Friday, April 27, 2012

EncFS & Dropbox for Linux/Android/Windows/MacOSX

Nowadays there are a lot of ways to store documents online - which is quite handy if you need to have stuff available on different devices or share it with others. I think one of the first to make this really easy, and to support all major OS's, was Dropbox. So I take Dropbox as the example, but this should work with Microsoft's SkyDrive and Google Drive as well. You have to put a certain amount of trust in these companies, and when it comes to data that is a little more sensitive it's advisable to encrypt it before uploading. My first approach was a TrueCrypt container, and this of course works very well, but when I stumbled upon EncFS, TrueCrypt became my second choice. The combination of Dropbox and EncFS works on all my OS's: Linux, Windows, MacOSX and Android - isn't that great? :-)
Let me state this right at the beginning: I gathered almost everything in this post from others and I will indicate the original source. I just wanted to put it all together - next time I need it I know where to look!


Linux

Let's start with my main OS and set up everything from here. I got all I needed to know from the guys at WebUpd8 - thanks for that! They concentrate on Ubuntu mostly but of course you can "translate" their howto's to Fedora as well. So, if you're running Ubuntu/Debian go ahead with their original post from here.

To install EncFS simply run:

# yum install fuse-encfs cryptkeeper

Cryptkeeper is a nice GUI for EncFS but installation is optional. Once installed, create the Dropbox folder which will hold your encrypted stuff, i.e.:

# mkdir ~/Dropbox/mystuff

and the folder where files are going to be mounted un-encrypted, i.e.:

# mkdir ~/Private

Now set up EncFS by:

# encfs ~/Dropbox/mystuff ~/Private

I followed recommendations by WebUpd8 and selected "p" for paranoia mode. Choose a password and you're set!

Using Debian I had to add my user to the "fuse" group before I could run encfs commands. So run as root:

# usermod -aG fuse <username>

Now start cryptkeeper (either by command line or by choosing the menu entry) and you'll find a new icon in your notification bar:


Right clicking the icon will give you some setting options. If you're running Gnome you should be fine. If you're running KDE you might want to replace nautilus with dolphin as filemanager. Left clicking the icon will let you choose to import an already setup EncFS folder. Choose this and add your folders created before. Now you can mount your encrypted filesystem by simply clicking the icon and selecting the filesystem. You might want to add cryptkeeper to your startup programs (run gnome-session-properties for this).
Once your EncFS is mounted you can drop files into your ~/Private folder and you will see them encrypted in ~/Dropbox/mystuff.

There is one (hidden) file though called ".encfs6.xml" (something like the public key for your encryption) and the guys at WebUpd8 suggest excluding it from being synced to Dropbox. Doing so will have two consequences:

  1. you'll have to copy this file manually to all other machines

  2. you won't be able to decrypt stuff on Android devices

However, if you'd like to do that, first copy the file somewhere else (as it's going to be deleted) and then exclude it, i.e.:

# cp ~/Dropbox/mystuff/.encfs6.xml ~/Downloads
# dropbox exclude add ~/Dropbox/mystuff/.encfs6.xml
# cp ~/Downloads/.encfs6.xml ~/Dropbox/mystuff


To reverse this run

# dropbox exclude remove ~/Dropbox/mystuff/.encfs6.xml

and the file will be synced again. (Maybe keep a backup of this file...)
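
What is inside ".encfs6.xml" decides how much excluding it buys you. The script below is an added example (not from this post or from WebUpd8): it reads an EncFS v6 config, checks that the paranoia-mode settings are really in it, and checks that it carries the salt, KDF iteration count and password-wrapped volume key. It assumes the flat element layout EncFS 1.7 writes; the sample file and its values are constructed.

```shell
# Added example: print the text of the first <tag>...</tag> element in file $1.
cfg_field() {
    sed -n "s:.*<$2>\(.*\)</$2>.*:\1:p" "$1" | head -n 1
}

# Succeed if the settings match what paranoia mode ("p") selects.
is_paranoia_cfg() {
    [ "$(cfg_field "$1" keySize)" = 256 ] &&
    [ "$(cfg_field "$1" blockMACBytes)" = 8 ] &&
    [ "$(cfg_field "$1" uniqueIV)" = 1 ] &&
    [ "$(cfg_field "$1" chainedNameIV)" = 1 ] &&
    [ "$(cfg_field "$1" externalIVChaining)" = 1 ]
}

# Succeed if the file carries the password-wrapped volume key, its salt and
# the KDF iteration count, i.e. all that is needed to test a password offline.
holds_wrapped_key() {
    [ -n "$(cfg_field "$1" encodedKeyData)" ] &&
    [ -n "$(cfg_field "$1" saltData)" ] &&
    [ -n "$(cfg_field "$1" kdfIterations)" ]
}

# Constructed sample config; the key and salt values are made up.
write_sample_cfg() {
    cat > "$1" <<'EOF'
<boost_serialization signature="serialization::archive" version="7">
  <cfg class_id="0" tracking_level="0" version="20">
    <keySize>256</keySize>
    <uniqueIV>1</uniqueIV>
    <chainedNameIV>1</chainedNameIV>
    <externalIVChaining>1</externalIVChaining>
    <blockMACBytes>8</blockMACBytes>
    <encodedKeyData>Q09OU1RSVUNURUQ=</encodedKeyData>
    <saltLen>20</saltLen>
    <saltData>U0FMVA==</saltData>
    <kdfIterations>150000</kdfIterations>
  </cfg>
</boost_serialization>
EOF
}

cfg=$(mktemp)
write_sample_cfg "$cfg"
is_paranoia_cfg "$cfg" && echo "paranoia-mode settings present"
holds_wrapped_key "$cfg" && echo "contains salt, KDF iterations and wrapped key"
rm -f "$cfg"
```

If the file stays in Dropbox next to the encrypted data, your password is the only thing protecting the volume key, so pick a long one.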

So far so good. As I have a bunch of notebooks running different OS's (sometimes I don't know why myself...) and an Android phone I need to be able to decrypt stuff on those devices as well. And this is the beauty of this stuff: there are ports for every OS! :-)

Android

Of course you need the Dropbox Android app installed. Then install "Cryptonite", which is a nice app for handling EncFS plus it's open source and free! Just search for cryptonite in Google's Play Store and install it. (In our setup you do not need a rooted device for that to work.) Now just run cryptonite and link it to your Dropbox account, choose "all folders", then select the mystuff folder, type your password and done!

You might want to read the "Security Considerations" though.

Windows

My "gamer" notebook runs Windows 7 and I found some nice instructions on d24m.de. I followed the howto given here (in German). You basically need something like fuse which comes for Windows as "Dokan". So download and install the latest Dokan library from here (at the time of writing version 0.60). Then get EncFS for Windows from here. It's a zip archive which can be extracted anywhere you want. Maybe C:\Program Files\encfs is a good idea. Now run encfsw.exe and you'll see a new key icon in your panel which works pretty much like cryptkeeper with Linux!


Choose "Open/Create" to import your Dropbox\mystuff folder and type your password. From there on you can simply mount your encrypted folder by selecting the "Mount ..." option. Also look into "Preferences" as this will let you autostart encfsw.exe.

MacOSX (Lion)

Again you'll need fuse to make EncFS work. There is a project named MacFuse but it doesn't seem to get a lot of attention lately and thus a 64bit version (which is required for Lion) is not available. Luckily there is a fork called Fuse4X and it works pretty well on Lion. So download the latest version from here (at the time of writing 0.90) and install it. Next you'll need EncFS compiled against Fuse4X - you'll find it here at LisaNet (German). Again, download and install. I haven't found a GUI so you'll have to use the command line to mount the encrypted folder (yeah, I know that's a tough one for a default Mac user... ;-) ). Create a folder as mount point first and open a terminal (or do both in the terminal):

# cd
# mkdir Private
# encfs ~/Dropbox/mystuff ~/Private


Open Finder and you'll see all decrypted files mounted as "fuse4x volume...":


You'll find the original howto for Mac OSX Lion again at d24m (in German) - thanks!

That's about it. Now you can use encrypted Dropbox folder(s) on every OS (Sorry, don't know about iOS though...). Thanks again for those nice howtos at WebUpd8 and d24m.de! And of course a big thanks to all those porting free software to proprietary operating systems! :-)

19 comments:

  1. Regarding a MacOSX GUI, found here: http://nulladventures.com/?tag=encfs

    Now, we have created an EncFS filesystem that's stored and synced on Dropbox. Mounting and unmounting via Terminal is a pain, though. To make this process easy and automated, we can use MacFusion. MacFusion creates a nice GUI around FUSE filesystems. To get it working with EncFS:

    Download and install Macfusion.
    Download and install the EncFS plugin for Macfusion.
    Run Macfusion. If Macfusion was already running, quit and restart it.
    Click the + dropdown and add a new EncFS configuration.
    Give the configuration an appropriate name in the first text field (e.g. Dropbox).
    For EncFS Raw Path, click Browse and find the Encrypted folder in your Dropbox folder.
    Enter your EncFS passphrase.
    Under the Macfusion tab, enter /Volumes/Encrypted Dropbox for Mount Point. Putting the Encrypted Dropbox under /Volumes will make your Mac treat the EncFS filesystem similarly to a USB thumbdrive.
    For Volume Name, enter something descriptive (e.g "Encrypted Dropbox").
    If you want your EncFS volume to have a special icon, you can copy an icon to the lock icon. For example, to make the icon be the standard Dropbox icon, go to your Applications folder, option-click on the Dropbox app, choose Get Info, then drag the icon under Preview to the lock area.
    Click OK. A new entry will be created for your Dropbox encrypted filesystem. Click on the Mount button to mount it. The Encrypted Dropbox volume should show up on your desktop.
    In the future, if you need to mount the volume again, you can use the Macfusion menu item to quickly do it.

  2. Be careful with this solution. I got a similar solution working apparently very nicely and relied heavily on it for most of my day-to-day data. In fact I had started writing a blog entry about it myself. But then some files started randomly becoming inaccessible to encfs on Linux. It's been about a year so I don't remember the details of the problem, but long and short, many files became unreadable eventually in any version of encfs and therefore the data in them lost. I had to restore unencrypted versions from backup (fortunately I continuously backup my dropbox folders!), but I did still lose some data.

    It would still be really nice to have a working solution like this, but it would really have to be solid and thoroughly tested - unless of course the data is constantly backed up, versioned indefinitely, and/or just not very important.

    For now, I just "rely" on Dropbox's encryption. Sure, it has weaknesses, and I don't exactly trust that some parties (like government agencies) can't access it at will - but the cost of existing cross-platform encryption workarounds (e.g. encfs, truecrypt, etc.) for me do not outweigh the benefits, at least for my data (which I would not break down in tears if it were all made public). I will note however that anything I store on dropbox that is potentially proprietary and I'd like to keep that way, I do encrypt with 7zip and AES.

  3. Thanks for the hint - I'll keep an eye on that! But haven't had any trouble so far...

  4. Hey,

    what if I want to access these encrypted files with another computer? Can I decrypt a single encfs encrypted file with any computer? I often work with multiple computers and I keep certain files in Dropbox so I can use them with any computer. It would be nice if those files would be safe (=encrypted).

    Or if disaster happens can I decrypt all of the files without the "mother computer" with the "Private" folder? For example if my laptop breaks down...

  5. I'm not sure if it's possible to encrypt single files, but why not drop them all into the same folder and encrypt that? And: yes, you may decrypt from any computer as long as you have the password and the file "encfs6.xml" is readable. In case of a corruption you would not be able to decrypt from any computer of course. So it's always advisable to keep backups somewhere safe :-)

  6. Thanks for your post. For the windows section it is not clear if you need to do a command-line entry to connect the mounted drive and the source directory as stated for the other Operating Systems.
    Nevertheless I tried it, but unfortunately it seemed unstable. Files added in the source directory sometimes appeared in the encrypted directory, but not always. And just for the monkey proof: What happens if a file is deleted in the source directory? Also: what happens if a file is deleted in the mounted drive?

  7. Hi Jim,
    Precious feedback but details should be provided and.... Issues troubleshooted instead of being abandoned as unsafe.
    Maybe it would be interesting to know if you used the same libraries and which versions.
    Cheers,
    G

  8. A common scenario I often face is needing my files (from stick or out of dropbox) on a computer where I have no admin rights (i.e. customer site). That kept me from the combination Truecrypt+Dropbox, as TC needs at least once admin rights to mount a container.
    Do you know if there is any portable (say: usbstick-installable) combination of Dokan+EncFS to mount encrypted folder/dropbox as simple user in windows?

  9. Sorry, I thought I made this clear: once you run "encfsw.exe" you'll have a new icon in the taskbar and from there you can manage your EncFS filesystems. As for your "unstability problems" - I never encountered them... Of course you should never alter/add/delete files in the encrypted directory - always use the mounted unencrypted for that.

  10. Hi Sonia,
    I'm not sure if there's anything like this which runs from usbstick. The EncFS part is likely to run from usbstick as there is no installation required - but I think you'll need admin privileges to install Dokan. I'm not an expert on Windows though as I mainly run and work with Unix/Linux... Let me know if you find something!

  11. very useful! thx for sharing. Hope to find something portable as well, in combination with dropbox portable ahk would be perfect...

  12. Many Thanks! I used to run encFS on Linux, now happy to see a working windows port. Thanks for the explanations, very easy to follow.

  13. [...] EncFS & Dropbox for Linux/Android/Windows/MacOSX [...]

  14. This is a great tool, however I'm missing something:
    How can I automount the space on Windows? With the described solution I get the tool autostarted, but that doesn't mount the folder. I still have to click on the tool, select mount and enter the password manually each time. As my whole computer is already encrypted, I would like to have the EncFS folder mounted without any further interaction, as possible on Linux with pam_mount.

  15. [...] let’s do this on our Fedora System. There are some good guides on that here, here and [...]

  16. I've been using EncFS on Win 7 Home Premium, accessing it many times in the last five months. It's worked wonderfully but I have run into a problem. I copied files into an EncFS drive/folder from a laptop with the same OS. The files are usable for a while but suddenly I start getting "access denied" errors. Strangely, the file previews remain available (maybe they're cached?). If I unmount and re-mount, access is restored. So it's like permissions are temporarily corrupted. This is somewhat inconvenient and unsettling and I'd appreciate if someone could prevent it.

  17. For Mac users, Fuse4X have decided to merge the project into OSXFUSE. You can install it using "brew install osxfuse". There is a detailed post of how to install and set up EncFS on Mac: http://ninjatips.com/encrypt-dropbox-using-encfs/

  18. Hi,

    the first question that comes to mind is: did you check if the corrupted files had the same md5 hashes with the originals? Dropbox had a (quite silenced) problem back in 2011 where they would deduplicate files that weren't actually duplicates....

  19. There is an easier way to use EncFS volumes on Mac OS X and Windows. It's called Safe, http://www.getsafe.org/
