How-to taken from http://www.debian-administration.org/articles/204.
Goal: protect one or more directories by encrypting them, so that their contents survive a physical attack on the server (e.g. a stolen disk) without being readable.
Required packages: fuse-source, module-assistant, encfs.
Procedure:
- download and compile the "fuse" kernel module:
apt-get install fuse-source
apt-get install module-assistant
module-assistant prepare (you may be asked to download "kernel-headers")
module-assistant build fuse
module-assistant install fuse
modprobe fuse
- install the "encfs" package:
apt-get install encfs
- choose a directory in which the encrypted source files will be stored and a second one to use as the mount point for the corresponding clear-text files, then "mount" the source directory on the target directory (absolute paths only):
mkdir /var/secret/encoded
mkdir /var/www/secret
encfs /var/secret/encoded /var/www/secret
- you'll be prompted for security options (you can keep the default values or choose the "paranoia" set of settings) and for a password
- if everything worked, from now on all files and folders copied, moved or created in /var/www/secret are automatically encrypted (file by file, directory by directory) into /var/secret/encoded
In the encoded directory you'll find the hidden file ".encfs5"; be warned that you need to keep a copy of this control file ".encfs5" in a safe place. If disaster strikes and you do not have that file or your password, you will not be able to recover your data. With both, you can mount the directory again: you'll be prompted for the password and your data becomes readable.
Only the user that ran ‘encfs’ can use the mounted filesystem. This user MUST belong to the ‘fuse’ group. Take a look at /etc/defaults/fuse-utils.
Troubleshooting
If you can't mount the "Filesystem in USErspace" (fuse) and the error message is always:
fuse: failed to exec fusermount: Permission denied
fuse failed. Common problems:
- fuse kernel module not installed (modprobe fuse)
- invalid options -- see usage message
then follow this checklist:
- verify, using "modprobe", that the fuse module is loaded
- verify/set the correct group with dpkg-reconfigure fuse-utils
- verify that the permissions of the file /usr/bin/fusermount are set as shown below:
ls -l /usr/bin/fusermount
-rwsr-xr-- 1 root fuse 18288 2005-07-06 08:38 fusermount
If your file permissions are different, set them as shown (the author uses the www-data group here; with mode 4754 only root and members of that group can execute fusermount, so it must be the group the mounting user belongs to):
chown root:www-data /usr/bin/fusermount
chmod 4754 /usr/bin/fusermount
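The checklist above as a small preflight script; this is an added example, not part of the original article. The pure functions take their input as arguments (module listing, group list, mode/owner/group) so they can be exercised on constructed values; encfs_preflight runs them against the live system and assumes Linux (/proc/modules), `id -Gn` and GNU `stat -c`. The group name and fusermount path are parameters, defaulting to the article's values.

```shell
#!/bin/sh
# Preflight for the fuse/encfs troubleshooting checklist (added example).

# $1 = contents of /proc/modules. Returns 0 when the fuse module is loaded.
fuse_module_loaded() {
    printf '%s\n' "$1" | grep -q '^fuse '
}

# $1 = space-separated group list (as printed by `id -Gn`), $2 = required group.
user_in_group() {
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# $1 = symbolic mode as `ls -l` prints it (e.g. -rwsr-xr--), $2 = owner,
# $3 = group, $4 = group the mounting user must belong to.
# Passes only if the file is owned by root, carries the setuid bit, is
# group-executable and belongs to the expected group (mode 4754 qualifies).
fusermount_perms_ok() {
    [ "$2" = root ] || return 1
    [ "$3" = "$4" ] || return 1
    case $1 in
        -rws??x*) return 0 ;;   # setuid + owner exec, group exec
        *) return 1 ;;
    esac
}

# Live check; prints one line per test. $1 = group, $2 = fusermount path.
encfs_preflight() {
    grp=${1:-fuse}; bin=${2:-/usr/bin/fusermount}
    fuse_module_loaded "$(cat /proc/modules)" \
        && echo "ok: fuse module loaded" || echo "FAIL: run modprobe fuse"
    user_in_group "$(id -Gn)" "$grp" \
        && echo "ok: $(id -un) is in $grp" || echo "FAIL: add $(id -un) to $grp"
    set -- $(stat -c '%A %U %G' "$bin" 2>/dev/null) "$grp"
    fusermount_perms_ok "$1" "$2" "$3" "$4" \
        && echo "ok: $bin is $1 $2:$3" \
        || echo "FAIL: chown root:$grp $bin && chmod 4754 $bin"
}
```

Run `encfs_preflight fuse /usr/bin/fusermount` as the user who will mount the filesystem; each FAIL line names the fix from the checklist.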
Reboot
After a reboot (or after unmounting with fusermount -u /var/www/secret), your /var/www/secret directory will appear empty. You have to run
encfs /var/secret/encoded /var/www/secret
and enter the password before using it again.
Backups
You can back up either the readable or the encrypted files. Consider saving the encrypted version: you then no longer have to worry about where the backups are stored, because without the password and the hidden ".encfs5" file they are useless.