Content
- Key Features
- Security Benefits
- Install latest release
- Setup an encrypted directory (vault)
- Using the encrypted directory (vault)
  - Mount the encrypted directory
  - Unmount the encrypted directory
- Summary
- Links
Key Features
- Encryption: CryFS encrypts file contents, file sizes, file metadata, and directory structures, ensuring that even if an attacker gains access to the stored data, they cannot decrypt or access the contents.
- Tree-based encryption: CryFS splits file contents into blocks and encrypts them individually, using a tree structure to remember how the blocks belong together to form a file.
- User-chosen cipher: The user can select a block cipher for encryption, and CryFS generates two keys (outer_key and inner_key) using scrypt and the user’s chosen password.
- Double encryption: The configuration file is encrypted twice, once with AES-256-GCM and once with the user-chosen cipher, providing an additional layer of security.
- Mountable: CryFS creates a virtual directory (mountdir) that can be accessed as a regular directory, allowing users to work with encrypted files and directories as if they were unencrypted.
- Cloud-friendly: CryFS is designed to work seamlessly with cloud storage providers, such as Dropbox, and can be used with other cloud services as well.
Security Benefits
- Data-at-rest encryption: CryFS encrypts data stored on cloud servers, protecting against unauthorized access.
- Metadata protection: File sizes, file metadata, and directory structures are encrypted as well, so an attacker who obtains the stored data cannot learn file names, sizes, or the directory layout from it.
- Key management: CryFS derives its encryption keys from the user's chosen password with scrypt, a deliberately slow, memory-hard key-derivation function that makes password guessing expensive.
Install latest release
Linux
- Arch-based distros:
sudo pacman -S cryfs
- Debian-based distros:
sudo apt install cryfs
Setup an encrypted directory (vault)
Once installed, you can create an encrypted directory by calling cryfs basedir mountdir in the terminal. You can name the directories however you want; basedir and mountdir are used here for demonstration purposes. If the corresponding directories don't exist yet, CryFS will offer to create them for you.
cryfs basedir mountdir
This will ask you some questions about the configuration of your encrypted directory. For now, we just say yes when we're asked whether to use the default settings. CryFS will also ask you for a password and then you're good to go.
You can modify files and directories in the mountdir directory. CryFS will then encrypt them and store the encrypted data in the basedir directory. The mountdir directory is a virtual directory, meaning it doesn't actually exist on your hard disk but is provided by CryFS. Whenever you access files or directories in it, CryFS handles the decryption in the background, so that you can work with mountdir as if it were a real directory. This way, even if someone steals your hard disk, your data is still secure, since they can't decrypt it without your password.
Using the encrypted directory (vault)
You can work in mountdir, add files to it, modify them, add subdirectories, and do whatever you want with it. Everything you store inside will be encrypted and stored in basedir. The unencrypted content of mountdir is never written to the hard disk, so everything on your hard disk is encrypted. CryFS uses an encryption scheme that encrypts not only file contents but also file sizes, file metadata, and the directory structure. Let's take a look.
Mount the encrypted directory
The command below mounts mountdir, in other words, opens the vault in which you keep your files.
cryfs basedir mountdir
Unmount the encrypted directory
The command below unmounts mountdir, in other words, closes the vault so that its files can no longer be accessed in decrypted form.
cryfs-unmount mountdir
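The three steps above (create, mount, unmount) all come down to the two commands cryfs and cryfs-unmount. The script below is an added example, not part of the CryFS project or the original tutorial; it wraps those two commands with the checks a practitioner usually wants before opening a vault: that basedir and mountdir do not overlap (mounting the cleartext view inside the ciphertext store would put decrypted data next to the files you sync or back up), that mountdir is empty (a FUSE mount hides whatever already lives there), and that the vault is not mounted twice. It assumes cryfs is installed and that mountpoint(1) from util-linux is available; the function names are this example's own.

```shell
#!/bin/sh
# Constructed wrapper around the tutorial's commands (cryfs, cryfs-unmount).
# Assumes cryfs is installed and mountpoint(1) from util-linux is available.
# Function names (vault_layout_ok, open_vault, close_vault, ...) are this
# example's own, not part of CryFS. Pass absolute paths for best results.

# Canonical absolute path for an existing directory; paths that do not exist
# yet are returned unchanged so the prefix checks below still apply to them.
canon() {
  (cd "$1" 2>/dev/null && pwd -P) || printf '%s\n' "$1"
}

# vault_layout_ok BASEDIR MOUNTDIR
# Fails if the two paths are equal or one is nested inside the other.
vault_layout_ok() {
  base=$(canon "${1%/}"); mount=$(canon "${2%/}")
  [ -n "$base" ] && [ -n "$mount" ] || return 1
  [ "$base" != "$mount" ] || return 1
  case "$mount/" in "$base"/*) return 1 ;; esac   # mountdir inside basedir
  case "$base/" in "$mount"/*) return 1 ;; esac   # basedir inside mountdir
  return 0
}

# dir_is_empty DIR: a FUSE mount hides whatever already lives in the
# directory, so refuse to mount over existing files.
dir_is_empty() {
  [ -d "$1" ] && [ -z "$(ls -A "$1")" ]
}

# vault_is_open MOUNTDIR: true when something (normally CryFS) is mounted there.
vault_is_open() {
  mountpoint -q "$1"
}

# open_vault BASEDIR MOUNTDIR: "cryfs basedir mountdir" from the tutorial,
# guarded by the checks above. cryfs itself prompts for the password.
open_vault() {
  base=$1; mount=$2
  vault_layout_ok "$base" "$mount" || { echo "refusing: $base and $mount overlap" >&2; return 1; }
  mkdir -p "$base" "$mount" || return 1
  if vault_is_open "$mount"; then
    echo "already open: $mount"; return 0
  fi
  dir_is_empty "$mount" || { echo "refusing: $mount is not empty" >&2; return 1; }
  cryfs "$base" "$mount"
}

# close_vault MOUNTDIR: "cryfs-unmount mountdir" from the tutorial. Once it
# returns, the cleartext view is gone and only the ciphertext in basedir remains.
close_vault() {
  if vault_is_open "$1"; then
    cryfs-unmount "$1"
  else
    echo "not open: $1"
  fi
}

# Usage: ./vault.sh open ~/Dropbox/basedir ~/vault    or    ./vault.sh close ~/vault
case "${1:-}" in
  open)  open_vault "$2" "$3" ;;
  close) close_vault "$2" ;;
esac
```

Only basedir belongs in the cloud-synced folder; mountdir should live outside it, which is exactly what vault_layout_ok enforces in the one direction and what keeps decrypted files out of the sync client in the other.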
Summary
basedir is the directory where your files are encrypted.
mountdir is a virtual, unencrypted view of your vault; this is where you add or remove files and directories.
Links
Official CryFS
source: www.cryfs.org/tutorial