Showing posts with label encfs. Show all posts

21 May 2013

427. Very Briefly: encfs on windows (XP, Vista)

I'm using encfs to encrypt files in dropbox -- and it turns out that I'm not the only one. In fact, I'm a late-comer to this apparently.

I've just installed Windows on physical hardware for the first time in a couple of years -- I figured I should learn more about this experimental, unstable OS that a lot of people have been talking about. I hear that it's not even based on linux, and that their leader isn't Torvalds (it's some guy called Gates, apparently). It looks pretty slick actually, but their software management model leaves a lot to be desired (you have to use your browser to download software and there's no way of keeping track of security updates for anything other than the core OS). I also haven't figured out how to switch to any of the other virtual desktops/workspaces.

Whatever. The FOSS connection lies in the use of Dokan and encfs4win.

Anyway, to get encfs up and running on Windows, go to http://dokan-dev.net/wp-content/uploads/DokanInstall_0.6.0.exe and install it.

Then go to http://members.ferrara.linux.it/freddy77/encfs.html and download encfs.zip

I dragged the entire encfs4win folder to Program Files. Start encfsw. A notification icon (shaped like a key) should show up in the task tray. Left-click on it, select Preferences and set to Launch at Startup.

To mount an existing encrypted directory, or to create a new one, left-click, select Open/Create and follow the instructions. Simple.




26 April 2013

398. Securing your Dropbox with encfs

Quite some time ago I made a post about how to use truecrypt and dropbox together. It wasn't a very elegant solution as it consisted of putting a truecrypt container in the dropbox folder.

 Apart from being pretty obvious, it suffers from drawbacks, such as the fixed size of the truecrypt container taking up space whether you're using it all or not.

[Note that mounting the dropbox folder inside a truecrypt container isn't a real solution either since it won't actually encrypt anything.]

Playing around with encfs made me realise that THIS is the perfect solution for secure Dropbox.

We'll make the assumption that you don't want to encrypt everything in your dropbox, but only things which are kept in a specific folder.

I'm presuming that you've got dropbox set up and working. If not, get the deb files from https://www.dropbox.com/

If you're having issues, make sure that fuse is installed, and that you belong to the group fuse (to add yourself, do sudo usermod -a -G fuse $USER ; to check, do cat /etc/group|grep fuse).

Getting started:

sudo apt-get install encfs
mkdir ~/Dropbox/encrypted
encfs ~/Dropbox/encrypted ~/decrypted
The directory "/home/me/decrypted" does not exist. Should it be created? (y,n) Y
Creating new encrypted volume.
Please choose from one of the following options:
 enter "x" for expert configuration mode,
 enter "p" for pre-configured paranoia mode,
 anything else, or an empty line will select standard mode.
?> p

Paranoia configuration selected.

Configuration finished. The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 3:0:2
Filename encoding: "nameio/block", version 3:0:1
Key Size: 256 bits
Block Size: 1024 bytes, including 8 byte MAC header
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File data IV is chained to filename IV.
File holes passed through to ciphertext.

-------------------------- WARNING --------------------------
The external initialization-vector chaining option has been
enabled. This option disables the use of hard links on the
filesystem. Without hard links, some programs may not work.
The programs 'mutt' and 'procmail' are known to fail. For
more information, please see the encfs mailing list.
If you would like to choose another configuration setting,
please press CTRL-C now to abort and start over.

Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism. However, the password can be changed
later using encfsctl.

New Encfs Password:
Verify Encfs Password:

Put the files you want to be encrypted in ~/decrypted -- NOT ~/Dropbox/encrypted. Once you're done, unmount ~/decrypted:
sudo umount ~/decrypted


When you want to access your encrypted files or add more files to the encrypted folder, just mount ~/Dropbox/encrypted using encfs:
encfs ~/Dropbox/encrypted ~/decrypted/
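
The rule above (put files in ~/decrypted, never in ~/Dropbox/encrypted) only protects you while the encfs mount is active: if ~/decrypted is not mounted, anything copied there sits unencrypted on the local disk and never reaches Dropbox. The guard below is an added example, not part of the original post; it assumes Linux, where an encfs mount appears in /proc/mounts with filesystem type fuse.encfs, and the function names and the sample mount table (user "me") are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Linux, where an encfs
# mount is listed in /proc/mounts with filesystem type "fuse.encfs".

# is_encfs_mounted MOUNTPOINT [MOUNTS_FILE] -> exit status 0 if mounted via encfs
is_encfs_mounted() {
    mp=${1%/}                        # tolerate "~/decrypted/" with a trailing slash
    # /proc/mounts fields: source mountpoint fstype options dump pass
    awk -v mp="$mp" '$2 == mp && $3 == "fuse.encfs" { ok = 1 }
                     END { exit !ok }' "${2:-/proc/mounts}"
}

# classify_target DEST CIPHER_DIR PLAIN_DIR [MOUNTS_FILE]
# Prints where a plaintext file written to DEST would really end up.
classify_target() {
    dest=${1%/} cipher=${2%/} plain=${3%/}
    case "$dest/" in
        "$cipher"/*) echo "ciphertext-dir" ;;   # would be synced unencrypted
        "$plain"/*)
            if is_encfs_mounted "$plain" "${4:-/proc/mounts}"; then
                echo "ok"                        # encrypted into CIPHER_DIR
            else
                echo "not-mounted"               # plain file on the local disk
            fi ;;
        *) echo "outside" ;;
    esac
}

# Constructed sample of /proc/mounts content (hypothetical user "me").
sample_mounts() {
    printf '%s\n' \
      '/dev/sda1 / ext4 rw,relatime 0 0' \
      'encfs /home/me/decrypted fuse.encfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0'
}

demo() {
    tmp=$(mktemp) && sample_mounts > "$tmp"
    classify_target /home/me/decrypted/taxes.pdf \
        /home/me/Dropbox/encrypted /home/me/decrypted "$tmp"
    classify_target /home/me/Dropbox/encrypted/taxes.pdf \
        /home/me/Dropbox/encrypted /home/me/decrypted "$tmp"
    rm -f "$tmp"
}
demo
```

Mount points containing spaces are escaped in /proc/mounts and are not handled by this sketch.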

18 April 2013

391. encfs on debian testing

Truecrypt is nice and all, but the way it's managed is a bit un-Linux-like. It IS open source, but it isn't completely clear who the maintainers are, and while the source code is probably safe to use, most people use pre-built binaries -- and just because it's open source doesn't mean that the binaries are built from that source. I'm happy with truecrypt, but if we're going to be paranoid, we might as well go all the way. Also, it would be nice to have an encryption tool which can be installed from the repos, as a binary built by a trusted party (i.e. the debian maintainers).

Note that truecrypt wins hands down on features -- as always, pick the tool that does the job.

encfs is a well-established encryption tool for linux systems and is available in most distro repos -- it does encryption of files, and while it lacks many of the options of truecrypt, it is useful for encrypting directory structures.

Installation
sudo apt-get install encfs

Yes, that's it. If you're having issues, make sure that fuse is installed, and that you belong to the group fuse (to add yourself, do sudo usermod -a -G fuse $USER ; to check, do cat /etc/group|grep fuse).

Set-up
Set-up is equally easy.
encfs ~/.secret ~/encrypted
The directory "/home/me/encrypted" does not exist. Should it be created? (y,n) Y
Creating new encrypted volume.
Please choose from one of the following options:
 enter "x" for expert configuration mode,
 enter "p" for pre-configured paranoia mode,
 anything else, or an empty line will select standard mode.
?>

Standard configuration selected.

Configuration finished. The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 3:0:2
Filename encoding: "nameio/block", version 3:0:1
Key Size: 192 bits
Block Size: 1024 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File holes passed through to ciphertext.

Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism. However, the password can be changed
later using encfsctl.

New Encfs Password:
Verify Encfs Password:

At the end of this your encryption folder will be mounted.

How it works:
A (to me) nice way of illustrating how it works is the following:
ls ~/encrypted/ -lah
total 24K
drwxr-xr-x 2 me me 4.0K Apr 18 14:29 .
drwxr-xr-x 212 me me 20K Apr 18 14:29 ..

ls ~/.secret/ -lah
total 32K
drwxr-xr-x 2 me me 4.0K Apr 18 14:29 .
drwxr-xr-x 212 me me 20K Apr 18 14:29 ..
-rw-r--r-- 1 me me 1.1K Apr 18 14:29 .encfs6.xml
-rw-r--r-- 1 me me 411 Nov 14 2011 .passwd.gpg

touch ~/encrypted/test
ls ~/encrypted/ -lah
total 24K
drwxr-xr-x 2 me me 4.0K Apr 18 14:32 .
drwxr-xr-x 212 me me 20K Apr 18 14:29 ..
-rw-r--r-- 1 me me 0 Apr 18 14:32 test

ls ~/.secret/ -lah
total 32K
drwxr-xr-x 2 me me 4.0K Apr 18 14:32 .
drwxr-xr-x 212 me me 20K Apr 18 14:29 ..
-rw-r--r-- 1 me me 1.1K Apr 18 14:29 .encfs6.xml
-rw-r--r-- 1 me me 0 Apr 18 14:32 IfSGAzSkFsuN2A,SpPmnKSYu
-rw-r--r-- 1 me me 411 Nov 14 2011 .passwd.gpg

df -h
encfs 734G 525G 172G 76% /home/me/encrypted

In other words, anything that is put into ~/encrypted ends up as an encrypted file in ~/.secret. It's a little bit different from truecrypt, which uses a filesystem container -- this is more similar to encrypting each file with gpg/pgp, just with a good way of managing it from a filesystem pov.

Also, this means that you don't have to dedicate a certain amount of space to the encrypted file system as you would have to with truecrypt.

Anyway, unmount ~/encrypted and no-one will have access to the decrypted forms of the files.
sudo umount ~/encrypted

To mount it again, just do
encfs ~/.secret ~/encrypted

You can change the name of the directory you want to mount it in.

It is also possible to mount automatically on boot, but this would defeat most purposes of encrypting in the first place.