Encryption at rest

Created on 2018/01/27, debian, encfs, encryption, security

This feature has been tested on Debian/Ubuntu 14.04 and 12.04 and on CentOS 6, with Pydio 6.4.2 and 7.0.0.

Install ENCFS

ENCFS is software that lets you mount encrypted folders, which you decrypt with a password (in other words, it protects your data from anyone who doesn’t know the password). In this how-to, we will see how to install the software, set up the folders and use ENCFS in practice.

You will be able to encrypt and decrypt folders using the web interface. Encrypted folders are shown with a padlock. You have to mount the folders manually each time you log in to access the encrypted data.

This tutorial assumes that you have the sudo program, which is required to obtain a working setup. If it is missing, install it:

apt-get install sudo

On Debian/Ubuntu

Let’s now install ENCFS. On Debian/Ubuntu nothing could be simpler: run the following command and apt-get will do the job:

sudo apt-get install encfs

On CentOS 6

To install ENCFS on CentOS 6 you first have to get the latest version of EPEL by running the following command:

wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

Then you just have to install the repository by running:

sudo rpm -Uvh epel-release*rpm

Now you have to install fuse-encfs:

sudo yum install fuse-encfs

That completes the first step. Let’s move on to the setup now!

Set up ENCFS

We have to do some preliminary work before using ENCFS in Pydio, though it’s not very complicated. You have to create an encrypted file system in order to use some special files that are generated by the encfs command. Don’t worry, it’s not that hard: just run the following command (you can change the paths of these folders, but they have to be absolute):

encfs ~/.crypt-raw ~/crypt

If the folders do not exist yet, you will have to allow encfs to create them (type “y” then Enter when it asks whether it should create the folders). Then press Enter to use the standard configuration of encfs. Finally, it will ask for a password.

The final result should look like this:

Allow Pydio to run encfs

You now have to enable the user www-data to execute some commands without providing a password. You just have to run the following command to open the sudoers file (if you don’t have nano just use vi):

sudo nano /etc/sudoers

Then add this line at the end of the file (on Debian/Ubuntu):

www-data ALL = NOPASSWD: /usr/bin/encfs,/usr/bin/encfsctl,/bin/umount

Add this line at the end of the file (on CentOS, where the web server runs as apache):

apache ALL = NOPASSWD: /usr/bin/encfs,/usr/bin/encfsctl,/bin/umount

In both cases, if the following line is uncommented, you have to comment it out (just put a # at the beginning of the line):

Defaults requiretty
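
To confirm the sudoers changes described above, the following added example (not part of the original tutorial or of Pydio) checks a sudoers file for an active requiretty default and for a NOPASSWD rule that grants the web server account exactly the three binaries listed. The helper name audit_sudoers and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Pydio documentation.
# The three binaries from the tutorial's sudoers line, sorted for comparison.
EXPECTED="/bin/umount,/usr/bin/encfs,/usr/bin/encfsctl"

# audit_sudoers FILE WEBUSER (hypothetical helper name)
# Prints findings; returns 0 only if FILE matches what the tutorial describes.
audit_sudoers() {
    file=$1; user=$2; rc=0
    # An uncommented "Defaults requiretty" must not remain in the file.
    if grep -Eq '^[[:space:]]*Defaults[[:space:]]+requiretty' "$file"; then
        echo "FAIL: 'Defaults requiretty' is still active"; rc=1
    fi
    # Active (uncommented) NOPASSWD rules for the web server account.
    rules=$(grep -E "^[[:space:]]*${user}[[:space:]].*NOPASSWD:" "$file" || true)
    if [ -z "$rules" ]; then
        echo "FAIL: no NOPASSWD rule for $user"; return 1
    fi
    while IFS= read -r line; do
        # Normalise the command list: drop blanks, sort, re-join with commas.
        cmds=$(printf '%s\n' "${line#*NOPASSWD:}" | tr -d ' \t' |
               tr ',' '\n' | LC_ALL=C sort | paste -sd, -)
        if [ "$cmds" != "$EXPECTED" ]; then
            echo "FAIL: command list for $user differs from the tutorial's: $cmds"; rc=1
        fi
    done <<EOF
$rules
EOF
    [ "$rc" -eq 0 ] && echo "OK: $file"
    return "$rc"
}

# Constructed sample files, not real system files.
tmp=$(mktemp -d)
printf '%s\n' '#Defaults requiretty' \
    'www-data ALL = NOPASSWD: /usr/bin/encfs,/usr/bin/encfsctl,/bin/umount' \
    > "$tmp/good"
printf '%s\n' 'Defaults    requiretty' 'www-data ALL = NOPASSWD: ALL' > "$tmp/bad"

audit_sudoers "$tmp/good" www-data          # passes
audit_sudoers "$tmp/bad" www-data || true   # reports both problems
```

Run it as root against /etc/sudoers, passing the account your web server runs as.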

Now let’s use all this in Pydio in practice!

Use ENCFS in Pydio

Configure the plugin

The purpose of all this is to use ENCFS in Pydio, so let’s see how to do that. First, you have to enable the cypher.encfs plugin through the GUI (go to Settings -> All Plugins -> Encryption Tools -> Encfs). Double-click on the plugin and you will see something like this:

Let’s now fill all these fields:

  1. Encfs XML File: This contains the absolute path to the .encfs6.xml file (the special file that encfs generates), which is located in the first of the two folders we created. So the value of this field should be something like: /absolute/path/to/home/folder/.crypt-raw/.encfs6.xml.
  2. Encfs Password: This one is pretty straightforward. You just have to type the same password as the one you used to create the encrypted folder.
  3. UID: The last one is a bit special. If you’re using Debian/Ubuntu, leave the default value (www-data’s user id, i.e. 33), but if you are using CentOS you will have to change the value to 48 (the apache user id).
  4. There is no fourth field, but remember to enable the plugin, because if you don’t it won’t work.

Encrypt a folder:

Now for the easiest part: actually using ENCFS in Pydio. The mount point of your FS repository has to belong to www-data (or apache). You then have to choose a folder (located at the root of the repository) that is owned by www-data (or apache). Right click on it and you should see the following:

Left click on the selected item and you will be asked for a password. This password can be completely different from the one you used before. It will be the password used to encrypt and decrypt this folder. Once you’ve encrypted a folder you can’t access its content without the password.

You should see the following after encrypting a folder:

Decrypt a folder and access its content

This is simple: you have to right click on an already encrypted folder and right click on the following selected item:

Then enter the password you used to encrypt the folder and it will be decrypted (you should see that the “encrypted” mention has disappeared). You can now access the content of this folder like that of a normal one. If you want to encrypt it again, you just have to right click on it and select the same item as before.