Encfs

De WikiMar
Dreceres ràpides: navegació, cerca


Linux GUI

Ubuntu: Ubuntu#encfs


Linux

Create a new encfs volume

Important to disable the default enabled options:

Enable filename initialization vector chaining?
Enable per-file initialization vectors?

So that the encrypted folder can easier syncronize with btsync.

# encfs -o allow_other /media/marti/W2000LUKS/.W2000LUKS_ENC /media/marti/W2000LUKS_ENC
The directory "/media/marti/W2000LUKS/.W2000LUKS_ENC/" does not exist. Should it be created? (y,n) y
Creating new encrypted volume.
Please choose from one of the following options:
 enter "x" for expert configuration mode,
 enter "p" for pre-configured paranoia mode,
 anything else, or an empty line will select standard mode.
?> x

Manual configuration mode selected.
The following cipher algorithms are available:
1. AES : 16 byte block cipher
 -- Supports key lengths of 128 to 256 bits
 -- Supports block sizes of 64 to 4096 bytes
2. Blowfish : 8 byte block cipher
 -- Supports key lengths of 128 to 256 bits
 -- Supports block sizes of 64 to 4096 bytes

Enter the number corresponding to your choice: 1

Selected algorithm "AES"

Please select a key size in bits.  The cipher you have chosen
supports sizes from 128 to 256 bits in increments of 64 bits.
For example: 
128, 192, 256
Selected key size: 256

Using key size of 256 bits

Select a block size in bytes.  The cipher you have chosen
supports sizes from 64 to 4096 bytes in increments of 16.
Or just hit enter for the default (1024 bytes)

filesystem block size: 

Using filesystem block size of 1024 bytes

The following filename encoding algorithms are available:
1. Block : Block encoding, hides file name size somewhat
2. Null : No encryption of filenames
3. Stream : Stream encoding, keeps filenames as short as possible

Enter the number corresponding to your choice: 2

Selected algorithm "Null""

Enable filename initialization vector chaining?
This makes filename encoding dependent on the complete path, 
rather then encoding each path element individually.
The default here is Yes.
Any response that does not begin with 'n' will mean Yes: n

Enable per-file initialization vectors?
This adds about 8 bytes per file to the storage requirements.
It should not affect performance except possibly with applications
which rely on block-aligned file io for performance.
The default here is Yes.
Any response that does not begin with 'n' will mean Yes: n

External chained IV disabled, as both 'IV chaining'
and 'unique IV' features are required for this option.
Enable block authentication code headers
on every block in a file?  This adds about 12 bytes per block
to the storage requirements for a file, and significantly affects
performance but it also means [almost] any modifications or errors
within a block will be caught and will cause a read error.
The default here is No.
Any response that does not begin with 'y' will mean No: 

Add random bytes to each block header?
This adds a performance penalty, but ensures that blocks
have different authentication codes.  Note that you can
have the same benefits by enabling per-file initialization
vectors, which does not come with as great of performance
penalty. 
Select a number of bytes, from 0 (no random bytes) to 8: 0

Enable file-hole pass-through?
This avoids writing encrypted blocks when file holes are created.
The default here is Yes.
Any response that does not begin with 'n' will mean Yes:     


Configuration finished.  The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 3:0:2
Filename encoding: "nameio/null", version 1:0:0
Key Size: 256 bits
Block Size: 1024 bytes
File holes passed through to ciphertext.

Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism.  However, the password can be changed
later using encfsctl.

New Encfs Password: 
Verify Encfs Password: 


Max open files

By default there are only 1024 max files than can be opened at the same time per process/user.

For example Gear360 Actioncam opens many files at the same time using Samba/smb and it fails when reaching the 1024 files.

to solve this add to /etc/security/limits.conf

root soft nofile 64000
root hard nofile 64000

/etc/pam.d/common-session needs to have this line in it:

session required pam_limits.so

/etc/pam.d/common-session-noninteractive also needs to have this line in it:

session required pam_limits.so

Umount and mount the encfs again and check Max open files doing:

ps auxf | grep encfs
cat /proc/1860/limits

where 1860 is the right PID.

You can also check the samba limit:

 ps auxf | grep smbd 


More info: https://underyx.me/2015/05/18/raising-the-maximum-number-of-file-descriptors

Change password

encfsctl passwd /home/bredsaal/encfs_test/plain/

info: http://bredsaal.dk/how-to-change-encfs-password


No password prompt

encfs --extpass='/bin/cat /media/thumbdrive/pw' /home/user/encrypted /home/user/unencrypted

or

cat /home/jc/.password | enfcs -S /home/jc/encrypted /tmp/decrypted/

Windows

Install and use Encfsmp https://sourceforge.net/projects/encfsmp/


Also run on admin console:

fsutil behavior set EncryptPagingFile 1

Explanation from: http://www.getsafe.org/about#system_changes_more_info