Home / ubuntu / Questions / 193891
Accepted
stwissel
Asked: 2012-09-28 18:53:12 +0800 CST

Filesystem that gives an encrypted view of a directory—the inverse of EncFS

  • 772

Currently I'm using EncFS to encrypt my directory "confidential" to ".encconfidential" and sync that encrypted directory using an online service (e.g. Dropbox, UbuntuOne etc). However my entire disk is already LUKS encrypted, so the double encryption takes a toll on performance.

I wonder is there an "inverted" EncFS option? An unencrypted directory gets mounted and in the mounted directory you only see encrypted files. So I could work with the unencrypted documents while the sync tool sees and read/writes the encrypted files only.

Clarification: My primary use case is sync not backup. I want to be able to securely keep machines in sync without the double encryption penalty when operating local (I have to wait when I hit save, compared to transmission time an encrypted operation is a minimal increment in time - and it is background time, not user time)

backup

4 Answers

  1. Best Answer

    There actually is an Encfs "inverted" option. From the Encfs man page:

       --reverse
       Normally EncFS provides a plaintext view of data on demand.  Normally it stores enciphered data and displays plaintext data.  With --reverse it
       takes as source plaintext data and produces enciphered data on-demand.  This can be useful for creating remote encrypted backups, where you do
       not wish to keep the local files unencrypted.

       For example, the following would create an encrypted view in /tmp/crypt-view.

           encfs --reverse /home/me /tmp/crypt-view

       You could then copy the /tmp/crypt-view directory in order to have a copy of the encrypted data.  You must also keep a copy of the file
       /home/me/.encfs5 which contains the filesystem information.  Together, the two can be used to reproduce the unencrypted data:

           ENCFS5_CONFIG=/home/me/.encfs5 encfs /tmp/crypt-view /tmp/plain-view

       Now /tmp/plain-view contains the same data as /home/me

       Note that --reverse mode only works with limited configuration options, so many settings may be disabled when used.

    I have not tried it for syncing, but I think it would work as long as you use the same .encfs5 config folder at the other end.

    • 12

  2. Now for how to do exactly what you specify:

    What you're asking for is a read-only filesystem view that automatically encrypts any file that is read through it:

    ~/
    confidential/
        secret_file.txt      # Stored unencrypted
    .enc_confidential/       # Read-only view of files in confidential/
        secret_file.txt      # Encrypted view of corresponding file

    The standard way to do this is to use FUSE (Filesystem in User-space).

    For your use case, there already exists a FUSE filesystem that can do what you want, fuseflt. fuseflt gives a read-only view of a filesystem with arbitrary user-specified filters applied to each file that is read.

    In your case, the filter you want is an encryption program like gpg.

    See the documentation for how to write your config file. Basically, use flt_cmd = gpg --encrypt [... your chosen encryption settings] as the filter command.

    Be careful; if you mess up your configuration it might expose plaintext data to your Internet service. I would recommend my other answer for general use.

    Since you also need write support for syncing to work, it looks like you'll have to write your own FUSE filesystem. It probably won't be hard to modify the fuseflt sources to add write support; just fill in the write functions that aren't implemented. This would work the same way as the read support, calling a decryption filter instead of the encryption one.

    For writing your FUSE filesystem, several tutorials are available. Also see the FUSE wiki for more documentation.

    Once you do this, add your FUSE filesystem mount command to your .profile so that it mounts automatically on login.

    • 2

  3. It's possible in principle (using a FUSE filesystem), but a simpler option is to use a ready-made encrypted backup program using your online service as as the backup target.

    There are 2 suitable backup programs I know of. Both of these also give you the complete history of your files.

    Duplicity / Deja-Dup

    Duplicity (Ubuntu package) is a backup program that efficiently writes compressed, encrypted incremental backups to a remote location. The incremental backups are space-efficient because it uses the rsync algorithm to produce binary diffs.

    You can also use the Deja-Dup front-end, which is included by default in recent Ubuntu versions.

    Duplicity supports writing to many remote locations, or backends. In particular, Duplicity has an Ubuntu One backend. I don't think it directly supports Dropbox, but you can tell it to back up to the local directory that Dropbox syncs.

    If you're backing up large quantities of data, Duplicity is not suitable. Due to limitations in how it stores incremental backups, it requires periodically running a full backup, which entails uploading all your data.

    Obnam

    For larger backups, look at Obnam. It stores encrypted data deduplicated in a backup repository. To use it with a remote storage service, tell Obnam to back up to a repository in a location that Dropbox/Ubuntu One will sync. Since Obnam uses a B-tree-based repository format that only needs to write new/changed data to the repository, syncing should be fast.

    The disadvantage is that it requires storing 2 copies of your data on your hard disk (the canonical copy, and the copy in the backup repository).

    Ubuntu package link. There is also a PPA.

    • 1

  4. Another ready-made sync tool is Seafile. It is a one server multiple clients solution like dropbox. In the latest version there is an option to share encrypted folders in a way that the server won't know the key.

    See Seafile security features

    Hint: Seafile calls a shared folder a "Library", for better understanding of the documentation.

    • 0