Mine the Harvest

Dropbox and EncFS – Encrypting Local Files

by on Mar.22, 2011, under Linux

I have been using Dropbox for quite a while, and I’ve found it extremely helpful. Spideroak, a similar service, is also very interesting and something I am test driving now as well. Being able to share files so easily amongst numerous devices and via the web is handy in the extreme. You can even tie in things like Nevernote into this and sync your notebooks yourself between your devices.

With any of these solutions, security is of course a concern. Regardless of whether the data is encrypted in transit, or whether the provider encrypts it on their server, I also wanted to encrypt it locally. This is where a combination of Dropbox + encFS comes into play very nicely.

There are many options when it comes to file encryption, but encFS really shines in some areas. Encryption is per-file, and no dedicated space need be reserved beforehand. Setup is very simple, and encFS is well supported on all major Linux distros.

Using this solution, encFS stores encrypted files in a Dropbox directory. This is then mounted via encfs to a local folder where the unencrypted files are made available. When I am done, I can simply unmount this directory, leaving only the encrypted files in my Dropbox folder on the local system, encrypted via encFS with AES or Blowfish. The information is thus also encrypted in transit, and additionally encrypted by Dropbox/Spideroak on their side.

Setting this up is very simple and takes just a few minutes. More detailed howtos can be found in the reference section, but here is an encFS in 5 minutes quickstart guide:

Ensure you have fuse and encfs installed via your package manager and that the fuse module is loaded:
lsmod | grep fuse

Create a directory in Dropbox which will hold the encrypted files, and a mount point outside of Dropbox where the unencrypted versions will be mounted. (For Spideroak simply create two directories in your home folder and add the encrypted directory in your list of folders to back up in Spideroak.)
mkdir ~/Dropbox/encrypted/ ~/unencrypted

Mount the filesystem:
encfs ~/Dropbox/encrypted/ ~/unencrypted/

Note: provide full paths or at least a ~ prefix to encfs.
The first time you do this encfs will set up the encryption. You may choose your options, set the passwords, etc. A “paranoid” auto-config option is available, and full details for options are in the man page.

Using encFS

Now, simply create and use your files in ~/unencrypted. Normal filesystem permissions apply and the use of these should be completely transparent. Anything stored in this mount point is automatically encrypted, and you will see matching (encrypted) entities in ~/Dropbox/encrypted.

When you are done, unmount with:
fusermount -u ~/unencrypted
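
The mount and unmount steps above, wrapped in a script with preflight checks (an added example, not part of the original post). It refuses to mount if the plaintext mount point would itself be synced by Dropbox or if a path is not absolute. The variable and function names are assumptions, as is the use of mountpoint from util-linux and a /dev/fuse check in place of lsmod.

```shell
#!/bin/sh
# Added example: preflight checks around the encfs quickstart steps.
# DROPBOX_ROOT, ENC_DIR and PLAIN_DIR are assumed names matching the paths above.
DROPBOX_ROOT="${DROPBOX_ROOT:-$HOME/Dropbox}"
ENC_DIR="${ENC_DIR:-$DROPBOX_ROOT/encrypted}"
PLAIN_DIR="${PLAIN_DIR:-$HOME/unencrypted}"

# Succeeds if path $1 is $2 itself or lies below it. Existing directories are
# resolved with pwd -P, so a symlinked mount point cannot hide inside Dropbox.
is_inside() {
    child=$(cd "$1" 2>/dev/null && pwd -P) || child=$1
    parent=$(cd "$2" 2>/dev/null && pwd -P) || parent=$2
    case "${child%/}/" in
        "${parent%/}/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Validates the layout: absolute paths, ciphertext inside Dropbox,
# plaintext mount point outside it. Prints the reason and returns 1 on failure.
check_layout() {
    for p in "$ENC_DIR" "$PLAIN_DIR"; do
        case "$p" in /*) ;; *) echo "not an absolute path: $p" >&2; return 1 ;; esac
    done
    is_inside "$ENC_DIR" "$DROPBOX_ROOT" || { echo "encrypted dir is not synced: $ENC_DIR" >&2; return 1; }
    if is_inside "$PLAIN_DIR" "$DROPBOX_ROOT"; then
        echo "plaintext mount point would be synced: $PLAIN_DIR" >&2; return 1
    fi
}

# Mounts the encrypted directory; encfs prompts for the password itself.
vault_mount() {
    check_layout || return 1
    [ -e /dev/fuse ] || { echo "FUSE is not available (/dev/fuse missing)" >&2; return 1; }
    mountpoint -q "$PLAIN_DIR" && { echo "already mounted: $PLAIN_DIR"; return 0; }
    mkdir -p "$ENC_DIR" "$PLAIN_DIR" && encfs "$ENC_DIR" "$PLAIN_DIR"
}

# Unmounts the plaintext view, leaving only ciphertext in the Dropbox folder.
vault_umount() {
    mountpoint -q "$PLAIN_DIR" || { echo "not mounted: $PLAIN_DIR"; return 0; }
    fusermount -u "$PLAIN_DIR"
}

case "${1:-}" in
    mount)  vault_mount ;;
    umount) vault_umount ;;
esac
```

Run it with mount or umount as the first argument. For the Spideroak layout, set DROPBOX_ROOT to the folder Spideroak backs up.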

Cryptkeeper Applet

Cryptkeeper is a systray applet for KDE and Gnome which provides a simple GUI for the creation, importing, and mounting of encFS folders. It is quite easy to use. For Suse 11.4, I simply used the rpm available for Fedora 13. Cryptkeeper is maintained by Tom Morton and the source code is available on his site here

By default it uses Nautilus, though KDE users who prefer Dolphin or another file manager can simply change this in Cryptkeeper's preferences.

Cryptkeeper also allows you to view information about an encrypted folder, or change the password. These options are available by right-clicking on the folder name in the list of encrypted folders.

References:

http://en.wikipedia.org/wiki/EncFS

Setup Guides:

http://movingtofreedom.org/2007/02/21/howto-encfs-encrypted-file-system-in-ubuntu-and-fedora-gnu-linux/

http://www.net-tools.org/web/index.php?option=com_content&view=article&id=124:dropbox-automated-backup-with-encryption&catid=20:scripts&Itemid=40

The last link provides a suggestion on auto-mounting using the encfs extpass option and a compiled file containing your password. However, be aware that this simply compiles your password into a binary which prints it to stdout when run. You are creating a program that will output your password to anyone who runs it, and if strings is run on it your password is visible. The encfs man page suggests pointing --extpass at ssh-askpass as another method, and there is also the option to use libpam-encfs.

PAM Configuration:

For a guide on setting up libpam-encfs see:

http://choffee.co.uk/ramble/2006/06/02/paranoia-at-home/
