Decrypt EncFS files without the .encfs6.xml

encfsencryption

This actually happened on Mac OS X, but I believe I can get the answer here rather than on http://apple.stackexchange.com

I have a directory encrypted with encfs. I accidentally deleted .encfs6.xml from there.

Now when I want to mount this directory as encfs one, encfs wants to create new encrypted volume there. Can I somehow force it to open existing one instead of creating new one?

Of course I remember the password.

Best Answer

.encfs6.xml contains the key. If you've lost that file, you won't be able to decrypt your files.

The encryption key is not derived from the password. What is derived from the password is the key used to encrypt the file encryption key which is stored in encfs6.xml. This is a standard method. It's done this way for two reasons:

  • For security: passwords typically have low entropy — it's usually possible to find them by enumerating all likely possibilities (12345678, password, iloveyou, Passw0rd, …). On the other hand, keys are generated randomly; having a non-negligible of chance guessing the right key would take longer than the age of the universe. So an attacker who guesses your password must also get hold of the key file .encfs6.xml. (This is not much of an advantage when the key file isn't stored together with the encrypted data though.)
  • For usability: this way, if you change your password, the software only needs to update .encfs6.xml, it doesn't need to reencrypt all the files.

Restore .encfs6.xml from your backup.

If you don't have a backup, you may be able to recover it using forensic tools that search for deleted files. This is of course not guaranteed to work, and not necessarily easy even if it does work.

Related Question