Using EncFS with graphical front ends

Cryptography software has the reputation for being difficult to deal with. However, EncFS plus the graphical front-end Cryptkeeper and Gnome Encfs Manager make it easy even for unschooled encryption users to secure their data with onboard tools. These tools encrypt file blocks with the AES algorithm; the key length is 256 bit.

As its name suggests, EncFS is a cryptographic program that does not secure data by compressing them in containers. Instead, it works as a virtual filesystem that is also encrypted. It sits on the FUSE module and therefore does its work in the user space. Consequently, it does not require administrative rights.

EncFS offers many additional advantages over other solutions. You do not need to worry about setting up special partitions or containers. The system uses only the space actually required by the encrypted data. There are no outsized containers or partitions to squander storage.

Moreover, EncFS does not require a particular filesystem. It cooperates just as well with ext3/4 as it does with XFS, as well as over a network with NFS. However, when applied as a userspace solution, EncFS is suitable only under certain circumstances for encrypting larger amounts of data. This is because rerouting over the FUSE kernel module causes the system to work significantly more slowly than a native filesystem.

Used jointly with backup programs, which are also not always concerned with speed, EncFS shows its strengths by working in a completely transparent fashion and by integrating the encrypted pieces of data into the filesystem as conventional directories and files.

Installation

You will find EncFS in the software repositories of most major distributions. Depending on the derivative, the binary packages may be named differently. For example, the RPM package in Fedora is found under fuse-encfs ; if you are running Ubuntu or Debian, you need only look for encfs .

A warning about a potential security breach in the software will appear when you install EncFS from the package sources, even with the current version 1.8.1. Taylor Hornby discovered this security issue while performing a security audit at the beginning of 2014 [1]. According to his results, the then current version of Encfs was vulnerable to attackers who wanted to decrypt encrypted files. The danger of this kind of attack arose when multiple versions of files had been sequentially saved to a data storage device. As a consequence of this discovery, it was recommended that the tool not be used for encrypting data that would be placed in the cloud since multiple versions of a file or folder are customarily stored there (Figure 1).

Figure 1: A warning appears during installation informing the user of potential security breaches in the program. These vulnerabilities were discovered by Taylor Hornby during an audit performed in 2014.

The graphical front-end Cryptkeeper can also be found in the repositories of all major Linux distros and their derivatives. As with EncFS, there are even different versions for 32-bit and 64-bit architectures. This is not the case when Gnome Encfs Manager is used as an alternative EncFS front end. However, this manager is available for some RPM and DEB-based distributions on external software collections [2].

In order to install the Gnome Encfs Manager under Ubuntu and its derivatives, the user should first integrate the accompanying PPA [3] in the system, then update the package sources, and install the software (Listing 1). As with Cryptkeeper, the installation routine will show a starter in the Launcher.

$ sudo add-apt-repository ppa:gencfsm/ppa
$ sudo apt-get update
$ sudo apt-get install gnome-encfs-manager

The Gnome Encfs manager is generally suitable for more desktop environments than just the Gnome system. Subsequently, each package administration can automatically pull the required dependencies if this is necessary. Moreover, the program's source code is ready for calling [4].

Cryptkeeper

A symbol in the shape of a key will appear in the desktop panel bar once the Cryptkeeper starter is clicked. A right click on this symbol opens the context menu where you can then select the Preferences entry. A small dialog lets you choose only basic options such as the preferred file manager. The dialog offers the Gnome file manager Nautilus as a default option. It is a good idea for users working with a different desktop to enter the file manager of the relevant work interface so that Cryptkeeper can be integrated as seamlessly as possible into the system (Figure 2). If you use Unity, Nautilus is fine.

Figure 2: The settings dialog for Cryptkeeper is limited to the essentials. This makes everything easier.

It is also a good idea to enter a number in the Deactivate folder when not in use (Minutes): option. If you have not modified the encrypted folder once the designated time period expires, then the software will automatically deactivate the folder. After completing the setup, left click on the key symbol and select the New encrypted folder entry.

In the dialog that opens, select a folder from the integrated file manager as a location for the directory to be encrypted. Then enter a label via the Name: option (Figure 3). After clicking on the Forward button in the lower left, enter a password for the encrypted folder in the next dialog and confirm it in the second entry field.

Figure 3: It only takes a few mouse clicks and the entry of a password to set up a new, encrypted folder.

Another click on Forward places the folder in the specified location and opens it directly in the file manager. Along with this directory, EncFS sets up another hidden file of the same name plus the extension _encfs . The software will set up encrypted equivalents for all of the folders and files that the user copies to the original directory (Figure 4).

Figure 4: EncFS keeps the encrypted equivalents with the file extension encfs in a hidden parallel folder. The program retains the original directory structure and also identifies the file size, the rights, and the owner.

When displaying the actual directory, it appears to be empty. Typically only the encrypted data stays in the hidden folder. Although EncFS also encrypts the file and directory names, it retains the folder structure. The size, owner, and rights for individual files can be read. This allows you to draw at least vague inferences about the original contents.

It is a good idea to set up a corresponding entry in the auto-start administration for the system so that Cryptkeeper starts automatically when the computer boots. As soon as the key symbol appears in the system tray after a restart, the software works as desired.

In order to mount a file, click on the key symbol and select the desired directory from the menu. The program asks for a password, integrates the file into the system once the password is entered, and opens the file in the file manager.