1ENCFS(1) Encrypted Filesystem ENCFS(1)
2
3
4
6 encfs - mounts or creates an encrypted virtual filesystem
7
9 encfs [--version] [-s] [-f] [-v|--verbose] [-i MINUTES|--idle=MINUTES]
10 [--extpass=program] [-S|--stdinpass] [--anykey] [--forcedecode]
11 [-d|--fuse-debug] [--public] [--no-default-flags] [--ondemand]
12 [--reverse] [-o FUSE_OPTION] rootdir mountPoint [-- [Fuse Mount
13 Options]]
14
16 EncFS creates a virtual encrypted filesystem which stores encrypted
17 data in the rootdir directory and makes the unencrypted data visible at
18 the mountPoint directory. The user must supply a password which is
19 used to (indirectly) encrypt both filenames and file contents.
20
21 If EncFS is unable to find a supported filesystem at the specified
22 rootdir, then the user will be asked if they wish to create a new
23 encrypted filesystem at the specified location. Options will be pre‐
24 sented to the user allowing some control over the algorithms to use.
25 As EncFS matures, there may be an increasing number of choices.
26
28 -i, --idle=MINUTES
29 Enable automatic unmount of the filesystem after a period of inac‐
30 tivity. The period is specified in minutes, so the shortest time‐
31 out period that can be requested is one minute. EncFS will not
32 automatically unmount if there are files open within the filesys‐
33 tem, even if they are open in read-only mode. However simply hav‐
34 ing files open does not count as activity.
35
36 -f The -f (foreground) option causes EncFS to run in the foreground.
37 Normally EncFS spawns off as a daemon and runs in the background,
38 returning control to the spawning shell. With the -f option, it
39 will run in the foreground and any warning/debug log messages will
40 be displayed on standard error. In the default (background) mode,
41 all log messages are logged via syslog.
42
43 -v, --verbose
44 Causes EncFS to enable logging of various debug channels within
45 EncFS. Normally these logging messages are disabled and have no
46 effect. It is recommended that you run in foreground (-f) mode
47 when running with verbose enabled.
48
49 -s The -s (single threaded) option causes EncFS to run in single
50 threaded mode. By default, EncFS runs in multi-threaded mode.
51 This option is used during EncFS development in order to simplify
52 debugging and allow it to run under memory checking tools..
53
54 -d, --fuse-debug
55 Enables debugging within the FUSE library. This should only be
56 used if you suspect a problem within FUSE itself (not EncFS), as it
57 generates a lot of low-level data and is not likely to be very
58 helpful in general problem tracking. Try verbose mode (-v) first,
59 which gives a higher level view of what is happening within EncFS.
60
61 --forcedecode
62 This option only has an effect on filesystems which use MAC block
63 headers. By default, if a block is decoded and the stored MAC
64 doesn't match what is calculated, then an IO error is returned to
65 the application and the block is not returned. However, by speci‐
66 fying --forcedecode, only an error will be logged and the data will
67 still be returned to the application. This may be useful for
68 attempting to read corrupted files.
69
70 --public
71 Attempt to make encfs behave as a typical multi-user filesystem.
72 By default, all FUSE based filesystems are visible only to the user
73 who mounted them. No other users (including root) can view the
74 filesystem contents. The --public option does two things. It adds
75 the FUSE flags "allow_other" and "default_permission" when mounting
76 the filesystem, which tells FUSE to allow other users to access the
77 filesystem, and to use the ownership permissions provided by the
78 filesystem. Secondly, the --public flag changes how encfs's node
79 creation functions work - as they will try and set ownership of new
80 nodes based on the caller identification.
81
82 Warning: In order for this to work, encfs must be run as root --
83 otherwise it will not have the ability to change ownership of
84 files. I recommend that you instead investigate if the fuse
85 allow_other option can be used to do what you want before consider‐
86 ing the use of --public.
