If someone asked me the best way of encrypting files on a USB drive, I honestly wouldn’t know where to begin. Of course, it’s all well and good discussing algorithms, key sizes and implementations, but in the real world we have usability and portability issues to consider. Let’s look at it from the perspective of the average person who needs to access the same files on Windows, Mac and Linux machines. Let’s also say this average person wears a tinfoil hat and doesn’t trust anything proprietary – I’ve been told that’s a petty concern, even libellous if I named a specific commercial product, but the impact of an exploitable backdoor/escrow could be very serious when dealing with files uploaded (read ‘published’) to Dropbox or on a storage device that got mislaid. And I mean ‘mislaid’ as in dropped somewhere outside the home or workplace.
TrueCrypt appeared to have solved this problem pretty well, until The Powers That Be pulled the plug on it. The question is what now? Enter EncFS – a system that enables us to create a storage container that’s constantly encrypted but seamlessly readable/writeable when mounted as a volume. I don’t know exactly how safe it is yet, but I consider it one of the safest options.
EncFS and Cryptkeeper
EncFS has the advantage of being a virtual filesystem, so decryption and file access happens entirely in system memory. There should be no traces of the unencrypted files in persistent storage, and therefore the data isn’t forensically recoverable to anyone who discovers the storage device. Of course, there’s always the small possibility of data being written to the swap partition of whatever machine the VFS is mounted on.
Here I’m going to set up an EncFS container and access it from two Linux machines, using a GUI application called ‘cryptkeeper’. For this we need two things: EncFS and the cryptkeeper GUI, both of which should be available in most package managers. It’s a good idea to also install the PAM module so other system-level programs can make use of EncFS in future.
The quickest (but not the best!) way to create a container is through the cryptkeeper desktop applet, which should also be found somewhere in the main desktop menu.
After selecting ‘New encrypted folder’, cryptkeeper will request a directory name and a label for the container, then a password. When this is done, the cryptkeeper applet should list it as an existing storage volume, with a checkbox for mounting/unmounting it. Just be aware that changing the password later might cause problems, so set a strong one and protect it.
It might also appear in the default file manager as an independent storage volume that can be unmounted.
Importing and Accessing the Container Elsewhere
Now for the acid test to see whether the container can be imported, mounted and accessed on another machine (which could be a Linux VM) with cryptkeeper/EncFS. Come to think of it, I wouldn’t recommend using a virtual machine for EncFS, as the VM state, along with the data and crypto keys, gets written to the hard disk when the VM is paused/suspended.
Anyway, this time I selected the ‘Import EncFS folder’ option in the desktop applet, with the aim of adding the container created earlier.
Right-click and select ‘Show Hidden Files’, and cryptkeeper should see the encrypted folder, which should now be importable.
After all is done, there should be a confirmation message. How portable is it? Let’s check…
And there we are: a mount point to the original container. After entering the password and mounting the volume, the files I dropped into the containing directory on the other machine were accessible again.
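Before importing a container on the second machine it is worth reading the hidden .encfs6.xml that EncFS keeps at the top of the encrypted directory, since that file is what the import step relies on and it records how strong the container actually is. The following Python script is an added example, not code from this post or from the EncFS/cryptkeeper projects; the config text is a constructed, abridged sample (element names follow EncFS’s config format, key and salt values are placeholders), and the warnings are my own choice of checks.

```python
import xml.etree.ElementTree as ET

# Constructed, abridged sample of an EncFS .encfs6.xml (hidden file in the
# encrypted directory). Key and salt values are placeholders, not real data.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE boost_serialization>
<boost_serialization signature="serialization::archive" version="4">
<cfg class_id="0" tracking_level="0" version="20">
  <version>20100713</version>
  <creator>EncFS 1.7.4</creator>
  <cipherAlg class_id="1" tracking_level="0" version="0">
    <name>ssl/aes</name><major>3</major><minor>0</minor>
  </cipherAlg>
  <nameAlg><name>nameio/block</name><major>3</major><minor>0</minor></nameAlg>
  <keySize>192</keySize>
  <blockSize>1024</blockSize>
  <blockMACBytes>0</blockMACBytes>
  <encodedKeyData>PLACEHOLDER_BASE64_KEY</encodedKeyData>
  <saltData>PLACEHOLDER_BASE64_SALT</saltData>
  <kdfIterations>150000</kdfIterations>
</cfg>
</boost_serialization>
"""


def inspect_encfs_config(xml_text):
    """Summarise the settings that decide importability and protection level."""
    cfg = ET.fromstring(xml_text).find("cfg")
    if cfg is None:
        raise ValueError("not an EncFS config: no <cfg> element")
    info = {
        "cipher": cfg.findtext("cipherAlg/name"),
        "name_encoding": cfg.findtext("nameAlg/name"),
        "key_bits": int(cfg.findtext("keySize")),
        "block_size": int(cfg.findtext("blockSize")),
        "mac_bytes": int(cfg.findtext("blockMACBytes")),
        "kdf_iterations": int(cfg.findtext("kdfIterations")),
        # Without the password-wrapped volume key nothing can mount the data.
        "has_volume_key": bool(cfg.findtext("encodedKeyData")),
    }
    warnings = []
    if info["mac_bytes"] == 0:
        warnings.append("no per-block MAC: modified ciphertext is not detected")
    if info["name_encoding"] == "nameio/null":
        warnings.append("filenames are stored unencrypted")
    if not info["has_volume_key"]:
        warnings.append("config carries no volume key: container cannot be opened")
    info["warnings"] = warnings
    return info
```

Run it against the real .encfs6.xml of a container you are about to import; a default cryptkeeper volume reports zero MAC bytes, which means a tampered-with file on the USB drive is not detected at mount time.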