EncFS for OS X Yosemite

It’s about time I updated my instructions for installing and running an EncFS filesystem on Mac OS X, synchronised to Dropbox. Use a combination of FUSE for OS X, EncFS, Dropbox and DropSec to create and maintain a super-secure filesystem which syncs with the cloud, while maintaining

  1. Download and install FUSE for OS X (the MacFUSE compatibility layer is not required)
  2. If you don’t have it already, install the Homebrew package manager
  3. Download and install EncFS (v1.7.5_1 at time of writing) and any dependencies; it’s as easy as ‘brew install homebrew/fuse/encfs’
  4. Download DropSec, extract DropSec.app from the archive and copy it to your Applications folder

To create a new encrypted volume (stored locally at first to prevent your EncFS key from being synchronised with Dropbox):

encfs ~/Desktop/_Encrypted ~/Documents/_DropSec

Answer ‘yes’ when prompted to create the new folders and choose ‘p’ for pre-configured paranoia mode (256-bit AES encryption). Enter a secure EncFS password when prompted and you’re done. Now the filesystem has been created we can deal with securing the key.

umount ~/Documents/_DropSec
mkdir ~/.keys
mv ~/Desktop/_Encrypted/.encfs6.xml ~/.keys/dropsec.xml

The commands above move your key from the EncFS filesystem into a hidden folder in your (local) home directory. Now move the entire ~/Desktop/_Encrypted folder (minus your key) into your Dropbox:

mv ~/Desktop/_Encrypted ~/Dropbox/

To mount the secure filesystem run the DropSec app from your Applications folder. The first time you run DropSec it will prompt you for your EncFS password, which it stores in your local login keychain. The password must match the secure password you set earlier.

When the secure volume is mounted a DropSec folder with a padlock icon will appear on your desktop. If it doesn’t, check that you have ‘Show Connected servers’ checked in Finder preferences.

To mount or unmount the encrypted volume simply run the DropSec app. For convenience copy it to your Mac OS dock for quick access.

Dropbox & EncFS on OS X Lion

I previously wrote about a method for creating a super-secure filesystem using Dropbox’s cloud storage.

After updating to Mac OS Lion I struggled to get the MacFusion GUI to work and so I wrote an application to automate the mounting and unmounting of the EncFS filesystem.

I also took the opportunity to switch from the now abandoned MacFUSE to Fuse4X, which is a properly maintained fork of MacFUSE started in June 2011.

The install procedure is much simpler than before: you install Fuse4X and EncFS, but instead of using the MacFusion GUI you just call my script.

To the instructions!

First download and install Fuse4X and a version of EncFS which uses the Fuse4X APIs. Thanks to Simone Lehmann for providing an EncFS Mac installer at http://www.lisanet.de/?p=128 (also mirrored here).

To create a new encrypted volume (stored locally at first to prevent the EncFS key from being synchronised with Dropbox):

encfs ~/Desktop/_Encrypted ~/Documents/_DropSec

Answer ‘yes’ when prompted to create the new folders and choose ‘p’ for pre-configured paranoia mode (256-bit AES encryption). Enter a secure EncFS password when prompted and you’re done.

Now the filesystem has been created we can deal with securing the key.

umount ~/Documents/_DropSec
mkdir ~/.keys
mv ~/Desktop/_Encrypted/.encfs6.xml ~/.keys/dropsec.xml

The commands above move your key from the EncFS filesystem into a hidden folder in your (local) home directory.

Now move the entire ~/Desktop/_Encrypted folder (minus your key) into your Dropbox:

mv ~/Desktop/_Encrypted ~/Dropbox/

Finally download my DropSec application and copy it to your Applications folder.

The first time you run DropSec it will prompt you for your EncFS password which it stores in your local login keychain. The password must match the secure password you set in a previous step.

To mount or unmount the encrypted filesystem simply run the DropSec app. For convenience copy it to your Mac OS Dock for quick access.

HTC’s Dropbox bonus deception

HTC have been promoting a partnership with Dropbox which gives HTC smartphone customers an additional 3GB of free Dropbox storage space.

The extra storage capacity appears when you activate the Dropbox client on a HTC smartphone with the new HTC Sense 3.5 software.

There’s something they don’t tell you though, which only becomes apparent when you receive the confirmation email from Dropbox:

Congrats on becoming a Dropbox Guru! We’ve awarded you 3GB of bonus space for the next 12 months! You now have 5.25GB on Dropbox. To get even more space, check out our upgrade options.

Thanks again for supercharging your HTC phone with Dropbox!

According to the email, the 3GB bonus space is only awarded for 12 months.

This has been confirmed in the Dropbox support forums by their staffer ‘Michael N’:

We are excited to confirm the announcement from HTC. Owners of HTC phones with a Sense 3.5 ROM will be receiving 3GB of extra space for 1 year, free of charge. All you need do to earn the space is install the Dropbox app on the HTC phone, then complete the Getting Started Quest at www.dropbox.com/gs

So what happens if you are still using the 3GB of bonus space at the end of the 12 months?

Well, according to an update from Michael N: “The 3GB extra space goes away, and you’re over quota. Your Dropbox desktop client will stop syncing.”

Your options are then to delete files and reduce your storage to under the 2GB free limit or upgrade to Dropbox’s Pro 50 plan at a cost of $9.99/month. How convenient!

While Dropbox themselves have been fairly transparent, HTC have been careful not to mention this built-in timebomb.

The bonus space is time-limited and only available to owners of a HTC phone with the new Sense 3.5 ROM. This is very different to HTC’s announcement: “We’re proud to announce that we’ve partnered with @Dropbox, bringing 5GB of storage to all of our #Android phones.”

The Advertising Standards Authority now regulates advertising across all media, including marketing on websites. I wonder if this includes marketing statements made on Twitter from an official company account?

I feel a complaint to the ASA coming on!

Problems with 1Password Reader for Android

I’ve been using the 1Password application from AgileBits for a few years. It has been a Godsend for keeping track of the hundreds of logins and secure notes I need to keep in sync across multiple machines.

One of the more recent additions to the client portfolio is the free 1Password Reader app for Android.

The app allows you to read your secure credentials from a 1Password keychain stored on your SD card or Dropbox folder.

This app has been working well right up until the v1.8.1.1 update which was released to Android Market on 20th June. After that the app would no longer import my 1Password keychain and was reporting the error “Urecognizable keychain”.

After some investigation I found that the cause of the problem was that my 1Password keychain did not have the correct file extension; in fact, it didn’t have a file extension at all and was displaying in Finder as a folder.

The 1Password keychain is in fact a package file and the latest version of the Android app needs the keychain to have the file extension of .agilekeychain.

To find out where your 1Password keychain file is, look for a hidden file called .ws.agile.1Password.settings in the root of your Dropbox folder. This file contains the location of your 1Password keychain file.

To fix my Android problem I closed the 1Password Mac client and then added the .agilekeychain file extension to my 1Password keychain folder in Dropbox. The next time I fired up the Mac client I went into Preferences > General and updated the Data File location to match the renamed keychain.

This has fixed the Android issue which now imports the Dropbox keychain without any problems.

Securing Dropbox

After the well-publicised Dropbox security failings, I started searching for a solution which would allow me to encrypt private data held in my Dropbox while still having easy access to it from my personal Mac.

I could create a Mac encrypted disk image but this would be unwieldy to manage and probably result in large file updates whenever any of the contents were changed.

A more elegant technical solution is to create an encrypted user-space filesystem. It’s a bit more work to set up and you will need a combination of tools, but it does allow for a much more flexible and manageable configuration.

Instructions:

/usr/bin/ruby -e "$(curl -fsSL https://raw.github.com/gist/323731)"
  • Install Apple Xcode – this can be downloaded from the Apple Developer site
  • Install the latest EncFS encrypted filesystem (v1.7.4 at time of writing):
sudo brew install encfs

I want to make this installation as secure as possible so I’m not going to store the EncFS key file on Dropbox. To accomplish this I use a neat trick.

We’re going to create a new encrypted volume, but do this locally first so the EncFS key is never synchronised with Dropbox:

encfs ~/Desktop/Secure ~/Documents/DropSec

Answer ‘yes’ when prompted to create the new folders and choose ‘p’ for pre-configured paranoia mode (256-bit AES encryption). Enter a secure password when prompted and you’re done.

Now the filesystem has been created we can deal with the key.

umount ~/Documents/DropSec
mkdir ~/.encfskeys
mv ~/Desktop/Secure/.encfs6.xml ~/.encfskeys/dropsec.xml

Remove the /usr/local/bin/encfs symbolic link …

rm /usr/local/bin/encfs

… and replace with a simple wrapper script.

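Use a text editor to create the following script at /usr/local/bin/encfs:

#!/bin/sh
# Wrapper to EncFS: point EncFS at the key file kept outside Dropbox
REALENCFS="/usr/local/Cellar/encfs/1.7.4/bin/encfs"
MYUSER=$(whoami)
# ENCFS6_CONFIG overrides the default .encfs6.xml lookup in the raw folder
export ENCFS6_CONFIG="/Users/${MYUSER}/.encfskeys/dropsec.xml"
exec "$REALENCFS" "$@"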

Don’t forget to make the new wrapper script executable:

chmod 555 /usr/local/bin/encfs

Create a dummy key to ensure that the Macfusion plugin will recognise the EncFS volume:

touch ~/Desktop/Secure/.encfs6.xml

Now move the entire ~/Desktop/Secure folder into your Dropbox:

mv ~/Desktop/Secure ~/Dropbox/

To check the secure volume settings use:

ENCFS6_CONFIG="/Users/youruser/.encfskeys/dropsec.xml" encfsctl info ~/Dropbox/Secure

To change your secret password use:

ENCFS6_CONFIG="/Users/youruser/.encfskeys/dropsec.xml" encfsctl passwd ~/Dropbox/Secure

Use the Macfusion GUI to mount and unmount the volume when you need it.

  • The EncFS Raw Path is /Users/youruser/Dropbox/Secure
  • The Passphrase is the password you gave when you created your EncFS volume
  • The Mount Point is the local (unencrypted) folder where you access your secure folder (in this example we have used /Users/youruser/Documents/DropSec)

You should now have an encrypted volume in your Dropbox which you access via your local ~/Documents/DropSec mount.

The security of the ~/.encfskeys/dropsec.xml key file is of paramount importance. This is the EncFS decryption key which must stay in that folder. If you delete this file then all your encrypted data is gone forever, so keep a secure backup somewhere else just in case.
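
A check for the layout built above, added here as an example and not part of the original post or of DropSec: it confirms that no real .encfs6.xml remains in the synced tree, that the relocated key sits outside it, and that the key and its folder are private to your user. The function name and its two arguments are assumptions. The check matters because the config file holds the volume key wrapped under your password, so a leaked copy allows offline password guessing.

```sh
#!/bin/sh
# Added example: audit an EncFS-on-Dropbox layout.
# audit_encfs_layout SYNC_ROOT KEY_FILE   (hypothetical helper, not from the post)
# Prints one line per finding; returns the number of findings (0 = clean).
audit_encfs_layout() {
    root=$1 key=$2 findings=0
    if [ ! -d "$root" ] || [ ! -s "$key" ]; then
        echo "FAIL: sync root missing, or key file missing/empty"
        return 1
    fi

    # 1. No real EncFS config may sit in the synced tree. A zero-byte
    #    .encfs6.xml (the Macfusion dummy) holds no key and is ignored.
    leaked=$(find "$root" -type f -name '.encfs6.xml' -size +0 2>/dev/null)
    if [ -n "$leaked" ]; then
        echo "FAIL: EncFS config inside synced folder: $leaked"
        findings=$((findings + 1))
    fi

    # 2. The relocated key file must not live under the sync root either.
    rootdir=$(cd "$root" && pwd -P)
    keydir=$(cd "$(dirname "$key")" && pwd -P)
    case "$keydir/" in
        "$rootdir"/*)
            echo "FAIL: key file $key is inside the synced folder"
            findings=$((findings + 1)) ;;
    esac

    # 3. Key file and its directory should be private to the owner.
    #    Characters 5-10 of the ls mode string are the group/other bits.
    for p in "$keydir" "$key"; do
        bits=$(ls -ld "$p" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "WARN: $p is open to group/other ($bits); run chmod go-rwx"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Usage with the paths from this post (assumed to exist on your machine):
#   audit_encfs_layout ~/Dropbox ~/.encfskeys/dropsec.xml
```

Because mkdir creates the key folder with your default umask, a fresh setup will usually trip the third check until you run chmod go-rwx on the folder and the key file.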

UPDATE: Read this post for a new method of creating a secure Dropbox folder.