Encrypted Filespace with EncFS

This article is based on work done by Ramuk and Andre on Linkstationwiki.org.

Abstract
This article is for people who want to add an encrypted filespace to their LinkStation, using EncFS. We will use the powerpc-hdhglan LinkStation for our example. This will probably work on any PPC LinkStation. It may work on a MIPS LinkStation, but you will have to compile the FUSE module yourself. It will also work on a manually Freelinked KuroBox Pro (ARM9).

Prerequisites
This article assumes that you have installed FreeLink or OpenLink. On a PPC box you will also need to upgrade to a 2.6 kernel; use the instructions in "Upgrade to the 2.6-kernel (ppc only)". On an ARM9 box you will need a custom kernel and modules.

Install Armel Debian and FUSE module
Install "Armel Debian for the Kurobox Pro - Manual install" or Armel for an LSPro, and the custom kernel and modules contained in those instructions.

Install EncFS
apt-get install encfs

Install the FUSE module

 * I used the binaries from André's site:

wget http://hvkls.dyndns.org/downloads/archive/fuse_2.6.0-binaries-ppc.tar.gz
tar -C / -xvzf fuse*.tar.gz

EDIT: If the link above is dead, please check my server for updates -andre

PowerPC
apt-get install encfs

OpenLink
wget http://downloads.nas-central.org/ALL_LS_KB_PPC/Packages/rlog-1.3.7_ppc.tar.gz
tar -C / -xzvf rlog-1.3.7_ppc.tar.gz
wget http://downloads.nas-central.org/ALL_LS_KB_PPC/Packages/encfs-1.3.1_ppc.tar.gz
tar -C / -xzvf encfs-1.3.1_ppc.tar.gz

Create an encrypted partition
encfs /mnt/locked /mnt/share/locked -- -o allow_other
/mnt/share here is a shared directory. /mnt/locked is where the encrypted bits will be stored, and /mnt/share/locked is where the decrypted space will be mounted. You will be prompted for the type of encryption that you want and for password creation. Look here for more details on using EncFS.
 * Place it in a shared directory if you want to access it as a file share using Samba.

Access Permissions
chmod og+rwx /mnt/share/locked/
Be aware that it takes a long time for files to be encrypted when you copy or move them into this directory; otherwise you can use it like any other shared space with Samba. After files are placed in there they can be accessed pretty fast.
 * You will have to chmod the created directory so everyone can access it.

Unmount
fusermount -u /mnt/share/locked
 * You can unmount the partition at any time, in which case the mounted directory (/mnt/share/locked) will appear empty.

Remount
encfs /mnt/locked /mnt/share/locked -- -o allow_other
 * Remount it when you need it, the same way you created it. This time you will just be prompted for the password you used when you created it.

What's the point?
What's the point of all this? You can create an encrypted file space that, once mounted, functions completely transparently as a shared directory. Once it is unmounted, either manually or automatically (when the system is shut down), the data will only exist in an encrypted form in the encrypted directory you specified, in this example /mnt/locked. If your LinkStation is stolen or lost, as soon as it is unplugged the data will no longer be accessible without the password. Even if someone cracks open the device and takes the hard drive out, all they will be able to get is encrypted gibberish in that directory. However, they would be able to figure out how MANY files you had in that directory and the SIZE of each file, as EncFS encrypts each file individually, not the block device.

Keyfile and Security
The keyfile is stored in the encrypted directory, at /mnt/locked/.encfs5. You could store it externally (on a USB key drive, for example) and move it to the proper location if you wanted even more security.
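The following audit script is an added example, not part of the original article. It checks the state the sections above describe: whether the share is currently mounted, whether files were written to the mount point while EncFS was unmounted (those are stored unencrypted on the underlying disk), and how many entries remain visible in the encrypted directory. The function names and the MOUNTS_FILE override are assumptions made for this example, as is the FUSE filesystem type reported in /proc/mounts ("fuse" or "fuse.encfs").

```bash
#!/bin/bash
# Added example (not from the original article): audit an EncFS share.
# MOUNTS_FILE can be overridden to test against a constructed mounts table.
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# Succeeds if $1 is listed as a FUSE mount point (fstype "fuse" or "fuse.encfs").
is_encfs_mounted() {
    awk -v mp="${1%/}" '$2 == mp && $3 ~ /^fuse/ { found = 1 }
                        END { exit !found }' "$MOUNTS_FILE"
}

# Number of entries below directory $1 (0 for an empty directory).
count_entries() {
    find "${1%/}" -mindepth 1 | wc -l | tr -d ' '
}

# audit_share CIPHERTEXT_DIR MOUNT_POINT
# Returns 0 = locked and clean, 1 = currently mounted (plaintext exposed),
#         2 = unmounted, but files were written in clear under the mount point.
audit_share() {
    cipher_dir=$1 mount_point=$2
    if is_encfs_mounted "$mount_point"; then
        echo "MOUNTED: $mount_point exposes decrypted files"
        return 1
    fi
    leaked=$(count_entries "$mount_point")
    if [ "$leaked" -gt 0 ]; then
        echo "LEAK: $leaked unencrypted entries under unmounted $mount_point"
        return 2
    fi
    # Still readable without the password: entry count, sizes, keyfile presence.
    echo "LOCKED: $(count_entries "$cipher_dir") entries visible in $cipher_dir"
    [ -f "$cipher_dir/.encfs5" ] || echo "NOTE: no .encfs5 keyfile in $cipher_dir"
    return 0
}

# Run only when called with two arguments, e.g.:
#   audit.sh /mnt/locked /mnt/share/locked
if [ "$#" -eq 2 ]; then audit_share "$1" "$2"; fi
```

A non-zero exit status makes the script usable from cron or a shutdown hook to flag a share that was left mounted or a mount point that collected plaintext.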

Shell Scripts
#!/bin/bash
# mountcrypt.sh
# You can change these lines to reflect the locations on your system
# or add whatever user comments you want

# Load the FUSE kernel module that EncFS needs
modprobe fuse

usage() {
    echo "mountcrypt [m|mount|u|unmount]"
    echo " either mounts or unmounts our encrypted shared file space to /mnt/share/locked"
}

# Show the usage text and stop if no argument was given
if [ -z "$1" ]
then
    usage
    exit
fi

# You will have to change the directories to reflect what is on your
# system here
case "$1" in
    "m" | "mount" )
        # Report success only if encfs actually mounted the filesystem
        encfs /mnt/locked /mnt/share/locked -- -o allow_other &&
            echo "Encrypted filesystem now mounted"
        ;;
    "u" | "unmount" )
        fusermount -u /mnt/share/locked &&
            echo "Encrypted filesystem has been unmounted"
        ;;
    * )
        usage
        ;;
esac

Bonnie++ I/O Speeds
Here is a speed comparison using Bonnie++ as a diagnostic tool. Fifilein is trying to use AES/DMCrypt, and his numbers are in the speed comparison too. All numbers are from an HG-LS.