BLUF: encfs provides unfussy user-level mount/unmount of an encrypted directory that can be migrated across machines.
Ah, encfs, where have you been all my life? I have been storing passwords in KeePassX. It is an excellent cross-platform password manager, but it is GUI-only. It is also not a file storage mechanism. I like to access passwords from the command line, and I have yet to find any good tools that I like. Most of them just plain don’t work due to their age. For example, “cpm” is a console password manager available in Debian. When I try to run it, it bails out complaining “Can’t attach to parent!”. A search on Google reveals that it has problems with the more modern kernels. That’s hardly ideal.
Installing encfs on Debian is straightforward:
sudo apt-get install encfs
Create two directories, e.g. ~/encrypted and ~/decrypted. Mount them:
encfs ~/encrypted ~/decrypted
Enter a password that you want to use.
Create files and subdirectories, and edit away.
You can unmount the directory by typing
fusermount -u ~/decrypted
It’s that simple!
Mileage will depend on use-case, and it is by no means the hammer for every security nail. It does, however, work for me. Points to note:
+ Simple and easy to set up and use.
+ The directory has a separate password, distinct from user login. Skim-reading suggests that it can be PAM-enabled and mounted transparently, though.
+ Directory structure is preserved, so it is possible that crackers will be able to deduce the approximate size, quantity and directory layout of the decrypted directory. File and directory names are themselves encrypted, though. Some might not like that idea, but it works for me.
+ Mounting is preserved across login sessions. That is great for convenience, although it might be considered a security risk. Unmount it when you exit the system if it’s a concern to you.
So, based on an initial evaluation, encfs is an excellent tool. I sometimes use TrueCrypt, which is an excellent tool, but it seems more difficult to use in a command-line-only environment. The GUI is “OK”, but it will be fiddly to use in my Linux environment. I also find TrueCrypt a bit tedious to set up, especially if I have migrated machines. It’s not “too” bad, but getting it to remember key files and preferred mount points is a bit of a chore. In encfs, I wrote a script called “enc” which does the mounting and unmounting for me. Job done.
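A mount/unmount wrapper along the lines of the “enc” script mentioned above, as an added example; it is not the author's script, which the post does not show. The function names, the ENC_* variables and the 10-minute default are assumptions. It uses encfs's --idle option so that a forgotten mount does not persist across login sessions, and it assumes encfs mounts appear in /proc/mounts with type fuse.encfs.

```shell
#!/bin/sh
# enc: mount/unmount an encfs directory pair. Added example; all names are assumptions.
ENC_CIPHER_DIR="${ENC_CIPHER_DIR:-$HOME/encrypted}"  # ciphertext directory
ENC_PLAIN_DIR="${ENC_PLAIN_DIR:-$HOME/decrypted}"    # cleartext view (mount point)
ENC_IDLE_MIN="${ENC_IDLE_MIN:-10}"                   # assumed default idle timeout
ENC_MOUNTS="${ENC_MOUNTS:-/proc/mounts}"             # overridable so it can be tested

# Succeed if "$1" is listed in $ENC_MOUNTS as an encfs mount point.
enc_is_mounted() {
    # /proc/mounts writes a space in a path as \040, so escape before comparing.
    ENC_TARGET=$(printf '%s' "$1" | sed 's/ /\\040/g') \
        awk '$2 == ENVIRON["ENC_TARGET"] && $3 == "fuse.encfs" { found = 1 }
             END { exit !found }' "$ENC_MOUNTS"
}

# Print what "toggle" would do for mount point "$1".
enc_next_action() {
    if enc_is_mounted "$1"; then echo unmount; else echo mount; fi
}

enc_main() {
    action=$1
    if [ "$action" = toggle ]; then action=$(enc_next_action "$ENC_PLAIN_DIR"); fi
    case $action in
        mount)
            if enc_is_mounted "$ENC_PLAIN_DIR"; then echo "already mounted"; return 0; fi
            ( umask 077 && mkdir -p "$ENC_CIPHER_DIR" "$ENC_PLAIN_DIR" )
            # --idle makes encfs unmount after inactivity, so a forgotten mount
            # does not leave cleartext readable across login sessions.
            encfs --idle="$ENC_IDLE_MIN" "$ENC_CIPHER_DIR" "$ENC_PLAIN_DIR" ;;
        unmount)
            fusermount -u "$ENC_PLAIN_DIR" ;;
        status)
            if enc_is_mounted "$ENC_PLAIN_DIR"; then echo mounted; else echo "not mounted"; fi ;;
        *)
            echo "usage: enc {mount|unmount|toggle|status}" >&2; return 2 ;;
    esac
}

# With no arguments the file only defines functions, so it can be sourced.
if [ "$#" -gt 0 ]; then enc_main "$@"; fi
```

Saved as an executable file named enc, "enc toggle" mounts the directory if it is not mounted and unmounts it otherwise.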