Encrypting data with the FUSE encryption module

I use a laptop to conduct most of system administration duties, and periodically need to store sensitive information in my home directory on my laptop. To ensure that this information can’t be used for malicious purposes, I use the FUSE encryption module to encrypt anything I think is sensitive (I probably go overboard when it comes to encrypting data, but you can never be too safe with your (or your companies) data!).

Now you may be asking yourself why not GNUPG? Well, the FUSE encryption module allows transparent access to file and directories, so you don’t have to manually key in a symmetric key each time you need to access a file (you only need to type the key in when you mount the encrypted folder). This provides a fair amount of flexibility, and helps me ensure that I won’t accidentally forget to reencrypt a file when I am done using it.

Configuring the FUSE encryption module is a simple process. To create a new source directory (this is the directory where the encrypted data goes) and mount it on a destination directory (this is the place where you read and write data to), the encfs utility can be run with the full path to the source directory, and the full path to the destination directory:

$ encfs /home/matty/source /home/matty/encrypt/

The first time you run the encfs utility, it will ask you to pick a setup mode, and a symmetric key to encrypt data that is added to the destination directory. Here are the screens I was presented with when I ran the encfs command line listed above::

Creating new encrypted volume.
Please choose from one of the following options:
 enter "x" for expert configuration mode,
 enter "p" for pre-configured paranoia mode,
 anything else, or an empty line will select standard mode.
?> p

Paranoia configuration selected.

Configuration finished.  The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 2:1:1
Filename encoding: "nameio/block", version 3:0:1
Key Size: 256 bits
Block Size: 512 bytes, including 8 byte MAC header
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File data IV is chained to filename IV.

-------------------------- WARNING --------------------------
The external initialization-vector chaining option has been
enabled.  This option disables the use of hard links on the
filesystem. Without hard links, some programs may not work.
The programs 'mutt' and 'procmail' are known to fail.  For
more information, please see the encfs mailing list.
If you would like to choose another configuration setting,
please press CTRL-C now to abort and start over.

Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism.  However, the password can be changed
later using encfsctl.

New Encfs Password: 
Verify Encfs Password: 

Once this operation completes, the source directory will be initialized, and mounted on the destination directory:

$ df -h

Filesystem            Size  Used Avail Use% Mounted on
/dev/hda1              19G  2.6G   16G  15% /
tmpfs                 314M     0  314M   0% /dev/shm
/dev/hda2              19G  177M   18G   1% /home
encfs                  19G  177M   18G   1% /home/matty/encrypt

The destination directory can be accessed just like any other directory on the server, but it’s contents will only be viewable while the directory is mounted. To unmount the destination directory so it’s contents can no longer be viewed, the fusermount utility can be run with the “-u” (unmount) option and the directory to unmount:

$ fusermount -u /home/matty/encrypt

I really dig FUSE, and am hopeful the Solaris port will complete in the near future. :)

2 thoughts on “Encrypting data with the FUSE encryption module”

  1. as an data entry employee I also have some very important data in my machine and i USE Folder Lock to secure that data,really easy to use software.

Leave a Reply

Your email address will not be published. Required fields are marked *