mounting_an_encrypted_partition_with_encfs

Differences

This shows you the differences between two versions of the page.

mounting_an_encrypted_partition_with_encfs [2021/03/22 05:08] – [How it works] hc9
mounting_an_encrypted_partition_with_encfs [2021/03/22 05:19] (current) – [Mounting an encrypted partition with EncFS] hc9
Line 1: Line 1:
-===== Mounting an encrypted partition with EncFS =====+====== Mounting an encrypted partition with EncFS ======
  
 ---- ----
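Review bot: the title in this hunk moves to `======`, DokuWiki's top heading level, but the section headings visible further down this diff are `==== Set-up ====` and `=== Backups ===`. Check that a `=====` section sits between the title and Set-up; if none does, promote the section headings by one level in the same edit so the outline does not skip a level.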
Line 13: Line 13:
 This is designed to protect against off-line attacks, that is, the contents of the encrypted folder are safe(er) while the directory is unmounted. While it is mounted, anyone with enough permissions over the mountpoint can still access the information of the files. Furthermore, since the encryption works on a file-by-file basis, some metadata will remain visible even while unmounted. Things like the number of files, their permissions, sizes and approximate filename size will be accessible to anyone with appropriate permissions over the encrypted folder. This is designed to protect against off-line attacks, that is, the contents of the encrypted folder are safe(er) while the directory is unmounted. While it is mounted, anyone with enough permissions over the mountpoint can still access the information of the files. Furthermore, since the encryption works on a file-by-file basis, some metadata will remain visible even while unmounted. Things like the number of files, their permissions, sizes and approximate filename size will be accessible to anyone with appropriate permissions over the encrypted folder.
  
-Read the [[#tips_and_tricks|#tips_and_tricks]] section for a few of suggestions on how to ameliorate some of these problems.+Read the [[#tips_and_tricks|Tips and Tricks]] section for a few of suggestions on how to ameliorate some of these problems.
  
 ==== Set-up ==== ==== Set-up ====
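Review bot: the rewritten link line still reads "a few of suggestions"; since the line is being touched anyway, change it to "a few suggestions". The context paragraph above it is the one that states what EncFS does and does not protect, so it is also worth replacing "safe(er)" with "safer" and "approximate filename size" with "approximate filename length" there.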
Line 65: Line 65:
 === Backups === === Backups ===
  
-Since the encryption is done file-by-file, we can easily make backups of the encrypted data without the need to mount the filesystem, so for instance, we can leave the backup to a cron job without compromising the safety of the files. Make sure to include the file **~/.crypt/.encfs6.xml** in the backup. This file saves the encryption configuration, and you will need it to decode the information later on. See the tutorial on [[http://sdf.org/?tutorials/rsync-backup|rsync]] for more information on how to make a backup.+Since the encryption is done file-by-file, we can easily make backups of the encrypted data without the need to mount the filesystem, so for instance, we can leave the backup to a cron job without compromising the safety of the files. Make sure to include the file **~/.crypt/.encfs6.xml** in the backup. This file saves the encryption configuration, and you will need it to decode the information later on. See the tutorial on [[:backing_up_home_using_rsync|rsync]] for more information on how to make a backup.
  
 The paranoia mode has a feature named "External IV Chaining", which ties the filename (possibly including the absolute path) with the data for its encryption, so a file that has been moved or renamed will fail to decode properly. Make sure that, if you are doing backups of encrypted files, you will either have this option disabled or have a way to restore the whole path and filenames of the encrypted data. The paranoia mode has a feature named "External IV Chaining", which ties the filename (possibly including the absolute path) with the data for its encryption, so a file that has been moved or renamed will fail to decode properly. Make sure that, if you are doing backups of encrypted files, you will either have this option disabled or have a way to restore the whole path and filenames of the encrypted data.
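Review bot: the changed Backups paragraph recommends an unattended cron backup of the encrypted files, while the caveat that External IV Chaining makes a moved or renamed file fail to decode only appears in the following paragraph. A backup restored to a different path is that case, so the first paragraph should say up front that the backup must preserve the full path and filenames, or that the option must be disabled. The sentence beginning "Since the encryption is done file-by-file" would also read better split at "so for instance".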
Line 81: Line 81:
 local.machine:~$ sshfs -o idmap=user username@remote.machine:./.crypt-remote ~/.crypt local.machine:~$ sshfs -o idmap=user username@remote.machine:./.crypt-remote ~/.crypt
 </code> </code>
-    * The option **-o idmap=user** will map your local user name to the user name on the remote machine, that is, files on the remote system that are from the user username, appear to be from the user that you are logged in as on the local system (see the tutorial on [[http://sdf.org/?tutorials/sshfs|sshFS]] if you need).+    * The option **-o idmap=user** will map your local user name to the user name on the remote machine, that is, files on the remote system that are from the user username, appear to be from the user that you are logged in as on the local system (see the tutorial on [[:sshfs-sdf|sshFS]] if you need).
  
   * Use EncFS locally to mount **~/.crypt** at **~/crypt** <code>   * Use EncFS locally to mount **~/.crypt** at **~/crypt** <code>
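Review bot: the parenthetical at the end of the changed bullet stops at "if you need"; finish it ("if you need it") and mark up the placeholder so that "from the user username" reads as "owned by the user **username**". The new link label "sshFS" also differs in capitalisation from the `sshfs` command shown in the context line above it; pick one spelling for the page.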
mounting_an_encrypted_partition_with_encfs.1616389687.txt.gz · Last modified: 2021/03/22 05:08 by hc9