How to Encrypt directory with EncFS on Debian 9 Stretch Linux


The following article will explain how to encrypt directory using EncFS on Debian 9 Stretch Linux

Operating System and Software Versions

  • Operating System: – Debian 9 Stretch
  • Software: – encfs version 1.9.1


Privileged access to may be required to perform EncFS installation.




  • # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
  • $ – requires given linux commands to be executed as a regular non-privileged user


EncFS allows user encrypt a selected directory. After the initial EncFS installation we will be creating two directories. The first directory decrypted-data will be used as a mount point to second encrypted directory encrypted-data. The basic idea behind EncFS it that while encrypted-data directory is mount to decrypted-data all data stored within decrypted-data directory will become encrypted within encrypted-data. To deny access to decrypted data the decrypted-data mount needs to be unmounted and vice versa.


EncFS Installation

Let’s begin with a EncFS installation:

# apt install encfs

Create Directories

Create directories to contain decrypted and encrypted data:

$ mkdir ~/decrypted-data
$ mkdir ~/encrypted-data

The ~/decrypted-data directory will act as a mount point to store all decrypted data. Any decrypted data stored within ~/decrypted-data directory will be synced and stored as encrypted within ~/encrypted-data directory.

Mount EncFS directory

At this stage we are ready to mount EncFS encrypted directory ~/encrypted-data to ~/decrypted-data mount point:

$ encfs ~/encrypted-data/ ~/decrypted-data/

When running encfs for a first time you will be asked:
Creating new encrypted volume.

Please choose from one of the following options:
enter "x" for expert configuration mode,
enter "p" for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.
?> p

Paranoia configuration selected.

For a pre-confirgured easy use select p otherwise select x. Next, provide a new password which will be use to mount and decrypted data. Once ready you should see your directory mounted within the mount command output:

$ mount | grep encfs
encfs on /home/linuxconfig/decrypted-data type fuse.encfs (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,default_permissions)

Using EncFS

Any data stored within ~/decrypted-data directory will stored as encrypted into ~/encrypted-data directory. Create a new data eg., a simple text file:

$ echo > ~/decrypted-data/FILE1

Check data within both directories:

$ ls ~/decrypted-data/
$ ls ~/encrypted-data/

Mount & Unmount

After finishing your work, to deny access to decrypted data you need unmount ~/decrypted-data directory:

$ fusermount -u ~/decrypted-data

To gain access to your encrypted data ~/encrypted-data directory, the ~/decrypted-data directory needs to mounted with your encryption password:

 $ encfs ~/encrypted-data/ ~/decrypted-data/
EncFS Password: 


On Demand Mount

Prompt for a password after 10 minutes inactivity:

$ encfs -i 10 --extpass=/bin/systemd-ask-password ~/encrypted-data/ ~/decrypted-data/

Change EncFS password

$ encfsctl passwd ~/encrypted-data/
Enter current Encfs password
EncFS Password: 
Enter new Encfs password
New Encfs Password: 
Verify Encfs Password: 
Volume Key successfully updated.