The following article will explain how to encrypt directory using EncFS on Debian 9 Stretch Linux

Operating System and Software Versions

  • Operating System: - Debian 9 Stretch
  • Software: - encfs version 1.9.1


Privileged access to may be required to perform EncFS installation.




  • # - requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
  • $ - requires given linux commands to be executed as a regular non-privileged user


EncFS allows user encrypt a selected directory. After the initial EncFS installation we will be creating two directories. The first directory decrypted-data will be used as a mount point to second encrypted directory encrypted-data. The basic idea behind EncFS it that while encrypted-data directory is mount to decrypted-data all data stored within decrypted-data directory will become encrypted within encrypted-data. To deny access to decrypted data the decrypted-data mount needs to be unmounted and vice versa.


EncFS Installation

Let's begin with a EncFS installation:
# apt install encfs

Create Directories

Create directories to contain decrypted and encrypted data:
$ mkdir ~/decrypted-data
$ mkdir ~/encrypted-data
The ~/decrypted-data directory will act as a mount point to store all decrypted data. Any decrypted data stored within ~/decrypted-data directory will be synced and stored as encrypted within ~/encrypted-data directory.

Mount EncFS directory

At this stage we are ready to mount EncFS encrypted directory ~/encrypted-data to ~/decrypted-data mount point:
$ encfs ~/encrypted-data/ ~/decrypted-data/
When running encfs for a first time you will be asked: Creating new encrypted volume.
Please choose from one of the following options:
enter "x" for expert configuration mode,
enter "p" for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.
?> p

Paranoia configuration selected.
For a pre-confirgured easy use select p otherwise select x. Next, provide a new password which will be use to mount and decrypted data. Once ready you should see your directory mounted within the mount command output:
$ mount | grep encfs
encfs on /home/linuxconfig/decrypted-data type fuse.encfs (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,default_permissions)

Using EncFS

Any data stored within ~/decrypted-data directory will stored as encrypted into ~/encrypted-data directory. Create a new data eg., a simple text file:
$ echo linuxconfig.org > ~/decrypted-data/FILE1
Check data within both directories:
$ ls ~/decrypted-data/
$ ls ~/encrypted-data/

Mount & Unmount

After finishing your work, to deny access to decrypted data you need unmount ~/decrypted-data directory:
$ fusermount -u ~/decrypted-data
To gain access to your encrypted data ~/encrypted-data directory, the ~/decrypted-data directory needs to mounted with your encryption password:
 $ encfs ~/encrypted-data/ ~/decrypted-data/
EncFS Password: 


On Demand Mount

Prompt for a password after 10 minutes inactivity:
$ encfs -i 10 --extpass=/bin/systemd-ask-password ~/encrypted-data/ ~/decrypted-data/

Change EncFS password

$ encfsctl passwd ~/encrypted-data/
Enter current Encfs password
EncFS Password: 
Enter new Encfs password
New Encfs Password: 
Verify Encfs Password: 
Volume Key successfully updated.
FIND LATEST LINUX JOBS on LinuxCareers.com
Submit your RESUME, create a JOB ALERT or subscribe to RSS feed.
Subscribe to NEWSLETTER and receive latest news, jobs, career advice and tutorials.
Get extra help by visiting our LINUX FORUM or simply use comments below.