CryFS is very easy to use. Let us show you how.
Once installed, you can create an encrypted directory by calling cryfs basedir mountdir. You can name the directories however you like; we chose basedir and mountdir for demonstration purposes. If the corresponding directories don't exist yet, CryFS will offer to create them for you.
$ cryfs basedir mountdir
This will ask you some questions about the configuration of your encrypted directory. For now, we just say yes when we're asked whether to use the default settings. CryFS will also ask you for a password and then you're good to go.
You can modify files and directories in the mountdir directory. CryFS will then encrypt them and store the encrypted data in the basedir directory. The mountdir directory is a virtual directory, meaning it doesn't actually exist on your hard disk, but is provided by CryFS. Whenever you access files or directories in it, CryFS handles the decryption in the background, so that you can work with mountdir as if it were a real directory. This way, even if someone steals your hard disk, your data is still secure, since they can't decrypt it.
You can work in mountdir, add files to it, modify them, add subdirectories, and do whatever you want with it. Everything you store inside will be encrypted and stored in basedir. The unencrypted content of mountdir will never be stored to the hard disk, so everything on your hard disk is encrypted. CryFS uses an encryption scheme that encrypts not only file contents, but also file sizes, file metadata and the directory structure. Let's take a look.
First, we create a file and a directory in mountdir.
$ cd mountdir
$ echo "My file content" > myfile
$ mkdir mydirectory
Now we check that the file and the directory exist and that the file has the content we just added to it.
$ ls
mydirectory myfile
$ cat myfile
My file content
If we look into the basedir, we see some cryptic files that contain the encrypted data of the mountdir directory.
$ ls ../basedir
[some encrypted files]
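One way to check this yourself while the file system is mounted, as an added example that is not part of the original tutorial or of CryFS: the hypothetical helper count_leaks looks for plaintext entry names and a known content string inside basedir.

```shell
#!/bin/sh
# Added example: look for plaintext names or content in the encrypted basedir.
# Run it while the file system is mounted, with the names from this tutorial:
#   count_leaks mountdir basedir "My file content"

# count_leaks PLAINDIR CIPHERDIR MARKER
# Prints the number of findings on stdout and describes each one on stderr:
#   - entry names from PLAINDIR that reappear as a name under CIPHERDIR
#   - files under CIPHERDIR whose raw bytes contain MARKER verbatim
count_leaks() (
    plain=$1 cipher=$2 marker=$3
    leaks=0
    list=$(mktemp) || exit 2

    # Base names of every file and directory in the plaintext view.
    find "$plain" -mindepth 1 | sed 's|.*/||' | sort -u > "$list"

    while IFS= read -r name; do
        # Note: find treats $name as a pattern, so glob characters match loosely.
        hit=$(find "$cipher" -mindepth 1 -name "$name" | head -n 1)
        if [ -n "$hit" ]; then
            echo "name visible in basedir: $hit" >&2
            leaks=$((leaks + 1))
        fi
    done < "$list"
    rm -f "$list"

    # Files in basedir that contain the marker string unencrypted.
    hits=$(grep -rlF -- "$marker" "$cipher" | wc -l)
    if [ "$hits" -gt 0 ]; then
        echo "marker found in $hits file(s) under $cipher" >&2
    fi
    leaks=$((leaks + hits))

    echo "$leaks"
)
```

A result of 0 means none of the checked names or the marker string are visible in basedir; it does not prove anything about data that was not checked.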
Let's go back and unmount the encrypted directory.
$ cd ..
$ cryfs-unmount mountdir
Note: On CryFS versions 0.9.x, use this command instead:
$ cd ..
$ fusermount -u mountdir
Now, CryFS isn't running anymore, which means we cannot access our data anymore. The mountdir is empty.
$ ls mountdir
[no output because directory empty]
But don't worry: if we look at the basedir, everything is still there; it is only encrypted.
$ ls basedir
[some encrypted files]
When we start CryFS again, we can access our files again.
$ cryfs basedir mountdir
$ ls mountdir
mydirectory myfile
$ cat mountdir/myfile
My file content
Although CryFS can also be used to just encrypt files locally, for example to protect against hard drive theft, its main purpose is to be used together with cloud storage providers like Dropbox. It should work well together with any cloud storage provider that uses a local synchronization folder.
First, set up the Dropbox client to synchronize your cloud files to a local folder. In this tutorial, we'll assume that folder is called dropbox.
Then, we start CryFS. Since we only want to upload the encrypted files, we have to put the basedir into the dropbox folder, so Dropbox will synchronize it. If basedir or mountdir don't exist yet, CryFS will ask us whether it should create them. We answer that question with yes.
$ cryfs dropbox/basedir mountdir
Warning! Take care that you don't put the mountdir into the dropbox folder, because otherwise Dropbox would also upload the unencrypted files from mountdir.
Now, everything we write to mountdir will be automatically encrypted. The encrypted data will be written to dropbox/basedir, where the Dropbox client will pick it up and upload it to the cloud.
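The warning above can be enforced with a small pre-mount check. This is an added example, not part of the original tutorial or of CryFS; the function names canon, is_inside and check_cryfs_layout are hypothetical, and the directory names are the ones used in this tutorial.

```shell
#!/bin/sh
# Added example: check a CryFS + sync-folder layout before mounting.

# canon PATH: absolute, symlink-free form of PATH. The last component may be
# missing, because CryFS offers to create basedir and mountdir.
canon() (
    p=$1
    if [ -d "$p" ]; then
        CDPATH= cd -- "$p" && pwd -P
    else
        parent=$(dirname -- "$p")
        [ -d "$parent" ] || exit 1
        d=$(CDPATH= cd -- "$parent" && pwd -P) || exit 1
        printf '%s/%s\n' "${d%/}" "$(basename -- "$p")"
    fi
)

# is_inside CHILD PARENT: 0 if CHILD is PARENT or below it, 1 if not, 2 on error.
is_inside() (
    child=$(canon "$1") || exit 2
    parent=$(canon "$2") || exit 2
    case "$child/" in
        "${parent%/}/"*) exit 0 ;;
        *) exit 1 ;;
    esac
)

# check_cryfs_layout SYNCDIR BASEDIR MOUNTDIR
# 0: layout is fine; 1: mountdir is inside the sync folder (plaintext would be
# uploaded); 2: basedir is outside the sync folder; 3: a path cannot be resolved.
check_cryfs_layout() (
    syncdir=$1 basedir=$2 mountdir=$3
    rc=0; is_inside "$mountdir" "$syncdir" || rc=$?
    case $rc in
        0) echo "refusing: $mountdir is inside $syncdir" >&2; exit 1 ;;
        1) ;;
        *) echo "cannot resolve $mountdir or $syncdir" >&2; exit 3 ;;
    esac
    rc=0; is_inside "$basedir" "$syncdir" || rc=$?
    case $rc in
        0) exit 0 ;;
        1) echo "$basedir is not inside $syncdir, nothing would sync" >&2; exit 2 ;;
        *) echo "cannot resolve $basedir" >&2; exit 3 ;;
    esac
)

# Usage with the directory names from the tutorial:
#   check_cryfs_layout dropbox dropbox/basedir mountdir && cryfs dropbox/basedir mountdir
```

Because paths are resolved with symlinks followed, a mountdir that reaches the sync folder through a symbolic link is rejected as well.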
As before, let's add a file to it.
$ echo "My file content" > mountdir/myfile
To check that synchronization works, we can add a second client on another computer. Install CryFS and the Dropbox client and set Dropbox up to synchronize to a local folder. We'll assume you called it dropbox again.
If it is set up correctly, there should be a folder dropbox/basedir. You might have to wait some seconds for Dropbox to finish synchronization.
$ ls dropbox
[output contains basedir]
Warning! Never access the file system from two devices at the same time. This can corrupt your file system. When switching devices, always make sure to stop CryFS on the first device, let Dropbox finish synchronization, and then start CryFS on the second device. There are some ideas on how future versions of CryFS could allow for concurrent access, but in the current version this is not safe.
Then, we start CryFS.
$ cryfs dropbox/basedir mountdir
Since mountdir doesn't exist yet on the second client, CryFS will ask whether it should create it. We answer that question with yes.
If we now look into mountdir on the second client, we see the file we created on the first computer.
$ ls mountdir
myfile
$ cat mountdir/myfile
My file content
You can play around with your setup now. As long as CryFS and Dropbox are running on both computers, everything you modify in one of the mountdir directories will automatically be synchronized to the mountdir on the other computer, while Dropbox only sees the encrypted data.