====== Mounting an encrypted partition with EncFS ======

Page revisions compared: 2021/03/22 05:08 (hc9, edit to [How it works]) and 2024/09/05 06:08 (current, hc9).

----

==== Introduction ====

[[http://

==== How it works ====

The idea behind EncFS is to create a directory where the encrypted information is saved. This directory is then mounted (using FUSE) on a user-defined mountpoint, where the contents of the encrypted directory are accessible as decrypted data. The translation between these two parts is the work of EncFS.

This is designed to protect against off-line attacks, that is, the contents of the encrypted folder are safe(r) while the directory is unmounted. While it is mounted, anyone with enough permissions over the mountpoint can still access the contents of the files. Furthermore,

Read the [[#

==== Set-up ====

The set-up of the encrypted folder is very easy. First of all you need to run

<code>
$ man encfs
</code>

and read ahead. After that, we need to create both the encrypted folder and the mount point. We call them **~/.crypt** and **~/crypt** respectively:

<code>
$ mkdir ~/.crypt ~/crypt
</code>

Now we just need to run

<code>
$ encfs ~/.crypt ~/crypt
</code>

which mounts **~/.crypt** on **~/crypt**.

The first time we run this command we will be asked for some configuration details for the **~/.crypt** directory:

<code>
$ encfs ~/.crypt ~/crypt
Creating new encrypted volume.
Please choose from one of the following options:
 enter "x" for expert configuration mode,
 enter "p" for pre-configured paranoia mode,
?>
</code>

Choosing the standard mode should be good enough for most cases, but if you would like extra security, choose **p** for the paranoia mode (be aware that paranoia mode can make it more difficult to make backups of the data; see Section [[#

EncFS allows us to automatically unmount the filesystem if it is idle for a certain period of time by giving the command line option --

To check that everything is working fine, we can run the **mount** command, whose output should look like this:

<code>
$ mount
...
...
encfs on /
$
</code>

To unmount the filesystem, leaving only the encrypted contents, we just need to do

<code>
$ fusermount -u ~/crypt
</code>

Make sure to do this before logging out, otherwise the information could be left unprotected.
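The mount check and the unmount step above can be scripted so that the mountpoint is verified as a real EncFS mount before anything is written into it, and so that a logout hook can unmount it without failing when it is already gone. The following shell script is an added example, not part of the original tutorial: the paths are hypothetical, the mount line it is tested against is constructed to resemble what **mount** prints for an EncFS volume, and the ''--idle'' option it passes is taken from the encfs(1) manual page rather than from this page.

```sh
#!/bin/sh
# Added example, not from the original tutorial.
# Verifies that a directory is really an EncFS (FUSE) mount before it is
# used, and unmounts it only when it is actually mounted.
# Paths are hypothetical; a constructed mount line looks like this:
#   encfs on /home/user/crypt type fuse.encfs (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,default_permissions)

# is_encfs_mounted MOUNTPOINT MOUNT_OUTPUT
# Returns 0 if MOUNT_OUTPUT (normally "$(mount)") lists MOUNTPOINT as a
# fuse.encfs mount, 1 otherwise.  Matching on both the mountpoint and the
# filesystem type avoids false positives from other FUSE mounts or from a
# directory whose name merely starts the same way.
is_encfs_mounted() {
    printf '%s\n' "$2" | awk -v mp="$1" '
        $1 == "encfs" && $3 == mp && $5 == "fuse.encfs" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# mount_encfs ENCRYPTED_DIR MOUNTPOINT IDLE_MINUTES
# Mounts the volume with automatic unmount after IDLE_MINUTES of
# inactivity (encfs --idle, see encfs(1)) and then confirms that the
# mount really appeared at MOUNTPOINT.
mount_encfs() {
    encfs --idle="$3" "$1" "$2" || return 1
    is_encfs_mounted "$2" "$(mount)"
}

# require_encfs_or_fail MOUNTPOINT
# Guard to call before writing sensitive data: writing into an unmounted
# mountpoint would store plaintext on the local disk.
require_encfs_or_fail() {
    if is_encfs_mounted "$1" "$(mount)"; then
        return 0
    fi
    echo "refusing to write: $1 is not an EncFS mount" >&2
    return 1
}

# unmount_if_mounted MOUNTPOINT
# Safe to call from a logout or screen-lock hook: it does nothing when the
# volume is already unmounted, so repeated calls cannot fail.
unmount_if_mounted() {
    if is_encfs_mounted "$1" "$(mount)"; then
        fusermount -u "$1"
    fi
}
```

Source the file from a login shell and call ''unmount_if_mounted "$HOME/crypt"'' from whatever runs at logout; ''require_encfs_or_fail'' is the check to put in front of any script that copies secrets into the mountpoint.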
+ | |||
==== Tips and Tricks ====

As mentioned before, this method is intended for protection against off-line attacks. If you would like to avoid ever having the information in the clear on the remote server, and if you have access to EncFS on your local machine, you have at least two possibilities:
+ | |||
=== Backups ===

Since the encryption is done file-by-file,

The paranoia mode has a feature named "External IV Chaining",
+ | |||
=== sshFS+EncFS ===

Using this method will allow you to write to a local **~/crypt** directory which automatically,

We achieve this by doing the following:

  * Create a **~/
<code>
local.machine:
</code>
  * Mount that directory using sshFS on your local machine as **~/
<code>
local.machine:
</code>
  * The option **-o idmap=user** will map your local user name to the user name on the remote machine, that is, files on the remote system that belong to the user username appear to belong to the user you are logged in as on the local system (see the tutorial on [[:

  * Use EncFS locally to mount **~/
<code>
local.machine:
</code>
  * To unmount you then need to do the following:
<code>
local.machine:
local.machine:
</code>
  * You can now remount the **~/

**Beware that this can lead to irrecoverable data loss!** If there are connectivity problems, the partially transmitted files will not contain usable information,
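The stacked set-up above has to be brought up and torn down in a fixed order: sshFS first, then EncFS, and the reverse on the way down. It is also where the data-loss warning bites, because if the sshFS mount is missing, **~/.crypt** is just an empty local directory and EncFS would offer to create a brand-new volume in it instead of using the remote ciphertext. The script below is an added example, not the tutorial's own code: the host name, remote directory and paths are hypothetical, and the mount lines it is tested against are constructed.

```sh
#!/bin/sh
# Added example, not from the original tutorial.
# Manages the sshFS + EncFS stack: mounts in the right order, refuses to
# start EncFS over a directory that is not the sshFS mount, and computes
# the unmount sequence from the live mount table.
# Hypothetical paths; constructed mount lines used for testing look like:
#   user@remote.machine:crypt on /home/user/.crypt type fuse.sshfs (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
#   encfs on /home/user/crypt type fuse.encfs (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,default_permissions)
ENC_DIR="$HOME/.crypt"   # sshFS mountpoint: the remote ciphertext appears here
MNT_DIR="$HOME/crypt"    # EncFS mountpoint: plaintext view, never leaves this host

# fstype_at MOUNTPOINT MOUNT_OUTPUT
# Prints the filesystem type mounted at MOUNTPOINT according to
# MOUNT_OUTPUT (normally "$(mount)"), or nothing if it is not mounted.
fstype_at() {
    printf '%s\n' "$2" | awk -v mp="$1" '$3 == mp && $4 == "type" { print $5; exit }'
}

# stack_state ENC_DIR MNT_DIR MOUNT_OUTPUT
# Classifies the stack as "none", "sshfs" (lower layer only), "both", or
# "broken": EncFS is mounted but its sshFS backing store is gone, which is
# what a dropped connection followed by an automatic sshfs unmount leaves.
stack_state() {
    lower=$(fstype_at "$1" "$3")
    upper=$(fstype_at "$2" "$3")
    if [ "$upper" = "fuse.encfs" ]; then
        [ "$lower" = "fuse.sshfs" ] && echo both || echo broken
    elif [ "$lower" = "fuse.sshfs" ]; then
        echo sshfs
    else
        echo none
    fi
}

# unmount_plan ENC_DIR MNT_DIR MOUNT_OUTPUT
# Prints the mountpoints to unmount, one per line, top of the stack first,
# so the plaintext view always disappears before the ciphertext store.
unmount_plan() {
    case $(stack_state "$1" "$2" "$3") in
        both)   printf '%s\n%s\n' "$2" "$1" ;;
        broken) printf '%s\n' "$2" ;;
        sshfs)  printf '%s\n' "$1" ;;
    esac
}

# mount_stack REMOTE  (e.g. user@remote.machine:crypt)
# Stops at the first failure; EncFS is only started once the remote
# ciphertext is really visible in ENC_DIR.
mount_stack() {
    sshfs -o idmap=user "$1" "$ENC_DIR" || return 1
    if [ "$(fstype_at "$ENC_DIR" "$(mount)")" != "fuse.sshfs" ]; then
        echo "sshfs mount at $ENC_DIR not found, not starting encfs" >&2
        return 1
    fi
    encfs "$ENC_DIR" "$MNT_DIR" || { fusermount -u "$ENC_DIR"; return 1; }
}

# unmount_stack
# Tears the stack down in the order unmount_plan computed.
unmount_stack() {
    unmount_plan "$ENC_DIR" "$MNT_DIR" "$(mount)" | while read -r mp; do
        fusermount -u "$mp" || exit 1
    done
}
```

Running ''stack_state "$ENC_DIR" "$MNT_DIR" "$(mount)"'' before writing into **~/crypt** tells you whether the writes will actually reach the remote store; a result of ''broken'' means the EncFS layer is sitting on an empty local directory and nothing written there is going to the server.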
+ | |||
$Id: encfs_tutorial.html,