Filesystem that gives an encrypted view of a directory—the inverse of EncFS

Currently I'm using EncFS to encrypt my directory "confidential" to ".encconfidential" and sync that encrypted directory using an online service (e.g. Dropbox, UbuntuOne, etc.). However, my entire disk is already LUKS encrypted, so the double encryption takes a toll on performance.

I wonder, is there an "inverted" EncFS option? An unencrypted directory gets mounted and in the mounted directory you only see encrypted files. So I could work with the unencrypted documents while the sync tool sees and reads/writes the encrypted files only.

Clarification: My primary use case is sync, not backup. I want to be able to securely keep machines in sync without the double encryption penalty when operating locally (I have to wait when I hit save; compared to transmission time, an encrypted operation is a minimal increment in time, and it is background time, not user time).


Solution 1:

There actually is an Encfs "inverted" option. From the Encfs man page:

   --reverse
       Normally EncFS provides a plaintext view of data on demand.  Normally it stores enciphered data and displays plaintext data.  With --reverse it
       takes as source plaintext data and produces enciphered data on-demand.  This can be useful for creating remote encrypted backups, where you do
       not wish to keep the local files unencrypted.

       For example, the following would create an encrypted view in /tmp/crypt-view.

           encfs --reverse /home/me /tmp/crypt-view

       You could then copy the /tmp/crypt-view directory in order to have a copy of the encrypted data.  You must also keep a copy of the file
       /home/me/.encfs5 which contains the filesystem information.  Together, the two can be used to reproduce the unencrypted data:

           ENCFS5_CONFIG=/home/me/.encfs5 encfs /tmp/crypt-view /tmp/plain-view

       Now /tmp/plain-view contains the same data as /home/me

       Note that --reverse mode only works with limited configuration options, so many settings may be disabled when used.

I have not tried it for syncing, but I think it would work as long as you use the same .encfs5 config folder at the other end.

Solution 2:

Now for how to do exactly what you specify:

What you're asking for is a read-only filesystem view that automatically encrypts any file that is read through it:

~/
    confidential/
        secret_file.txt      # Stored unencrypted
    .enc_confidential/       # Read-only view of files in confidential/
        secret_file.txt      # Encrypted view of corresponding file

The standard way to do this is to use FUSE (Filesystem in User-space).

For your use case, there already exists a FUSE filesystem that can do what you want, fuseflt. fuseflt gives a read-only view of a filesystem with arbitrary user-specified filters applied to each file that is read.

In your case, the filter you want is an encryption program like gpg.

See the documentation for how to write your config file. Basically, use flt_cmd = gpg --encrypt [... your chosen encryption settings] as the filter command.

Be careful; if you mess up your configuration it might expose plaintext data to your Internet service. I would recommend my other answer for general use.


Since you also need write support for syncing to work, it looks like you'll have to write your own FUSE filesystem. It probably won't be hard to modify the fuseflt sources to add write support; just fill in the write functions that aren't implemented. This would work the same way as the read support, calling a decryption filter instead of the encryption one.

For writing your FUSE filesystem, several tutorials are available. Also see the FUSE wiki for more documentation.

Once you do this, add your FUSE filesystem mount command to your .profile so that it mounts automatically on login.
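As an added example (not part of either answer), here is a small pre-sync audit for the caveat about a misconfigured filter exposing plaintext: it walks the plaintext tree and the view side by side and flags any file the sync tool would see in the clear, or that fails to round-trip through the decrypt filter. It assumes the view keeps the plaintext file names, as in the directory layout in Solution 2 (encfs --reverse with filename encryption would need a name mapping first); the XOR stand-in filter is constructed only so the demo runs without gpg and is not encryption.

```python
from __future__ import annotations
import tempfile
from pathlib import Path
from typing import Callable, Optional

Filter = Callable[[bytes], bytes]


def audit_view(plain_dir, view_dir, decrypt: Optional[Filter] = None) -> list[str]:
    """Return findings for every plaintext file; an empty list means the view is opaque."""
    findings = []
    plain_root, view_root = Path(plain_dir), Path(view_dir)
    for path in plain_root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(plain_root)
        view_file = view_root / rel            # assumes names are not encrypted
        if not view_file.is_file():
            findings.append(f"{rel}: missing from view")
            continue
        plain, view = path.read_bytes(), view_file.read_bytes()
        if view == plain:
            findings.append(f"{rel}: view is identical to plaintext")
        elif len(plain) >= 16 and plain in view:
            findings.append(f"{rel}: plaintext bytes visible in view")
        # Optional write-path check: the decrypt filter must restore the original.
        if decrypt is not None and decrypt(view) != plain:
            findings.append(f"{rel}: does not round-trip through decrypt filter")
    return findings


def _stand_in_filter(data: bytes) -> bytes:
    # Constructed stand-in for the real filter (gpg): a fixed XOR so the demo
    # runs offline. It is NOT encryption; it only exercises the audit.
    return bytes(b ^ 0x5A for b in data)


def demo() -> tuple[list[str], list[str]]:
    """Build a constructed plaintext tree, a filtered view and a misconfigured (identity) view."""
    files = {"secret_file.txt": b"customer list: alice, bob, carol\n",
             "notes/todo.txt": b"rotate the sync token next week\n"}
    with tempfile.TemporaryDirectory() as tmp:
        plain, good, bad = (Path(tmp) / n for n in ("confidential", "good_view", "bad_view"))
        for name, data in files.items():
            for base, flt in ((plain, bytes), (good, _stand_in_filter), (bad, bytes)):
                target = base / name
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(flt(data))
        return (audit_view(plain, good, decrypt=_stand_in_filter),
                audit_view(plain, bad, decrypt=_stand_in_filter))
```

Run the audit against the real view before the sync client is pointed at it, and again after any change to the filter configuration.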