March 4, 2015

encfs + GnuPG

Yesterday I discussed with somebody that it would be cool to use encfs on a folder shared with several people. “Folder” can mean a Samba share, a Subversion repository, or a Dropbox. Obviously, the show stopper here is the exchange of the symmetric key (the volume password) that encfs needs. So let’s use our GnuPG keys!

The idea of the script is as follows:

  • generate a symmetric key $encfsKey for encfs using /dev/urandom
  • wrap $encfsKey using GnuPG; the $receivers array holds the key IDs of everybody who should be allowed to decrypt $encfsKey (and thus the folder), plus your own ID (you also want to decrypt!)
  • initialize the encfs safe (Hint: interaction with encfs required!)
  • shred $encfsKey

On future runs it is sufficient to

  • decrypt encfs.key.enc using GnuPG
  • open the encfs safe
  • shred $encfsKey

Here we go:


myID=ho1ger  #something that sufficiently identifies a key in your keyring, or 0x1234...
receivers=(alice bob charles)  #add people allowed to open the encfs safe
receivers+=("$myID")  #we are always allowed to open

safe=/path/to/share/safe  #points into the share; we want to sync!
#safe=`pwd`/safe  #for SVN usage; ./safe would be insufficient for encfs!
open=/path/not/to/share/OPEN  #no sync please!
encfsKey=/path/not/to/share/key  #no sync please!

if [ ! -f "encfs.key.enc" ]; then
        #first run: fresh key material, wrapped for every receiver
        head -c 2048 /dev/urandom | base64 > "$encfsKey"
        echo "encFS safe can be opened by following identities:" > policy.txt
        for i in "${receivers[@]}"; do
                recvs="$recvs -r $i"
                echo "$i" >> policy.txt
        done
        #$recvs must stay unquoted so it splits into separate -r arguments;
        #-u only selects a signing key and does no harm for plain encryption
        gpg -o encfs.key.enc -ea -u "$myID" $recvs "$encfsKey"
else
        #later runs: unwrap the key with our own GnuPG key
        gpg -o "$encfsKey" -d encfs.key.enc
fi

mkdir -p "$safe" "$open"  #saves one encfs prompt; first run still asks for the config mode
encfs "$safe" "$open" --extpass="cat $encfsKey"
srm "$encfsKey"  #on Linux use 'shred -u'

Please note: the script above writes the decrypted key ($encfsKey) to a file in plain text. This is ugly, but it turned out to be necessary: at least my machine was unable to call pinentry when I tried something like

encfs `pwd`/safe `pwd`/open --extpass="gpg -o - -d encfs.key.enc"

However, make really sure that $encfsKey does not point into your Dropbox or the like! For this reason, Rule #1: keep everything that is plain text outside the share. This applies to the decrypted encfs.key and to everything inside the $open folder!!
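As an added example (not code from the original post), the same flow as shell functions, with two things a practitioner will want: a check that enforces Rule #1 on the configured paths before anything is written, and a way to mount the safe without ever putting the unwrapped key on disk. The key is unwrapped in the interactive shell, where pinentry works, and piped straight into encfs's -S (--stdinpass) option. Key IDs and paths are placeholders; open_safe assumes a safe that has already been initialized (on the very first run encfs still asks its configuration questions, so do that run interactively as in the script above). The gpg --batch call also assumes the receivers' public keys are validated in your keyring; gpg refuses untrusted recipients in batch mode.

```shell
#!/usr/bin/env bash
# Added example: encfs + GnuPG key sharing as functions, with a Rule #1
# path check and no plaintext key file. Paths/IDs below are placeholders.
# Assumes `gpg` (GnuPG) and encfs's -S/--stdinpass option.

# Rule #1 check: succeed only if $1 is NOT inside the synced share $2.
# Both must be absolute paths; symlinks are not resolved here.
outside_share() {
    local path="${1%/}" share="${2%/}"
    case "$path/" in
        "$share"/*) return 1 ;;   # inside the share: refuse
        *)          return 0 ;;
    esac
}

# Build the "-r id -r id ..." recipient list for gpg from all arguments.
recipient_args() {
    local id out=""
    for id in "$@"; do out="$out -r $id"; done
    printf '%s' "${out# }"
}

# Write policy.txt ($1) listing the identities that can unwrap the key.
write_policy() {
    local file="$1"; shift
    { echo "encFS safe can be opened by following identities:"
      printf '%s\n' "$@"; } > "$file"
}

# 48 random bytes (384 bits) as one base64 line: encfs reads the password
# as a single line, so the key must not contain newlines.
new_key() { head -c 48 /dev/urandom | base64 | tr -d '\n'; }

# Wrap the key read from stdin for all recipients into $1 (ASCII armored).
# Recipient keys must be validated; in --batch mode gpg rejects untrusted ones.
wrap_key() {
    local out="$1"; shift
    # shellcheck disable=SC2046  # splitting the -r list is intended
    gpg --batch --yes -o "$out" -ea $(recipient_args "$@")
}

# Mount an initialized safe: unwrap in this shell (pinentry works here)
# and pipe the key into encfs, so no plaintext key file is ever written.
open_safe() {
    local safe="$1" open="$2" wrapped="$3"
    mkdir -p "$open"
    gpg -q -d "$wrapped" | encfs -S "$safe" "$open"
}

# Usage as a script (hypothetical paths and key IDs):
#   myID=ho1ger; share=/path/to/share; safe=$share/safe; open=/path/not/to/share/OPEN
#   outside_share "$open" "$share" || { echo "Rule #1: $open is inside $share"; exit 1; }
#   if [ ! -f encfs.key.enc ]; then
#       new_key | wrap_key encfs.key.enc alice bob charles "$myID"
#       write_policy policy.txt alice bob charles "$myID"
#   fi
#   open_safe "$safe" "$open" encfs.key.enc
```

outside_share is a plain string-prefix test, so run it on the same absolute paths you hand to encfs; a relative path or a symlink into the share would slip past it.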

Using the Script with Subversion, Git, etc.

One person copies the script to an SVN repository, modifies $receivers according to the desired user IDs, and does the first run. Now she has to add and commit encfs.key.enc, policy.txt and the safe directory with all its files, including the hidden .encfs6.xml that encfs stores in the safe, since nobody can open the safe without it. (Hint: we could also script this step, of course.)

Other users may update their repository locally. If a person is allowed to decrypt encfs.key.enc (her ID should appear in policy.txt) she can decrypt the safe and access the protected files in the open directory. If she adds stuff to open, a new encrypted file appears in safe. This file must be added to the repository and checked in as well. Be sure to obey Rule #1. Note also that the script wraps the key only on the first run: editing $receivers later changes nothing until you re-run the gpg -e step with the new list, and removing somebody requires a fresh key and a re-encrypted safe, because everybody who once unwrapped the old key still has it.

Using the Script with OwnCloud, Dropbox, etc.

Create a new directory, put the script into it and edit the script. Be sure to adapt the paths $safe and $open at the top with some care: $safe goes into the synced directory, $open and $encfsKey stay outside it. Obey Rule #1. Do the first run.

The script, the encrypted key and your files in the encrypted directory referenced by $safe are automatically synced to OwnCloud or Dropbox.

© ho1ger 2015 - 2022