Using EncFS with graphical front ends

Cryptography software has a reputation for being difficult to deal with. However, EncFS plus the graphical front ends Cryptkeeper and Gnome Encfs Manager make it easy even for unschooled encryption users to secure their data with onboard tools. These tools encrypt file blocks with the AES algorithm; the key length is 256 bits.

As its name suggests, EncFS is a cryptographic program that does not secure data by packing it into containers. Instead, it works as a virtual filesystem that is also encrypted. It sits on top of the FUSE module and therefore does its work in user space. Consequently, it does not require administrative rights.

EncFS offers many additional advantages over other solutions. You do not need to worry about setting up special partitions or containers. The system uses only the space actually required by the encrypted data. There are no outsized containers or partitions to squander storage.

Moreover, EncFS does not require a particular filesystem. It cooperates just as well with ext3/4 as it does with XFS, as well as over a network with NFS. However, when applied as a userspace solution, EncFS is suitable only under certain circumstances for encrypting larger amounts of data. This is because rerouting over the FUSE kernel module causes the system to work significantly more slowly than a native filesystem.

Used jointly with backup programs, which are also not always concerned with speed, EncFS shows its strengths by working in a completely transparent fashion and by integrating the encrypted pieces of data into the filesystem as conventional directories and files.

Installation

You will find EncFS in the software repositories of most major distributions. Depending on the derivative, the binary packages may be named differently. For example, the RPM package in Fedora is found under fuse-encfs; if you are running Ubuntu or Debian, you need only look for encfs.

A warning about a potential security breach in the software will appear when you install EncFS from the package sources, even with the current version 1.8.1. Taylor Hornby discovered this security issue while performing a security audit at the beginning of 2014 [1]. According to his results, the then-current version of EncFS was vulnerable to attackers who wanted to decrypt encrypted files. The danger of this kind of attack arose when multiple versions of files had been sequentially saved to a data storage device. As a consequence of this discovery, it was recommended that the tool not be used for encrypting data that would be placed in the cloud, since multiple versions of a file or folder are customarily stored there (Figure 1).

Figure 1: A warning appears during installation informing the user of potential security breaches in the program. These vulnerabilities were discovered by Taylor Hornby during an audit performed in 2014.

The graphical front-end Cryptkeeper can also be found in the repositories of all major Linux distros and their derivatives. As with EncFS, there are even different versions for 32-bit and 64-bit architectures. This is not the case when Gnome Encfs Manager is used as an alternative EncFS front end. However, this manager is available for some RPM and DEB-based distributions on external software collections [2].

In order to install the Gnome Encfs Manager under Ubuntu and its derivatives, the user should first integrate the accompanying PPA [3] in the system, then update the package sources, and install the software (Listing 1). As with Cryptkeeper, the installation routine will show a starter in the Launcher.

Listing 1

Installing Gnome Encfs Manager

$ sudo add-apt-repository ppa:gencfsm/ppa
$ sudo apt-get update
$ sudo apt-get install gnome-encfs-manager

The Gnome Encfs Manager is suitable for more desktop environments than just Gnome. In each case, the package manager automatically pulls in any required dependencies. Moreover, the program's source code is available for download [4].

Cryptkeeper

A symbol in the shape of a key will appear in the desktop panel bar once the Cryptkeeper starter is clicked. A right click on this symbol opens the context menu where you can then select the Preferences entry. A small dialog lets you choose only basic options such as the preferred file manager. The dialog offers the Gnome file manager Nautilus as a default option. It is a good idea for users working with a different desktop to enter the file manager of the relevant work interface so that Cryptkeeper can be integrated as seamlessly as possible into the system (Figure 2). If you use Unity, Nautilus is fine.

Figure 2: The settings dialog for Cryptkeeper is limited to the essentials. This makes everything easier.

It is also a good idea to enter a number in the Deactivate folder when not in use (Minutes): option. If you have not modified the encrypted folder once the designated time period expires, then the software will automatically deactivate the folder. After completing the setup, left click on the key symbol and select the New encrypted folder entry.

In the dialog that opens, select a folder from the integrated file manager as a location for the directory to be encrypted. Then enter a label via the Name: option (Figure 3). After clicking on the Forward button in the lower left, enter a password for the encrypted folder in the next dialog and confirm it in the second entry field.

Figure 3: It only takes a few mouse clicks and the entry of a password to set up a new, encrypted folder.

Another click on Forward places the folder in the specified location and opens it directly in the file manager. Along with this directory, EncFS sets up a second, hidden directory of the same name plus the extension _encfs. The software will set up encrypted equivalents for all of the folders and files that the user copies to the original directory (Figure 4).

Figure 4: EncFS keeps the encrypted equivalents with the file extension encfs in a hidden parallel folder. The program retains the original directory structure and also identifies the file size, the rights, and the owner.

When the folder is deactivated, the actual directory appears to be empty; only the encrypted data stays in the hidden folder. Although EncFS also encrypts the file and directory names, it retains the folder structure. The size, owner, and rights for individual files can still be read. This allows an observer to draw at least vague inferences about the original contents.
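To check what the hidden folder gives away before copying it to shared or synced storage, the following sketch lists everything that is readable without the password. It is an added example, not part of the original article or of EncFS; the function names are hypothetical, and the sample tree is constructed to stand in for a real encrypted folder.

```python
import os
import stat
import tempfile
from collections import Counter

def observable_metadata(cipher_root):
    """Collect what is visible in the encrypted folder without the password."""
    records = []
    for dirpath, dirnames, filenames in os.walk(cipher_root):
        rel = os.path.relpath(dirpath, cipher_root)
        depth = 0 if rel == "." else rel.count(os.sep) + 1
        for name in dirnames + filenames:
            st = os.lstat(os.path.join(dirpath, name))
            records.append({"depth": depth + 1, "is_dir": stat.S_ISDIR(st.st_mode),
                            "size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
                            "uid": st.st_uid})
    return records

def summarize(records):
    """Condense the records into the inferences an observer could draw."""
    files = [r for r in records if not r["is_dir"]]
    return {
        "directories": sum(r["is_dir"] for r in records),
        "files": len(files),
        "max_depth": max((r["depth"] for r in records), default=0),
        "sizes": Counter(r["size"] for r in files),  # equal sizes hint at related files
        "owners": sorted({r["uid"] for r in records}),
        "readable_by_others": sum(bool(r["mode"] & 0o044) for r in files),
    }

def build_sample_tree(root):
    """Constructed stand-in for an encrypted folder: opaque names, real structure."""
    layout = {"k3Jq-fA": 4096, "Zt9,pLw/Qm2x": 120, "Zt9,pLw/b7Rr/Yc0": 120}
    for rel, size in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(os.urandom(size))
        os.chmod(path, 0o600)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(summarize(observable_metadata(build_sample_tree(tmp))))
```

Pointing observable_metadata at a real hidden _encfs folder instead of the sample tree gives the same report for your own data.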

It is a good idea to set up a corresponding entry in the auto-start administration for the system so that Cryptkeeper starts automatically when the computer boots. As soon as the key symbol appears in the system tray after a restart, the software works as desired.

In order to mount a folder, click on the key symbol and select the desired directory from the menu. The program asks for a password, integrates the folder into the system once the password is entered, and opens it in the file manager.

Administration

Cryptkeeper lets the user set up multiple encrypted directories according to the method described here. Each of these appears in the list view for the context menu. A check mark in front of an entry signals that the folder has been activated in the system. One mouse click on an activated folder deactivates it.

In order to administer Cryptkeeper files, click in the context menu on the Edit entry. The software will open a window where all of the encrypted folders will be listed to the left in a list view. To the right, you will find three buttons for deleting folders no longer used and modifying the password for the selected directory. If you want to delete a folder, the corresponding routine will ask whether the designated folder is really supposed to be deleted. Then it will ask whether you really want to delete all of the encrypted files that the folder contains. Once these questions are answered affirmatively, the tool will remove the directory from the system (Figure 5).

Figure 5: You can process the encrypted folders in an easy-to-use dialog.

Gnome Encfs Manager

The Gnome Encfs Manager also integrates automatically into the system tray in other desktop environments. It will appear as a small symbol composed of a folder and key. In order to get the user interface onto the desktop, click on this icon and then on Show Manager in the context menu that opens. A window will appear with an empty list view and a buttonbar sitting horizontally at the top. A menubar sits at the upper edge of the window itself (Figure 6).

Figure 6: The Gnome Encfs Manager also has a minimalistic look and feel.

You navigate to the configuration dialog by clicking on the menu Manager and then picking Preferences. You can then specify the basic settings, such as automatic program start during system boot or the display options for the symbol in the system tray.

Navigate to a dialog for defining the directory to be encrypted and the mount directory by clicking on Manager | Create or import a stash. When finished, enter a password for the folder that will be encrypted. You can also open this dialog by clicking on the plus button in the toolbar. After setting up the directory, it will appear in the list view of the main window. You can set up multiple directories at this point and selectively integrate them into the system (Figure 7).

Figure 7: The simple user interface makes it possible for even the most inexperienced user to easily set up and encrypt a new directory.

You can specify individual options for each folder by clicking on the Stash | Configure menu. So, for example, you can specify a time period after which the software will automatically deactivate a directory that has remained idle. System behavior during boot can also be defined at this point. If necessary, you can change the password by clicking on Stash | Change Password for each tagged folder.

Management

In order to work with the encrypted directory, activate the directory with a mouse click on the name in the applet. You can deactivate a directory in the same way.

You remove a folder by clicking on the red cross symbol in the buttonbar in the program window. Alternatively, you can navigate to Remove | Directory. With this approach, you can also specify in a special dialog whether the relevant folder should be removed solely from the program window or completely deleted from the data storage device. If you choose to only remove the folder from the list view for the program window, then the data will persist, and the encrypted folder can later be integrated into the system again.

Conclusion

EncFS and its front-end Cryptkeeper provide you with an extremely easy way to encrypt important data and secure it against outside attack. These software packages are stable, reliable, and uncomplicated to install.

The tools for the packages are limited to the essentials, thus letting beginners get started right away without prior training. This ease of use holds true for non-native English speakers as well, in spite of the fact that the software has language localization issues.

The software combination is suitable for encrypting local and limited amounts of data. Potential vulnerability issues related to multiple versions of identical data were discovered in 2014. You should keep these security issues in mind when applying EncFS-based solutions in the cloud or on servers containing different versions of the same folder.