Securing cloud backups with EncFS
Assuming you are on Debian/Ubuntu, install encfs
$ apt-get install encfs
Simply run
$ encfs ~/PATH/TO/ENCRYPTED_FOLDER ~/PATH/TO/FOLDER
to create an encrypted version of a folder
$ encfs ~/ENCFS/ENC/ ~/ENCFS/CLEAR/
Creating new encrypted volume.
Please choose from one of the following options:
enter "x" for expert configuration mode,
enter "p" for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.
?> p
Paranoia configuration selected.
Configuration finished. The filesystem to be created has
the following properties:
Filesystem cypher: "ssl/aes", version 3:0:2
Filename encoding: "nameio/block", version 3:0:1
Key Size: 256 bits
Block Size: 1024 bytes, including 8 byte MAC header
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File data IV is chained to filename IV.
File holes passed through to ciphertext.
New Encfs Password:
Verify Encfs Password:
Then copy a few files into CLEAR (the unencrypted folder), you can see there is the same number and size of files in the encrypted folder
./CLEAR:
total 19M
-rw-r----- 1 thattommyhall thattommyhall 5.5M Jul 17 17:10 Developing_Backbonedotjs_Applications.epub
-rw-r----- 1 thattommyhall thattommyhall 5.2M Jul 17 17:10 Developing_Backbonedotjs_Applications.mobi
-rw-r----- 1 thattommyhall thattommyhall 7.7M Jul 17 17:10 Developing_Backbonedotjs_Applications.pdf
./ENC:
total 19M
-rw-r----- 1 thattommyhall thattommyhall 5.5M Jul 17 17:10 3R4b6qteJLZmTzMGit2cWajhzkVG,rLw6xry2PujL4LSbtg3EgftaMWfhQk4fM5mc-C
-rw-r----- 1 thattommyhall thattommyhall 7.7M Jul 17 17:10 EnMiuriWbkgXYz7F9GsAzRlCBSpmHub7kvObd8fyFswVkhlUi-FzHaT7twrIHXsEOy5
-rw-r----- 1 thattommyhall thattommyhall 5.2M Jul 17 17:10 Z8izkCiMcMqBf,9a3a2smF3C6RAHQmicTi8UIgl7eCZfcRnOUVtwDq4kxrLM61Yc-n6
`
Getting md5 sums for the files.
~/ENCFS/ENC$ md5sum *
027a7ff02f785dbe211a91e9f218bea7 3R4b6qteJLZmTzMGit2cWajhzkVG,rLw6xry2PujL4LSbtg3EgftaMWfhQk4fM5mc-C
bd2635929cfab11349ba5dde73e0b303 EnMiuriWbkgXYz7F9GsAzRlCBSpmHub7kvObd8fyFswVkhlUi-FzHaT7twrIHXsEOy5
08786c915984a10532a2485f0e21ee4e Z8izkCiMcMqBf,9a3a2smF3C6RAHQmicTi8UIgl7eCZfcRnOUVtwDq4kxrLM61Yc-n6
If you edit one file, just one changes
~/ENCFS/ENC$ md5sum *
73a2f5ec8389aba5806b5b3eb267ed72 3R4b6qteJLZmTzMGit2cWajhzkVG,rLw6xry2PujL4LSbtg3EgftaMWfhQk4fM5mc-C
bd2635929cfab11349ba5dde73e0b303 EnMiuriWbkgXYz7F9GsAzRlCBSpmHub7kvObd8fyFswVkhlUi-FzHaT7twrIHXsEOy5
08786c915984a10532a2485f0e21ee4e Z8izkCiMcMqBf,9a3a2smF3C6RAHQmicTi8UIgl7eCZfcRnOUVtwDq4kxrLM61Yc-n6
If you create a directory structure, it is recreated in the encrypted folder with an obfuscated name
~/ENCFS/CLEAR$ mkdir -p one/two/three
~/ENCFS/CLEAR$ mv Developing_Backbonedotjs_Applications.epub one/two/three/
~/ENCFS/CLEAR$ cd ..
~/ENCFS$ tree ENC/
ENC/
├── EnMiuriWbkgXYz7F9GsAzRlCBSpmHub7kvObd8fyFswVkhlUi-FzHaT7twrIHXsEOy5
├── ViMb6X99i1TkJiAoyT-FHKTE
│ └── 7EVvTVP53WUQF0SiJFhG-jzO
│ └── azretaLwQ40MO38NDhqOlNXJ
│ └── mpIK4ZSAq0gRwTeQWOaJRE,rbxSAAW0V4Cp8VdGXFj37q6IRkHVqdwPeSU0sq0JGQi4
└── Z8izkCiMcMqBf,9a3a2smF3C6RAHQmicTi8UIgl7eCZfcRnOUVtwDq4kxrLM61Yc-n6
This fact means that it will play nice with file based backups, except if they do a diff style copy as the whole file is likely to look changed with each update.
To remount, simply run the same command as before and enter your password
$ encfs ~/ENCFS/ENC/ ~/ENCFS/CLEAR/
EncFS Password:
You can put the encrypted folder in your Dropbox, copy it to S3, rsync/scp it to a VPS somewhere and they will never be able to see your data, neither will the NSA.
OSX
Of course, if you use OSX - it’s easier. According to Emmanuel Bernard you just have to remember that the encfs in homebrew uses fuse4x which is now deprecated in favour of OSXfuse and simply do
$ brew install https://raw.github.com/jollyjinx/encfs.macosx/master/encfsmacosxfuse.rb
from a random github repo and wait while it compiles.
Windows
I did not know that fuse has been ported to windows as dokan and has encfs available here, should be easy enough to set up.
Android
Cryptonite looks good, but will not be as easy to set up as the others