I am trying to get Encfs working on Ubuntu 10.10 with only partial success. I am using the Ubuntu package which is version 1.6.1. I am also trying to build 1.7.4 source on Ubuntu 10.10 which is failing.
First the problem with the Ubuntu package, which I realize may be fixed in 1.7.4.
I am mounting a clear directory with the --reverse option to have an encrypted view of this data. This so far works, although I do not know if it really works correctly. I used rsync to copy all the encrypted data to a third directory outside of this first mounting. Then I do a second mounting (without --reverse) using that copy as the source, to make a mountpoint with a clear view of the copied encrypted files. This fails as no files show up at all.
I am doing it this way because my intended first use for Encfs is to copy an encrypted view of a local physically secured backup directory containing clear data to another remote machine where sometimes it is not physically secure. Transfer is by ssh over rsync, but that is not sufficient security for the remote machine. So the role of Encfs is to be sure the data is never in a clear state on that machine when the machine is not attended. This location is the home of the owner of the company who is not always at home. The machine is, in theory, at risk for theft when no one is at home (this is the risk we want to address). The owner will personally have the Encfs password, and may need access to some of these files. So it would be treated as an encrypted store and Encfs would be used to view it in the clear by manually mounting it that way (e.g. not with --reverse).
I am doing the test entirely on my desktop at the moment, as described above. I am using a script to carry out the entire setup of my tests, so it is fully reproducible, and that configuration can be incrementally changed as desired. I have a suspicion that certain messages resulting from the setup may indicate the problem. This is from the first mount with --reverse:
Code:
```text
Creating new encrypted volume.
Standard configuration selected.
--reverse specified, not using unique/chained IV
Configuration finished. The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 2:2:1
Filename encoding: "nameio/block", version 3:0:1
Key Size: 192 bits
Block Size: 1024 bytes
File holes passed through to ciphertext.
Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism. However, the password can be changed
later using encfsctl.
```
Then after copying the encrypted view to another directory and mounting that copy
without --reverse:
Code:
```text
Creating new encrypted volume.
Standard configuration selected.
Configuration finished. The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 2:2:1
Filename encoding: "nameio/block", version 3:0:1
Key Size: 192 bits
Block Size: 1024 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File holes passed through to ciphertext.
Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism. However, the password can be changed
later using encfsctl.
```
So is it the case that there is a difference in how the file tree is encrypted, especially the naming scheme, depending on whether --reverse is used or not? Are they supposed to be compatible, or incompatible? Is there an option to make them work the same?
Now ... on to the source issue for 1.7.4. I downloaded the source for 1.7.4 and ran ./configure. It gets the following error:
Code:
```text
...
checking for joinable pthread attribute... PTHREAD_CREATE_JOINABLE
checking if more special flags are required for pthreads... no
checking for cc_r... gcc
checking for boostlib >= 1.34... configure: error: We could not detect the boost libraries (version 1.34 or higher). If you have a staged boost library (still not installed) please specify $BOOST_ROOT in your environment and do not give a PATH to --with-boost option. If you are sure you have boost installed, then check your version number looking in <boost/version.hpp>. See http://randspringer.de/boost for more documentation.
```
This Ubuntu 10.10 system has the following installed:
Code:
```text
lorentz/root /root 1391# dpkg -l | fgrep boost
ii libboost-filesystem1.42.0 1.42.0-3ubuntu1 filesystem operations (portable paths, iteration over directories, etc) in C++
ii libboost-iostreams1.42.0 1.42.0-3ubuntu1 Boost.Iostreams Library
ii libboost-program-options1.42.0 1.42.0-3ubuntu1 program options library for C++
ii libboost-regex1.42.0 1.42.0-3ubuntu1 regular expression library for C++
ii libboost-serialization1.42.0 1.42.0-3ubuntu1 serialization library for C++
ii libboost-system1.42.0 1.42.0-3ubuntu1 Operating system (e.g. diagnostics support) library
lorentz/root /root 1392#
```
It appears the version is suitable since it is greater than 1.34. Has Ubuntu mangled it so the path cannot be found? Any suggestion on how to tell ./configure where this is (and which path should be used)?
Would it be better to switch all this to Slackware?
Here is the script I am doing the test with:
Code:
```bash
#!/bin/bash
pass="OhF00barz"
cwd=$( exec pwd )
[[ -n "${workdir}" ]] || workdir="test-encfs"
[[ -d "${workdir}" ]] || mkdir "${workdir}" || exit
workdir=$( cd "${workdir}" && exec pwd ) || exit 1
dir1="${workdir}/cleardata"
dir2="${workdir}/cryptview"
dir3="${workdir}/cryptcopy"
dir4="${workdir}/clearview"
# log the command being run, time it, and pass its exit status through
cmd() {
    echo "EXECUTING:" "$@" 1>&2
    time "$@"
    return $?
}
# if being called for password (via --extpass), output it and exit
if [[ -n "${OUTPUT_ENCFS_PASSWORD}" ]] ; then
    echo "${pass}"
    exit 0
fi
# set this to recursively run the password output
# it is just a flag and does not contain the password
export OUTPUT_ENCFS_PASSWORD=1
# be sure the source directory exists
[[ -n "${1}" ]] || { echo "No source directory specified" ; exit 1 ; }
[[ -e "${1}" ]] || { echo "Source directory '${1}' does not exist" ; exit 1 ; }
[[ -d "${1}" ]] || { echo "Source directory '${1}' is not a directory" ; exit 1 ; }
[[ -r "${1}" ]] || { echo "Source directory '${1}' is not readable" ; exit 1 ; }
[[ -x "${1}" ]] || { echo "Source directory '${1}' is not accessible" ; exit 1 ; }
# which version is this?
cmd encfs --version
sleep 1
# be sure these are not mounted
cmd fusermount -u "${dir2}"
sync
sleep 1
cmd fusermount -u "${dir4}"
sync
sleep 1
# be sure these are not existing YET
cmd rm -fr "${dir1}" "${dir2}" "${dir3}" "${dir4}"
sync
sleep 1
# populate the clear data tree
cmd rsync -aHSW --temp-dir="${cwd}" "${1}/." "${dir1}" || exit 1
sync
sleep 1
# make the mount point for the encrypted view
cmd mkdir "${dir2}" || exit 1
sync
sleep 1
# mount the encrypted view
cmd encfs --standard --extpass="${0}" --reverse "${dir1}" "${dir2}" || exit 1
sync
sleep 1
# replicate the encrypted view
cmd rsync -aHSW --temp-dir="${cwd}" "${dir2}/." "${dir3}" || exit 1
sync
sleep 1
# make the mount point for the clear view
cmd mkdir "${dir4}" || exit 1
sync
sleep 1
# mount the clear view of the encrypted copy
cmd encfs --standard --extpass="${0}" "${dir3}" "${dir4}" || exit 1
sync
sleep 1
# see what we end up with
echo =============================================================================
egrep "${dir1}|${dir2}|${dir3}|${dir4}" /proc/mounts
echo =============================================================================
for d in "${dir1}" "${dir2}" "${dir3}" "${dir4}" ; do
    ( ls -dl "${d}"/.encfs[5-9].xml ) 2>/dev/null
    echo -n "total number of files in '${d}' is: "
    find "${d}" -mindepth 1 -print | wc -l
done
echo =============================================================================
# if noclean requested, we are done
[[ -z "${noclean}" ]] || exit 0
# clean up
cmd fusermount -u "${dir2}"
sync
sleep 1
cmd fusermount -u "${dir4}"
sync
sleep 1
cmd rm -fr "${dir1}" "${dir2}" "${dir3}" "${dir4}"
sync
sleep 1
```
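Added example, not part of the original post: a few sanity checks a test script like the one above could run around the two mounts. The sample transcripts are constructed from the two "Configuration finished" outputs quoted in the post; the checks flag a transcript in which encfs reports creating a new volume (i.e. it did not open an existing one), compare the property lines of two transcripts, and test a directory for the `.encfs[5-9].xml` config file the script itself looks for.

```shell
#!/bin/sh
# Added example (not the original poster's script). Constructed sample input:
# the two encfs setup transcripts quoted in the post, trimmed to the key lines.
REVERSE_SUMMARY='Creating new encrypted volume.
--reverse specified, not using unique/chained IV
Filesystem cipher: "ssl/aes", version 2:2:1
Filename encoding: "nameio/block", version 3:0:1
Key Size: 192 bits
Block Size: 1024 bytes
File holes passed through to ciphertext.'

COPY_SUMMARY='Creating new encrypted volume.
Filesystem cipher: "ssl/aes", version 2:2:1
Filename encoding: "nameio/block", version 3:0:1
Key Size: 192 bits
Block Size: 1024 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File holes passed through to ciphertext.'

# Keep only the volume property lines of an encfs setup transcript, sorted.
encfs_props() {
    printf '%s\n' "$1" |
        grep -E '^(Filesystem cipher|Filename encoding|Key Size|Block Size|Each file|Filenames encoded|File holes)' |
        sort
}

# Succeeds when the transcript shows encfs initialising a fresh volume (with a
# new key) instead of opening an existing one. A mount that is meant to open a
# copied volume should never produce this line.
encfs_created_new_volume() {
    printf '%s\n' "$1" | grep -q '^Creating new encrypted volume'
}

# Succeeds when two transcripts describe volumes with different properties
# (e.g. per-file IV headers and filename IV chaining present in only one).
encfs_props_differ() {
    [ "$(encfs_props "$1")" != "$(encfs_props "$2")" ]
}

# Pre-mount check: a directory can only be opened as an existing volume if it
# carries an encfs config file; otherwise encfs will create a new volume.
encfs_has_config() {
    for f in "$1"/.encfs[5-9].xml; do
        [ -f "$f" ] && return 0
    done
    return 1
}
```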