87
88 --ondemand
89 Mount the filesystem on-demand. This currently only makes sense in
90 combination with --idle and --extpass options. When the filesystem
91 becomes idle, instead of exiting, EncFS stops allowing access to
92 the filesystem by internally dropping it's reference to it. If
93 someone attempts to access the filesystem again, the extpass pro‐
94 gram is used to prompt the user for the password. If this suc‐
95 ceeds, then the filesystem becomes available again.
96
97 --reverse
98 Normally EncFS provides a plaintext view of data on demand. Nor‐
99 mally it stores enciphered data and displays plaintext data. With
100 --reverse it takes as source plaintext data and produces enciphered
101 data on-demand. This can be useful for creating remote encrypted
102 backups, where you do not wish to keep the local files unencrypted.
103
104 For example, the following would create an encrypted view in
105 /tmp/crypt-view.
106
107 encfs --reverse /home/me /tmp/crypt-view
108
109 You could then copy the /tmp/crypt-view directory in order to have
110 a copy of the encrypted data. You must also keep a copy of the
111 file /home/me/.encfs5 which contains the filesystem information.
112 Together, the two can be used to reproduce the unencrypted data:
113
114 ENCFS5_CONFIG=/home/me/.encfs5 encfs /tmp/crypt-view /tmp/plain-view
115
116 Now /tmp/plain-view contains the same data as /home/me
117
118 Note that --reverse mode only works with limited configuration
119 options, so many settings may be disabled when used.
120
121 -o FUSE_ARG
122 Pass through FUSE args to the underlying library. This makes it
123 easy to pass FUSE options when mounting EncFS via mount (and
124 /etc/fstab). Eg:
125
126 mount encfs#/home/me-crypt /home/me -t fuse -o kernel_cache
127
128 Note that encfs arguments cannot be set this way. If you need to
129 set encfs arguments, create a wrapper, such as encfs-reverse;
130
131 #!/bin/sh
132 encfs --reverse $*
133
134 Then mount using the script path
135
136 mount encfs-reverse#/home/me /home/me-crypt -t fuse
137
138 -- The -- option tells EncFS to send any remaining arguments directly
139 to FUSE. In turn, FUSE passes the arguments to fusermount. See
140 the fusermount help page for information on available commands.
141
142 --no-default-flags
143 Encfs adds the FUSE flags "use_ino" and "default_permissions" by
144 default, as of version 1.2.2, because that improves compatibility
145 with some programs.. If for some reason you need to disable one or
146 both of these flags, use the option --no-default-flags.
147
148 The following command lines produce the same result:
149
150 encfs raw crypt
151 encfs --no-default-flags raw crypt -- -o use_ino,default_permissions
152
153 --extpass=program
154 Specify an external program to use for getting the user password.
155 When the external program is spawned, the environment variable
156 "RootDir" will be set to contain the path to the root directory.
157 The program should print the password to standard output.
158
159 EncFS takes everything returned from the program to be the pass‐
160 word, except for a trailing newline (\n) which will be removed.
161
162 For example, specifying --extpass=/usr/lib/ssh/ssh-askpass will
163 cause EncFS to use ssh's password prompt program.
164
165 Note: EncFS reads at most 2k of data from the password program, and
166 it removes any trailing newline. Versions before 1.4.x accepted
167 only 64 bytes of text.
168
169 -S, --stdinpass
170 Read password from standard input, without prompting. This may be
171 useful for scripting encfs mounts.
172
173 Note that you should make sure the filesystem and mount points
174 exist first. Otherwise encfs will prompt for the filesystem cre‐
175 ation options, which may interfere with your script.
176
177 --anykey
178 Turn off key validation checking. This allows EncFS to be used
179 with secondary passwords. This could be used to store a separate
180 set of files in an encrypted filesystem. EncFS ignores files which
181 do not decode properly, so files created with separate passwords
182 will only be visible when the filesystem is mounted with their
183 associated password.
184
185 Note that if the primary password is changed (using encfsctl), the
186 other passwords will not be usable unless the primary password is
187 set back to what it was, as the other passwords rely on an invalid
188 decoding of the volume key, which will not remain the same if the
189 primary password is changed.
