Encrypting files with EncFS

Photo Credit: Getty Images

Encrypting files with EncFS

USB sticks are the portable data storage of choice. They are small, and the data density is steadily increasing.

However, they are also very easy to lose or forget somewhere. To secure sensitive files from people who shouldn't see them, we need a simple tool to safely encrypt and decrypt them. Bonus points if the tool is portable (OS X, Linux, Windows?) and easy to handle.

Enter encfs.


From the manpage:

EncFS creates a virtual encrypted filesystem which stores encrypted data in the rootdir directory and makes the unencrypted data visible at the mountPoint directory. The user must supply a password which is used to (indirectly) encrypt both filenames and file contents.

The usage is easy. Create a directory on the USB stick, which you'll then mount using encfs. My USB stick IO has a directory .crypt with all the encrypted data. When I mount this directory with encfs--and the correct passphrase--I'll get an unencrypted view of the data.

# Usage: encfs <encrypted_dir> <decrypted_dir>
# If this is our first run, all the directories are created for us.
% encfs /Volumes/IO/.crypt ~/IO/
Directory "/Volumes/IO/.crypt" does not exist, create (y,n)?y
Directory "/Users/sven/IO" does not exist, create (y,n)?y
Creating new encrypted volume.
Please choose from one of the following options:
 enter "x" for expert configuration mode,
 enter "p" for pre-configured paranoia mode,
 anything else, or an empty line will select standard mode.

Standard configuration selected.
Using cipher Blowfish, key size 160, block size 512
New Password: <password entered here>
Verify: <password entered here>

Let's create some highly sensitive data:

# in the encrypted/mounted directory
% cd ~/IO
% echo "top secret stuff" > info.txt
% ls

This is how it looks like in the .crypt directory on the USB stick:

% ls /Volumes/IO/.crypted/

OS X specifics


You need osxfuse in order to install encfs via Homebrew.

% brew install encfs
osxfuse: Building this formula from source isn't possible due to OS X
Yosemite and above's strict unsigned kext ban.

You can install with Homebrew Cask:
  brew install Caskroom/cask/osxfuse

You can download from:
Error: An unsatisfied requirement failed this build.

# update brew and brew-cask
% brew update && brew upgrade brew-cask && brew cleanup && brew cask cleanup

% brew install Caskroom/cask/osxfuse
🍺  osxfuse staged at '/opt/homebrew-cask/Caskroom/osxfuse/2.7.5' (6 files, 8,5M)

% brew install encfs
🍺  /usr/local/Cellar/encfs/1.8.1: 64 files, 1,6M, built in 42 seconds


You can supply a volume name to encfs (which passes it to FUSE). Now the drive on your desktop has a nice descriptive name.

% encfs -o volname=encfs /Volumes/IO/.crypted/ ~/IO/

Security considerations

EncFS is also often used to encrypt directories in Dropbox. However, the security audit by Taylor Hornby shows some issues of the software when used with cloud storage providers:

EncFS is probably safe as long as the adversary only gets one copy of the ciphertext and nothing more. EncFS is not safe if the adversary has the opportunity to see two or more snapshots of the ciphertext at different times. EncFS attempts to protect files from malicious modification, but there are serious problems with this feature.

The section about Disk Encryption on PrismBreak.org lists a couple of alternatives to EncFS. For Linux users, cryptsetup is the recommended utility, which focuses on the convenient setup of full disk encryption.

Further resources

  • EncFS DESIGN.md describes usage and encryption technology
  • EncfsAnywhere, an EncFS capable fileviewer for Dropbox that runs entirely in your browser
  • encfs4win, an experimental project of porting encfs to the Windows world