encfs fails to load config .encfs5

make · 09-22-2008, 01:45 AM

I want to do encrypted backups to an FTP server with curlftpfs + encfs + rsync.

I mount an FTP server storage space with:

Code:

curlftpfs -o user=username:pw ftp://ftp.server.com/backup /mnt/ftp

Then I try to mount the folder with encfs:

Code:

cat $HOME/keyfile | encfs -v -S /mnt/ftp /mnt/encfs

I get this:

Code:

09:35:42 (main.cpp:642) Root directory: /mnt/ftp/
09:35:42 (main.cpp:643) Fuse arguments: (daemon) (threaded) (keyCheck) (useStdin) encfs /mnt/encfs -s -o use_ino -o default_permissions 
09:35:42 (FileUtils.cpp:185) Found config file /mnt/ftp/.encfs5, but failed to load
Creating new encrypted volume.

Why?? Why does it fail to load the config file .encfs5 and wants to create a new one? When I continue creating a new config, like it wants, the next time I try to mount the folder with encfs, it fails to load it again and wants to create a new config.

If I use encfs with local folders, there is no problem. Example:

Code:

encfs $HOME/encrypted $HOME/unencrypted

This causes no issues, I can umount and mount the folders again with encfs and it succeeds in loading its config file always. But it won't work with curlftpfs...

make · 09-22-2008, 01:56 AM

Well, I found the cause, but not a way to solve it. For some reason, curlftpfs denies the access to .encfs5 every second time or very randomly.

When I run cat /mnt/ftp/.encfs5, every second time the command succeeds and other times returns "Permission denied". This is from curlftpfs debug output:

Code:

LOOKUP /.encfs5
   NODEID: 7
   unique: 173, error: 0 (Success), outsize: 136
unique: 174, opcode: OPEN (14), nodeid: 7, insize: 48
   unique: 174, error: -13 (Permission denied), outsize: 16
unique: 175, opcode: LOOKUP (1), nodeid: 1, insize: 48
LOOKUP /.encfs5
   NODEID: 7
   unique: 175, error: 0 (Success), outsize: 136
unique: 176, opcode: OPEN (14), nodeid: 7, insize: 48
OPEN[134788520] flags: 0x8000
   unique: 176, error: 0 (Success), outsize: 32
unique: 177, opcode: READ (15), nodeid: 7, insize: 64
READ[134788520] 4096 bytes from 0
   READ[134788520] 239 bytes
   unique: 177, error: 0 (Success), outsize: 255
unique: 178, opcode: FLUSH (25), nodeid: 7, insize: 56
FLUSH[134788520]
   unique: 178, error: 0 (Success), outsize: 16
unique: 179, opcode: RELEASE (18), nodeid: 7, insize: 56
RELEASE[134788520] flags: 0x8000
   unique: 179, error: 0 (Success), outsize: 16

This behaviour has no sense at all. Any ideas?

My software versions:
libcurl4-7.18.0-1mdv2008.1
curlftpfs-0.9.1-2mdv2008.0
curl-7.18.0-1mdv2008.1
libcurl3-7.15.5-2.1mdv2007.0
encfs-1.3.1-1mdv2007.0
libencfs1-1.3.1-1mdv2007.0
fuse-2.5.3-3mdk
dkms-fuse-2.5.3-3mdk
libfuse2-devel-2.6.3-1mdv2007.1
libfuse2-2.6.3-1mdv2007.1

make · 09-22-2008, 02:36 AM

Well, I solved the actual problem with the following loop:

Code:

while ! cat /mnt/ftp/.encfs5 >/dev/null
do
        sleep 3
done
encfs /mnt/ftp /mnt/encfs

It tries to cat the file, until curlftpfs says no more "Permission denied". Then it mounts it with encfs.

However... there is another problem: I can't cat a keyfile to encfs to automate the backup with -S (like in my first post). Otherwise encfs returns "decode failed", claiming the password is incorrect, even though the configuration was created with the same keyfile to begin with!

So I have to enter the password manually, meaning I can't automate my backups...

Any solution?

make · 09-22-2008, 06:09 AM

As I dig further into this, more problems occur...

For some reason rsync can only create directories on the encfs filesystem, files are not copied at all. I can cp my files to there or use a synchronization utility I wrote with FreePascal years ago. These succeed in copying files, but rsync fails.

How is rsync writing the files differently? Any way to change it to behave like cp with copying?

deepsix · 01-08-2009, 03:46 PM

Ive had the same problem with moving an encrypted folder to another filesystem...I get the same exact error that you first stated...

Im wondering if it has something to do with how encfs encrypts the data on the filesystem...for instance on a filesystem a file named umpitysquat is acctually a hardlink to an inode on the filesystem itself...so maybe encfs is only encrypting the hardlink and when you move the hardlink to another filesystem the link is lost...

This would also mean that the data is not encrypted at the inode layer and could be recovered unencrypted with forensic tools...

I could be way off base here but just my theory....

deepsix · 01-08-2009, 04:09 PM

Quote:

Originally Posted by deepsix

Ive had the same problem with moving an encrypted folder to another filesystem...I get the same exact error that you first stated...

Im wondering if it has something to do with how encfs encrypts the data on the filesystem...for instance on a filesystem a file named umpitysquat is acctually a hardlink to an inode on the filesystem itself...so maybe encfs is only encrypting the hardlink and when you move the hardlink to another filesystem the link is lost...

This would also mean that the data is not encrypted at the inode layer and could be recovered unencrypted with forensic tools...

I could be way off base here but just my theory....

I doubt the true security of any encryption method that doesnt involve encrypting the filesystem itself..