12 Sep 2008, 23:23

Secure Remote Storage with FUSE and encfs+sshfs


When you often change the computer you work with and you want to have your important files at hand every time, you can either carry them around with you on a USB stick - preferably encrypted - or you can keep them on a server somewhere. But you'll probably want to encrypt them there, too. You never know who comes into possession of the data. Beware of the Stasi 2.0! One way to achieve secure remote storage is powered by FUSE. With the help of FUSE, encfs and sshfs you can accomplish this task quite easily. Just get a kernel with FUSE support and install encfs and sshfs. With the help of encfs you can create an encrypted directory (file-level encryption: no block device and no fixed device size, but the meta-data stays visible) and sshfs lets you put this directory on any server on which you have SSH access. Of course not everybody will have an SSH login to some always-on server, but you can easily combine encfs with other remote-storage FUSE drivers, for example GmailFS, and there is probably also some WebDAV FUSE driver.

I did experience some problems with FUSE at first. Make sure you are a member of the group fuse or else you will run into trouble. If you don't use udev you may have to create the node /dev/fuse.

If you are unhappy with the performance/latency of this setup you should try to combine encfs together with the NFS storage features of wua.la. Wua.la has some drawbacks, e.g. I won't trust the encryption, but with encfs this should be pretty safe.

Update: I have just tested encfs inside Wuala, and it seems to work quite well.

I have hacked a small script that uses pinentry-* to ask for the password for the encrypted volume. Remember that it is only a quick hack.

Update II: There is also a German article on Dropbox, which can be used instead of Dropbox.

Update: Better use kdialog; see the encfs documentation on that topic.

#!/usr/bin/perl -w
# This script invokes pinentry-qt to ask for the encfs password
# written by Dominik Schulz <lkml@ds.gauner.org>
use strict;
use IPC::Open2;

# Talk the Assuan protocol to pinentry over a pair of pipes.
local (*READER, *WRITER);
my $pid = open2(\*READER, \*WRITER, "/usr/bin/pinentry-qt");
my $ret;

# pinentry greets us with "OK Pleased to meet you" before taking commands;
# consume it so every later read matches the command just sent.
chomp($ret = <READER>);
print WRITER "SETDESC Enter decryption password for encfs:\n";
chomp($ret = <READER>);
print WRITER "SETPROMPT Password:\n";
chomp($ret = <READER>);
print WRITER "GETPIN\n";

# The PIN arrives as a "D <data>" line followed by "OK"; "ERR" means the
# dialog was cancelled or pinentry failed.
my $pw;
while (defined($ret = <READER>)) {
  chomp $ret;
  if ($ret =~ /^D (.*)$/) {
    $pw = $1;
    # Assuan percent-escapes '%', CR and LF inside data lines; undo that.
    $pw =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
  } elsif ($ret =~ /^OK/) {
    last;
  } elsif ($ret =~ /^ERR/) {
    die "pinentry: $ret\n";
  }
}
print WRITER "BYE\n";
close WRITER;
close READER;
waitpid($pid, 0);

# encfs reads the password from this program's standard output.
die "no password entered\n" unless defined $pw;
print "$pw\n";

You can use it in combination with the --extpass switch of encfs, which runs the given program and reads the password from its standard output. For example:

encfs --extpass=encfs-pinentry.pl ~/crypt-raw ~/crypt