Difference between revisions of "Encrypted Filespace with EncFS"

Latest revision as of 04:51, 1 April 2009

This article based on work done by Ramuk and Andre on Linkstationwiki.org

PowerPC and ARM9 (KuroBox Pro) : This method only works for the powerpc-hdhlan and powerpc-hdhglan LinkStations, and the KuroBox Pro

Abstract

This article is for people that want to add an encrypted filespace to their Link Station^[1]. We will use the powerpc-hdhglan Link Station for our example. EncFS^[2] is used to do this. This probably will work on any PPC link station. It may work on a MIPS Link station but you'll have to compile the FUSE^[3] module yourself somehow. It will also work on a manually Freelinked KuroBox Pro (ARM9)

Encryption Type

EncFS was chosen because of it's relative ease and speed of use. Loop-AES could be used as well[4], A client side encryption system like Truecrypt[5] could be used from a windows client. The TeraStation people have a nice tutorial on using TrueCrypt[6]

Prerequisites

This article assumes that you have installed FreeLink or OpenLink. You also will need to upgrade to a 2.6 Kernel on a PPC Box, use these instructions: Upgrade to the 2.6-kernel (ppc only). Or on an ARM9 box you will need a custom kernel and modules.

Method (ARM9 KuroBox Pro)

Install Armel Debian and FUSE module

Install Armel Debian for the Kurobox Pro - Manual install or Armel for a LSPro and custom kernel and modules contained in those instructions

Install EncFS

apt-get install encfs

Method (PPC)

Install the FUSE module

• I used the binaries^[7] from André's site^[8]:

wget  http://hvkls.dyndns.org/downloads/archive/fuse_2.6.0-binaries-ppc.tar.gz
tar -C / -xvzf fuse*.tar.gz

EDIT: If the link above is dead, please check my server for updates -andre

Install EncFS

FreeLink

PowerPC

apt-get install encfs

OpenLink

wget http://downloads.nas-central.org/ALL_LS_KB_PPC/Packages/rlog-1.3.7_ppc.tar.gz
tar -C / xzvf rlog-1.3.7_ppc.tar.gz
wget http://downloads.nas-central.org/ALL_LS_KB_PPC/Packages/encfs-1.3.1_ppc.tar.gz
tar -C / xzvf encfs-1.3.1_ppc.tar.gz

Post Install Usage

Create an encrypted partition

• place it in a shared directory if you want to access it as a file share using Samba.

 encfs /mnt/locked /mnt/share/locked -- -o allow_other

/mnt/share here is a shared directory. /mnt/locked is where the encrypted bits will be stored and /mnt/share/locked is where the (de)crypted space will be mounted to. You will be prompted for the type of encryption that you want and for password creation. Look here for more details on using EncFS.

Access Permissions

• You will have to chmod the created directory so everyone can access it

chmod og+rwx /mnt/share/locked/

Just beware that it takes a long time for files to be encrypted when you copy or move them into this directory, however you can use this directory like any other shared space with Samba. After files are placed in there they can be accessed pretty fast.

Unmount

• You can unmount the partition at any time in which case the encrypted directory will end up appearing blank.

fusermount -u /mnt/share/locked

Remount

• And remount it when you need it the same way you created it, this time you will just be prompted for the password you used when you created it.

encfs /mnt/locked /mnt/share/locked -- -o allow_other

What's the point?

Slow to Write

I've been using this solution for awhile now, it's slow to ENcode data but faster to DEcode data. So that saving (ENcoding) a file to an encrypted share over samba can be somewhat slow. Writing a new file to a samba share that is an EncFS volume happens for me at about 1.7 MB/s and to an unencrypted share at 5 MB/s. - Ramuk 10:58, 21 March 2008 (CDT)

What's the point of all this? Well you can create an encrypted file space that once mounted functions completely transparently as a shared directory. Once it is unmounted, either manually or automatically (when the system is shut down) the data will only exist in an encrypted form in the encrypted directory you specified. In this example in /mnt/locked , if your linkstation is stolen or lost, as soon as it is unplugged the data will no longer be accessible without the password. Even if someone cracks open the device and takes the hard drive out all they will be able to get is encrypted gibberish in that directory. However they would be able to figure out how MANY files you had in that directory and the SIZE of each file, as EncFS encypts each file individually, not the block device.

Keyfile and Security

The keyfile is stored in the encrypted directory /mnt/locked/.encfs5 you could store it externally (on a USB Key Drive for example) and move it to the proper location if you wanted even more security.

Shell Scripts

#!/bin/bash
# mountcrypt.sh
# You can change these lines to reflect the locations on your system
# or add whatever user comments you want
modprobe fuse

   usage(){
   echo "mountcrypt [m|mount|u|unmount]"
   echo " either mounts or unmounts our encrypted shared file space to /mnt/share/locked"
   }

   if [ -z $1 ]
   then
           usage
           exit
   fi

# You will have to change the directories to reflect what is on your
# system here

   case "$1" in
           "m" | "mount" )
                   encfs /mnt/locked /mnt/share/locked -- -o allow_other
                   echo "Encrypted filesystem now mounted"
                   ;;
           "u" | "unmount" )
                   fusermount -u /mnt/share/locked
                   echo "Encrypted filesystem has been unmounted"
                   ;;
           * )
                   usage
                   ;;
   esac

Bonnie++ I/O Speeds

Here is a speed comparision using Bonnie++^[9] as a diagnostic tool. Fifilein is trying to use AES/DMCrypt and his numbers are in the speed comparision too^[10] all numbers are from an HG-LS.

References

1. ↑ The Linkstation Community Forum / Linkstation HG (ppc) / Encrypted Partitions, and Installing modules (FUSE)
2. ↑ The EncFS Wiki: http://arg0.net/wiki/encfs
3. ↑ The FUSE Wikipedia Page: FUSE:Wikipedia
4. ↑ Comparison of various Encryption Schemes: Encrypt filesystems with EncFS and Loop-AES
5. ↑ Truecrypt - Free open-source disk encryption software for Windows XP/2000/2003 and Linux - http://www.truecrypt.org
6. ↑ Encryption, NTFS Support, and Windows Share Management
7. ↑ André's documentation on the FUSE binary: http://hvkls.dyndns.org/downloads/documentation/README-fuse.html
8. ↑ André's site with 2.6 kernel and compiled FUSE binary: http://hvkls.dyndns.org/
9. ↑ Bonnie++ disk benchmark: http://www.coker.com.au/bonnie++/
10. ↑ The Linkstation Community Forum / Everything else / JBOD with ENCFS, Key on USB Stick