EncFSVault as a FileVault replacement

EncFSVault provides a replacement for Apple’s FileVault. There are a lot of issues with FileVault. Personally I don’t like any proprietary software for security-sensitive storage of my data. But the main reason I was not able to use FileVault was the fact that FileVault still doesn’t provide support for case-sensitive HFS+ file systems as of OS X Leopard 10.5.6. That’s a shame!
My choice was EncFSVault. Good or bad choice?


WARNING: I had to give up on EncFSVault again after running it for a single day! On a running system EncFSVault disconnected/unmounted the encrypted volume every 30 minutes or so. This led to severe instability, mostly to complete system crashes. The following tutorial is meant for those who would like to try it out. I strongly discourage you from running EncFSVault in a production environment! Back up your data before you mess around with it!

Installation

EncFSVault requires EncFS and MacFUSE to be installed first.
Download and install:

Enable/Disable EncFSVault from Terminal:

Encrypt an existing user account

In order to encrypt an existing user account in OS X Leopard, we need an administrator account (set up in System Preferences). From there we are going to create the user’s encrypted volume and encrypt their whole home directory. Upon login the user’s encrypted volume will be mounted at the original location of the home directory. The following example demonstrates the encryption of user zod:

1) Log in to the administrator account

2) Move the user’s data away

If you are running out of space on your disk:

We can later on move all data back into the user’s home. But I prefer to do this after the creation of the encrypted volume to speed things up and to prevent my MacBook Pro from filling up its disk.

3) Create encrypted volume

EncFSVault provides us with a nice script that automates the whole encryption process, setupNewEncfsVaultUser. There won’t be any options to choose; it will create a straightforward EncFS directory /Users/.zod and mount it to /Users/zod:

The script has now created an encfs volume in /Users/.zod with the following encryption options:

The encrypted volume is now correctly mounted to /Users/zod:

Try unmounting and re-mounting the volume (to mount with encfs, always provide absolute paths!):

4) Move back your data (encryption)

The actual encryption of your data can now take place. If you are running out of space on your system, move your directories back one by one. Because the EncFS volume is mounted as a separate file system, mv cannot simply rename the files: it copies them, as cp would, and frees the source space only after the copy completes.

This will take some time, as all your data is copied and encrypted along the way. Expect some error output, e.g.:

Usually you can ignore those messages as this only happens on missing links. But still, I cannot guarantee that the whole copy process runs successfully without harming your data. I encountered some issues with several application settings that were missing after logging into my user account.
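One way to make this step safer, as an added example that is not part of the original post: copy each directory into the mounted volume, compare checksums, and delete the source only when they match. The function names and the staging path /Users/zod.plain are assumptions, "missing links" is read here as dangling symlinks, and the `mount` line format matched is the one OS X prints.

```shell
#!/bin/sh
# Added example: verified, per-directory move into a mounted EncFS home.
# Function names and the staging path in the usage line are assumptions.

# is_mount_point MOUNT_TABLE PATH: true only if PATH is listed as a mount
# point in the text output of `mount` ("<device> on <path> (<options>)").
is_mount_point() {
    printf '%s\n' "$1" | grep -qF " on $2 ("
}

# dangling_links DIR: print symlinks whose target does not exist.
dangling_links() {
    find "$1" -type l ! -exec test -e {} \; -print
}

# tree_digest DIR: one checksum over name and content of every regular file.
# cksum (CRC) detects copy errors; it is not a cryptographic hash.
tree_digest() {
    (cd "$1" && find . -type f -exec cksum {} + | LC_ALL=C sort) | cksum
}

# safe_move SRC DST_PARENT: copy, verify, and only then delete the source.
safe_move() {
    src=$1
    dst=$2/$(basename "$1")
    dangling_links "$src" | sed 's/^/dangling symlink: /' >&2
    cp -Rp "$src" "$2"/ || echo "cp reported errors for $src" >&2
    if [ -d "$dst" ] && [ "$(tree_digest "$src")" = "$(tree_digest "$dst")" ]; then
        rm -rf "$src"
    else
        echo "verification failed, keeping $src" >&2
        return 1
    fi
}

# migrate MOUNT_TABLE HOME SRC...: refuse to write unless HOME is mounted,
# otherwise the data would land unencrypted in the bare mount directory.
migrate() {
    table=$1; home=$2; shift 2
    if ! is_mount_point "$table" "$home"; then
        echo "$home is not a mounted volume, refusing to copy" >&2
        return 2
    fi
    for d in "$@"; do
        safe_move "$d" "$home" || return 1
    done
}

# Usage (as the administrator, volume mounted; /Users/zod.plain is hypothetical):
#   migrate "$(mount)" /Users/zod /Users/zod.plain/Documents
```

The digest covers regular files only, so symlinks and empty directories are copied by cp but not verified.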

Check disk usage:

5) Log in to your encrypted user account

You can now unmount the encrypted volume…

… and log in to your freshly encrypted user account. Everything should be working and your home directory automatically mounted right after you log in.

Problems with Spotlight indexing

You will notice that Spotlight indexes don’t work any more on your user data (encfsvault issue #1). Spotlight is a must as I’m using it to do full-text searches in Apple Mail.
The only workaround is to rebuild EncFSVault from source so that it mounts with the encfs mount option -o local.

Here’s the line I have changed, simply add the "-olocal" option:

Rebuild the whole project with Xcode 3.0. The build should now be in build/Release/EncfsVault.bundle. Replace your originally installed EncfsVault.bundle from your administration account:

The volume should now be mounted with the -o local option and your home directory acts like a local directory. I don’t give any guarantee on this. You might run into different problems…

Using local option:
This option marks the volume being mounted as "local". By default, MacFUSE volumes are marked as "nonlocal", which technically isn’t necessarily the same as a "server" or "network" volume, but is treated as such by the Finder in some cases. For example, the Finder may not show "connected servers" on the Desktop or in the sidebar in some cases. If you use this option, you can get around this "limitation". However, wait!
Don’t be too tempted and think local is a magic pill that will solve all your problems. In fact, it may mess things up more than you realize. The operating system can be more aggressive in dealing with "local" volumes (a .Trashes. directory will be created, for one). You could run into mysterious problems with Disk Arbitration and other system components. I don’t know (and possibly can’t know–Mac OS X isn’t all open source!) the side effects of using this option. Therefore, treat this as experimental and use with caution. Moreover, please do not file bug reports that involve this option–reproduce your issue without this option and then file a bug report.

Force Spotlight re-indexing of your mounted home directory:

After some seconds/minutes, Spotlight should start its indexing activity.

Last but not least: I had to give up on EncFSVault. See my warning above.

2 Responses

  1. guly
    Apr 17, 2009 - 12:02 PM

    On a running system EncFSVault disconnected/unmounted the encrypted volume every 30 minutes or so

    what do you mean by that? if you encrypt all your home and work on your system encfsvault disconnect/unmount ie /Users/zod ?

  2. iezzip
    Apr 17, 2009 - 12:41 PM

    Yep, if I’m logged in as user zod with a fully encrypted /Users/zod, his home gets disconnected/unmounted and the whole system gets unstable.
    I’ve also tried to recompile EncFSVault with the encfs --idle=0 mount option. That did not help either, same problem.
