For notes about internationalization, see README-NLS.

EncFS is a program which provides an encrypted virtual filesystem for Linux using the FUSE kernel module ( see http://sourceforge.net/projects/avf to download the latest version of FUSE ). FUSE provides a loadable kernel module which exports a filesystem interface to user-mode. EncFS runs entirely in user-mode and acts as a transparent encrypted filesystem.

Usage:

• To see command line options, see the man page for encfs and encfsctl, or for brief usage message, run the programs without an argument (or '-h'): % encfs -h % man encfs

• To create a new encrypted filesystem: % encfs [source dir] [destination mount point]

  eg.: "encfs ~/.crypt ~/crypt". Both directories should already exist, although Encfs will ask if it can create them if they do not. If the "~/.crypt" directory does not already contain encrypted filesystem data, then the user is prompted for a password for the new encryption directory. The encrypted files will be stored in ~/.crypt, and plaintext access will be through ~/crypt

• To mount an existing filesystem: % encfs [source dir] [destination mount point]

  This works just like creating a new filesystem. If the Encfs control file is found in the directory, then an attempt is made to mount an existing filesystem. If the control file is not found, then the filesystem is created.

Technology:

• Encfs uses algorithms from third-party libraries (OpenSSL is the default) to encrypt data and filenames.

• a user supplied password is used to decrypt a volume key, and the volume key is used for encrypting all file names and contents. This makes it possible to change the password without needing to re-encrypt all files.

• EncFS has two encryption modes, which are used in different places:

  • Stream encryption: Used for filenames and partial blocks at the end of files. The cipher is run in CFB stream mode in multiple passes over the data, with data order reversal between passes to make data more interdependent.
  • Block encryption: Fixed size filesystem blocks are encrypted using the cipher in CBC mode. The filesystem block size is a multiple of the cipher block size, and is configurable on filesystem creation and can be up to 4096 bytes in size. Each block has a deterministic initialization vector which allows for simple random access to blocks within a file.

• Filename encryption:

  Filenames are encrypted using either a stream mode or a block mode, in both cases with an initialization vector based on the HMAC checksum of the filename.

  Using a deterministic initial vector allows fast directory lookups, as no salt value needs to be looked up when converting from plaintext name to encrypted name. It also means very similar filenames (such as "foo1" and "foo2") will encrypt to very different values, to frustrate any attempt to see how closely related two files are based on their encrypted names.

• Data blocks are handled in fixed size blocks (64 byte blocks for Encfs versions 0.2 - 0.6, and user specified sizes in newer versions of Encfs, defaulting to 512 byte block). The block size is set during creation of the filesystem and is constant thereafter. Full filesystem blocks are encrypted in the cipher's block mode as described above. Partial filesystem blocks are encrypted using the cipher's stream mode, which involves multiple passes over the data along with data reordering to make the data in the partial block highly interdependent.

  For both modes this means that a change to a byte in the encrypted stream may affecting several bytes in the deciphered stream. This makes it hard for any change at all to go unnoticed.

  An additional option is to store Message Authentication Codes with each filesystem block. This adds about 8 bytes of overhead per block and a large performance penalty, but makes it possible detect any modification within a block.

  Also during filesystem creation, one can enable per-file initialization vectors. This causes a header with a random initialization vector to be maintained with each file. Each file then has its own 64 bit initialization vector which is augmented by the block number - so that each block within a file has a unique initialization vector. This makes it infeasible to copy a whole block from one file to another.

Backward Compatibility:

At the top level of the raw (encrypted) storage for an EncFS filesystem is a configuration file, created automatically by EncFS when a new filesystem is made.

In Encfs versions 0.2 to 0.6, the file was called ".encfs3" - meaning version 3 of the Encfs configuration file format (earlier versions 1 and 2 were prior to the encfs public release). EncFS 1.0.x used ".encfs4", and the Encfs 1.1.x uses yet another format (".encfs5"). The encfsctl program can be used to show information about a filesystem.

Encfs 1.1 can read and write to existing filesystems, but older versions will not be able to mount a filesystem created by a newer version, as the newer versions use algorithms and/or new options which were not previously available.

Utility:

In addition to the "encfs" main program, a utility "encfsctl" has been provided which can perform some operations on encfs filesystems. Encfsctl can display information about the filesystem for the curious (the encryption algorithm used, key length, block size), and more importantly it can also change the user-supplied password used to encrypt the volume key.

Dependencies:

Encfs uses the OpenSSL toolkit (http://www.openssl.org) by default. OpenSSL is not covered by the GPL, and some people are concerned about the licenses being incompatible. Although I believe it should be clear that I intended to allow linking encfs with OpenSSL, I will make it more explicit:

As a special exception to encfs's GPL license, the copyright holders give permission to link the code or portions of this program with the OpenSSL library, and distribute linked combinations including the two. This exception should be construed as narrowly as possible to allow OpenSSL to be used and distributed as part of encfs.