Usually system administrators need to secure their data. Plain text passwords, certificate files, private ssh keys laying around your disk are big security risk. Many times on existing system we don’t want to encrypt whole partition or just don’t have time to do it from scratch. We just need one folder encrypted and save our risky data in it.
For this we can use EncFS, which is one of many encryption file systems introduced in linux. Usually Ubuntu and other distributions use cryptfs for securing whole home partitions and such, but what EncFS makes really great, is ease of use. It’s simple, so anyone can set it up in matter of minutes.
Let’s install our EncFS:
apt-get install encfs
Note: On CentOS you get it in Epel repository. Replace apt-get with yum.
Once you have it installed, you are ready to encrypt and decrypt folders. Here’s an example of creating encrypted/decrypted folder:
└─[~]=> encfs ~/enc_folder/ ~/dec_folder/
Creating new encrypted volume.
Please choose from one of the following options:
enter "x" for expert configuration mode,
enter "p" for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.
Paranoia configuration selected.
Configuration finished. The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 3:0:2
Filename encoding: "nameio/block", version 3:0:1
Key Size: 256 bits
Block Size: 1024 bytes, including 8 byte MAC header
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File data IV is chained to filename IV.
File holes passed through to ciphertext.
-------------------------- WARNING --------------------------
The external initialization-vector chaining option has been
enabled. This option disables the use of hard links on the
filesystem. Without hard links, some programs may not work.
The programs 'mutt' and 'procmail' are known to fail. For
more information, please see the encfs mailing list.
If you would like to choose another configuration setting,
please press CTRL-C now to abort and start over.
Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism. However, the password can be changed
later using encfsctl.
New Encfs Password: enter_your_password
Verify Encfs Password: enter_your_password
Once you have set up your encrypted / decrypted folder, you are free to upload all your files into ~/dec_folder . Every file that you copied to dec_folder will be seen as encrypted in ~/enc_folder .
You can see ~/enc_folder is mounted in ~/dec_folder:
/dev/mapper/VolGroup-lv_root on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw,rootcontext="system_u:object_r:tmpfs_t:s0")
/dev/sda1 on /boot type ext4 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
encfs on /root/dec_folder type fuse.encfs (rw,nosuid,nodev,default_permissions)
When you finished copying your files you can simply unmount your decrypted folder:
fusermount -u ~/dec_folder/
To retrieve your data again, simply run initial command again:
encfs ~/enc_folder/ ~/dec_folder/
This time EncFS will prompt you for password that you initially entered. Be sure to write it down someplace safe. If you lose this vital part of information, there is no way back. Even using default encryption it would take years to crack it with rainbow tables. Best idea of bruteforcing such password is with wordlists, so have in mind to use long password and special character or two to make sure simple wordlist can’t get thru.