Ubuntu – Filesystem that gives an encrypted view of a directory—the inverse of EncFS


Currently I'm using EncFS to encrypt my directory "confidential" to ".encconfidential" and sync that encrypted directory using an online service (e.g. Dropbox, UbuntuOne etc). However my entire disk is already LUKS encrypted, so the double encryption takes a toll on performance.

I wonder is there an "inverted" EncFS option? An unencrypted directory gets mounted and in the mounted directory you only see encrypted files. So I could work with the unencrypted documents while the sync tool sees and read/writes the encrypted files only.

Clarification: My primary use case is sync not backup. I want to be able to securely keep machines in sync without the double encryption penalty when operating local (I have to wait when I hit save, compared to transmission time an encrypted operation is a minimal increment in time – and it is background time, not user time)

Best Answer

There actually is an Encfs "inverted" option. From the Encfs man page:

       Normally EncFS provides a plaintext view of data on demand.  Normally it stores enciphered data and displays plaintext data.  With --reverse it
       takes as source plaintext data and produces enciphered data on-demand.  This can be useful for creating remote encrypted backups, where you do
       not wish to keep the local files unencrypted.

       For example, the following would create an encrypted view in /tmp/crypt-view.

           encfs --reverse /home/me /tmp/crypt-view

       You could then copy the /tmp/crypt-view directory in order to have a copy of the encrypted data.  You must also keep a copy of the file
       /home/me/.encfs5 which contains the filesystem information.  Together, the two can be used to reproduce the unencrypted data:

           ENCFS5_CONFIG=/home/me/.encfs5 encfs /tmp/crypt-view /tmp/plain-view

       Now /tmp/plain-view contains the same data as /home/me

       Note that --reverse mode only works with limited configuration options, so many settings may be disabled when used.

I have not tried it for syncing, but I think it would work as long as you use the same .encfs5 config folder at the other end.

Related Question