190
191 Warning: Use this option at your own risk.
192
194 Create a new encrypted filesystem. Store the raw (encrypted) data in
195 "~/.crypt" , and make the unencrypted data visible in "~/crypt". Both
196 directories are in the home directory in this example. This example
197 shows the full output of encfs as it asks the user if they wish to cre‐
198 ate the filesystem:
199
200 % encfs ~/.crypt ~/crypt
201 Directory "/home/me/.crypt" does not exist, create (y,n)?y
202 Directory "/home/me/crypt" does not exist, create (y,n)?y
203 Creating new encrypted volume.
204 Please choose from one of the following options:
205 enter "x" for expert configuration mode,
206 enter "p" for pre-configured paranoia mode,
207 anything else, or an empty line will select standard mode.
208 ?>
209
210 Standard configuration selected.
211 Using cipher Blowfish, key size 160, block size 512
212 New Password: <password entered here>
213 Verify: <password entered here>
214
215 The filesystem is now mounted and visible in ~/crypt. If files are
216 created there, they can be seen in encrypted form in ~/.crypt. To
217 unmount the filesystem, use fusermount with the -u (unmount) option:
218
219 % fusermount -u ~/crypt
220
221 Another example. To mount the same filesystem, but have fusermount
222 name the mount point '/dev/foo' (as shown in df and other tools which
223 read /etc/mtab), and also request kernel-level caching of file data
224 (which are both special arguments to fusermount):
225
226 % encfs ~/.crypt ~/crypt -- -n /dev/foo -c
227
228 Or, if you find strange behavior under some particular program when
229 working in an encrypted filesystem, it may be helpful to run in verbose
230 mode while reproducing the problem and send along the output with the
231 problem report:
232
233 % encfs -v -f ~/.crypt ~/crypt 2> encfs-report.txt
234
235 In order to avoid leaking sensitive information through the debugging
236 channels, all warnings and debug messages (as output in verbose mode)
237 contain only encrypted filenames. You can use the encfsctl program's
238 decode function to decode filenames if desired.
239
241 EncFS is not a true filesystem. It does not deal with any of the
242 actual storage or maintenance of files. It simply translates requests
243 (encrypting or decrypting as necessary) and passes the requests through
244 to the underlying host filesystem. Therefor any limitations of the
245 host filesystem will likely be inherited by EncFS (or possibly be fur‐
246 ther limited).
247
248 One such limitation is filename length. If your underlying filesystem
249 limits you to N characters in a filename, then EncFS will limit you to
250 approximately 3*(N-2)/4. For example if the host filesystem limits to
251 256 characters, then EncFS will be limited to 190 character filenames.
252 This is because encrypted filenames are always longer then plaintext
253 filenames.
254
256 When EncFS is given a root directory which does not contain an existing
257 EncFS filesystem, it will give the option to create one. Note that
258 options can only be set at filesystem creation time. There is no sup‐
259 port for modifying a filesystem's options in-place.
260
261 If you want to upgrade a filesystem to use newer features, then you
262 need to create a new filesystem and mount both the old filesystem and
263 new filesystem at the same time and copy the old to the new.
264
265 Multiple instances of encfs can be run at the same time, including dif‐
266 ferent versions of encfs, as long as they are compatible with the cur‐
267 rent FUSE module on your system.
268
269 A choice is provided for two pre-configured settings ('standard' and
270 'paranoia'), along with an expert configuration mode.
271
272 Standard mode uses the following settings:
273 Cipher: Blowfish
274 Key Size: 160 bits
275 Filesystem Block Size: 512 bytes
276 Filename Encoding: Block encoding with IV chaining
277 Unique initialization vector file headers
278
279 Paranoia mode uses the following settings:
280 Cipher: AES
281 Key Size: 256 bits
282 Filesystem Block Size: 512 bytes
283 Filename Encoding: Block encoding with IV chaining
284 Unique initialization vector file headers
285 Message Authentication Code block headers
286 External IV Chaining
287
288 In the expert / manual configuration mode, each of the above options is
289 configurable. Here is a list of current options with some notes about
290 what they mean:
291
292 Cipher
293 Which encryption algorithm to use. The list is generated automati‐
294 cally based on what supported algorithms EncFS found in the encryp‐
295 tion libraries. When using a recent version of OpenSSL, Blowfish
296 and AES are the typical options.
