The following article will explain how to encrypt directory using EncFS on Debian 9 Stretch Linux

Operating System and Software Versions

  • Operating System: - Debian 9 Stretch
  • Software: - encfs version 1.9.1


Privileged access to may be required to perform EncFS installation.




  • # - requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
  • $ - requires given linux commands to be executed as a regular non-privileged user


EncFS allows user encrypt a selected directory. After the initial EncFS installation we will be creating two directories. The first directory decrypted-data will be used as a mount point to second encrypted directory encrypted-data. The basic idea behind EncFS it that while encrypted-data directory is mount to decrypted-data all data stored within decrypted-data directory will become encrypted within encrypted-data. To deny access to decrypted data the decrypted-data mount needs to be unmounted and vice versa.


EncFS Installation

Let's begin with a EncFS installation:
# apt install encfs

Create Directories

Create directories to contain decrypted and encrypted data:
$ mkdir ~/decrypted-data
$ mkdir ~/encrypted-data
The ~/decrypted-data directory will act as a mount point to store all decrypted data. Any decrypted data stored within ~/decrypted-data directory will be synced and stored as encrypted within ~/encrypted-data directory.

Mount EncFS directory

At this stage we are ready to mount EncFS encrypted directory ~/encrypted-data to ~/decrypted-data mount point:
$ encfs ~/encrypted-data/ ~/decrypted-data/
When running encfs for a first time you will be asked: Creating new encrypted volume.
Please choose from one of the following options:
enter "x" for expert configuration mode,
enter "p" for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.
?> p

Paranoia configuration selected.
For a pre-confirgured easy use select p otherwise select x. Next, provide a new password which will be use to mount and decrypted data. Once ready you should see your directory mounted within the mount command output:
$ mount | grep encfs
encfs on /home/linuxconfig/decrypted-data type fuse.encfs (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,default_permissions)

Using EncFS

Any data stored within ~/decrypted-data directory will stored as encrypted into ~/encrypted-data directory. Create a new data eg., a simple text file:
$ echo linuxconfig.org > ~/decrypted-data/FILE1
Check data within both directories:
$ ls ~/decrypted-data/
$ ls ~/encrypted-data/

Mount & Unmount

After finishing your work, to deny access to decrypted data you need unmount ~/decrypted-data directory:
$ fusermount -u ~/decrypted-data
To gain access to your encrypted data ~/encrypted-data directory, the ~/decrypted-data directory needs to mounted with your encryption password:
 $ encfs ~/encrypted-data/ ~/decrypted-data/
EncFS Password: 


On Demand Mount

Prompt for a password after 10 minutes inactivity:
$ encfs -i 10 --extpass=/bin/systemd-ask-password ~/encrypted-data/ ~/decrypted-data/

Change EncFS password

$ encfsctl passwd ~/encrypted-data/
Enter current Encfs password
EncFS Password: 
Enter new Encfs password
New Encfs Password: 
Verify Encfs Password: 
Volume Key successfully updated.
FIND LATEST LINUX JOBS on LinuxCareers.com
Submit your RESUME, create a JOB ALERT.
Subscribe to NEWSLETTER and receive latest news, jobs, career advice and tutorials.
Get extra help by visiting our LINUX FORUM or simply use comments below.