EncFS: Setting up EncFS with FUSE
1. Introduction
EncFS is an encrypted file system which allows you to store files on your hard drive that others cannot access, even if the machine is physically taken.
EncFS seems particularly interesting for the following reasons:
- No need to be root to use it
- Super simple implementation and trivial usage (see below)
- Separate encryption for each file. This may seem less secure (file sizes, names, and modification dates are known) but it has the enormous advantage of being more efficient (no need to re-encrypt the entire volume if only one file changes) and adaptable (no need to predict in advance the size the file system will take)
- (subjective opinion) the developer seems to have a good understanding of cryptographic tools. You should verify this for yourself ;-)
2. Installation
2.1 Debian
Let's get the necessary packages:
Now, let's check that you have what you need in your kernel:
You should have one of these 2 lines:
If this is not the case, you need to recompile your kernel and set FUSE as a module or integrate it directly.
2.2 FreeBSD
On FreeBSD, it's preferable to take the packaged versions as the compilation part is long and requires dependencies:
Then add this line to your rc.conf:
Next, if you want any user to be able to use fuse, run this command:
3. Configuration
We will create the encrypted file system:
Answer the questions:
We're not going to complicate things here and will configure in Paranoia mode to have the best encryption:-)
Choose your password:
4. Usage
4.1 Single User
To mount our encrypted folder:
Enter your password now. (Read the Multi-User version for the rest of the explanations). If you want everyone to be able to access your encrypted share, you need to add --public:
4.2 Multi Users
Create a file to be encrypted on-the-fly:
Let's check our file:
And now in the encrypted folder:
4.3 Unmounting a volume
To unmount the volume:
That's how simple it is :-)
4.4 Changing the password
If you want to change the password of an encfs volume, do this:
5. Pam and Encfs
Put pam_encfs.conf in /etc/security and modify your pam to load (for example):
and if you want to auto umount on logout:
(note that setting "encfs_default --idle=1", means it'll auto umount after 1 minute idletime, so you can ignore this if you want to)
If you want gdm working you'll have to do this: (to allow use of --public / allow_root / allow_other)
Setup your /etc/pam_encfs.conf (default should work)
Use same password as your login atm:
when you login, the directory should be mounted.
Example to enable encryption for existing user (logout of any important things, turn off your apps, preferably do this in terminal login/as root):
Use your main password on next part:
On next login (in theory) your homedir should be mounted ;)
6. FAQ
6.1 Is there an example configuration file?
Yes, both in svn (link at https://hollowtube.mine.nu/wiki/index.php?n=Projects.PamEncfs), and in the downloaded archive from my release. Some distributions have chosen an extremely simple example configuration file, mine is a bit more explained.
6.2 What command will pam_encfs run to mount a directory?
It depends on your options, but something like:
6.3 My KDE doesn't work
Login through KDE sometimes fails because KDE tries to store files to the home directory before mounting, and expect them to be there afterwards. To work around this you'll need to set 3 things in /etc/kde3/kdm/kdmrc, "DmrcDir=/tmp" (in the general section). And "UserAuthDir,ClientLogFile", both can be set to /tmp, these are in the [X-*-Core] section. There might be security related issues with this solution, I haven't looked into that. If your paranoid about it you could make a temp directory tmp/user that only you have access to.
6.4 Can I mount multiple under one login directories with pam_encfs?
No, there is however an unofficial patch here: https://bugs.gentoo.org/show_bug.cgi?id=102112 (https://joshua.haninge.kth.se/~sachankara/pam_encfs-0.1.3-multiple-mount-points.patch). This has not been applied to the main tree, as it segfaults when I test it with a very basic encfs configuration file (but might work with more advanced ones).
6.5 pam_encfs does not find my encfs executable
pam_encfs uses execvp, that means that in some systems it wont find it if it's in /usr/local/bin, make a symlink to /usr/bin.
6.6 It works on normal login, but not in gdm
- Problem1, /etc/pam.d/gdm has a different system than /etc/pam.d/login, fix it ;).
- Problem2, You dont have the fuse option user_allow_root(or other) set,
- Make sure /etc/fuse.conf has user_allow_other (or user_allow_root).
- Make sure /etc/pam_encfs.conf has fuse_default allow_root, or the fuse option allow_root set.
6.7 It asks me for my password twice
Try adding use_first_pass after pam_unix (or any other module that supports it).
6.8 I've tried to use pam_encfs as my main authentication scheme, it doesn't work!
I return PAM_IGNORE on errors, this can't work reliably as a main system, because of for example logging in twice (in which case the directory would already be mounted, and we therefore can't check password ok).
6.9 I can't login to X because the filesystem doesn't support locks
This could be a problem if your not using drop_permission, use it. And if you REALLY want to mount as root, put:
in your ~/.bashrc
My system-auth file on gentoo:
Here it'll ask for the password twice, my modules (pam_encfs/pam_sha512) will try to use any previous password if it finds one. So if you move pam_unix.so in auth to under pam_env.so, it'll ask for the password once. Note that if pam_unix gets a password it finds ok, pam_encfs/pam_sha512 wont be used at all.
6.10 I can't create hard link
This is because of the External IV Chaining:
If you create as the paranoia mode a crypted partition, this mode will be automatically enable. So use the default mode or create as expert mode without this :-)
6.11 Encfs in an OpenVZ VE
If you want to use encfs in a VE, you may encounter permission issues:
Be aware that you need to load the fuse module at the VZ level so that VEs inherit it. Add this to your VZ to avoid having to load the module at each boot:
Then load it dynamically to access it afterwards:
To work around this, we'll create the fuse device from the host on the VE in question and add admin rights to it (somewhat problematic in terms of security, but no choice):
The second line may not work when the VE is turned off. Run it once it's on and then mount your encfs partition.