Merge pull request #1 from vgough/docs/encfs-update

Docs/encfs update
Valient Gough 2014-07-24 23:54:30 -07:00
commit 92ad2d0384
2 changed files with 44 additions and 2 deletions

README.md Normal file

@ -0,0 +1,32 @@
# EncFS - an Encrypted Filesystem
## About
EncFS provides an encrypted filesystem in user-space. It runs in userspace, using the FUSE library for
the filesystem interface. EncFS is open source software, licensed under the LGPL.
EncFS is now over 10 years old (first release in 2003). It came about because older NFS-based encrypted
filesystems such as CFS had not kept pace with Linux development. When FUSE became available,
I wrote a CFS replacement for my own use and released the first version to Open Source in 2003.
As with most encrypted filesystems, Encfs was meant to provide security against off-line attacks;
ie your notebook or backups fall into the wrong hands, etc. EncFS encrypts individual files, by
translating all requests for the virtual EncFS filesystem into the equivalent encrypted operations on
the raw filesystem.
## Status
Over the last 10 years, a number of good alternatives have grown up. Computing power has increased
to the point where it is reasonable to encrypt the entire filesystem of personal computers (and even
mobile phones!). On Linux, ecryptfs provides a nice dynamically mountable encrypted home directory,
and is well integrated in distributions I use, such as Ubuntu.
EncFS has been dormant for a while. I've started cleaning up in order to try and provide a better
base for a version 2, but whether EncFS flowers again depends upon community interest.
In order to make it easier for anyone to contribute, I'm looking at Github as the next home
for EncFS. So if you're interested in EncFS, please dive in!
## GitHub page
GitHub hosting for EncFS is in progress. See also the original, and more complete,
introduction page at http://www.arg0.net/encfs
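Review bot: the "About" paragraph says the same thing twice ("provides an encrypted filesystem in user-space. It runs in userspace, using the FUSE library"); drop one of the two. Same section: "Encfs" should be "EncFS" to match every other mention, and "ie" should be "i.e.". On substance, the threat-model sentence ("meant to provide security against off-line attacks; ie your notebook or backups fall into the wrong hands") would be more useful to a new reader if it also said the converse in one clause: while the filesystem is mounted, the decrypted view is available to whatever can reach the mount point, so EncFS is not a defence against an attacker active on the running system. The "GitHub page" section says hosting "is in progress"; that will go stale quickly, so consider phrasing it as a pointer to the repository plus the arg0.net page rather than a status line.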


@ -272,7 +272,7 @@ to decode filenames if desired.
B<EncFS> is not a true filesystem. It does not deal with any of the actual B<EncFS> is not a true filesystem. It does not deal with any of the actual
storage or maintenance of files. It translates requests (encrypting or storage or maintenance of files. It translates requests (encrypting or
decrypting as necessary) and passes the requests through to the underlying decrypting as necessary) and passes the requests through to the underlying
host filesystem. Therefor any limitations of the host filesystem will be host filesystem. Therefore any limitations of the host filesystem will be
inherited by B<EncFS> (or possibly be further limited). inherited by B<EncFS> (or possibly be further limited).
One such limitation is filename length. If your underlying filesystem limits One such limitation is filename length. If your underlying filesystem limits
@ -306,6 +306,7 @@ I<Standard> mode uses the following settings:
Filesystem Block Size: 1024 bytes Filesystem Block Size: 1024 bytes
Filename Encoding: Block encoding with IV chaining Filename Encoding: Block encoding with IV chaining
Unique initialization vector file headers Unique initialization vector file headers
File holes passed through
I<Paranoia> mode uses the following settings: I<Paranoia> mode uses the following settings:
Cipher: AES Cipher: AES
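Review bot: the new Standard-mode entry is named "File holes passed through" here, but the option it refers to is introduced later in this same patch under the heading "File-hole pass-through". Use one name in both places so a reader scanning the settings lists can find the corresponding =item in the expert-mode option list; the option text also says it "Can be disabled in expert mode", which is worth echoing here since the Standard list otherwise reads as fixed.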
@ -316,6 +317,7 @@ I<Paranoia> mode uses the following settings:
Unique initialization vector file headers Unique initialization vector file headers
Message Authentication Code block headers Message Authentication Code block headers
External IV Chaining External IV Chaining
File holes passed through
In the expert / manual configuration mode, each of the above options is In the expert / manual configuration mode, each of the above options is
configurable. Here is a list of current options with some notes about what configurable. Here is a list of current options with some notes about what
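Review bot: Paranoia mode lists "Message Authentication Code block headers" two lines above the new "File holes passed through" entry, and the option description added later in this patch says an all-zero block "will be left as 0's when read (not deciphered)". That leaves open whether a block treated as a hole still goes through the MAC check. Readers who choose Paranoia mode for integrity protection will expect every block to be authenticated, so this list (or the option's =item) should state explicitly how pass-through interacts with MAC block headers.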
@ -328,7 +330,7 @@ in the keying function is selected based on wall clock time to generate the
key. In standard mode, a target time of 0.5 seconds is used, and in paranoia key. In standard mode, a target time of 0.5 seconds is used, and in paranoia
mode a target of 3.0 seconds is used. mode a target of 3.0 seconds is used.
On a 1.6Ghz AMD 64 system, it rougly 64k iterations of the key derivation On a 1.6Ghz AMD 64 system, roughly 64k iterations of the key derivation
function can be handled in half a second. The exact number of iterations to function can be handled in half a second. The exact number of iterations to
use is stored in the configuration file, as it is needed to remount the use is stored in the configuration file, as it is needed to remount the
filesystem. filesystem.
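Review bot: "rougly" to "roughly" is right, but "1.6Ghz AMD 64" should read "1.6 GHz AMD64". More importantly, the 64k-iterations-in-half-a-second figure describes hardware from the original writing and no longer tells a reader anything about current iteration counts. Since the next sentence already explains that "The exact number of iterations to use is stored in the configuration file", consider either dropping the benchmark sentence or prefixing it with the year it was measured.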
@ -465,6 +467,14 @@ When this is not enabled and if B<EncFS> is asked to read modified or corrupted
data, it will have no way to verify that the decoded data is what was data, it will have no way to verify that the decoded data is what was
originally encoded. originally encoded.
=item I<File-hole pass-through>
Make encfs leave holes in files. If a block is read as all zeros, it will be
assumed to be a hole and will be left as 0's when read (not deciphered). This
is required if accessing encfs using the SMB protocol.
Enabled by default. Can be disabled in expert mode.
=back =back
=head1 Attacks =head1 Attacks
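Review bot: the option text "If a block is read as all zeros, it will be assumed to be a hole and will be left as 0's when read (not deciphered)" describes only the read path, while the opening sentence "Make encfs leave holes in files" implies a write-side behaviour as well; say whether writing an all-zero block also produces a hole in the underlying file. The sentence "This is required if accessing encfs using the SMB protocol" gives no reason, and a one-clause explanation would stop readers from disabling it without understanding what breaks. Finally, because this is "Enabled by default", the documentation should spell out the trade-off it makes in the same paragraph: blocks that are all zeros on disk are returned without decryption, so the layout of holes in a file is visible in the encrypted store and those blocks are not protected like the rest of the file. The "Attacks" section that follows is the natural place to cross-reference this.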