297
298 Blowfish is an 8 byte cipher - encoding 8 bytes at a time. AES is
299 a 16 byte cipher.
300
301 Cipher Key Size
302 Many, if not all, of the supported ciphers support multiple key
303 lengths. There is not really much need to have enormous key
304 lengths. Even 160 bits (the default) is probably overkill.
305
306 Filesystem Block Size
307 This is the size (in bytes) that EncFS deals with at one time.
308 Each block gets its own initialization vector and is encoded in the
309 cipher's cipher-block-chaining mode. A partial block at the end of
310 a file is encoded using a stream mode to avoid having to store the
311 filesize somewhere.
312
313 Having larger block sizes reduces the overhead of EncFS a little,
314 but it can also add overhead if your programs read small parts of
315 files. In order to read a single byte from a file, the entire
316 block that contains that byte must be read and decoded, so a large
317 block size adds overhead to small requests. With write calls it is
318 even worse, as a block must be read and decoded, the change applied
319 and the block encoded and written back out.
320
321 The default is 512 bytes as of version 1.0. It was hard coded to
322 64 bytes in version 0.x, which was not as efficient as the current
323 setting for general usage.
324
325 Filename Encoding
326 New in 1.1. A choice is given between stream encoding of filename
327 and block encoding. The advantage of stream encoding is that the
328 encoded filenames will be as short as possible. If you have a
329 filename with a single letter, it will be very short in the encoded
330 form, where as block encoded filenames are always rounded up to the
331 block size of the encryption cipher (8 bytes for Blowfish and 16
332 bytes for AES).
333
334 The advantage of block encoding mode is that filename lenths all
335 come out as a multiple of the cipher block size. This means that
336 someone looking at your encrypted data can't tell as much about the
337 length of your filenames. It is on by default, as it takes a simi‐
338 lar amount of time to using the stream cipher. However stream
339 cipher mode may be useful if you want shorter encrypted filenames
340 for some reason.
341
342 Prior to version 1.1, only stream encoding was supported.
343
344 Filename Initialization Vector Chaining
345 New in 1.1. In previous versions of EncFS, each filename element
346 in a path was encoded separately. So if "foo" encoded to "XXX",
347 then it would always encode that way (given the same encryption
348 key), no matter if the path was "a/b/foo", or "aa/foo/cc", etc.
349 That meant it was possible for someone looking at the encrypted
350 data to see if two files in different directories had the same
351 name, even though they wouldn't know what that name decoded to.
352
353 With initialization vector chaining, each directory gets its own
354 initialization vector. So "a/foo" and "b/foo" will have completely
355 different encoded names for "foo". This features has almost no
356 performance impact (for most operations), and so is the default in
357 all modes.
358
359 Note: One significant exception is directory renames. Since the
360 initialization vector for filename encoding depends on the direc‐
361 tory path, any rename requires re-encoding every filename in the
362 tree of the directory being changed. If there are thousands of
363 files, then EncFS will have to do thousands of renames. It may
364 also be possible that EncFS will come across a file that it can't
365 decode or doesn't have permission to move during the rename opera‐
366 tion, in which case it will attempt to undo any changes it made up
367 to that point and the rename will fail.
368
369 Per-File Initialization Vectors
370 New in 1.1. In previous versions of EncFS, each file was encoded
371 in the same way. Each block in a file has always had its own ini‐
372 tialization vector, but in a deterministic way so that block N in
373 one file is encoded in the same was as block N in another file.
374 That made it possible for someone to tell if two files were identi‐
375 cal (or parts of the file were identical) by comparing the encoded
376 data.
377
378 With per-file initialization vectors, each file gets its own 64bit
379 random initialization vector, so that each file is encrypted in a
380 different way.
