How to understand the filesystem concepts used by encfs

command line, encryption, filesystems, fuse

I do not hold a deep understanding of computer science concepts but would like to learn more about how the utility encfs works. I have a few questions about the concept of a filesystem with regard to encfs. It is said that encfs is a cryptographic filesystem (wiki link).

1) To encrypt the files, encfs is moving around blocks of the files to be encrypted, so am I correct to see this 'scrambled' version of the files as a new perspective which justifies the term of a new filesystem?

2) In the man page of encfs, in the section CAVEATS (link to the encfs man page online), it says that encfs is not a true file system. How should I understand this? Is that because some necessary features common to all file systems are missing in encfs' file system? Or is it because of some other more substantial reason?

3) The man pages say that it creates a virtual encrypted file system. There are two questions here. What is it that makes it virtual: is it that it is a file system within a file system? And does "encrypted" mean that there is no straightforward way to map the file blocks into a format to be read by other programs?

4) How does the command fusermount relate to encfs?

Best Answer

I think that behind your description, there is a misconception. The unencrypted data is not stored on the disk at any point. When you write to a file in the encfs filesystem, the write instruction goes to the encfs process; the encfs process encrypts the data (in memory) and writes the ciphertext to a file. The file names, as well as the file contents, are encrypted. Reading a file undergoes the opposite process: encfs reads the encrypted data from the disk file, decrypts it in memory and passes the plaintext to the requesting application.

When you run the encfs command, it does not decrypt any data. It only uses the password that you supply to unlock the filesystem's secret key. (This is actually a decryption operation, cryptographically speaking, but a different type from what happens with the file data. I will not go into more details here.)

1) Encfs is not exactly “moving blocks around”; it is decoding blocks when it reads them. Encfs is a filesystem because it behaves like one: you can store files on it, when it's mounted.

2) Encfs is not a “true” filesystem because it doesn't work independently. Encfs only provides an encryption layer; it uses an underlying filesystem to actually store data and metadata (metadata is auxiliary information about files such as permissions and modification times).

3) Virtual filesystem is another way to say that encfs itself doesn't store any data; it needs an underlying filesystem (see (2) above) for that. Encrypted means just that: encfs stores the data that you put in it in an encrypted form, which cannot be decrypted without the key. Another program could read the data stored by encfs if and only if that other program had access to the key (which requires the password that the key is protected with).

4) The fusermount command sets up a FUSE mount point. You would not normally call it directly, because a FUSE filesystem is implemented by a user-mode process which you have to start anyway, and that process (e.g. encfs) will take care of setting up the mount point. Unmounting a FUSE filesystem, on the other hand, is a generic operation; you can always do it by calling fusermount -u.
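
The layering described in the answer, as an added example that is not part of the original answer and is not encfs's code: a toy Python model in which the password only unlocks a random volume key, and file names and contents are encrypted in memory before being stored in an ordinary directory. The class name, the `.toy-volume-key` file and the HMAC-based keystream are assumptions made for illustration; encfs uses its own ciphers and on-disk format.

```python
import base64, hashlib, hmac, os

def _xor(key, nonce, data):
    # Toy keystream: HMAC-SHA256 in counter mode, a stand-in for encfs's real cipher.
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

class ToyCryptLayer:
    """Stores nothing itself: all data lives, encrypted, in an ordinary directory."""
    CONFIG = ".toy-volume-key"  # hypothetical name for the wrapped-key file

    def __init__(self, backing_dir, password):
        self.dir = backing_dir
        cfg = os.path.join(backing_dir, self.CONFIG)
        if not os.path.exists(cfg):  # first use: create a random volume key
            salt, volume_key = os.urandom(16), os.urandom(32)
            kek = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
            wrapped = _xor(kek, b"wrap", volume_key)
            with open(cfg, "wb") as f:
                f.write(salt + wrapped + hmac.new(kek, wrapped, hashlib.sha256).digest())
        with open(cfg, "rb") as f:
            blob = f.read()
        salt, wrapped, tag = blob[:16], blob[16:48], blob[48:]
        kek = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
        if not hmac.compare_digest(tag, hmac.new(kek, wrapped, hashlib.sha256).digest()):
            raise ValueError("wrong password")
        self.key = _xor(kek, b"wrap", wrapped)  # "mounting" only unlocks the key

    def _enc_name(self, name):
        raw = name.encode()
        iv = hmac.new(self.key, b"name:" + raw, hashlib.sha256).digest()[:8]  # deterministic IV
        return base64.urlsafe_b64encode(iv + _xor(self.key, iv, raw)).decode()

    def _dec_name(self, stored):
        blob = base64.urlsafe_b64decode(stored)
        return _xor(self.key, blob[:8], blob[8:]).decode()

    def write(self, name, plaintext):
        nonce = os.urandom(16)
        with open(os.path.join(self.dir, self._enc_name(name)), "wb") as f:
            f.write(nonce + _xor(self.key, nonce, plaintext))  # only ciphertext hits disk

    def read(self, name):
        with open(os.path.join(self.dir, self._enc_name(name)), "rb") as f:
            blob = f.read()
        return _xor(self.key, blob[:16], blob[16:])

    def listdir(self):
        return sorted(self._dec_name(n) for n in os.listdir(self.dir) if n != self.CONFIG)
```

Listing the backing directory directly shows only encoded names and ciphertext, which is the view another program gets without the key.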
