How to Encrypt a Filesystem with Fuse-EncFS on Fedora

by Todd Warner

This mini-howto walks you through encrypting selected portions of your filesystem using Fuse + EncFS; specifically, protecting your Thunderbird email and private Firefox browser data on a Fedora Linux platform. Fedora rocks by the way.

Note: this has been tested on Fedora Core 5, Core 6, 7 and 8.

Useful links:

Install Fuse and EncFs and Set Up Permissions:

  • Log in as or switch user to root.
  • yum install fuse-encfs
  • Add each user who will create a protected mount point to the fuse Unix group; the -a flag appends, so the user's existing group memberships are preserved.
    usermod -a -G fuse username
  • Ensure the fuse service is started
    service fuse start
  • Log out of X and log back in again (makes the permissions stick throughout the X environment).

Create Your Encrypted Filesystem (as a normal user):

  • The directory tree under ~/._raw-efs holds the encrypted data; ~/efs is the mountpoint where the decrypted view appears.
    mkdir ~/efs ~/._raw-efs
  • Create and mount the encrypted filesystem, choosing the options listed below when prompted.
    encfs ~/._raw-efs ~/efs
    • x (for expert mode)
    • AES
    • 256bit key size
    • 4096 byte block size
    • "Block" filename encoding
    • the defaults for the rest
  • Unmount the filesystem.
    fusermount -u ~/efs # unmount it

Test It (as a normal user):

  • Mount the encrypted filesystem.
    encfs ~/._raw-efs ~/efs
  • efs should show up as mounted.
    mount | grep fuse
  • Create an "I'm mounted" flag that is useful for scripting. If the filesystem is not mounted, you will not see this file.
    touch ~/efs/.mounted-flag
  • Test with a simple text file.
    echo "this is a test" > ~/efs/test-file.txt
  • Read it back.
    cat ~/efs/test-file.txt
  • Unmount the filesystem.
    fusermount -u ~/efs
  • The test file should not be visible, since the filesystem is no longer mounted.
    cat ~/efs/test-file.txt
  • The mount flag should not be visible either, for the same reason.
    ls -a ~/efs/.mounted-flag
  • The mountpoint should be empty.
    ls -a ~/efs
  • The encrypted directory tree should show only gibberish: encrypted filenames with encrypted contents.
    ls -l ~/._raw-efs

Using It with Firefox and Thunderbird:

  • Mount the encrypted filesystem.
    encfs ~/._raw-efs ~/efs
  • Shut down Firefox and Thunderbird if they are open.
  • Change directory to your home directory.
    cd ~/
  • Move the Mozilla (Firefox) tree over, if it exists.
    mv .mozilla efs/
  • Move the Thunderbird tree over, if it exists.
    mv .thunderbird efs/
  • Create a soft link (symlink) from your home directory into the encrypted filesystem. The -s flag is required: a plain ln would attempt a hard link, which is not permitted for directories.
    ln -s efs/.thunderbird .
  • Do the same for the Mozilla tree.
    ln -s efs/.mozilla .

You can now crank up Firefox and Thunderbird, and all sensitive data will be placed in the encrypted filesystem. Without scripting, you will have to mount the encrypted directory before opening the browser or email client. Don't limit this to just Firefox and Thunderbird; for example, all my instant messaging private information is stored in ~/efs/.purple/.

Scripting:

I scripted opening and closing the encrypted filesystem. You can also script auto-mounting of this directory upon login fairly simply. I have my desktop set up so that Firefox, Thunderbird, and Pidgin all symlink their .* directories under ~/efs. The launch scripts all look for that .mounted-flag file. If it doesn't exist, the scripts mount the encrypted filesystem. I use gnome-ssh-askpass to graphically ask for the password ($SSH_ASKPASS). FIXME: More on this later.
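A launcher wrapper of the kind described above, added here as an example (it is not the author's script, which the page does not include). It assumes the ~/efs and ~/._raw-efs layout and the .mounted-flag file from this howto, and uses encfs's --extpass option to hand the password prompt to the askpass program named in $SSH_ASKPASS.

```shell
#!/bin/sh
# efs-launch: mount the encrypted filesystem if needed, then start an application.
# Usage: efs-launch firefox   (or thunderbird, pidgin, ...)

EFS_RAW="${EFS_RAW:-$HOME/._raw-efs}"   # encrypted backing store (from this howto)
EFS_MNT="${EFS_MNT:-$HOME/efs}"         # cleartext mount point (from this howto)
EFS_FLAG=".mounted-flag"                # flag file created inside the mounted tree

# Return 0 when the flag file is visible under the given mount point.
# When EncFS is not mounted, the mount point is an empty directory and the
# flag is absent, so this is the "am I mounted?" check from the howto.
efs_is_mounted() {
    [ -e "$1/$EFS_FLAG" ]
}

# Mount the encrypted tree. With $SSH_ASKPASS set (e.g. gnome-ssh-askpass),
# encfs --extpass asks for the password graphically instead of on the terminal.
efs_mount() {
    if [ -n "$SSH_ASKPASS" ]; then
        encfs --extpass="$SSH_ASKPASS" "$EFS_RAW" "$EFS_MNT"
    else
        encfs "$EFS_RAW" "$EFS_MNT"
    fi
}

# Mount only if not already mounted; re-check the flag afterwards, because a
# mount that succeeded with the wrong password shows an empty tree, no flag.
efs_ensure_mounted() {
    efs_is_mounted "$EFS_MNT" && return 0
    efs_mount || return 1
    efs_is_mounted "$EFS_MNT"
}

# Refuse to start the application if the cleartext tree is not available,
# so it cannot silently create a fresh, unencrypted profile in the mount point.
efs_launch() {
    app="$1"; shift
    if ! efs_ensure_mounted; then
        echo "efs-launch: $EFS_MNT is not mounted; not starting $app" >&2
        return 1
    fi
    exec "$app" "$@"
}

# Only act when invoked with an application name, so the file can also be sourced.
if [ $# -gt 0 ]; then
    efs_launch "$@"
fi
```

Unmount with `fusermount -u ~/efs` when you are done, as in the steps above, so the decrypted view does not stay open on an unattended desktop.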

This should be enough to get you going. Good luck and safe travels for both you and your private data.

Article Todo

  1. Flesh out entire article.
  2. Add "what is Fuse?" "what is EncFS?" "why?" etc.
  3. Add note about scope of encryption and the dangers of leaving it mounted.
  4. Add a howto on having new users automatically added to the fuse group upon creation.
  5. Add a howto on scripting the mounting of the directory.
  6. Add a howto on scripting Firefox, Thunderbird, and Pidgin launching.

Last updated: 2008-02-08