Sunday, February 3, 2013

User Data Encryption with FUSE-based EncFS filesystem

1. Introduction

Any decent Linux distribution comes with an installation option to automatically encrypt user's home directory. In case you do not wish to encrypt the entire home directory or perhaps you wish to encrypt some random directories on your Linux system you can use EncFS the FUSE-based cryptographic filesystem. EncFS will allow you to encrypt and decrypt any directory in a matter of seconds. It will reside on top of your current filesytem and provide access to any EncFS encrypted directory only upon entering a correct predefined password. This short tutorial will show you how to encrypt and decrypt your directories with the EncFS cryptographic filesystem.

2. Scenario

Let's assume that you are a heavy Laptop user traveling from one place to another. You also use ssh quite often and so you have generated ssh keypair. For your convenience you even generated a private key without using a pass-phrase ( never good idea ). Furthermore, you have copied you public ssh key to multiple servers for an easy access. The problem with this scenario is that once someone gets hold of your Laptop s/he gets instantly access to all servers using you private ssh key. In this article we will show you how to encrypt your .ssh directory and avoid such problem.

3. Installation

The installation is fairly simple. Unless you are not using some home made Linux Distribution EncFS should be included in the standard repository.

3.1. Ubuntu / Debian

$ sudo apt-get install encfs

3.2. Fedora / Redhat /CentOS

$ sudo yum install encfs

4. Create encrypted Directory

As explained earlier we will use .ssh directory as an example for this tutorial. But first we need to create the encrypted directory:
$ encfs ~/encryptdir/ ~/decryptdir/
You will be asked few questions regarding non-existing directories to which you answer "yes" and whether you wish to use a paranoid configuration. Choose "p". You will also need to choose a password. Make sure that you do not forget your password as there will be no way to access your data without it.
Now you have created and mounted your encrypted directory. Anything you store in ~/decryptdir will be automatically encrypted and put into ~/encryptdir:
$ ls ~/encryptdir
$ ls ~/decryptdir
$ touch ~/decryptdir/file
$ ls ~/decryptdir
$ ls ~/encryptdir
$ rm ~/decryptdir/file

5. Using encrypted directory

At this point we can link our example .ssh directory to our new ~/decryptdir with the following commands:
$ mv .ssh/ ~/decryptdir/
$ ln -s ~/decryptdir/.ssh/ .ssh
From now on as long as the ~/encryptdir directory is mounted the .ssh will show decrypted files. You can also link in the same fashion your other directories such as ~/.thunderbird or ~/.mozilla .

6. Unmounting encrypted directory

If you no longer wish to use you encrypted directory you will need to unmount it with the unmount command:
$ fusermount -u ~/decryptdir
after executing the above command your .ssh directory will be no longer available.

7. Mounting encrypted directory

To start using your encrypted directory again you will need to mount it using your password.
$ encfs ~/encryptdir/ ~/decryptdir/

8. Conclusion

EncFS provides fast and easy way to encrypt any directory of you choice. Do not forget to check more EncFS configuration options such as automatic idle user unmount etc.
$ man encfs
For more Linux Configuration articles subscribe to our RSS. Also make sure you tune in to our Linux jobs portal to stay informed about the latest opportunities in the field. Also, if you want to share your experiences with us or require additional help, please visit our Linux Forum. You can post a comment or question specific to this article on our Article Discussion Forum.

No comments:

Post a Comment