Introduction
Thanks to the Google Code project MacFUSE, you can now run
FUSE-compatible file systems on the Mac. This includes EncFS
(Encrypted Filesystem), which provides an encrypted pass-through
filesystem.
EncFS provides an encrypted filesystem in user-space. It runs without
any special permissions and uses the FUSE library and Linux or Mac
kernel module to provide the filesystem interface. You can find links
to source and binary releases below. EncFS is open source software,
licensed under the GPL.
As with most encrypted filesystems, EncFS is meant to provide security
against off-line attacks, i.e. your notebook or backups falling into
the wrong hands. EncFS works differently from the
“loopback” encrypted filesystem support built into
the Linux kernel because it encrypts individual files rather than an
entire block device. Likewise, OS X provides AES-128 Disk Images,
which suffer from the same limitation as block devices: all the space
for the Disk Image has to be pre-allocated.
EncFS works very well for securing your data on your iDisk, external
drives, and internal drives. Since each file is encrypted
individually, backup programs and iDisk only have to back up the
changed files instead of backing up the entire Disk Image.
When creating EncFS mounts you can configure the encryption algorithm
and other parameters. I recommend just selecting
“pre-configured paranoia mode”, which corresponds to
AES-256 with encoded filenames.
GUI Support
MacFusion has been added to the disk image along with a plugin that
allows mounting from MacFusion.
Examples
Creating a new encrypted filesystem
$ mkdir /tmp/crypt-raw
$ mkdir /tmp/crypt
$ encfs /tmp/crypt-raw /tmp/crypt
Volume key not found, creating new encrypted volume.
...
Password: [password entered here]
Verify: [password entered here]
Accessing the filesystem
$ cd /tmp/crypt
$ echo "hello foo" > foo
$ echo "hello bar" > bar
$ ln -s foo foo2
$ ls -l
total 8
-rw-r--r-- 1 vgough users 10 2003-11-03 21:44 bar
-rw-r--r-- 1 vgough users 6 2003-11-03 21:44 foo
lrwxrwxrwx 1 vgough users 7 2003-11-03 21:44 foo2 -> foo
$ cd /tmp/crypt-raw
$ ls -l
total 8
-rw-r--r-- 1 vgough users 6 2003-11-03 21:44 eEM4YfA
-rw-r--r-- 1 vgough users 10 2003-11-03 21:44 gKP4xn8
lrwxrwxrwx 1 vgough users 7 2003-11-03 21:44 i7t9-m,I -> eEM4YfA
$ umount /tmp/crypt
You can also just eject the mount from Finder instead of using the
umount command.
Creating a new encrypted filesystem with iDisk
$ encfs /Volumes/iDisk/Documents/krypt/.data /Volumes/krypt
Now you can access all your documents from /Volumes/krypt, and the
encrypted version will be stored on your iDisk.