User Data Encryption with FUSE-based EncFS filesystem


Any decent Linux distribution comes with an installation option to automatically encrypt a user’s home directory. If you do not wish to encrypt the entire home directory, or you only want to encrypt a few selected directories on your Linux system, you can use EncFS, the FUSE-based cryptographic filesystem. EncFS allows you to encrypt and decrypt any directory in a matter of seconds. It sits on top of your current filesystem and provides access to an EncFS-encrypted directory only after you enter the correct predefined password. This short tutorial will show you how to encrypt and decrypt your directories with the EncFS cryptographic filesystem.


Let’s assume that you are a heavy laptop user traveling from one place to another. You also use ssh quite often, so you have generated an ssh key pair. For your convenience you even generated the private key without a passphrase (never a good idea). Furthermore, you have copied your public ssh key to multiple servers for easy access. The problem with this scenario is that once someone gets hold of your laptop, they instantly get access to all of those servers using your private ssh key. In this article we will show you how to encrypt your .ssh directory and avoid this problem.


The installation is fairly simple. Unless you are using some home-made Linux distribution, EncFS should be included in the standard repository.

Ubuntu / Debian

$ sudo apt-get install encfs

Fedora / Red Hat / CentOS

$ sudo yum install encfs

Create encrypted Directory

As explained earlier we will use .ssh directory as an example for this tutorial. But first we need to create the encrypted directory:

$ encfs ~/encryptdir/ ~/decryptdir/

You will be asked a few questions about the non-existing directories, to which you answer “yes”, and whether you wish to use a paranoid configuration. Choose “p”. You will also need to choose a password. Make sure that you do not forget your password, as there will be no way to access your data without it.

Now you have created and mounted your encrypted directory. Anything you store in ~/decryptdir will be automatically encrypted and put into ~/encryptdir:

$ ls ~/encryptdir
$ ls ~/decryptdir
$ touch ~/decryptdir/file
$ ls ~/decryptdir
$ ls ~/encryptdir
$ rm ~/decryptdir/file

Using encrypted directory

At this point we can link our example .ssh directory to our new ~/decryptdir with the following Linux commands:

$ mv ~/.ssh/ ~/decryptdir/
$ ln -s ~/decryptdir/.ssh/ ~/.ssh

From now on, as long as ~/encryptdir is mounted on ~/decryptdir, .ssh will show the decrypted files. You can link other directories, such as ~/.thunderbird or ~/.mozilla, in the same fashion.

Unmounting encrypted directory

If you no longer wish to use your encrypted directory, you will need to unmount it with the following command:

$ fusermount -u ~/decryptdir

After executing the above command, your .ssh directory will no longer be available.

Mounting encrypted directory

To start using your encrypted directory again you will need to mount it using your password.

$ encfs ~/encryptdir/ ~/decryptdir/
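
The setup above has one failure mode worth checking for: anything written into ~/decryptdir while EncFS is unmounted is stored unencrypted. The following script is an added example, not part of the original tutorial; its function names and the optional mounts-file argument (which defaults to /proc/mounts) are assumptions.

```shell
#!/bin/sh
# Added example: audit the EncFS layout used in this tutorial.
# Function names and the optional MOUNTS_FILE argument are assumptions.

# encfs_mounted MOUNTPOINT [MOUNTS_FILE]
# Succeeds if MOUNTPOINT is listed as a fuse.encfs mount.
encfs_mounted() {
    mp=${1%/}
    awk -v mp="$mp" '$2 == mp && $3 == "fuse.encfs" { found = 1 }
                     END { exit !found }' "${2:-/proc/mounts}" 2>/dev/null
}

# link_into LINK DIR
# Succeeds if LINK is a symlink whose (absolute) target lies inside DIR.
link_into() {
    [ -L "$1" ] || return 1
    target=$(readlink "$1")
    case "${target%/}/" in
        "${2%/}"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# plaintext_leak DIR [MOUNTS_FILE]
# Succeeds (reports a leak) if DIR is NOT an EncFS mount yet holds entries:
# those files were written while unmounted and are not encrypted.
plaintext_leak() {
    encfs_mounted "$1" "${2:-/proc/mounts}" && return 1
    [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# audit PLAIN_DIR SSH_LINK [MOUNTS_FILE]: prints one status word.
audit() {
    if ! link_into "$2" "$1"; then echo "ssh-not-linked"
    elif plaintext_leak "$1" "${3:-/proc/mounts}"; then echo "plaintext-leak"
    elif encfs_mounted "$1" "${3:-/proc/mounts}"; then echo "mounted"
    else echo "locked"
    fi
}

# Stand-alone use: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit "$HOME/decryptdir" "$HOME/.ssh"
fi
```

A result of "locked" means the keys are only present in encrypted form; "plaintext-leak" means files in ~/decryptdir need to be moved into the mounted directory and removed from the underlying one.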


EncFS provides a fast and easy way to encrypt any directory of your choice. Do not forget to check the other EncFS configuration options, such as automatic unmount when idle:

$ man encfs
