File system Crypting on Debian systems using ‘encfs’

How-to taken from

Goal: protect one or more directory with crypting against a phisical attack to the server.

Required packages: fuse-source, module-assistant, encfs.


  • download and compile “fuse” module:
    apt-get install fuse-source
    apt-get install module-assistant
    module-assistant prepare
    (may be you’ll be asked to download “kernel-headers”)
    module-assistant build fuse
    module-assistant install fuse
    modprobe fuse
  • install “encfs” module
    apt-get install encfs
  • choose a directory where to store source encoded files and an other one to use as mount point for the corresponding clear files, then “mount” source directory to the target directory
    mkdir /var/secret/encoded
    mkdir /var/www/secret
    encfs /var/secret/encoded /var/www/secret
    (absolute path only)
  • you’ll be prompted for security options (you can leave the default values or choose the ‘paranoia’ set of settings) and for a password
  • if everything worked fine, from now on, all the files and folders copied/moved/made in /var/www/secret are automatically crypted (file by file, dir by dir) in /var/secret/encoded

You’ll find in the encoded directory the hidden file ‘.encfs5’; be warned that you need to keep this control file “.encfs5” in a safe place. If disaster strikes and you do not have that file or your password you will not be able to recover your data. Otherwise you can mount the directory, you’ll be prompted for the password and your data becomes readable!

Only the user that ran ‘encfs’ can use the mounted filesystem. This user MUST belong to the ‘fuse’ group. Take a look at /etc/defaults/fuse-utils.

If you can’t mount the ‘Filesystem in USEr space’ (fuse) and the error message is always:
fuse: failed to exec fusermount: Permission denied fuse failed. Common problems:
– fuse kernel module not installed (modprobe fuse)
– invalid options — see usage message

then follow this checklist:

  1. verify, using ‘modprobe’ that fuse module is loaded
  2. verify/set the correct group with dpkg-reconfigure fuse-utils
  3. verify that the permissions of the file /usr/bin/fusermount are set as shown above:
    ls -l fusermount
    -rwsr-xr– 1 root fuse 18288 2005-07-06 08:38 fusermount

If your file permissions are different, set them as shown:
chown root:www-data fusermount
chmod 4754 /usr/bin/fusermount

After a reboot (or after unmounting using fusermount -u /var/secret/encoded), your /var/www/secret directory will result empty. You have to run
encfs /var/secret/encoded /var/www/secret
and digit the password before use it.

You can backup readable or encrypted files. Consider saving the encrypted version and you won’t have to take care of the place for storing backups any more: without the password and the ‘.encfs5’ hidden file they are useless!

Leave a Reply

Your email address will not be published. Required fields are marked *