Transparently uploading and accessing encrypted files and directories to a Cloud Service
Transparently uploading and accessing encrypted files and directories to a Cloud Service.
In this example Ubuntu One.
Since the actual encryption process and retrieval is performed on the client computer (Linux) the cloud doesn't matter.
This example uses encfs.
The idea is to store ones files on a cloud (Ubuntu One), so that they remain private, using encryption, but so that they can be transparently uploaded and downloaded and accessed, as if they are unencrypted files.
To do this I chose to use the FUSE filesystem encfs.
One of the things I discovered in my experimenting is that when you create an encfs filesystem it creates, inside the root folder a hidden file ".encfs6.xml". This file resides inside the root of the encrypted files system, nad is a plain text xml file, it contains the encryption key and the salt value. This is great as you can copy the encrypted folder, I'll called it "encrypted" anywhere you like and then access the files and folders contained in it by simply mounting the folder using encfs with something like
Supply the password then add/remove files from the "encryptd" folder. Which meamns that if you drop the "encrypted" folder into the "Ubuntu One" folder, the "encrypted' and its contents, including ".encfs6.xml" are copied to the Ubuntu One cloud, and become available to any other computer you choose to connect to your cloud directory. One can then simply use the steps above to access the files and directories in the 'encrypted' folder.
The problem with this is that the encryption key and the salt value are available in the cloud environment, which rather defeats the purpose of encrypting in the first place, namely to ensure that the cloud owners do not under any circumstances have access to your private files.
It turns out, the solution to this problem was trivial. I simply removed the hidden file ".encfs6.xml" from the "encrypted" folder, before adding it to the "Ubuntu One" folder. Of course, any other computers one chooses to use to access the contents of the "encrypted" will no longer be able to mount the "viewer" folder, as they will no longer be able to authenticate, the necessary encryption Key and salt, no longer being available.
However all one needs to do to make the contents available again is to copy the file ".encfs6.xml" to the other computer by some other means, email, instant messanger, USB key, what ever you feel most comfortable with.
So, this is how I ended up doing it.
Install encfs (as per http://ubuntuforums.org/showthread.php?t=148600)
sudo apt-get install encfs fuse-utils
sudo modprobe fuse
Add yourself to the fuse group.
sudo adduser fuse
Or simply open Synaptic, search for encfs, select encfs, and install it. You will be added to the fuse user group automatically.
Create the encrypted root
Create the "viewer" directory
Mount your encrypted directory for the first time, to set up the encryption strength and the password.
encfs /home/<Your Home Directory>/encrypted /home/<Your Home Directory>/viewer
absolute paths are required.
you will be prompted with
Creating new encrypted volume.
Choose your prefered encrytion method and strength. Standard mode will look like the following
Standard configuration selected.
Configuration finished. The filesystem to be created has
Now you will need to enter a password for your filesystem.
New Encfs Password:
Enter your prefered password, and a second time when prompted.
You will now have an encrypted folder "encrypted" and a mounted folder "viewer". If you drop files and folders into "viewer" you can see them in "encrypted", but will only be able to access them through the mounted folder "viewer".
To unmount "viewer" use
fusermount -u /home/<Your Home Directory>/viewer
Next you need to remove the hidden file ".encfs6.xml" from "encrypted"
mv ~/encrypted/.encfs6.xml ~/.encfs6.xml
Should do it. Next create a symbolic link to ~/.encfs6.xml an place it in "encrypted"
ln -s .encfs6.xml ~/encrypted/.encfs6.xml
Does it for me.
Next copy ot move the "encrypted" folder into the "Ubuntu One" folder. If you are currently connected to the cloud, the files and folders in the encrypted folder will be automatically uploaded to the Cloud.
Provided you make a copy of the original ".encfs6.xml" file available on on the computers you wish to connect to the cloud, and, and you create a link to that file in the "encrypted" folder, you can mount a viewer on any of those computers with something like the following.
encfs "/home/<Your Home Directory>/Ubuntu One/encrypted" /home/<Your Home Directory>/viewer
and entering your password when prompted.
Where 'Ubuntu One' is the Ubuntu One cloud folder in your home directory, the quotes around "/home/<Your Home Directory>/Ubuntu One/encrypted" are required.
|Subject||Topic Starter||Replies||Views||Last Post|
|The cloud keeper||nmset||3||1,139||Jan 4, 2010 11:59 PM|
|Not exactly||macemoneta||15||1,590||Dec 1, 2009 1:00 PM|
You cannot post until you login.