mirror of https://github.com/vgough/encfs.git
synced 2025-01-01 03:28:57 +01:00
commit 92ad2d0384
32
README.md
Normal file
@ -0,0 +1,32 @@
|
||||
# EncFS - an Encrypted Filesystem
|
||||
|
||||
## About
|
||||
|
||||
EncFS provides an encrypted filesystem in user-space. It runs in userspace, using the FUSE library for
|
||||
the filesystem interface. EncFS is open source software, licensed under the LGPL.
|
||||
|
||||
EncFS is now over 10 years old (first release in 2003). It came about because older NFS-based encrypted
|
||||
filesystems such as CFS had not kept pace with Linux development. When FUSE became available,
|
||||
I wrote a CFS replacement for my own use and released the first version to Open Source in 2003.
|
||||
|
||||
As with most encrypted filesystems, Encfs was meant to provide security against off-line attacks;
|
||||
ie your notebook or backups fall into the wrong hands, etc. EncFS encrypts individual files, by
|
||||
translating all requests for the virtual EncFS filesystem into the equivalent encrypted operations on
|
||||
the raw filesystem.
|
||||
|
||||
## Status
|
||||
|
||||
Over the last 10 years, a number of good alternatives have grown up. Computing power has increased
|
||||
to the point where it is reasonable to encrypt the entire filesystem of personal computers (and even
|
||||
mobile phones!). On Linux, ecryptfs provides a nice dynamically mountable encrypted home directory,
|
||||
and is well integrated in distributions I use, such as Ubuntu.
|
||||
|
||||
EncFS has been dormant for a while. I've started cleaning up in order to try and provide a better
|
||||
base for a version 2, but whether EncFS flowers again depends upon community interest.
|
||||
In order to make it easier for anyone to contribute, I'm looking at Github as the next home
|
||||
for EncFS. So if you're interested in EncFS, please dive in!
|
||||
|
||||
## GitHub page
|
||||
|
||||
GitHub hosting for EncFS is in progress. See also the original, and more complete,
|
||||
introduction page at http://www.arg0.net/encfs
|
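Review bot: The About section repeats itself and is inconsistent in spelling. "provides an encrypted filesystem in user-space. It runs in userspace" says the same thing twice with two spellings, "first release in 2003" reappears as "released the first version to Open Source in 2003", and "Encfs" sits next to "EncFS". Suggest one opening sentence, one mention of the 2003 release, "EncFS" throughout, and "i.e." for "ie". The off-line attack paragraph is the security-relevant statement in this file; the man page changed in the same commit has an Attacks section, so a pointer to it from here would let readers check whether that threat model matches their use.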
@ -272,7 +272,7 @@ to decode filenames if desired.
|
||||
B<EncFS> is not a true filesystem. It does not deal with any of the actual
|
||||
storage or maintenance of files. It translates requests (encrypting or
|
||||
decrypting as necessary) and passes the requests through to the underlying
|
||||
host filesystem. Therefor any limitations of the host filesystem will be
|
||||
host filesystem. Therefore any limitations of the host filesystem will be
|
||||
inherited by B<EncFS> (or possibly be further limited).
|
||||
|
||||
One such limitation is filename length. If your underlying filesystem limits
|
||||
@ -306,6 +306,7 @@ I<Standard> mode uses the following settings:
|
||||
Filesystem Block Size: 1024 bytes
|
||||
Filename Encoding: Block encoding with IV chaining
|
||||
Unique initialization vector file headers
|
||||
File holes passed through
|
||||
|
||||
I<Paranoia> mode uses the following settings:
|
||||
Cipher: AES
|
||||
@ -316,6 +317,7 @@ I<Paranoia> mode uses the following settings:
|
||||
Unique initialization vector file headers
|
||||
Message Authentication Code block headers
|
||||
External IV Chaining
|
||||
File holes passed through
|
||||
|
||||
In the expert / manual configuration mode, each of the above options is
|
||||
configurable. Here is a list of current options with some notes about what
|
||||
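Review bot: The Paranoia list now has "Message Authentication Code block headers" and "File holes passed through" side by side, with nothing on how the two interact. The new item text later in this patch says an all-zero block is "left as 0's when read (not deciphered)". Please state whether such a block is also exempt from the MAC check. If it is, say so here and consider whether pass-through should be on by default in Paranoia mode.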
@ -328,7 +330,7 @@ in the keying function is selected based on wall clock time to generate the
|
||||
key. In standard mode, a target time of 0.5 seconds is used, and in paranoia
|
||||
mode a target of 3.0 seconds is used.
|
||||
|
||||
On a 1.6Ghz AMD 64 system, it rougly 64k iterations of the key derivation
|
||||
On a 1.6Ghz AMD 64 system, roughly 64k iterations of the key derivation
|
||||
function can be handled in half a second. The exact number of iterations to
|
||||
use is stored in the configuration file, as it is needed to remount the
|
||||
filesystem.
|
||||
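Review bot: The corrected line still reads "1.6Ghz AMD 64"; "1.6 GHz AMD64" is the usual form and could be fixed in the same edit. The paragraph says the iteration count is stored in the configuration file, so it may also be worth stating that the count is fixed when the filesystem is created and does not follow later hardware.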
@ -465,6 +467,14 @@ When this is not enabled and if B<EncFS> is asked to read modified or corrupted
|
||||
data, it will have no way to verify that the decoded data is what was
|
||||
originally encoded.
|
||||
|
||||
=item I<File-hole pass-through>
|
||||
|
||||
Make encfs leave holes in files. If a block is read as all zeros, it will be
|
||||
assumed to be a hole and will be left as 0's when read (not deciphered). This
|
||||
is required if accessing encfs using the SMB protocol.
|
||||
|
||||
Enabled by default. Can be disabled in expert mode.
|
||||
|
||||
=back
|
||||
|
||||
=head1 Attacks
|
||||
|
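Review bot: The new File-hole pass-through item leaves the trade-off undocumented and needs a few wording fixes. Leaving holes in the raw files means anyone holding the encrypted storage can see which regions of a file are sparse, and that belongs in the item text or in the Attacks section that follows. "This is required if accessing encfs using the SMB protocol" gives no reason and leaves it unclear whether "This" means having the option enabled. The item writes "encfs" where the rest of the page uses B<EncFS>. "Can be disabled in expert mode" should name the prompt or option the user will see.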