Transparently uploading and accessing encrypted files and directories to a Cloud Service

Posted by tracyanne on Nov 28, 2009 9:46 AM EDT
LXer Linux News; By Tracy Anne Barlow


LXer Feature: 28-Nov-2009

The idea is to store one's files on a cloud service (Ubuntu One) so that they remain private, using encryption, but so that they can be transparently uploaded, downloaded and accessed as if they were unencrypted files.

In this example the cloud service is Ubuntu One.

Since the actual encryption and decryption are performed on the client computer (Linux), the choice of cloud service does not matter: the provider only ever sees ciphertext.

To do this I chose to use the FUSE filesystem encfs, which encrypts files and file names individually and stores the result in an ordinary directory that a sync client can upload like any other.

One of the things I discovered in my experimenting is that when you create an encfs filesystem it creates, inside the root folder, a hidden file ".encfs6.xml". This file resides in the root of the encrypted file system and is a plain text XML file. It does not hold the volume key in the clear: it contains the volume key encrypted under a key derived from your password, together with the salt and iteration count of that derivation and the cipher settings of the volume. Everything needed to unlock the volume except the password itself is therefore in that one file. This is great, as you can copy the encrypted folder, I'll call it "encrypted", anywhere you like and then access the files and folders contained in it by simply mounting the folder using encfs with something like

mkdir ~/viewer
encfs /home/<Your Home Directory>/encrypted /home/<Your Home Directory>/viewer

Supply the password, then add and remove files through the "viewer" mount; encfs writes the encrypted versions into the "encrypted" folder. Which means that if you drop the "encrypted" folder into the "Ubuntu One" folder, the "encrypted" folder and its contents, including ".encfs6.xml", are copied to the Ubuntu One cloud and become available to any other computer you choose to connect to your cloud directory. One can then simply use the steps above to access the files and directories in the "encrypted" folder.

The problem with this is that the wrapped key, the salt and the key-derivation settings are now available in the cloud environment as well. Whoever holds the ciphertext and ".encfs6.xml" has everything needed to verify password guesses offline at their leisure, so a weak password is then all that stands between the cloud owners and your files. That rather defeats the purpose of encrypting in the first place, namely to ensure that the cloud owners do not under any circumstances have access to your private files.

It turns out the solution to this problem was trivial. I simply removed the hidden file ".encfs6.xml" from the "encrypted" folder before adding it to the "Ubuntu One" folder. Without it the cloud holds only encrypted contents and encrypted file names; what still leaks is the number of files, their sizes and the shape of the directory tree, which is inherent to a file-by-file scheme like encfs. Of course, any other computer one chooses to use to access the contents of "encrypted" will no longer be able to mount the "viewer" folder, as encfs will not find the volume configuration, the wrapped key and salt no longer being available to it.

However, all one needs to do to make the contents available again is to copy the file ".encfs6.xml" to the other computer by some other means: email, instant messenger, a USB key, whatever you feel most comfortable with. Bear in mind that this file is exactly what an attacker needs to start guessing your password offline, so treat it as a secret; a USB key or an encrypted channel is a better choice than plain email or instant messaging.

So, this is how I ended up doing it.

Install encfs (as per http://ubuntuforums.org/showthread.php?t=148600)

sudo apt-get install encfs fuse-utils

sudo modprobe fuse

Add yourself to the fuse group. adduser takes the user name first and the group second; log out and back in afterwards for the new group membership to take effect.

sudo adduser <Your User Name> fuse

Or simply open Synaptic, search for encfs, select encfs, and install it. You will be added to the fuse user group automatically.

Create the encrypted root

mkdir ~/encrypted

Create the "viewer" directory

mkdir ~/viewer

Mount your encrypted directory for the first time, to set up the encryption strength and the password.

encfs /home/<Your Home Directory>/encrypted /home/<Your Home Directory>/viewer

Absolute paths are required.

You will be prompted with:

Creating new encrypted volume.
Please choose from one of the following options:
enter "x" for expert configuration mode,
enter "p" for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.

Choose your preferred encryption method and strength. Standard mode will look like the following:

Standard configuration selected.

Configuration finished. The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 2:2:1
Filename encoding: "nameio/block", version 3:0:1
Key Size: 192 bits
Block Size: 1024 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File holes passed through to ciphertext.

Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism. However, the password can be changed
later using encfsctl.

New Encfs Password:

Enter your preferred password, and again when prompted to confirm it.

You will now have an encrypted folder "encrypted" and a mounted folder "viewer". If you drop files and folders into "viewer", their encrypted counterparts appear in "encrypted" (with encrypted names and contents), but you will only be able to read them through the mounted folder "viewer".

To unmount "viewer" use

fusermount -u /home/<Your Home Directory>/viewer

Next you need to remove the hidden file ".encfs6.xml" from "encrypted" and keep it somewhere outside the synced tree, readable only by you (mode 600):

mv ~/encrypted/.encfs6.xml ~/.encfs6.xml

Should do it. Next create a symbolic link to ~/.encfs6.xml and place it in "encrypted". The link target must be an absolute path: a relative target of ".encfs6.xml" is resolved relative to the link's own directory, so the link would point at itself and encfs would fail to read it.

ln -s ~/.encfs6.xml ~/encrypted/.encfs6.xml

Does it for me. Check what your sync client does with symbolic links before relying on this: a client that follows links would upload the target and put the configuration straight back into the cloud. If that is the case, leave the link out altogether and instead tell encfs where the configuration lives through the ENCFS6_CONFIG environment variable, which names the configuration file to use in place of the one in the encrypted root.

Next copy or move the "encrypted" folder into the "Ubuntu One" folder. If you are currently connected to the cloud, the files and folders in the encrypted folder will be automatically uploaded to the cloud.

Provided you make a copy of the original ".encfs6.xml" file available on each of the computers you wish to connect to the cloud, and create a link to that file in the "encrypted" folder (or point the ENCFS6_CONFIG environment variable at it), you can mount a viewer on any of those computers with something like the following.

encfs "/home/<Your Home Directory>/Ubuntu One/encrypted" /home/<Your Home Directory>/viewer

and entering your password when prompted.

Where 'Ubuntu One' is the Ubuntu One cloud folder in your home directory. The quotes around "/home/<Your Home Directory>/Ubuntu One/encrypted" are required because of the space in the folder name.
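The whole procedure collected into one script, as an added example that is not the article's own code and not part of encfs: it moves ".encfs6.xml" out of the synced tree, refuses to mount while a copy or a link to it is still inside that tree, mounts with ENCFS6_CONFIG instead of a symlink, and shows what the configuration file would have revealed to the cloud. The sample ".encfs6.xml" written by write_sample_config is constructed for this example with dummy key and salt values; the function names, the subcommand interface and the ~/.encfs-private location are my own choices. Creating the volume is still done interactively as described above; mount_private needs encfs installed and absolute paths, the other functions need only a POSIX shell.

```shell
#!/bin/sh
# encfs-cloud.sh: keep .encfs6.xml out of the synced ciphertext tree.
# Added example, not from the article or from encfs. Function names, the
# subcommand names and the sample config are assumptions of this example;
# ENCFS6_CONFIG and the .encfs6.xml element names are encfs's own.

# Read one flat element (<keySize>192</keySize>) out of .encfs6.xml.
config_field() {
    sed -n "s:.*<$2>\(.*\)</$2>.*:\1:p" "$1" | head -n 1
}

# What the cloud learns if .encfs6.xml is synced: not the key itself, but the
# wrapped key, the salt and the KDF cost, i.e. everything needed to check
# password guesses offline against the stored volume.
summarize_config() {
    echo "key size       : $(config_field "$1" keySize) bits"
    echo "KDF iterations : $(config_field "$1" kdfIterations) (cost of one offline password guess)"
    echo "wrapped key    : $(config_field "$1" encodedKeySize) bytes, base64 in <encodedKeyData>"
    echo "salt           : $(config_field "$1" saltLen) bytes, base64 in <saltData>"
}

# Succeed only if no .encfs6.xml, regular file or symlink, is anywhere under
# the tree that will be synced. A symlink is flagged too: a sync client that
# follows links would upload the target and undo the whole exercise.
check_synced_root() {
    [ -d "$1" ] || return 2
    if find "$1" -name .encfs6.xml | grep -q .; then
        echo ".encfs6.xml (or a link to it) is inside $1" >&2
        return 1
    fi
    return 0
}

# Move the config out of the ciphertext root to an owner-only private file.
hide_encfs_config() {
    _root=$1; _dest=$2
    [ -f "$_root/.encfs6.xml" ] || { echo "no .encfs6.xml in $_root" >&2; return 1; }
    if [ -e "$_dest" ]; then echo "refusing to overwrite $_dest" >&2; return 1; fi
    mkdir -p "$(dirname "$_dest")" || return 1
    mv "$_root/.encfs6.xml" "$_dest" && chmod 600 "$_dest"
}

# Mount with the config handed to encfs via ENCFS6_CONFIG, so nothing has to
# be placed in the synced tree. Needs encfs; encfs wants absolute paths.
mount_private() {
    _root=$1; _cfg=$2; _mnt=$3
    [ -f "$_cfg" ] || { echo "config $_cfg not found" >&2; return 1; }
    check_synced_root "$_root" || return 1
    mkdir -p "$_mnt" || return 1
    ENCFS6_CONFIG=$_cfg encfs "$_root" "$_mnt"
}

# Constructed sample in the layout encfs 1.5+ writes (boost serialization);
# the key and salt data are dummies, not from a real volume.
write_sample_config() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE boost_serialization>
<boost_serialization signature="serialization::archive" version="5">
<cfg class_id="0" tracking_level="0" version="20">
    <version>20080816</version>
    <creator>EncFS 1.5.2</creator>
    <cipherAlg class_id="1" tracking_level="0" version="0">
        <name>ssl/aes</name>
        <major>2</major>
        <minor>2</minor>
    </cipherAlg>
    <nameAlg>
        <name>nameio/block</name>
        <major>3</major>
        <minor>0</minor>
    </nameAlg>
    <keySize>192</keySize>
    <blockSize>1024</blockSize>
    <uniqueIV>1</uniqueIV>
    <chainedNameIV>1</chainedNameIV>
    <allowHoles>1</allowHoles>
    <encodedKeySize>44</encodedKeySize>
    <encodedKeyData>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==</encodedKeyData>
    <saltLen>20</saltLen>
    <saltData>AAAAAAAAAAAAAAAAAAAAAAAAAAA=</saltData>
    <kdfIterations>123456</kdfIterations>
    <desiredKDFDuration>500</desiredKDFDuration>
</cfg>
</boost_serialization>
EOF
}

# Subcommands: hide ROOT DEST | check ROOT | mount ROOT CONFIG MOUNTPOINT | inspect CONFIG
case "${1:-}" in
    hide)    hide_encfs_config "$2" "$3" ;;
    check)   check_synced_root "$2" ;;
    mount)   mount_private "$2" "$3" "$4" ;;
    inspect) summarize_config "$2" ;;
    *)       : ;;   # no subcommand: only define the functions (e.g. when sourced)
esac
```

Typical use after the interactive first mount and unmount described above: `sh encfs-cloud.sh hide ~/encrypted ~/.encfs-private/encfs6.xml`, move "encrypted" into the Ubuntu One folder, then `sh encfs-cloud.sh mount "$HOME/Ubuntu One/encrypted" ~/.encfs-private/encfs6.xml "$HOME/viewer"` on any computer that has received the private config file. The check runs before every mount, so a stray copy or symlink of the configuration inside the synced tree is caught before the sync client can upload it.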

tracyanne
