Encrypted Filesystem for Mac OS X


Thanks to the Google Code project MacFUSE you can now run FUSE compatible file systems on the Mac.   This includes EncFS (Encrypted Filesystem), which provides an encrypted pass-through filesystem.

EncFS provides an encrypted filesystem in user-space. It runs without any special permissions and uses the FUSE library and Linux or Mac kernel module to provide the filesystem interface. You can find links to source and binary releases below. EncFS is open source software, licensed under the GPL.

As with most encrypted filesystems, Encfs is meant to provide security against off-line attacks; ie your notebook or backups fall into the wrong hands, etc. The way Encfs works is different from the “loopback” encrypted filesystem support built into the Linux kernel because it works on files at a time, not an entire block device.  Likewise OS X provides AES-128 Disk Images which also suffer from the same limitations as block devices; that is all the space for the Disk Image has to be pre-allocated.

Encfs works very well for securing your data on your iDisk, external drives, and internal drives.  Since each file is encrypted backup programs and iDisk only has to backup the changed files instead of backing up the entire Disk Image.

When creating Encfs mounts you can configure the encryption algorithm and other parameters. I recommended just selecting “pre-configured paranoia mode” which corresponds to AES-256 with encoded filenames.

GUI Support

MacFusion has been added to the disk image along with a plugin that allows mounting from MacFusion.



Creating a new encrypted filesystem

$ mkdir /tmp/crypt-raw
$ mkdir /tmp/crypt
$ encfs /tmp/crypt-raw /tmp/crypt
Volume key not found, creating new encrypted volume.
Password: [password entered here]
Verify: [password entered here]

Acessing the filesystem

$ cd /tmp/crypt
$ echo "hello foo" > foo
$ echo "hello bar" > bar
$ ln -s foo foo2
$ ls -l
total 8
-rw-r--r-- 1 vgough users 10 2003-11-03 21:44 bar
-rw-r--r-- 1 vgough users 6 2003-11-03 21:44 foo
lrwxrwxrwx 1 vgough users 7 2003-11-03 21:44 foo2 -> foo
$ cd /tmp/crypt-raw
$ ls -l
total 8
-rw-r--r-- 1 vgough users 6 2003-11-03 21:44 eEM4YfA
-rw-r--r-- 1 vgough users 10 2003-11-03 21:44 gKP4xn8
lrwxrwxrwx 1 vgough users 7 2003-11-03 21:44 i7t9-m,I -> eEM4YfA
$ umount /tmp/crypt
You can also just eject the mount from Finder instead of using umount command.

Creating a new encrypted filesystem with iDisk

$ encfs /Volumes/iDisk/Documents/krypt/.data /Volumes/krypt
Now you can acces all you documents from /Volumes/krypt and the encypted version from will be stored on your iDisk.


Chuck Facts