EncFS

EncFS provides an encrypted filesystem in user-space. It runs without any special permissions and uses the FUSE library and Linux kernel module to provide the filesystem interface.

It works on individual files rather than on an entire block device, and it allows you to change the passphrase later. You can use any standard filesystem you like underneath it; you don't have to change your partitions or filesystems.

This text describes an easy method to encrypt your home directory using EncFS. You may also use any other directory, e.g. you can encrypt your files on a fileserver, mount it via NFS on your client machine and decrypt it there. You will end up with a directory holding your encrypted data and a mountpoint where that data can be accessed unencrypted until you unmount it.

Preparing your system
Let's assume you are user john with home directory using bash as your shell and a console login.

Log in as root and emerge the packages needed for encfs and for secure deletion of the still unencrypted data:

If fuse refuses to build because "your kernel is too new", goto, type

and check for the following setting:

If it isn't enabled, change to  or <*>, save and enter

Finally, load the FUSE kernel module

Your system is now ready for encfs.

Move your unencrypted data through encfs
Create a directory where the encrypted data will be stored and a temporary mount point for it. I personally use for my encrypted files (I don't want to see the encrypted directory), but to avoid confusion I will use john-crypt here so you know which directory contains what. Change the names to whatever you like.

Log in as user john, create a new encrypted directory in and mount it to :

You will be asked to choose between expert mode (x) and the predefined paranoia mode (p). p should be enough for now (but if you want to define how encfs really works, use x and read the encfs documentation and the Wikipedia article about encfs). Then you will be asked for the password/passphrase. Use a safe and long passphrase. The good news is that you can change the password later with encfsctl if you want to. Other cryptosystems don't offer the possibility to change the password.

Copy all files from your unencrypted home directory to the new encrypted directory and securely delete the remaining unencrypted files. This may take some time; secure deletion is I/O intensive.

Now unmount the crypted directory.

Log in as root and remove the temporary mount point.
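
The migration steps above (create the directories, mount, copy, securely delete, unmount) as an added shell script; it is not part of the original article. It assumes the article's names, /home/john as the plaintext home and /home/john-crypt for the ciphertext, plus /home/john-tmp as an assumed name for the temporary mount point. What it adds is the verify_copy check: the copy inside the EncFS mount is compared file by file against the original before anything is shredded, because shred cannot be undone.

```shell
#!/bin/sh
# Added example, not from the original article. Paths are assumptions:
# PLAIN is the unencrypted home, CRYPT the ciphertext directory, MNT the
# temporary mount point through which the ciphertext is written.
PLAIN="${PLAIN:-/home/john}"
CRYPT="${CRYPT:-/home/john-crypt}"
MNT="${MNT:-/home/john-tmp}"

# tree_digest DIR: sorted "sha256  ./relative/path" lines for every regular
# file under DIR. Paths are made relative so that two trees can be compared.
tree_digest() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum )
}

# verify_copy SRC DST: succeeds only when both trees contain the same files
# with the same content. Nothing may be shredded until this passes.
verify_copy() {
    [ "$(tree_digest "$1")" = "$(tree_digest "$2")" ]
}

# migrate_home: the article's procedure with the verification step added.
migrate_home() {
    [ "$(id -u)" -ne 0 ] || { echo "run this as john, not as root" >&2; return 1; }
    command -v encfs >/dev/null 2>&1 || { echo "encfs is not installed" >&2; return 1; }
    mkdir -p "$CRYPT" "$MNT" || return 1
    encfs "$CRYPT" "$MNT" || return 1       # prompts for mode (p/x) and passphrase
    cp -a "$PLAIN/." "$MNT/" || return 1     # -a keeps owner, mode and timestamps
    if ! verify_copy "$PLAIN" "$MNT"; then
        echo "copy does not match the original: nothing was deleted" >&2
        fusermount -u "$MNT"
        return 1
    fi
    # Overwrite and remove the plaintext regular files, then the empty directories.
    find "$PLAIN" -type f -exec shred -u {} +
    find "$PLAIN" -mindepth 1 -depth -type d -exec rmdir {} +
    fusermount -u "$MNT"                     # the FUSE way to unmount an encfs volume
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    migrate_home
fi
```

Run it as john with --run. Two caveats that the script cannot remove: shred only overwrites a file in place, so on journaling or copy-on-write filesystems older copies of the data may survive elsewhere on the disk; and only regular files are shredded, so symlinks or sockets left in the old home are removed by rmdir failing loudly rather than silently.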

Some optional comfort
Be aware that nobody, not even root, and especially not daemons like samba or NFS, can access your data in your mountpoint, because FUSE by default only lets the mounting user into the mount. All they see are files named ??????. If you want to change this, you must use the encfs switch --public and mount your directory as root!

In this case you cannot do the following optional steps, because they require mounting the encrypted data as john:

If you want your home unmounted after logout, append this line to the file (create it if it does not exist).

If you want to be prompted for the encfs passphrase after login, log in as john and create .bash_profile in
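
For the .bash_profile and .bash_logout steps above, an added example (not from the original article) of two functions those files could call. It assumes /home/john-crypt holds the ciphertext and /home/john is the mount point, and that the login shell is bash or another POSIX sh. The check it adds is encfs_is_mounted, which reads the mount table so that a second login does not try to mount on top of an existing mount and a logout only unmounts when no other session of the same user is still open.

```shell
#!/bin/sh
# Added example, not from the original article. Paths are assumptions.
CRYPT="${CRYPT:-/home/john-crypt}"
MNT="${MNT:-/home/john}"

# encfs_is_mounted MOUNTPOINT [MOUNTS_FILE]
# True when a FUSE filesystem (encfs shows up as type fuse.encfs) is mounted
# on MOUNTPOINT. The mount table defaults to /proc/mounts; a file can be
# passed instead so the function can be exercised without a real mount.
encfs_is_mounted() {
    mp="$1"; table="${2:-/proc/mounts}"
    awk -v mp="$mp" '
        $2 == mp && index($3, "fuse") == 1 { found = 1 }
        END { exit !found }
    ' "$table"
}

# For ~/.bash_profile: mount once per session; an already mounted home is
# left alone so the user is not asked for the passphrase a second time.
mount_home() {
    if encfs_is_mounted "$MNT"; then
        return 0
    fi
    encfs "$CRYPT" "$MNT"
}

# For ~/.bash_logout: unmount only when this is the user's last session,
# otherwise the other sessions would lose access to their files.
umount_home() {
    encfs_is_mounted "$MNT" || return 0
    sessions=$(who | awk -v u="$(id -un)" '$1 == u' | wc -l)
    if [ "$sessions" -gt 1 ]; then
        return 0
    fi
    fusermount -u "$MNT"
}
```

In .bash_profile the call is simply mount_home, in .bash_logout it is umount_home; both files live on the underlying filesystem, not inside the encrypted volume, because they have to be readable before the volume is mounted.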

Alternatively, using the pam_mount package you can have the encfs volume mounted automatically at login. Install pam_mount first if you haven't done so already:

Then edit accordingly. This only works if your login and encfs passwords match.

You must also make sure that the pam_mount.so module is loaded, otherwise pam_mount.conf will not be parsed:

When logging in using, an error message appears because the file is created before the home directory is mounted. To create the file in instead, edit:

Backups
You can back up your data in any form you like, and you now have the additional and preferable option of backing up your encrypted folder instead of your unencrypted folder/mountpoint -- why encrypt all data if the one-hour-old backup isn't? ;-) The only thing you have to remember is your passphrase, or your current and backed-up data is toast ;-)