Transparently uploading and accessing encrypted files and directories to a Cloud Service

Posted by tracyanne on Nov 28, 2009 9:46 AM
LXer Linux News; By Tracy Anne Barlow


LXer Feature: 28-Nov-2009

The idea is to store one's files on a cloud (Ubuntu One) in encrypted form, so that they remain private, while still being able to upload, download and access them transparently, as if they were unencrypted files.

The cloud service in this example is Ubuntu One.

Since the actual encryption and retrieval are performed on the client computer (Linux), the cloud doesn't matter.

This example uses encfs.


To do this I chose to use the FUSE filesystem encfs.

One of the things I discovered in my experimenting is that when you create an encfs filesystem, it creates a hidden file, ".encfs6.xml", inside the root folder. This file resides in the root of the encrypted filesystem and is a plain-text XML file; it contains the encryption key and the salt value. This is great, as you can copy the encrypted folder (I'll call it "encrypted") anywhere you like and then access the files and folders contained in it by simply mounting the folder using encfs with something like

mkdir ~/viewer
encfs /home/<Your Home Directory>/encrypted /home/<Your Home Directory>/viewer

Supply the password, then add/remove files from the "encrypted" folder. This means that if you drop the "encrypted" folder into the "Ubuntu One" folder, the "encrypted" folder and its contents, including ".encfs6.xml", are copied to the Ubuntu One cloud and become available to any other computer you choose to connect to your cloud directory. One can then simply use the steps above to access the files and directories in the "encrypted" folder.

The problem with this is that the encryption key and the salt value are available in the cloud environment, which rather defeats the purpose of encrypting in the first place, namely to ensure that the cloud owners do not under any circumstances have access to your private files.

It turns out the solution to this problem was trivial. I simply removed the hidden file ".encfs6.xml" from the "encrypted" folder before adding it to the "Ubuntu One" folder. Of course, any other computers one chooses to use to access the contents of the "encrypted" folder will no longer be able to mount the "viewer" folder, as they will no longer be able to authenticate, the necessary encryption key and salt no longer being available.

However, all one needs to do to make the contents available again is to copy the file ".encfs6.xml" to the other computer by some other means: email, instant messenger, USB key, whatever you feel most comfortable with.

So, this is how I ended up doing it.

Install encfs (as per http://ubuntuforums.org/showthread.php?t=148600)

sudo apt-get install encfs fuse-utils

sudo modprobe fuse

Add yourself to the fuse group.

sudo adduser <Your User Name> fuse

Or simply open Synaptic, search for encfs, select encfs, and install it. You will be added to the fuse user group automatically.

Create the encrypted root

mkdir ~/encrypted

Create the "viewer" directory

mkdir ~/viewer

Mount your encrypted directory for the first time, to set up the encryption strength and the password.

encfs /home/<Your Home Directory>/encrypted /home/<Your Home Directory>/viewer

Absolute paths are required.

You will be prompted with:

Creating new encrypted volume.
Please choose from one of the following options:
enter "x" for expert configuration mode,
enter "p" for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.

Choose your preferred encryption method and strength. Standard mode will look like the following:

Standard configuration selected.

Configuration finished. The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 2:2:1
Filename encoding: "nameio/block", version 3:0:1
Key Size: 192 bits
Block Size: 1024 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File holes passed through to ciphertext.

Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism. However, the password can be changed
later using encfsctl.

New Encfs Password:

Enter your preferred password, and enter it a second time when prompted.

You will now have an encrypted folder "encrypted" and a mounted folder "viewer". If you drop files and folders into "viewer" you can see them in "encrypted", but will only be able to access them through the mounted folder "viewer".

To unmount "viewer" use

fusermount -u /home/<Your Home Directory>/viewer

Next you need to remove the hidden file ".encfs6.xml" from "encrypted"

mv ~/encrypted/.encfs6.xml ~/.encfs6.xml

Should do it. Next create a symbolic link to ~/.encfs6.xml and place it in "encrypted"

ln -s ~/.encfs6.xml ~/encrypted/.encfs6.xml

Does it for me.

Next copy or move the "encrypted" folder into the "Ubuntu One" folder. If you are currently connected to the cloud, the files and folders in the encrypted folder will be automatically uploaded to the cloud.

Provided you make a copy of the original ".encfs6.xml" file available on the computers you wish to connect to the cloud, and you create a link to that file in the "encrypted" folder, you can mount a viewer on any of those computers with something like the following.

encfs "/home/<Your Home Directory>/Ubuntu One/encrypted" /home/<Your Home Directory>/viewer

and entering your password when prompted.

Here "Ubuntu One" is the Ubuntu One cloud folder in your home directory; the quotes around "/home/<Your Home Directory>/Ubuntu One/encrypted" are required because the folder name contains a space.

tracyanne
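
The procedure above only protects the files if no readable copy of ".encfs6.xml" ends up inside the synced folder. The following check is an added example, not part of the original article; the function name `audit_sync_dir` and its output labels are assumptions made for illustration. It reports any config file a sync client would upload and flags links that do not resolve.

```shell
#!/bin/sh
# Added example: report encfs config files that a sync client would upload
# from a synced folder. Status: 0 = none exposed, 1 = exposed, 2 = bad input.
audit_sync_dir() {
    root=$(cd "$1" 2>/dev/null && pwd -P) || { echo "ERROR not a directory: $1"; return 2; }
    list=$(mktemp) || return 2
    exposed=0
    # find does not follow symlinks, so links are listed as links (-type l).
    find "$root" -name .encfs6.xml \( -type f -o -type l \) > "$list"
    while IFS= read -r path; do
        if [ ! -L "$path" ]; then
            # A regular file here is uploaded together with the ciphertext.
            echo "EXPOSED $path"
            exposed=1
        elif ! target=$(readlink -f "$path" 2>/dev/null) || [ ! -f "$target" ]; then
            # Dangling or self-referencing link: encfs cannot read its config.
            echo "BROKEN $path"
        else
            case $target in
                "$root"/*) echo "EXPOSED $path -> $target"; exposed=1 ;;
                *) echo "LINK $path -> $target (confirm the sync client skips symlinks)" ;;
            esac
        fi
    done < "$list"
    rm -f "$list"
    return "$exposed"
}

# Stand-alone use: sh audit.sh "/home/<Your Home Directory>/Ubuntu One"
if [ "$#" -gt 0 ]; then
    audit_sync_dir "$1"
fi
```

A link created with a relative target from another directory points at itself and is reported as BROKEN. encfs can also read its config from the path given in the ENCFS6_CONFIG environment variable, which avoids placing any link inside the synced folder.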
