Userspace Filesystem Encryption with EncFS
by KIVILCIM Hindistan
For a long time now, computer-related theft has been a real problem. The most likely targets of these thefts are laptops and USB sticks, which are obviously very easy to lift (and leave with). Desktop computers and backup media are stolen less frequently. In all of these cases, much of the time, the data stored on the media is more valuable than both the computer and the media. An important question is how to protect valuable data in our computer's storage areas.
Woes of Encryption
A solution may be to use gpg or similar PKI-based file encryption, but that is still far from transparent and key maintenance is still not very practical. When you consider that you may have to work with several files at a time, this solution becomes even less practical.
The immediate solution is to use an encrypted filesystem, which will encrypt all of the data written into the filesystem and decrypt it on the fly when you need to access it. Though this may solve most of the problems, it has performance/privacy trade-offs; the encryption of your latest work may be good, but the encryption of your favorite text editor or your browser's cache files may be unnecessary.
There's another partial solution related to partitioning on Linux: having all of the system files on an unencrypted partition and the data files on an encrypted partition. As a best-of-both-worlds solution, this seems to solve both the performance and privacy problems, in theory. However, in real life, setting up such a partitioning scheme may not be easy; you may not have the rights to repartition a multi-user system, or your hard disk layout may make it very difficult to repartition.
The problem is bigger with USB sticks, for you may want to use those sticks to store your private data as well as to exchange some other data with others, probably Windows users. Having a filesystem-wide encryption scheme would subvert that goal. Many projects have tried this classical approach. The most famous are Loopback, CFS, and TCFS.
A new and different approach to this problem is EncFS. EncFS runs in userspace, meaning that you do not have to compile kernel modules or have administrative rights. Its most important feature is that it can encrypt individual directories rather than a whole filesystem or partition. It is simple to use and to implement, and on a modern CPU the performance loss is almost negligible, because even a 1.5GHz CPU often waits for RAM or hard disk I/O and has enough power to spare to perform encryption and decryption on the fly.
Valient Gough's EncFS page