One of the issues posed by storing sensitive information in the cloud is that the cloud provider, and by extension, other 3rd parties (hackers, governments) have access to that data. To work around this, we need to encrypt the data before it’s sent to the cloud provider. Tools like TrueCrypt / VeraCrypt are great for encrypting entire volumes but aren’t meant for this use case. If you stored a TrueCrypt volume in the cloud, a minor change on a small file would cause a full sync to occur. We need a better solution. Enter EncFS.
EncFS is available for Linux here: http://www.arg0.net/encfs. There was a Windows version called Encfs4win (http://members.ferrara.linux.it/freddy77/encfs.html), but it hasn’t been updated. A revival of that project exists, which we’ll cover in this blog and use to encrypt files.
I’m using Windows 10 and Dropbox but this will work on Windows 7 and any other file share/sync provider such as OneDrive and Google Drive.
Our objective is to have a place to store files in a cloud service which has zero knowledge of the content we’re storing. Before we start, there are some alternatives:
- SpiderOak starts at $5 and has Enterprise products.
- Boxcryptor is (or was) based on encfs and has a free version.
- There are also several blockchain-based file storage providers. I use Storj personally and might blog about these in another post.
While those alternatives are appealing, especially Boxcryptor, the free version is limited and, for my use, the paid versions aren’t that valuable. So, how can we do this for free?
Let’s go back to the Windows port created by Charles Munson, a.k.a. jetwhiz.
- Download the files, encfs-installer.exe and hashes.asc, from GitHub: https://github.com/jetwhiz/encfs4win/releases
- (optional) Verify the hash (you can download QuickHash if you need a verification tool). Since this is a privacy-focused blog post, it makes sense to verify the hash to ensure the downloaded file hasn’t been modified in transit or by some other program on your computer (malware, a virus, etc.).
- Run the installer, keep all the defaults and it should be done within 2 minutes. Once completed, the binaries will be located in C:\Program Files (x86)\encfs.
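The hash check from the optional step can also be done with PowerShell's built-in Get-FileHash instead of QuickHash. The script below is an added example, not part of the encfs4win project; the Downloads paths are assumptions, and it assumes hashes.asc lists each digest as one contiguous hex string.

```powershell
# Added example: compare the installer's digests with the values published in hashes.asc.
# Assumption: both files were saved to the current user's Downloads folder.
param(
    [string]$Installer = "$env:USERPROFILE\Downloads\encfs-installer.exe",
    [string]$HashFile  = "$env:USERPROFILE\Downloads\hashes.asc"
)

$ErrorActionPreference = 'Stop'

# The exact layout of hashes.asc is not assumed: collect every hex string that is
# long enough to be a digest (MD5 = 32 chars ... SHA512 = 128 chars), lower-cased.
$published = Select-String -Path $HashFile -Pattern '\b[0-9A-Fa-f]{32,128}\b' -AllMatches |
    ForEach-Object { $_.Matches.Value.ToLowerInvariant() } |
    Sort-Object -Unique

if (-not $published) {
    throw "No hex digests found in $HashFile"
}

# Hash the installer with each algorithm and keep the ones whose digest is published.
# SHA1 and MD5 are included only so that a weak-only match can be flagged.
$algorithms = 'SHA512', 'SHA384', 'SHA256', 'SHA1', 'MD5'
$matched = foreach ($alg in $algorithms) {
    $digest = (Get-FileHash -Path $Installer -Algorithm $alg).Hash.ToLowerInvariant()
    if ($published -contains $digest) {
        [pscustomobject]@{ Algorithm = $alg; Digest = $digest }
    }
}

if (-not $matched) {
    throw "MISMATCH: no digest of $Installer appears in $HashFile. Do not run the installer."
}

$matched | Format-Table -AutoSize

# A match on SHA1 or MD5 alone is weak evidence because both are collision-prone.
if (-not ($matched.Algorithm | Where-Object { $_ -notin 'SHA1', 'MD5' })) {
    Write-Warning 'Only a SHA1/MD5 digest matched; treat this result as weak.'
}
Write-Output 'OK: installer digest matches a published value.'
```

A match only shows that the installer agrees with hashes.asc, which was downloaded from the same place. If hashes.asc is PGP-signed, as the .asc extension suggests, verifying that signature against the publisher's key is what ties the hashes to the author.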
First, we need to create an encrypted folder.
- Run C:\Program Files (x86)\encfs\encfsw.exe; this is the graphical interface. Nothing will pop up, but you’ll see the “key” icon in your taskbar.
- We’re going to use the Open/Create option.
Select a folder. In this example, I created a folder in my Dropbox called “encfs.” Specify the other options and press OK:
- After pressing OK, you should see another login prompt because encfsw is automatically mounting the new folder. Explorer should open the drive letter.
Drag some files in there!
Let’s see what the cloud provider (Dropbox in my case) sees:
- That’s it. Now we can install encfs (on Linux or Windows) to access these files anytime.
Some of the best practices for using encfs are:
- Don’t put anything else in your encrypted folder. There should be the .xml file plus 1 encrypted file for each file you uploaded.
- When mounting the encrypted folder in Windows, use a drive letter rather than a folder. The GUI enforces this but the command-line may not.
If you need mobile access, Boxcryptor might be worth a look. I didn’t need that and the free version limited me to two devices which didn’t suffice. I’m also just storing sensitive information (like my ninjacat picture) in the encrypted folder. I can use the native Dropbox app to access my other folders that have non-sensitive information.