381
382 This option is enabled by default.
383
384 External IV Chaining
385 New in 1.1.3. This option is closely related to Per-File Initial‐
386 ization Vectors and Filename Initialization Vector Chaining. Basi‐
387 cally it extends the initialization vector chaining from filenames
388 to the per-file initialization vector.
389
390 When this option is enabled, the per-file initialization vector is
391 encoded using the initialization vector derived from the filename
392 initialization vector chaining code. This means that the data in a
393 file becomes tied to the filename. If an encrypted file is renamed
394 outside of encfs, it will no longer be decodable within encfs.
395 Note that unless Block MAC headers are enabled, the decoding error
396 will not be detected and will result in reading random looking
397 data.
398
399 There is a cost associated with this. When External IV Chaining is
400 enabled, hard links will not be allowed within the filesystem, as
401 there would be no way to properly decode two different filenames
402 pointing to the same data.
403
404 Also, renaming a file requires modifying the file header. So
405 renames will only be allowed when the user has write access to the
406 file.
407
408 Because of these limits, this option is disabled by default for
409 standard mode (and enabled by default for paranoia mode).
410
411 Block MAC headers
412 New to 1.1. If this is enabled, every block in every file is
413 stored along with a cryptographic checksum (Message Authentication
414 Code). This makes it virtually impossible to modify a file without
415 the change being detected by EncFS. EncFS will refuse to read data
416 which does not pass the checksum, and will log the error and return
417 an IO error to the application.
418
419 This adds substantial overhead (default being 8 bytes per filesys‐
420 tem block), plus computational overhead, and is not enabled by
421 default except in paranoia mode.
422
423 When this is not enabled and if EncFS is asked to read modified or
424 corrupted data, it will have no way to verify that the decoded data
425 is what was originally encoded.
426
428 The primary goal of EncFS is to protect data off-line. That is, pro‐
429 vide a convenient way of storing files in a way that will frustrate any
430 attempt to read them if the files are later intercepted.
431
432 Some algorithms in EncFS are also meant to frustrate on-line attacks
433 where an attacker is assumed to be able to modify the files.
434
435 The most intrusive attacks, where an attacker has complete control of
436 the user's machine (and can therefor modify EncFS, or FUSE, or the ker‐
437 nel itself) are not guarded against. Do not assume that encrypted
438 files will protect your sensitive data if you enter your password into
439 a compromised computer. How you determine that the computer is safe to
440 use is beyond the scope of this documentation.
441
442 That said, here are some example attacks and data gathering techniques
443 on the filesystem contents along with the algorithms EncFS supports to
444 thwart them:
445
446 Attack: modifying a few bytes of an encrypted file (without knowing
447 what they will decode to).
448 EncFS does not use any form of XOR encryption which would allow
449 single bytes to be modified without affecting others. Most modifi‐
450 cations would affect dozens or more bytes. Additionally, MAC Block
451 headers can be used to identify any changes to files.
452
453 Attack: copying a random block of one file to a random block of another
454 file.
455 Each block has its own [deterministic] initialization vector.
456
457 Attack: copying block N to block N of another file.
458 When the Per-File Initialization Vector support is enabled (default
459 in 1.1.x filesystems), a copied block will not decode properly when
460 copied to another file.
461
462 Attack: copying an entire file to another file.
463 Can be prevented by enabling External IV Chaining mode.
464
465 Attack: determine if two filenames are the same by looking at encrypted
466 names.
467 Filename Initialization Vector chaining prevents this by giving
468 each file a 64-bit initialization vector derived from its full path
469 name.
470
471 Attack: compare if two files contain the same data.
472 Per-File Initialization Vector support prevents this.
473
475 This library is distributed in the hope that it will be useful, but
476 WITHOUT ANY WARRANTY; without even the implied warranty of MER‐
477 CHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Please refer to the
478 "COPYING" file distributed with EncFS for complete details.
479
481 EncFS was written by Valient Gough <vgough@pobox.com>.
482
484 encfsctl(1)
485
486
487
4881.4.1 2008-01-12 ENCFS(1)