natjohan's blog

Posted Mon. 08 February 2016

EncFS: simply protect and access your private data on cloud services

Edit

First, I published this article three years ago, in 2013. As things move fast, especially in security, Sebastian Messmer just advised me that EncFS is no longer a really secure tool for saving files on Dropbox. In February 2014, Taylor Hornby, a scientist and security researcher, audited the EncFS code, and the news is bad:

EncFS is probably safe as long as the adversary only gets one copy of the ciphertext and nothing more. EncFS is not safe if the adversary has the opportunity to see two or more snapshots of the ciphertext at different times. EncFS attempts to protect files from malicious modification, but there are serious problems with this feature.

You can find the whole audit online. That means EncFS is not a good way to secure your Dropbox, as Dropbox saves many snapshots of your files. Since this audit, several versions have been released: https://github.com/vgough/encfs/releases, but unfortunately not all of the issues are fixed yet. So Sebastian built his own crypto tool named CryFS; it already does the job, even if it's not user-friendly or cross-platform yet, but it's a young tool. You can find a comparison of the available tools: https://www.cryfs.org/comparison and, if you're interested in crypto, you can also read Sebastian's thesis about CryFS.

Lesson learned: don't use the current EncFS version (1.8) to protect your files on Dropbox. Open source allows users to edit the code freely and thus increase the level of security for users of this code.

Synopsis

Nowadays, there are many cloud storage services (Dropbox, Bitcasa, Box, Hubic, Mega, Drive, Sparkleshare, etc.) to sync/backup/share/copy your data. Thanks to them, you can guard against a hard drive crash or access your data from different devices.

Using a third-party cloud provider means you have to trust it, and that raises a few questions:

Do you want to put your private data in da cloud ?
Have you ever read the terms of use for these services? (Are you sure?!)
How does the service provide authentication ?
Which technology protects your data? Is there an encryption system (in transit and in storage)?
What will happen to your data if you decide to close your account ?
Are there penalties ($) for unwanted access to your data ?
Is it vulnerable to security breaches ?

If you hesitate or can't answer one or more of these questions, you should consider using EncFS to add a new layer of security for your private data. Moreover, according to the Fraunhofer Institute report on cloud services (see the Go Further links):

The results of the cloud storage provider analysis made clear that most, but not all, cloud storage providers offer built-in methods to encrypt the data to be stored in the cloud. However, the encryption schemes are sometimes not sufficient, as some storage providers encrypt data by using an encryption key generated by and stored at the provider. This means that users cannot be sure whether the storage provider also uses the key to decrypt their data, access the contents and possibly pass it on to third-parties. Even worse, some cloud storage providers do not encrypt data at all.

EncFS in a nutshell

EncFS is an encrypted virtual filesystem that provides local, directory-based encryption. It works with FUSE, which means you don't need any special privileges to make it work, and you can access it through your normal filesystem (because EncFS is a virtual filesystem: VFS).

Encrypt Settings

In paranoia mode:

Cipher: AES
Key Size: 256 bits
PBKDF2 with 3 second runtime, 160 bit salt
Filesystem Block Size: 1024 bytes
Filename Encoding: Block encoding with IV chaining
Unique initialization vector file headers
Message Authentication Code block headers
External IV Chaining

Why EncFS ?

EncFS offers a good level of protection for personal use (see above)

EncFS is simple to use

EncFS encrypts one file at a time rather than an entire block device (like TrueCrypt), which is very convenient for cloud storage because only your modified files need to be updated. Moreover, you don't have to define a size for your encrypted folder

EncFS works on many OSes and there are GUIs (see below)

Linux

Installation

On Fedora (there are also Debian and FreeBSD packages):

natjohan# yum install fuse-encfs

Usage

From command line

You can use EncFS from the command line. The following command creates an encrypted folder where your data will be stored and another folder for your decrypted data:

natjohan $ encfs /home/.myencryptedfolder /home/mydecryptedfolder

Then follow the instructions (select p for paranoia mode, choose a very strong password and, of course, don't forget it ;)

You can verify with:

natjohan $ cat /proc/mounts
 encfs /home/mydecryptedfolder fuse rw,nosuid,nodev,user_id=1000,group_id=1000,default_permissions 0 0

You should see an encfs line.

So, to use EncFS and view or add data in your mydecryptedfolder, you just have to run the same command again:

natjohan $ encfs /home/.myencryptedfolder /home/mydecryptedfolder

Every file in this folder will be encrypted in your .myencryptedfolder.

To unmount the folder:

natjohan $ fusermount -u /home/mydecryptedfolder

To change your password :

natjohan $ encfsctl passwd /home/.myencryptedfolder
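
The /proc/mounts check described above, turned into a guard. This is an added example, not part of the original post: it refuses to copy a file into the decrypted folder unless EncFS is mounted there, because anything written while it is unmounted stays on disk unencrypted. The function names `encfs_mounted` and `store_encrypted` and the sample mount lines are constructed for illustration; the `fuse.encfs` type is accepted alongside the `fuse` type shown above.

```shell
#!/bin/sh
# encfs_mounted MOUNTPOINT [MOUNTS_FILE]
# Succeeds only if MOUNTS_FILE (default /proc/mounts) lists MOUNTPOINT as an
# encfs FUSE mount. Fields: source mountpoint fstype options dump pass.
encfs_mounted() {
    mp=${1%/}    # tolerate a trailing slash on the argument
    MP="$mp" awk '
        {
            m = $2
            gsub(/\\040/, " ", m)    # the kernel writes spaces in paths as \040
        }
        $1 == "encfs" && m == ENVIRON["MP"] && ($3 == "fuse" || $3 == "fuse.encfs") { found = 1 }
        END { exit !found }
    ' "${2:-/proc/mounts}"
}

# store_encrypted FILE MOUNTPOINT [MOUNTS_FILE]
# Copies FILE into the decrypted view only when EncFS is mounted there.
store_encrypted() {
    if ! encfs_mounted "$2" "${3:-/proc/mounts}"; then
        echo "refusing: $2 is not an active encfs mount" >&2
        return 1
    fi
    cp -- "$1" "$2"/
}

# Constructed sample in /proc/mounts format (first line modelled on the output above).
sample=$(mktemp)
cat > "$sample" <<'EOF'
encfs /home/mydecryptedfolder fuse rw,nosuid,nodev,user_id=1000,group_id=1000,default_permissions 0 0
encfs /home/my\040photos fuse.encfs rw,nosuid,nodev,user_id=1000,group_id=1000 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
EOF
for dir in /home/mydecryptedfolder "/home/my photos" /home /home/other; do
    if encfs_mounted "$dir" "$sample"; then
        echo "mounted:     $dir"
    else
        echo "NOT mounted: $dir"
    fi
done
rm -f "$sample"
```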

With a GUI

There is also a GUI for EncFS called CryptKeeper; you can build it from source or, on Fedora, install the package:

natjohan# yum install cryptkeeper

CryptKeeper offers a simple GUI through a system tray applet; you can mount/unmount or create encrypted folders.

There are also some options (right-click on the icon). So, the content of your encrypted folder should look like this:

Android

"OK, EncFS is pretty cool, but what if I want to access my data on my Android device?!" There are several Android apps for decrypting an EncFS folder, but CloudFetch is my favorite: you can decrypt a local folder or link it directly with Dropbox, SpiderOak, SparkleShare and Ubuntu One (for the moment). Download it via Google play here

Windows

"On my family's computer ?"

Installation

So, you need the Dokan library, which allows a FUSE filesystem to run on Windows. Just download and install the Dokan library. Then there is an EncFS port named EncFS4win: download the archive and extract it anywhere you want (e.g. C:\Program Files\encfs).

Usage

To launch the GUI, just double click encfsw.exe and now you can easily manage your encrypted folders.

OS X Lion

I'm not a Mac user, but I found a solution for you on webdiary: you have to download and install Fuse4x to support FUSE and the EncFS Mac installer on lisanet. Now you can use EncFS from the command line.

If you want a GUI, just follow this quick howto (you need to install homebrew)

Go Further

EncFS official website
EncFS on wikipedia
Very interesting EncFS hints
A PDF report from the Fraunhofer Institute: On the security of cloud storage services
Category: Linux
Tags: crypt filesystem dropbox cloud security EncFS data
