EncFS

from Wikipedia, the free encyclopedia
EncFS
Basic data

Developer: Valient Gough
Current version: 1.9.5 (April 27, 2018)
Operating system: Linux, FreeBSD, Mac OS X, Windows
Category: File system, encryption
License: LGPL
Website: vgough.github.io/encfs/

EncFS is a free encryption extension (published under the GPL) for any file system of Unix-like operating systems and is based on the FUSE framework. It does not encrypt entire file systems, but only individual files, so it can be retrofitted without setting up a dedicated encrypted partition, and conventional tools, for example for data backup, can still be used.

Functionality

EncFS uses two directories to encrypt data transparently. The data to be encrypted is stored in the first directory. However, data written there is not written directly to the hard drive; it is first encrypted by EncFS and then stored in encrypted form in the second directory, the so-called source directory. The unencrypted view in the first folder is only visible as long as the second folder is mounted into the first using EncFS. Each encrypted file in the second folder corresponds to an unencrypted file in the first. If the encrypted folder is not mounted, the unencrypted folder is empty.

Encryption

The data is encrypted with a large key stored in a file, the so-called volume key. This key is in turn protected with a password, so that possession of the stored volume key alone does not allow decryption. EncFS can use various encryption algorithms; Blowfish and AES are typical. To access the encrypted data, the password protecting the volume key has to be entered when mounting.

The data is encrypted in individual data blocks. Data blocks are encrypted as a whole and can only be decrypted as a whole. So if only a single byte is changed, the whole block has to be re-encrypted and written back. In order to adapt this to the data being stored, the default block size of 512 bytes can be changed.

EncFS encrypts not only the contents of the files, but also the file names. You can choose between block mode, which may take somewhat more disk space (depending on the underlying file system) but obscures the length of the file name, and the more space-saving stream mode.

Data integrity

In addition, with an EncFS option called Block MAC headers, it is possible to detect changes to or errors in the encrypted files. A checksum of 8 bytes is created for each data block. Optionally, 8 further bytes of random data can be added to each data block so that data blocks with the same unencrypted content do not produce the same checksum.

However, this option demands a lot of computing power from the CPU, since the checksum has to be calculated on every read access to check integrity and on every write access to update it.

Advantages and disadvantages

Due to its file-by-file encryption, EncFS has several advantages over other crypto file systems:

  • It does not occupy a fixed size on the disk. Only the space actually required for the encrypted files is used. Data can be stored in EncFS until the file system on which it resides is full.
  • Parts of a file system encrypted via EncFS can be stored on different storage media. For example, one folder in the (encrypted) source directory can be mounted via NFS and another one locally.
  • Backup programs can back up just the individual encrypted files that have changed since the last run. It is not necessary to back up the entire partition every time, as is the case with encrypted partitions.

However, there are some disadvantages due to this approach:

  • Data saved via EncFS has the same restrictions as the file system in which the source folder is located.
  • Fragmentation of the encrypted data leads to fragmentation in the source directory.
  • No separate rights management is implemented, so anyone can see the number of files, their access rights, their sizes, the lengths of their file names (the file names themselves are encrypted) and the date of the last change.

Security concerns

In January 2014, security researcher Taylor Hornby subjected EncFS to an audit. His conclusion: the tool is not secure unless the potential attacker has only one version of an encrypted file. However, when EncFS is used to encrypt files on cloud storage, there are usually multiple versions of a file. Currently (September 2016) at least one of the identified vulnerabilities has not yet been resolved; a fix is planned for the future version 2.0.
