Objective
The following article explains how to encrypt a directory using EncFS on Debian 9 Stretch Linux.
Operating System and Software Versions
- Operating System: Debian 9 Stretch
- Software: encfs version 1.9.1
Requirements
Privileged access may be required to perform the EncFS installation.
Difficulty
EASY
Conventions
- # – requires given Linux commands to be executed with root privileges, either directly as the root user or by use of the sudo command
- $ – requires given Linux commands to be executed as a regular non-privileged user
Introduction
EncFS allows a user to encrypt a selected directory. After the initial EncFS installation we will create two directories. The first directory, decrypted-data, will be used as a mount point for the second, encrypted directory, encrypted-data. The basic idea behind EncFS is that while the encrypted-data directory is mounted to decrypted-data, all data stored within the decrypted-data directory is stored encrypted within encrypted-data. To deny access to the decrypted data, the decrypted-data mount needs to be unmounted, and vice versa.
Instructions
EncFS Installation
Let's begin with the EncFS installation:
# apt install encfs
Create Directories
Create directories to contain decrypted and encrypted data:
$ mkdir ~/decrypted-data
$ mkdir ~/encrypted-data
The ~/decrypted-data directory will act as a mount point to store all decrypted data. Any decrypted data stored within the ~/decrypted-data directory will be synced and stored as encrypted within the ~/encrypted-data directory.
Mount EncFS directory
At this stage we are ready to mount the EncFS encrypted directory ~/encrypted-data to the ~/decrypted-data mount point:
$ encfs ~/encrypted-data/ ~/decrypted-data/
When running encfs for the first time you will be asked:
Creating new encrypted volume.
Please choose from one of the following options:
 enter "x" for expert configuration mode,
 enter "p" for pre-configured paranoia mode,
 anything else, or an empty line will select standard mode.
?> p

Paranoia configuration selected.
For pre-configured easy use select p, otherwise select x. Next, provide a new password which will be used to mount and decrypt the data. Once ready, you should see your directory mounted within the mount command output:
$ mount | grep encfs
encfs on /home/linuxconfig/decrypted-data type fuse.encfs (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,default_permissions)
Using EncFS
Any data stored within the ~/decrypted-data directory will be stored encrypted in the ~/encrypted-data directory. Create some new data, e.g. a simple text file:
$ echo linuxconfig.org > ~/decrypted-data/FILE1
Check data within both directories:
$ ls ~/decrypted-data/
FILE1
$ ls ~/encrypted-data/
xCsHlozRb,TnR,jRW4TbdUuH
Mount & Unmount
After finishing your work, to deny access to the decrypted data you need to unmount the ~/decrypted-data directory:
$ fusermount -u ~/decrypted-data
To gain access to the data in your encrypted ~/encrypted-data directory, the ~/decrypted-data directory needs to be mounted with your encryption password:
$ encfs ~/encrypted-data/ ~/decrypted-data/
EncFS Password:
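While ~/decrypted-data is not mounted it is an ordinary directory, so anything written there lands on disk unencrypted. The following shell functions are an added example, not part of the original article, showing a guard that a backup or sync script can call before writing; the names is_encfs_mounted and safe_write and the optional mounts-file argument are assumptions made for illustration.

```shell
#!/bin/sh
# is_encfs_mounted MOUNTPOINT [MOUNTS_FILE]
# Returns 0 only if MOUNTPOINT is listed as a fuse.encfs mount.
# MOUNTS_FILE defaults to /proc/mounts; the argument exists so the
# check can be run against sample data. Paths containing spaces
# appear as \040 in /proc/mounts and are not handled here.
is_encfs_mounted() {
    mp=${1%/}                         # ignore one trailing slash
    mounts=${2:-/proc/mounts}
    # Fields: device mountpoint fstype options dump pass
    awk -v mp="$mp" '
        $2 == mp && $3 == "fuse.encfs" { found = 1 }
        END { exit !found }
    ' "$mounts"
}

# safe_write MOUNTPOINT NAME [MOUNTS_FILE]
# Copies stdin to MOUNTPOINT/NAME, but refuses when MOUNTPOINT is not
# an active EncFS mount, so plaintext never reaches the bare directory.
safe_write() {
    if ! is_encfs_mounted "$1" "${3:-/proc/mounts}"; then
        echo "refusing to write: $1 is not an EncFS mount" >&2
        return 1
    fi
    cat > "${1%/}/$2"
}

# Demo on a constructed mounts file (sample data, not a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
tmpfs /run tmpfs rw,nosuid,noexec 0 0
encfs /home/linuxconfig/decrypted-data fuse.encfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,default_permissions 0 0
EOF
is_encfs_mounted /home/linuxconfig/decrypted-data/ "$sample" \
    && echo "decrypted-data: mounted, safe to write"
is_encfs_mounted /home/linuxconfig/encrypted-data "$sample" \
    || echo "encrypted-data: not an EncFS mount point"
rm -f "$sample"
```

In a real script, call safe_write with only the mount point and file name so that the check reads /proc/mounts.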
Appendix
On Demand Mount
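Prompt for the password again after 10 minutes of inactivity (the --ondemand option keeps the mount point in place and runs the --extpass program on the next access instead of exiting when idle):
$ encfs -i 10 --ondemand --extpass=/bin/systemd-ask-password ~/encrypted-data/ ~/decrypted-data/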
Change EncFS password
$ encfsctl passwd ~/encrypted-data/
Enter current Encfs password
EncFS Password:
Enter new Encfs password
New Encfs Password:
Verify Encfs Password:
Volume Key successfully updated.