EncFSVault provides a replacement for Apple’s FileVault. There are a lot of issues with FileVault. Personally I don’t like any proprietary software for security sensitive storage of my data. But the main reason I was not able to use FileVault was the fact that FileVault still doesn’t provide support for case sensitive HFS+ file systems as of OS X Leopard 10.5.6. That’s a shame!
My choice was EncFSVault. Good or bad choice?

• Installation
• Encrypt an existing user account
• Problems with Spotlight indexing

Installation

EncFSVault requires EncFS & MacFUSE to be priory installed.
Download and install:

• EncFS-10.5-2.0.0.zip
• MacFUSE-2.0.3,2.dmg
• EncFSVault-10.5-0.0.6.zip

Enable/Disable EncFSVault from Terminal:

$ encfsVaultCntrl --status
EncfsVault is enabled
$ encfsVaultCntrl --disable
$ encfsVaultCntrl --enable

Encrypt an existing user account

In order to encrypt an existing user account in OS X Leopard, we need an administration account (setup by System Preferences). From there we are going to create the users encrypted volume and encrypt his whole home directory. Upon login the user’s encrypted volume will be mounted to the original destination of his home directory. The following example demonstrates the encryption of user zod:

1) Login to administration user account

2) move away the user’s data

If you are running out of space on your disk:

$ cd /Users
$ mkdir zod_BKUP
$ mv zod/.* zod_BKUP/; mv zod/* zod_BKUP/

We can lateron move all data back into the user’s home. But I do prefer to do this after the creation of the encrypted volume to speed up things and to prevent my MacBook Pro from filling up its disk.

3) Create encrypted volume

EncFSVault provides us with a nice script that automates the whole encryption process, setupNewEncfsVaultUser. There won’t be any options to choose, it will create a straightforward EncFS directory /Users/.zod and mount it to /Users/zod:

$ setupNewEncfsVaultUser

The script now created an encfs volume in /User/.zod with the following encryption options:

Configuring Encfs with the follwoing options
cipher algorithms = AES (option 1)
key size = 256
filesystem block size = 512 (default)
encoding algorithms = Block (option 1)
filename initialization vector chaining = yes (default)
per-file initialization vectors = yes (default)
filename to IV header chaining = no (default)
block authentication code headers = no (default)

The encrypted volume is now correctly mounted to /Users/zod:

$ mount
/dev/disk0s2 on / (hfs, local, journaled)
encfs@fuse0 on /Users/zod (fusefs, synchronous)

Try unmounting and re-mounting the volume (to mount with encfs, always provide absolute paths!):

$ umount /Users/zod
$ encfs /Users/.zod /Users/zod

4) Move back your data (encryption)

The whole encryption of your data can now take place. If you are running out of space on your system, move back your directories one-by-one. The mv command is no actual mv as we are moving across different partitions (the EncFS volume is mounted) – actually it will invoke the cp command and only free your space after completion.

$ cd /Users
$ mv zod_BKUP/.* zod/; mv zod_BKUP/* zod/

This will take some time as encryption of your data now takes place and all your data will be copied. Expect some error output as e.g.:

mv: zod_BKUP/Library/...: could not copy extended attributes to zod/Library/...: No such file or directory
mv: lchmod: ./Library/...: No such file or directory
mv: /bin/cp: terminated with 1 (non-zero) status: Cross-device link

Usually you can ignore those messages as this only happens on missing links. But still, I cannot guarantee that the whole copy process runs successfully without harming your data. I encountered some issues with several application settings that were missing after logging into my user account.

Check disk usage:

$ df -h
Filesystem      Size   Used  Avail Capacity  Mounted on
/dev/disk0s2   204Gi  192Gi   13Gi    94%    /
encfs@fuse0    204Gi  192Gi   13Gi    94%    /Users/zod

5) Login to your encrypted user account

You can now unmount the encrypted volume…

$ umount /Users/zod

… and login to your freshly encrypted user account. Everything should be working and your home directory automatically mounted right after you login.

Problems with Spotlight indexing

You will notice, that Spotlight indexes don’t work any more on your user data (encfsvault issue #1). Spotlight is a must as I’m using it to do full-text searches in Apple Mail.
The only workaround is to rebuild EncFSVault from source, recompile it with the encfs mount option -o local.

$ svn co http://encfsvault.googlecode.com/svn/tags/0.0.6 /projects/encfsvault
$ cd /projects/encfsvault

Here’s the line I have changed, simply add the "-olocal" option:

$ svn diff
Index: encfsvault.m
===================================================================
--- encfsvault.m	(revision 27)
+++ encfsvault.m	(working copy)
@@ -287,8 +287,8 @@
 	int forkStatus = 0;
 	pid_t pid;
 
-	char *args[] = { (char*)encfsWithPath, "-S", "--idle=1", (char*)storagePath, (char*)mountPath, "--",
-						(char*)volumeOpt, "-osubtype=10", "-oping_diskarb", "-oallow_other", (char*)fishIconOpt, (char*)0 };
+	char *args[] = { (char*)encfsWithPath, "-S", "--idle=1", (char*)storagePath, (char*)mountPath, "--",
+						(char*)volumeOpt, "-osubtype=10", "-oping_diskarb", "-olocal", "-oallow_other", (char*)fishIconOpt, (char*)0 };

Rebuild the whole project with Xcode 3.0. The build should now be in build/Release/EncfsVault.bundle. Replace your originally installed EncfsVault.bundle from your administration account:

$ sudo su -
$ encfsVaultCntrl --disable
$ cd /System/Library/CoreServices/SecurityAgentPlugins
$ mv EncfsVault.bundle /projects/BKUP/
$ cp -R /projects/encfsvault/build/Release/EncfsVault.bundle .
$ encfsVaultCntrl --enable

The volume should now be mounted with the -o local option and your home directory acts like a local directory. I don’t give any guarantee on this. You might run into different problems…

Using local option:
This option marks the volume being mounted as “local”. By default, MacFUSE volumes are marked as “nonlocal”, which technically isn’t necessarily the same as a “server” or “network” volume, but is treated as such by the Finder in some cases. For example, the Finder may not show “connected servers” on the Desktop or in the sidebar in some cases. If you use this option, you can get around this “limitation”. However, wait!
Don’t be too tempted and think local is a magic pill that will solve all your problems. In fact, it may mess things up more than you realize. The operating system can be more aggressive in dealing with “local” volumes (a .Trashes. directory will be created, for one). You could run into mysterious problems with Disk Arbitration and other system components. I don’t know (and possibly can’t know–Mac OS X isn’t all
open source!) the side effects of using this option. Therefore, treat this as experimental and use with caution. Moreover, please do not file bug reports that involve this option–reproduce your issue without this option and then file a bug report.

Force Spotlight re-indexing of your mounted home directory:

$ mdutil -i on /Users/zod

After some seconds/minutes, Spotlight should start its indexing activity.

Last but not least: I had to give up on EncFSVault. See my warning above.