USB sticks are the portable data storage of choice. They are small, and the data density is steadily increasing.
However, they are also very easy to lose or forget somewhere. To secure sensitive files from people who shouldn't see them, we need a simple tool to safely encrypt and decrypt them. Bonus points if the tool is portable (OS X, Linux, Windows?) and easy to handle.
From the manpage:
EncFS creates a virtual encrypted filesystem which stores encrypted data in the rootdir directory and makes the unencrypted data visible at the mountPoint directory. The user must supply a password which is used to (indirectly) encrypt both filenames and file contents.
The usage is easy. Create a directory on the USB stick, which you'll then mount using encfs. My USB stick IO has a directory .crypt with all the encrypted data. When I mount this directory with encfs--and the correct passphrase--I'll get an unencrypted view of the data.
    # Usage: encfs <encrypted_dir> <decrypted_dir>
    # If this is our first run, all the directories are created for us.
    % encfs /Volumes/IO/.crypt ~/IO/
    Directory "/Volumes/IO/.crypt" does not exist, create (y,n)?y
    Directory "/Users/sven/IO" does not exist, create (y,n)?y
    Creating new encrypted volume.
    Please choose from one of the following options:
     enter "x" for expert configuration mode,
     enter "p" for pre-configured paranoia mode,
     anything else, or an empty line will select standard mode.
    ?>

    Standard configuration selected.
    Using cipher Blowfish, key size 160, block size 512
    New Password: <password entered here>
    Verify: <password entered here>
Let's create some highly sensitive data:
    # in the encrypted/mounted directory
    % cd ~/IO
    % echo "top secret stuff" > info.txt
    % ls
    info.txt
This is what it looks like in the .crypt directory on the USB stick:

    % ls /Volumes/IO/.crypt/
    jxnLg3Us02II7XscN8KqIydA
OS X specifics
You need osxfuse in order to install encfs via Homebrew.
    % brew install encfs
    osxfuse: Building this formula from source isn't possible due to OS X
    Yosemite and above's strict unsigned kext ban.

    You can install with Homebrew Cask:
      brew install Caskroom/cask/osxfuse

    You can download from:
      http://sourceforge.net/projects/osxfuse/files/
    Error: An unsatisfied requirement failed this build.

    # update brew and brew-cask
    % brew update && brew upgrade brew-cask && brew cleanup && brew cask cleanup

    % brew install Caskroom/cask/osxfuse
    🍺 osxfuse staged at '/opt/homebrew-cask/Caskroom/osxfuse/2.7.5' (6 files, 8,5M)

    % brew install encfs
    🍺 /usr/local/Cellar/encfs/1.8.1: 64 files, 1,6M, built in 42 seconds
You can supply a volume name to encfs (which passes it to FUSE). Now the drive on your desktop has a nice descriptive name.

    % encfs -o volname=encfs /Volumes/IO/.crypt/ ~/IO/
EncFS is also often used to encrypt directories in Dropbox. However, the security audit by Taylor Hornby identifies some issues with the software when it is used with cloud storage providers:
EncFS is probably safe as long as the adversary only gets one copy of the ciphertext and nothing more. EncFS is not safe if the adversary has the opportunity to see two or more snapshots of the ciphertext at different times. EncFS attempts to protect files from malicious modification, but there are serious problems with this feature.
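What the "two or more snapshots" caveat means for a synced directory, as an added shell example (not code from this post or from the audit): comparing two copies of the ciphertext directory shows which files were added and which 512-byte blocks changed, with no passphrase involved. The random bytes standing in for ciphertext, the file name constructed-new-file, and the assumption that an edit rewrites only the ciphertext blocks it touches are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the post or the audit): what two copies of an
# EncFS ciphertext directory reveal without the passphrase.
BLOCK=512   # block size printed by encfs in the session above

# Indices (0-based) of BLOCK-sized blocks that differ between two files.
changed_blocks() {
    cmp -l "$1" "$2" 2>/dev/null | awk -v b="$BLOCK" '
        { i = int(($1 - 1) / b)
          if (!(i in seen)) { seen[i] = 1; out = out (out == "" ? "" : " ") i } }
        END { print out }'
}

# Report files added, removed or modified between two snapshot directories.
snapshot_diff() {
    old=$1; new=$2
    for f in "$new"/*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        if [ ! -e "$old/$name" ]; then
            echo "added $name"
        elif ! cmp -s "$old/$name" "$f"; then
            echo "modified $name blocks: $(changed_blocks "$old/$name" "$f")"
        fi
    done
    for f in "$old"/*; do
        [ -e "$f" ] || continue
        [ -e "$new/${f##*/}" ] || echo "removed ${f##*/}"
    done
}

# Build two constructed snapshots: random bytes stand in for ciphertext
# (assumption: an edit rewrites only the ciphertext blocks it touches).
make_demo() {
    d=$(mktemp -d) && mkdir "$d/old" "$d/new"
    head -c 2048 /dev/urandom > "$d/old/jxnLg3Us02II7XscN8KqIydA"
    cp "$d/old/jxnLg3Us02II7XscN8KqIydA" "$d/new/"
    # simulate an edit inside block 2 (bytes 1024-1535)
    head -c 512 /dev/zero | tr '\0' 'A' |
        dd of="$d/new/jxnLg3Us02II7XscN8KqIydA" bs=512 seek=2 conv=notrunc 2>/dev/null
    head -c 700 /dev/urandom > "$d/new/constructed-new-file"
    echo "$d"
}

demo=$(make_demo)
snapshot_diff "$demo/old" "$demo/new"
rm -rf "$demo"
```

On a USB stick that is lost once, an observer gets a single copy and this comparison has nothing to work with; a cloud provider that keeps file history gets every version.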
The section about Disk Encryption on PrismBreak.org lists a couple of alternatives to EncFS. For Linux users, cryptsetup is the recommended utility, which focuses on the convenient setup of full disk encryption.