
Thursday, December 27, 2012

Encrypting folders in OS X

encfs is a user-level file system that provides strong, per-file encryption, and which works with FUSE to mount an encrypted folder as if it were a separate drive. The result is an easy-to-use space for sensitive data that does not require a monolithic disk image which has to be backed up in its entirety every time it is touched: each file in the underlying folder is encrypted separately, so a backup or sync tool only has to copy the files that actually changed. I've been using an encrypted disk image for this for a few years now, and the load on Time Machine or, in my case, CrashPlan, is pretty high. This approach also lets you create an encrypted space inside Dropbox or another cloud storage system.

First, some caveats. If you do this and lose your password, you lose access to the encrypted files. Period. No ifs, ands, or buts. I strongly suggest that you also make an unencrypted copy of these files on a DVD or external drive that you can physically secure, and that you do so on a regular basis. Finally, I can't really say whether doing this is better or worse than other approaches, but it seems to be a good idea to me.

Installation

There are a few sites on the internet that have versions of FUSE for OS X, but my favorite is OSXFUSE on GitHub. This fork is actively being updated, unlike MacFUSE, and has a MacFUSE compatibility layer. Get both FUSE and sshfs from there. We're not talking about sshfs now, but it's a handy thing to have: it lets you mount any system you can reach over ssh as a local drive. Install the osxfuse package; it provides the hooks for user-level file systems and is a simple package install. An alternative FUSE for OS X is fuse4X, but I haven't tried that one; see http://fuse4x.github.com

To get encfs, one possibility is to install BoxCryptor. It's a nice wrapper, and if you want a decent GUI for this it's a decent option. Also, a hat tip to them for putting up information on how to do this; it was very helpful. You could also build the source found at http://www.arg0.net/encfs, and there are packages for it in Homebrew, DarwinPorts, and Fink (although the latter is not at the current version). I just took the easy way out and used BoxCryptor. If you use BoxCryptor, do make sure to do a custom install and uncheck the OSXFUSE option, since the copy on the OSXFUSE project page is newer than the one bundled with the BoxCryptor installer.

When you run BoxCryptor, it will lead you through creating one encrypted folder; I went ahead and put that into Dropbox. When you do the install on a second machine with Dropbox, it will find that folder: just click on the BoxCryptor.bc folder and it will prompt you for a password, and that folder will mount in the sidebar. Put stuff in and it gets encrypted on the fly; unmount the folder when you're done.

But you can also use the command line to make other encrypted folders, for example:

mkdir ~/Crypt
encfs /Users/hays/Crypt.raw /Users/hays/Crypt

will create an encrypted folder, Crypt.raw, that can be mounted at ~/Crypt as a FUSE drive (encfs offers to create Crypt.raw if it doesn't exist yet, and on the first run it asks you to pick a configuration mode and a password). In a shell, that folder will be ~/Crypt, but in Finder it will appear as OSXFUSE volume 0 (encfs) in that same location. If you drag that folder to the Finder's sidebar, it will reappear there each time you mount the encrypted volume.

You may find this a little confusing at first. The key thing to remember is that any files you place directly in the Crypt.raw folder will not be encrypted; encryption happens when you put files and folders into the mounted FUSE volume (~/Crypt), and the resulting ciphertext is what gets stored in Crypt.raw. Crypt.raw is therefore the folder to back up or put in Dropbox; the mount point only has contents while the volume is mounted.

Going the command-line route is also a bit more secure than BoxCryptor's free version, in that file and folder names are encrypted as well as the contents. To mount the file system again later, with an automatic unmount after 20 idle minutes (that is what -i does):

encfs -i 20 /Users/hays/Crypt.raw /Users/hays/Crypt

You'll be prompted for a password, et voilà!
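Here is the same create, mount, write, unmount sequence as a small shell script, with the one check the Crypt.raw confusion above invites: confirming that what actually landed in Crypt.raw is ciphertext. This is an added example, not code from the original post or from the encfs project. It uses $HOME/Crypt.raw and $HOME/Crypt (the post's /Users/hays paths); the marker string, the verify_no_plaintext check and the "demo" argument are this example's own choices, and the end-to-end demo runs only when asked, because it needs encfs and OSXFUSE installed and prompts for the password.

```shell
#!/bin/sh
# Added example, not from the original post or the encfs project.
# Wraps the create/mount/unmount steps above and adds a check that the
# file you wrote shows up *encrypted* in Crypt.raw rather than in the clear.
# Paths follow the post ($HOME is /Users/hays there); the marker string and
# the "demo" argument are this example's own choices.
set -eu

# Create the raw and mount directories if needed and mount RAW on MNT.
# On first use encfs asks for a configuration mode and a password;
# -i IDLE unmounts after IDLE idle minutes (the post uses 20).
encfs_mount() {
    raw=$1; mnt=$2; idle=${3:-20}
    mkdir -p "$raw" "$mnt"
    encfs -i "$idle" "$raw" "$mnt"
}

# Unmount so the last writes are flushed into RAW before Dropbox or a
# backup tool picks them up. OS X uses umount; Linux FUSE uses fusermount.
encfs_unmount() {
    mnt=$1
    if command -v fusermount >/dev/null 2>&1; then
        fusermount -u "$mnt"
    else
        umount "$mnt"
    fi
}

# Return 0 only if nothing under RAW leaks plaintext: no file carrying the
# cleartext NAME, and no file containing MARKER.
# .encfs6.xml is skipped: it is the volume config that encfs keeps in RAW.
# It holds the password-wrapped volume key, so putting RAW in Dropbox syncs
# it too; set ENCFS6_CONFIG to keep the config elsewhere if that matters.
verify_no_plaintext() {
    raw=$1; name=$2; marker=$3
    # A file with the cleartext name was dropped into RAW directly,
    # bypassing the FUSE mount.
    if [ -n "$(find "$raw" -type f -name "$name" -print)" ]; then
        echo "LEAK: plaintext filename '$name' present under $raw" >&2
        return 1
    fi
    # grep -a scans ciphertext as text, -F takes MARKER literally,
    # -l prints the names of files that contain it.
    if find "$raw" -type f ! -name '.encfs6.xml' \
            -exec grep -aFl -- "$marker" {} \; | grep -q .; then
        echo "LEAK: marker '$marker' readable in the clear under $raw" >&2
        return 1
    fi
    return 0
}

# End-to-end run (needs encfs and FUSE installed; prompts for the password).
demo() {
    raw=$HOME/Crypt.raw; mnt=$HOME/Crypt
    encfs_mount "$raw" "$mnt" 20
    printf 'CONSTRUCTED-SECRET %s\n' "$(date)" > "$mnt/notes.txt"
    ls -la "$raw"          # encrypted file names, no notes.txt in sight
    encfs_unmount "$mnt"
    verify_no_plaintext "$raw" notes.txt CONSTRUCTED-SECRET \
        && echo "Crypt.raw holds only ciphertext"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh encfs-demo.sh demo` once OSXFUSE and encfs are in place. The verify step is the part worth keeping around: after a sync tool or a colleague has been near Crypt.raw, a quick `verify_no_plaintext ~/Crypt.raw notes.txt CONSTRUCTED-SECRET` tells you whether something was dropped into the raw folder instead of the mounted one.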

Again, I want to stress that it is important to keep backups of whatever data you encrypt in this manner; last spring I spent about an hour in a cold sweat trying to remember my password for an encrypted disk image that contained my tax data.

Posted by bil at 11:29 AM
Edited on: Thursday, December 27, 2012 11:46 AM
Categories: Other Software