Encrypting File Systems

Why encrypt individual files, when you can encrypt entire file systems? Although Ubuntu does not provide any built-in cryptographic systems for this, you can install EncFS, the Encrypted File System. Using EncFS, you can encrypt directories and files. The decrypted file systems only exist as long as the encrypted system is mounted.

Installing and Configuring EncFS

EncFS is not an independent file system. Instead, it is a file system plug-in that encrypts and decrypts files on the fly. It uses the existing file system for storing data, but all data is encrypted on a file-by-file basis. File names are also cloaked to ensure that the encrypted directory has limited usefulness to someone without the password.

1. Install EncFS. This will also install the FUSE (Filesystem in Userspace) utilities.

    sudo apt-get install encfs 

2. Make sure the command fusermount can run as root.

    sudo chmod u+s /usr/bin/fusermount 

3. Each user who will need to use EncFS must be added to the fuse group. Use sudo vigr to add users to this group. Find the line that starts with fuse and add user names to the end of the line.

4. Changes to /etc/groups do not impact current logins. Make sure the user is in the group fuse by running the command groups. If the group fuse is not listed, then the user must log out and log back in for the change to take effect.

5. Make sure the FUSE kernel module is loaded. You may also want to add fuse to /etc/modules so it is always loaded after a reboot.

    sudo modprobe fuse 

6. Using the encfs command, create the encryption and decryption directories. For example, I use encrypt/ and decrypt/. If the directories do not exist, then you will be prompted to create them. You will also be prompted for a password.

 $ encfs 'pwd'/encrypt 'pwd'/decrypt The directory "/.../encrypt/" does not exist. Should it be created? (y,n) y The directory "/.../decrypt" does not exist. Should it be created? (y,n) y Creating new encrypted volume. Please choose from one of the following options:  enter "x" for expert configuration mode,  enter "p" for pre-configured paranoia mode,  anything else, or an empty line will select standard mode. ?> [enter] Standard configuration selected. Configuration finished.  The filesystem to be created has the following properties: Filesystem cipher: "ssl/blowfish", version 2:1:1 Filename encoding: "nameio/block", version 3:0:1 Key Size: 160 bits Block Size: 512 bytes Each file contains 8 byte header with unique IV data. Filenames encoded using IV chaining mode. Now you will need to enter a password for your filesystem. You will need to remember this password, as there is absolutely no recovery mechanism.  However, the password can be changed later using encfsctl. New Encfs Password: [password] Verify Encfs Password: [password] 

Now you have two directories: decrypt/ contains the decoded file system, and encrypt/ contains the real encrypted files. If you copy files into the decrypt/ directory, then you will see encrypted counterparts in the encrypt/ directory.

Maintaining EncFS

When you are all done with the decrypted directory, you un-mount it using fusermount -u decrypt. Although the encrypted files still exist in the encrypt/ directory, the decrypt/ directory will appear empty (because it is not mounted). Later, when you need to access the encrypted files, you can use: encfs ‘pwd‘/encrypt ‘pwd‘/decrypt. This will only ask you for your password. The files will only appear in the decrypted/ directory if you enter the correct password.

If you ever need to change the password, you can use the encfsctl passwd encrypt/ command. This will prompt you for your old and new passwords.

Using EncFS

EncFS is great for storing files if you are worried about someone stealing the media or accessing the stored data. Here are some sample situations where you might want to use EncFS:

• Encrypt an entire directory-If you have a directory that you don't want people to access, then you can encrypt it. For example, I have a source code repository containing sensitive information. The actual files are stored using EncFS. If you are worried about your web cache, consider encrypting $HOME/.mozilla/.

• Encrypt your home directory for more privacy-Using EncFS, you can encrypt your entire home directory. This can become a little complicated since you cannot mount and un-mount without logging in multiple times. However, this is an option. The secret is to mount the encrypted file system over your existing file system.

  1. You will need a directory outside of your home directory for storing the encrypted files. If my home directory is /home/neal then I can use /home/neal2. For example:

      sudo mkdir ${HOME}2 sudo chown 'id -un':'id -gn' ${HOME}2 mkdir ${HOME}2/encrypt 

  2. Create a temporary encrypted directory and copy your home directory into it.

      encfs ${HOME}2/encrypt $HOME/tmp [Answer the prompts and give it a password] mv $HOME/* $HOME/tmp  # ignore error about copying same directory 

  3. Un-mount $HOME/tmp

      fusermount -u $HOME/tmp 

     At this point, you have all of your file encrypted at ${HOME}2/encrypt, and no files in your home directory.

  4. After you log in, mount your directory using:

      encfs ${HOME}2/encrypt $HOME -- -o nonempty,use_ino,allow_root 

     The options tell EncFS to place the decrypted home directory over the regular home directory.

  5. Now log out and log back in. The decrypted home directory will be visible.

  6. To un-mount, you will need to log out, log in as a different user, and use Sudo to un-mount the directory.

• Encrypt a CD-ROM-Rather than burning a regular directory to a CD-ROM, you can burn an encrypted directory. The CD-ROM will appear to have garbage file names and random data in each file. However, you can then use encfs to mount it and access the decrypted data. If you are worried about someone stealing a CD-ROM that contains sensitive information, then this is an excellent solution. The CD-ROM is as secure as your password.

• Encrypt a USB drive-You can specify a USB thumb drive for storing the encrypted files. This is similar to the CD-ROM solution, except you can read and write to the drive.

• Encrypt a networked file system-NFS does not offer encryption, and SMB provides few security options. Rather than exporting unprotected files, you can export the encrypted file system. Network clients can mount the NFS (or SMB) partition containing the encrypted files, and then use encfs to access the decrypted files. This way, the file system's data is encrypted as it is passed along the network. (See Chapter 6 for configuring NFS and Samba.)

Knowing EncFS Limitations

EncFS is very flexible and is supported by a variety of file systems. You can download EncFS for Windows and other versions of Linux-see http://arg0.net/encfs/ for details. However, there are some limitations with this type of encrypted file system.

• Supported platforms-EncFS is not supported on every operating system. BSD and Mac OS X are just two examples. If you need EncFS on these platforms, consider running a supported platform using a virtual machine like Qemu (see Chapter 6) and exporting the decrypted directory to the host operating system.

• EncFS does not un-mount when you log out-Unmounting needs to be a conscious effort. Consider placing fusermount -u -z decoded/ in your $HOME/.bash_logout script. This will un-mount the directory after all processes end.

• EncFS does not protect the decrypted directory-If you successfully run encfs and can access the decrypted files, then anyone on the system can access the decrypted files.

• EncFS is not for automated systems-Some people have tried to configure EncFS to mount automatically, when the system boots (or when a user logs in). Doing this defeats the security. For example, if the encrypted file system is mounted when the system powers up, then a thief who steals the system only needs to power up the computer in order to access the sensitive files.