewhere less likely to be found, or you will need to field questions from curious users.
    • Even though filenames and their contents are encrypted, the permissions, date-stamps and file sizes are not.
    • While encrypted data is portable between PCs (eg: on your USB stick), it is not portable across platforms. There is NO Windows client of ENCFS. You will need to decrypt data first, or share the decrypted mountpoint on a Linux box via Samba.
    • Filesystem operations such as copy and paste will be slowed down because of the CPU overhead in encrypting/decrypting. Expect large file operations to take twice as long to perform. The performance loss in small files is quite negligible and can barely be noticed.
    • Filenames have smaller length limits due to encrypted filenames being longer than the originals. Expect Ext3 filesystems to only be able to have 190 character filenames instead of 255 (not that this should be an issue for anyone, I would think!)
    • ENCFS does not encrypt-in-place. Once setup, you need to move the files and folders you wish to be encrypted to the ENCFS mountpoint. If you have a lot of files, this may take some time to finish, but only needs to be done once. Once complete, however, there is nothing stopping you renaming the encrypted folder and putting it back in place of the original unencrypted folder for future use.
    • ENCFS does NOT support multiple passwords on a given mountpoint.

    In this example, we will take a directory of files and encrypt them so that before and after looks like this:

    BEFORE:
    Code:
    $ ls -l decrypted
    total 5632
    -rw-r--r-- 1 joeuser joeuser 1499449 2002-04-27 18:03 DSC00106.JPG
    -rw-r--r-- 1 joeuser joeuser 1377214 2002-04-27 18:03 DSC00107.JPG
    -rw-r--r-- 1 joeuser joeuser 1405776 2002-04-27 18:03 DSC00108.JPG
    -rw-r--r-- 1 joeuser joeuser 1457409 2002-04-27 18:04 DSC00109.JPG
    $
    
    AFTER:
    Code:
    $ ls -l encrypted_data
    total 5716
    -rw-r--r-- 1 joeuser joeuser 1523265 2002-04-27 18:03 0WhBL-h90SH7qDkOjGEZmjrg
    -rw-r--r-- 1 joeuser joeuser 1480553 2002-04-27 18:04 A13-qO0kT7Jb3-BzpOAt7Qi0
    -rw-r--r-- 1 joeuser joeuser 1399086 2002-04-27 18:03 SW6HfMQhWaRJSemAhjh62t9e
    -rw-r--r-- 1 joeuser joeuser 1428104 2002-04-27 18:03 TW98P8n4eE-,gbqwi-xoBwok
    $
    
    Installation and configuration:

    This HowTo is based on Ubuntu Gutsy Gibbon 7.10, but should work with any distro that has ENCFS available to it.

    1. Get into a terminal and type in:
      Code:
      $ sudo apt-get install encfs fuse-utils
      
      (ENCFS requires FUSE to run, however Ubuntu already comes pre-installed with FUSE, so you don't have to try and install it again - it will skip it if it is already there).
      .
    2. Now create two directories. One will be your folder for storing the encrypted data and the other will be a mount point for accessing the decrypted versions, eg:
      Code:
      $ cd /home/joeuser
      $ mkdir encrypted_data
      $ mkdir decrypted
      
      NOTE: For the purposes of this tutorial, these directories should be EMPTY for the moment.
      .
    3. Since ENCFS uses FUSE, we need to add YOUR username to the FUSE group so you can use the handler:
      Code:
      $ sudo addgroup joeuser fuse
      
    4. Reboot your PC so the group change can take effect.
      .
    5. Now let us create the encrypted filesystem. Open a terminal again and type the following:
      Code:
      $ encfs /home/joeuser/encrypted_data /home/joeuser/decrypted
      Creating new encrypted volume.
      Please choose from one of the following options:
       enter "x" for expert configuration mode,
       enter "p" for pre-configured paranoia mode,
       anything else, or an empty line will select standard mode.
      ?> p
      
    6. You will be asked for how you want the encryption to be setup. The Paranoia mode is good enough, so type in the letter P and hit enter.
      Code:
      Paranoia configuration selected.
      
      Configuration finished.  The filesystem to be created has
      the following properties:
      Filesystem cipher: "ssl/aes", version 2:1:1
      Filename encoding: "nameio/block", version 3:0:1
      Key Size: 256 bits
      Block Size: 512 bytes, including 8 byte MAC header
      Each file contains 8 byte header with unique IV data.
      Filenames encoded using IV chaining mode.
      File data IV is chained to filename IV.
      
      -------------------------- WARNING --------------------------
      The external initialization-vector chaining option has been
      enabled.  This option disables the use of hard links on the
      filesystem. Without hard links, some programs may not work.
      The programs 'mutt' and 'procmail' are known to fail.  For
      more information, please see the encfs mailing list.
      If you would like to choose another configuration setting,
      please press CTRL-C now to abort and start over.
      
      Now you will need to enter a password for your filesystem.
      You will need to remember this password, as there is absolutely
      no recovery mechanism.  However, the password can be changed
      later using encfsctl.
      
      New Encfs Password: 
      Verify Encfs Password: 
      $
      
    7. You will now be asked for the password to encrypt the data with. Incidentally, ENCFS generates its own random password to encrypt your data. The password you enter here will encrypt the ENCFS generated password only. This way, you can change your password without the need to re-encrypt your data.
      .
    8. Once you have entered your password and verified it, your encryption filesystem is ready to go. Copy the files/folders you wish to encrypt into the decrypted folder. As you copy, the files/folders will be encrypted and placed into the encrypted_data folder automatically.
      .
    9. Once you are done encrypting your data, unmount the filesystem by typing in:
      Code:
      $ fusermount -u /home/joeuser/decrypted
      
      (This will empty the decrypted folder as it is a folder again, not a mountpoint)
      .
    10. To re-mount your encrypted filesystem again, simply re-enter:
      Code:
      $ encfs /home/joeuser/encrypted_data /home/joeuser/decrypted
      
      ...and you will be re-prompted for your password without any need to re-setup everything. Note that you do not have to use the same /home/joeuser/decrypted mountpoint - you can use anything you like, eg: /home/joeuser/foobar (as long as the directory for that mountpoint is created or exists first).
      .
    11. Pat yourself on the back. You are done.



    ** SPECIAL NOTE ABOUT SHARING VIA SAMBA **
    If you want to encrypt a directory on your fileserver and have the decrypted mountpoint accessible by Linux or Windows clients via Samba, you need to modify your setup slightly to permit "other" access to the Fuse device.

    First, modify the /etc/fuse.conf file so that the last line "user_allow_other" does NOT have a leading hash. Save and exit. You do not need to reboot.

    Next, add an option to your EncFS mount command. In the HowTo example, you would use:
    Code:
    $ encfs /home/joeuser/encrypted_data /home/joeuser/decrypted -- -o allow_other
    
    This will permit a Samba share to see and give users access to your decrypted mountpoint as a regular everyday folder.

    Note that this option does not give global "other user" access to all your encrypted folders - it gives access on a per-mountpoint basis only. If you setup a folder inside a Samba share with this option and another folder under the same share without it, the first mountpoint will appear as an accessible regular folder (containing decrypted data) and the second mountpoint will appear as an inaccessible file, despite appearing locally as a decrypted folder.




    ** WARNING: COOL CONTENT! ** (May cause gasps of appreciation)

    Here is a cool thing. The mountpoint you choose does NOT have to be empty! This makes for disguising of your data with an element of Secret Squirrel! Let us take a Real World practical example - Limewire. It typically uses the following directory structure:

    /home/joeuser/LimeWire/
    /home/joeuser/LimeWire/store
    /home/joeuser/LimeWire/Incomplete
    /home/joeuser/LimeWire/complete

    We can create a bit of a spoof here. These are real directories, so you can populate them with some real downloads that you don't give a hoot about anyone else seeing, but then when you mount your encrypted filesystem, your LimeWire directory is automagically replaced with the decrypted version of your sensitive data. When unmounted, the harmless data is automagically put back, and LimeWire does not know the difference!

    To do this:
    1. Shutdown your LimeWire client completely.
      .
    2. Create a directory somewhere that will hold your encrypted LimeWire data:
      Code:
      $ mkdir /home/joeuser/.lw
      
      The above will create a hidden directory called lw, but ideally you should nest it inside another populated directory where it could easily be missed by the casual observer.
      .
    3. Now create your encrypted filesystem (note: you do NOT need to delete or move whatever you currently have in your LimeWire directory):
      Code:
      $ encfs /home/joeuser/.lw /home/joeuser/LimeWire -- -o nonempty
      
      NOTE: That is two dashes, a space, a dash then a lowercase letter o and then nonempty on the end. If you do not specify this, FUSE will not allow the mount because the mountpoint folder is not empty. If you additionally need to have this mountpoint visible by Samba for sharing, change the options section on the end to read "-o nonempty -o allow_other" (see special note about Samba above).
      .
    4. Examine your LimeWire directory now. You will see that what was there before is now empty - but don't panic! Your mounted ENCFS filesystem has simply assumed control of that directory as a mountpoint only. Now, fire up LimeWire. It will think that the directories have been moved or deleted and will prompt you to create them again. Create them EXACTLY as your previous configuration was.
      .
    5. Now begin some downloads that are totally different to what you had before. Get some completed and partially-completed ones going.
      .
    6. Now completely shutdown Limewire again.
      .
    7. Go to the terminal and unmount your ENCFS filesystem by entering:
      Code:
      $ fusermount -u /home/joeuser/LimeWire
      
    8. Check out your /home/joeuser/LimeWire folder - your original downloads have returned!
      .
    9. Check out /home/joeuser/.lw - you will see some encrypted folders and files.
      .
    10. Fire up LimeWire again and it will resume all your original downloads as though nothing has happened.
      .
    11. Quit LimeWire again and then restore your encrypted filesystem again with:
      Code:
      $ encfs /home/joeuser/.lw /home/joeuser/LimeWire -- -o nonempty
      
    12. Fire up LimeWire again - it resumes your encrypted downloads as though nothing has happened! Way cool... :cool:
      .
    13. Apply smug smile as you leave your PC in peace, secure in the knowledge that only you and your (hypothetical) collection of Jessica Alba will ever share a tender moment together again. ;)
      .
    14. Lather, rinse, repeat for any other applications (except for any that rely on hard links).
     
    Last edited: Mar 19, 2008
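
Added example (not part of the original post): the "file sizes are not encrypted" con, worked through for the paranoia-mode settings printed in step 6. The block layout is read from that configuration output and checked against the post's BEFORE/AFTER listings; the function names are made up for this example.

```shell
#!/bin/sh
# Layout from the step 6 output: 512-byte blocks that each include an 8-byte
# MAC header (so 504 data bytes per block), plus one 8-byte IV header per file.
BLOCK=512; MAC=8; HDR=8

# On-disk size of a non-empty file holding $1 plaintext bytes.
encfs_cipher_size() {
    data=$((BLOCK - MAC))
    blocks=$(( ($1 + data - 1) / data ))      # round up to whole blocks
    echo $(( $1 + HDR + blocks * MAC ))
}

# Plaintext size implied by an on-disk size of $1 bytes.
encfs_plain_size() {
    body=$(( $1 - HDR ))
    blocks=$(( (body + BLOCK - 1) / BLOCK ))  # last block may be partial
    echo $(( body - blocks * MAC ))
}

# Size and name columns of the AFTER listing in the post.
AFTER='1523265 0WhBL-h90SH7qDkOjGEZmjrg
1480553 A13-qO0kT7Jb3-BzpOAt7Qi0
1399086 SW6HfMQhWaRJSemAhjh62t9e
1428104 TW98P8n4eE-,gbqwi-xoBwok'

# For every encrypted file, print its name and the plaintext size that
# anyone who can list encrypted_data can work out without the password.
recovered_sizes() {
    printf '%s\n' "$AFTER" | while read -r csize cname; do
        echo "$cname $(encfs_plain_size "$csize")"
    done
}

recovered_sizes
```

The four sizes printed are exactly the sizes in the BEFORE listing, so keep the encrypted directory's own permissions tight if file sizes and timestamps are themselves sensitive.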
  2. Bangers

    Bangers Member

    Joined:
    Dec 25, 2001
    Messages:
    7,254
    Location:
    Silicon Valley
    Or use TrueCrypt and encrypt the Entire System Disk from block 0? :)
     
  3. OP
    HyRax1

    HyRax1 ¡Viva la Resolutión!

    Joined:
    Jun 28, 2001
    Messages:
    7,744
    Location:
    At a desk
    That's certainly an option, but I have to admit I like Encfs' simplicity. TC's only real advantage is that it creates a big file that can be hidden away for extra plausible deniability, but the setup and use is a lot more involved for the newbie compared to Encfs.
     
  4. Bangers

    Bangers Member

    Joined:
    Dec 25, 2001
    Messages:
    7,254
    Location:
    Silicon Valley
    No drama, I'm a big fan of showing different ways of doing stuff too. Version 5.2 of TrueCrypt in a few clicks will encrypt the entire OS Disk. No Containers and a pre-boot password.
     
  5. flagger

    flagger Member

    Joined:
    Feb 7, 2003
    Messages:
    2,169
    Location:
    4074
    wow, cool. i'm just starting to use encfs. I have successfully got it working on my fedora core 5 fileserver, using a test folder. I use samba to share out a folder to my windows boxes.

    However I can not see the decrypted folder i have created with encfs. I can see the encrypted folder ok (with 1 encrypted file). So far, nothing on google has helped me out.

    Any ideas on how to network share the decrypted folder?
     
  6. OP
    HyRax1

    HyRax1 ¡Viva la Resolutión!

    Joined:
    Jun 28, 2001
    Messages:
    7,744
    Location:
    At a desk
    Funny thing - this is the one thing I never tried out. Playing with it myself just now, it would appear that Samba refuses to display the decrypted mountpoint (it appears as a file instead of a folder).

    I can see the encrypted folder without a problem, just not the decrypted mountpoint. Damn.

    I can, however, copy the encrypted files over Samba and decrypt them locally, but that does not help you. Trying to use a symbolic link to the decrypted mount does not work either.

    I have amended my HowTo to specify that sharing does NOT work. You will have to use something else if sharing is required. I do not know if TrueCrypt volumes can be shared out, but since it presents itself as a volume, I do not see why not.
     
  7. flagger

    flagger Member

    Joined:
    Feb 7, 2003
    Messages:
    2,169
    Location:
    4074
    been looking into this a bit in the last hour. you can try adding a -o allow_other option to the encfs mount command. However at the moment, I am getting a fuse module not found error, which means i have to properly install fuse (i installed it from yum/rpm). maybe you could try it? :thumbup:
     
  8. OP
    HyRax1

    HyRax1 ¡Viva la Resolutión!

    Joined:
    Jun 28, 2001
    Messages:
    7,744
    Location:
    At a desk
    I should not have dismissed myself so easily. The -o allow_other option works. You can see and mount the decrypted point from Samba.

    The problem was not EncFS, it was Fuse - you have to specifically allow access for "other users" to the Fuse device, because up until then, only those who are listed in the FUSE group can access it, ie: you and root, not Samba. The -o option permits per-mount access for other users without having to specify global access.

    Edit /etc/fuse.conf and remove the leading hash from the last line user_allow_other then save and exit. No reboot is necessary.

    My tutorial is then modified as follows:
    Code:
    $ encfs /home/joeuser/encrypted_data /home/joeuser/decrypted -- -o allow_other
    
    The mount point is now visible by Samba either directly or indirectly.

    For my LimeWire example, the mount command modification is as follows:
    Code:
    $ encfs /home/joeuser/.lw /home/joeuser/LimeWire -- -o nonempty -o allow_other
    
    This will permit the decrypted non-empty LimeWire directory to be seen by Samba.
     
    Last edited: Mar 19, 2008
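
Added example (not part of the thread): a check for which EncFS mountpoints are currently decrypted and which of those were mounted with allow_other, plus whether /etc/fuse.conf has user_allow_other active. The sample inputs are constructed, the function names are made up here, and the mount-table layout assumed is the /proc/mounts format.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format: the two mounts from the HowTo,
# one with allow_other and one without, plus an unrelated filesystem.
SAMPLE_MOUNTS='encfs /home/joeuser/decrypted fuse.encfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,allow_other 0 0
encfs /home/joeuser/LimeWire fuse.encfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
/dev/sda1 / ext3 rw,relatime 0 0'

# Constructed sample of a fuse.conf with the option still commented out.
SAMPLE_FUSE_CONF='# Allow non-root users to specify the allow_other mount option.
#user_allow_other'

# Reads mount-table lines on stdin and prints "<mountpoint> shared|private"
# for each live EncFS mount. "shared" means allow_other is set, so users
# other than the one who mounted it (Samba included) can reach the plaintext.
encfs_mount_exposure() {
    awk '$3 == "fuse.encfs" || ($1 == "encfs" && $3 == "fuse") {
        n = split($4, opt, ",")
        state = "private"
        for (i = 1; i <= n; i++)
            if (opt[i] == "allow_other") state = "shared"
        print $2, state
    }'
}

# Reads fuse.conf text on stdin; succeeds only if user_allow_other is
# present without a leading hash.
fuse_allows_other() {
    grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*$'
}

printf '%s\n' "$SAMPLE_MOUNTS" | encfs_mount_exposure
if printf '%s\n' "$SAMPLE_FUSE_CONF" | fuse_allows_other; then
    echo "fuse.conf: user_allow_other enabled"
else
    echo "fuse.conf: user_allow_other disabled"
fi
```

On a real machine, feed the first function from /proc/mounts and the second from /etc/fuse.conf; any mountpoint it lists is readable in the clear until fusermount -u is run on it.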
  9. flagger

    flagger Member

    Joined:
    Feb 7, 2003
    Messages:
    2,169
    Location:
    4074
    excellent news. thanks for looking into this :)

    edit: just got mine working, turns out i needed the -- option after the mount point, fuse is working after all
     
    Last edited: Mar 19, 2008
  10. OP
    HyRax1

    HyRax1 ¡Viva la Resolutión!

    Joined:
    Jun 28, 2001
    Messages:
    7,744
    Location:
    At a desk
    Cheers - yeah, the double-dash thing gets me too. Just fixed that in my previous reply to you now. :)
     
  11. mpot

    mpot Member

    Joined:
    Jun 27, 2001
    Messages:
    5,372
    Location:
    Perth, WA
    Is a reboot necessary for adding a user to a group?
    Remember....this is linux, not Windows ;-)

    Cheers,
    Martin.
     
  12. Quadbox

    Quadbox Member

    Joined:
    Jun 27, 2001
    Messages:
    5,912
    Location:
    Brisbane
    You could also achieve much the same thing without having to fuck around with a whole new fuse driver by just mounting an encrypted filesystem-in-a-file using crypto-loop-aes. Fair bit simpler. Only downside to that approach is that you've potentially got a bit more overhead due to having an entire extra filesystem. Depends which filesystem you're using really
     
  13. OP
    HyRax1

    HyRax1 ¡Viva la Resolutión!

    Joined:
    Jun 28, 2001
    Messages:
    7,744
    Location:
    At a desk
    OK, Mr. Nitpicky, you could just logout and back in again too! ;)

    And what if you don't wish to encrypt the entire filesystem? That's what this guide is about - to encrypt specific directories only. It also means that it will be harder for someone to exploit the RAM freeze/quick reboot and RAM dump trick that is currently employed to defeat drive/filesystem encryption systems like Windows' Bitlocker because you will only ever decrypt the data on-demand, not all the time.
     
